[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: slapd.conf - acl question
Hi,
Want to thank everyone who has helped, especially the comments about
how the first rule to satisfy prevails. I made one mistake in my
original posting. I did have uid and sn in the slapd.conf file,
I just did not have it typed up in the email. So, to recap, here
is my slapd.conf file (access part):
access to attrs=uid,sn
by self write
by users read
by anonymous read
If I do a 'ldapsearch -LLL '(uid=douglas)' sn', I get nothing back
with an exit status of 0. Here is the log file with loglevel set at
128 (minus the date pid stamp):
=> access_allowed: search access to "uid=douglas,dc=gpc,dc=edu" "sn"
requested
=> acl_get: [1] check attr sn
<= acl_get: [1] acl uid=douglas,dc=gpc,dc=edu attr: sn
=> acl_mask: access to entry "uid=douglas,dc=gpc,dc=edu", attr "sn"
requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
=> access_allowed: read access to "uid=douglas,dc=gpc,dc=edu" "entry"
requested
=> acl_get: [1] check attr entry
<= acl_get: done.
=> access_allowed: no more rules send_search_entry: access to entry not
allowed
A slapcat reveals that the entry is in there. There are no other access
lines in the file. Any ideas? I just know I am doing something brain dead.
I am almost to the point of re-downloading and re-installing.
Thanks,
Cheers,
Douglas
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Quanah
Gibson-Mount
Sent: Tuesday, September 16, 2003 6:50 PM
To: Aaron J. Angel; OpenLDAP-software@OpenLDAP.org
Cc: Peter Marschall
Subject: Re: slapd.conf - acl question
--On Monday, September 15, 2003 6:35 PM -0400 "Aaron J. Angel"
<uberfreak@darkphuture.org> wrote:
> Also, * does not include anonymous, does it?
Star (*) is everything, anonymous or not.
--Quanah
>
> On Mon, 15 Sep 2003 21:42:24 +0200, Peter Marschall <peter@adpm.de> wrote:
>
>> Hi,
>>
>> see http://www.openldap.org/doc/admin21/slapdconfig.html#Access%20Control
>> especially section 5.3.4 ASccess Control Evaluation that states
>>
>> Within this priority, access directives are examined in the order in
>> which
>> they appear in the config file. Slapd stops with the first <what>
>> selector
>> that matches the entry and/or attribute. The corresponding access
>> directive
>> is the one slapd will use to evaluate access
>>
>> and
>>
>> Finally, slapd compares the access granted in the selected <access>
>> clause to
>> the access requested by the client. If it allows greater or equal access,
>> access is granted. Otherwise, access is denied.
>>
>> These two paragraphs should answer your questions.
>>
>> Peter
>>
>>
>>
>> On Monday 15 September 2003 16:29, Douglas B. Jones wrote:
>>> Hi,
>>>
>>> We are on 2.1.22 and I appear to have an acl problem. I have one access
>>> line (for test purposes) in my slapd.conf file with one db (bdb):
>>>
>>> access to attr=sn
>>> by * read
>>>
>>> When I do:
>>>
>>> ldapsearch -LLL '(uid=douglas)' sn
>>>
>>> I get no results. Here is the log file (I have loglevel set to 128):
>>>
>>> Sep 15 09:45:25 c01 slapd[17314]: bdb_initialize: Sleepycat Software:
>>> Berkeley D
>>> B 4.1.25: (December 19, 2002)
>>> Sep 15 09:45:25 c01 slapd[17314]: bdb_db_init: Initializing BDB database
>>> Sep 15 09:45:25 c01 slapd[17418]: slapd starting
>>> Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: search access to
>>> "uid=dougl
>>> as,ou=employee,dc=gpc,dc=edu" "uid" requested
>>> Sep 15 09:45:26 c01 slapd[17418]: => acl_get: [1] check attr uid
>>> Sep 15 09:45:26 c01 slapd[17418]: <= acl_get: done.
>>> Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: no more rules
>>>
>>> Any ideas why I get no results? If I stick 'access to * by * read',
>>> I get a result line as I expect:
>>>
>>> ldapsearch -LLL '(uid=douglas)' sn
>>> dn: uid=douglas,ou=employee,dc=gpc,dc=edu
>>> sn: Jones
>>>
>>> This leads me to believe I have to open all then restrict. I would
>>> rather have it closed and then open up as needed.
>>>
>>> I just did another test. In slapd.conf I have:
>>>
>>> access to *
>>> by * read
>>>
>>> access to *
>>> by * none
>>>
>>> I would think this would turn everything on then everything off, yet
>>> when I do a ldapsearch, I can see ALL attributes of who I look at.
>>> If I try it with no access line, then the default takes over that gives
>>> read access to anonymous.
>>>
>>> My main question is the one at the beginning, why if I have one access
>>> line of:
>>>
>>> access to attr=sn by * read
>>>
>>> not appear not to work?
>>>
>>> Thanks!
>>> Cheers,
>>> Douglas
>>
>
>
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html