
RE: slapd.conf - acl question



On Wed, 2003-09-17 at 13:53, Douglas B. Jones wrote:

> 
> access to attrs=uid,sn
>         by self write
>         by users read
>         by anonymous read

I think you have to allow access to the entry that contains these
attributes...

> 
> If I do a 'ldapsearch -LLL '(uid=douglas)' sn', I get nothing back
> with an exit status of 0. Here is the log file with loglevel set at
> 128 (minus the date pid stamp):
> 
> => access_allowed: search access to "uid=douglas,dc=gpc,dc=edu" "sn"
> requested
> => acl_get: [1] check attr sn
> <= acl_get: [1] acl uid=douglas,dc=gpc,dc=edu attr: sn
> => acl_mask: access to entry "uid=douglas,dc=gpc,dc=edu", attr "sn"
> requested
> => acl_mask: to value by "", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: users
> <= check a_dn_pat: anonymous
> <= acl_mask: [3] applying read(=rscx) (stop)
> <= acl_mask: [3] mask: read(=rscx)
> => access_allowed: search access granted by read(=rscx)
> => access_allowed: read access to "uid=douglas,dc=gpc,dc=edu" "entry"
> requested
> => acl_get: [1] check attr entry
> <= acl_get: done.
> => access_allowed: no more rules
> send_search_entry: access to entry not allowed

The server has allowed you to search for that attribute but has no
access directives to allow you to read the entry (as I understand it).

This might be what you want:
access to dn.base="uid=douglas,dc=gpc,dc=edu" attrs=uid,sn
 by self write
 by * read

The man pages in the latest versions of OpenLDAP (i.e. not the Red Hat
2.0.x version) are pretty good - slapd.access(5). You need to apply a
number of ACLs before you get good access control. I currently have 10
access directives on a simple authentication server.

GREG
-- 
Greg Matthews
iTSS Wallingford	01491 692445
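A fuller slapd.conf ACL set for the situation in this thread, added here as an illustration (not from either poster), assuming the same suffix dc=gpc,dc=edu and the slapd.access(5) rule that an entry is only returned when the requester has read access to its "entry" pseudo-attribute:

```conf
# Added example, not part of the original thread.
# slapd evaluates "access to" directives in order and stops at the first
# one whose target matches; each attribute of the entry is checked on its
# own, including the "entry" pseudo-attribute that must be readable for
# the entry to be sent back to the client at all.

# Before (the ACL quoted above): search on "sn" is granted, but no
# directive ever matches attrs=entry, so slapd reaches "no more rules",
# denies the entry, and ldapsearch returns nothing with exit status 0.
#
# access to attrs=uid,sn
#         by self write
#         by users read
#         by anonymous read

# After: grant the entry pseudo-attribute first, scoped to the subtree
# whose entries are meant to be visible, then keep the attribute rule.
access to dn.subtree="dc=gpc,dc=edu" attrs=entry
        by users read
        by anonymous read

access to dn.subtree="dc=gpc,dc=edu" attrs=uid,sn
        by self write
        by users read
        by anonymous read

# Credentials stay out of reach of anyone but the owner; "auth" lets the
# attribute be used for binding without ever being readable.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Explicit catch-all: once any ACL exists, unmatched access is denied
# anyway, but stating it keeps the policy readable and stops a later
# directive from silently widening it.
access to *
        by * none
```

After changing the directives, rerun the same ldapsearch with loglevel 128 and confirm the log now shows the "entry" check ending in "read access granted" rather than "no more rules".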