RE: slapd.conf - acl question
On Wed, 2003-09-17 at 13:53, Douglas B. Jones wrote:
>
> access to attrs=uid,sn
> by self write
> by users read
> by anonymous read
I think you have to allow access to the entry that contains these
attributes...
>
> If I do a 'ldapsearch -LLL '(uid=douglas)' sn', I get nothing back
> with an exit status of 0. Here is the log file with loglevel set at
> 128 (minus the date pid stamp):
>
> => access_allowed: search access to "uid=douglas,dc=gpc,dc=edu" "sn"
> requested
> => acl_get: [1] check attr sn
> <= acl_get: [1] acl uid=douglas,dc=gpc,dc=edu attr: sn
> => acl_mask: access to entry "uid=douglas,dc=gpc,dc=edu", attr "sn"
> requested
> => acl_mask: to value by "", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: users
> <= check a_dn_pat: anonymous
> <= acl_mask: [3] applying read(=rscx) (stop)
> <= acl_mask: [3] mask: read(=rscx)
> => access_allowed: search access granted by read(=rscx)
> => access_allowed: read access to "uid=douglas,dc=gpc,dc=edu" "entry"
> requested
> => acl_get: [1] check attr entry
> <= acl_get: done.
> => access_allowed: no more rules send_search_entry: access to entry not
> allowed
The server has allowed you to search for that attribute but has no
access directives to allow you to read the entry (as I understand it).
This might be what you want:
access to dn.base="uid=douglas,dc=gpc,dc=edu" attrs=uid,sn
by self write
by * read
The man pages in the latest versions of OpenLDAP (i.e. not the Red Hat
2.0.x version) are pretty good - slapd.access(5). You need to apply a
number of ACLs before you get good access control. I currently have 10
access directives on a simple authentication server.
GREG
--
Greg Matthews
iTSS Wallingford 01491 692445
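Added example, not code from the thread or from OpenLDAP: a small Python helper that pairs each request in a loglevel 128 ACL trace with its outcome, plus a static check of slapd.conf access lines for exactly the situation above, where named attributes are granted but no clause covers the "entry" pseudo-attribute that slapd.access(5) requires before an entry can be returned. The trace below is the one quoted in the thread, re-joined onto single lines; the check is an approximation that ignores which dn clause matches.

```python
import re

# Constructed sample: the loglevel 128 trace quoted above, one record per line.
TRACE = """\
=> access_allowed: search access to "uid=douglas,dc=gpc,dc=edu" "sn" requested
=> acl_get: [1] check attr sn
<= acl_mask: [3] applying read(=rscx) (stop)
=> access_allowed: search access granted by read(=rscx)
=> access_allowed: read access to "uid=douglas,dc=gpc,dc=edu" "entry" requested
=> acl_get: [1] check attr entry
<= acl_get: done.
=> access_allowed: no more rules send_search_entry: access to entry not allowed
"""

REQ = re.compile(r'^=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
GRANT = re.compile(r'^=> access_allowed: \w+ access granted by (\S+)')
NORULE = re.compile(r'^=> access_allowed: no more rules')
ATTRS = re.compile(r'\battrs=([\w,]+)')


def audit_trace(text):
    """Pair every ACL request in the trace with its outcome.
    Returns (access, dn, attr, outcome) tuples in log order."""
    results, pending = [], None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:                      # a new request: remember it until it resolves
            pending = m.groups()
            continue
        if pending is None:
            continue
        m = GRANT.match(line)
        if m:
            results.append(pending + ("granted:" + m.group(1),))
            pending = None
        elif NORULE.match(line):   # ran off the end of the ACL list: implicit deny
            results.append(pending + ("denied:no matching rule",))
            pending = None
    return results


def entry_uncovered(acl_lines):
    """True when every 'access to' clause names specific attrs and none of
    them includes 'entry'; a clause with no attrs= restriction covers it."""
    covers_entry = False
    for line in acl_lines:
        if not line.lstrip().startswith("access to"):
            continue
        m = ATTRS.search(line)
        if m is None or "entry" in m.group(1).split(","):
            covers_entry = True
    return not covers_entry
```

Running `audit_trace(TRACE)` shows the `sn` request granted and the `entry` request denied for lack of a matching rule, and `entry_uncovered(["access to attrs=uid,sn", ...])` flags the original configuration while `attrs=uid,sn,entry` passes.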