
RE: slapd.conf - acl question
Hi,

Ok, I did:

access to dn.base="uid=douglas,dc=gpc,dc=edu"
        attrs=uid,sn
        by self write
        by * read

but no luck. All I am trying to do is set up the most basic
access to be able to read one or two attributes and then, once
that works, to build from there.... But I do not want 'read *'.

Thanks,
Cheers,
Douglas

-----Original Message-----
From: Greg Matthews [mailto:gmatt@nerc.ac.uk]
Sent: Wednesday, September 17, 2003 10:56 AM
To: Douglas B. Jones
Cc: OpenLDAP-software@OpenLDAP.org
Subject: RE: slapd.conf - acl question
On Wed, 2003-09-17 at 13:53, Douglas B. Jones wrote:

> 
> access to attrs=uid,sn
>         by self write
>         by users read
>         by anonymous read

I think you have to allow access to the entry that contains these
attributes...

> 
> If I do a 'ldapsearch -LLL '(uid=douglas)' sn', I get nothing back
> with an exit status of 0. Here is the log file with loglevel set at
> 128 (minus the date pid stamp):
> 
> => access_allowed: search access to "uid=douglas,dc=gpc,dc=edu" "sn"
> requested
> => acl_get: [1] check attr sn
> <= acl_get: [1] acl uid=douglas,dc=gpc,dc=edu attr: sn
> => acl_mask: access to entry "uid=douglas,dc=gpc,dc=edu", attr "sn"
> requested
> => acl_mask: to value by "", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: users
> <= check a_dn_pat: anonymous
> <= acl_mask: [3] applying read(=rscx) (stop)
> <= acl_mask: [3] mask: read(=rscx)
> => access_allowed: search access granted by read(=rscx)
> => access_allowed: read access to "uid=douglas,dc=gpc,dc=edu" "entry"
> requested
> => acl_get: [1] check attr entry
> <= acl_get: done.
> => access_allowed: no more rules send_search_entry: access to entry not
> allowed

The server has allowed you to search for that attribute but has no
access directives to allow you to read the entry (as I understand it).

This might be what you want:
access to dn.base="uid=douglas,dc=gpc,dc=edu" attrs=uid,sn
 by self write
 by * read

The man pages in the latest versions of OpenLDAP (i.e. not the Red Hat
2.0.x version) are pretty good - slapd.access(5). You need to apply a
number of ACLs before you get good access control. I currently have 10
access directives on a simple authentication server.

GREG
-- 
Greg Matthews
iTSS Wallingford	01491 692445
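An added example, written by the editor and not taken from either mail above, showing why the posted directive still returns nothing and one way to fix it: slapd only returns an entry when the requester also has read access to the `entry` pseudo-attribute, which is exactly what the log's "check attr entry ... no more rules" lines are testing. Splitting the fix into two directives is an assumption made here for least privilege, not something either poster wrote.

```conf
# Directive as posted in the thread: grants read on uid and sn only.
# Once any "access to" directive exists, a request that matches no rule
# is denied, so the "entry" check in the log falls through and the entry
# is never returned even though its attributes are readable.
access to dn.base="uid=douglas,dc=gpc,dc=edu"
        attrs=uid,sn
        by self write
        by * read

# Corrected version (assumed). The first directive grants read on the
# "entry" pseudo-attribute, which slapd checks before returning the
# entry at all (read implies search, hence "read(=rscx)" in the log).
# It is kept separate from the attribute rule so that "by self write"
# covers only uid and sn, not the entry itself: write on "entry" is part
# of what slapd requires for deleting or renaming the entry.
# Directives are tried in order and the first "by" clause that matches
# is applied ("(stop)" in the log), so keep these ahead of broader rules.
access to dn.base="uid=douglas,dc=gpc,dc=edu"
        attrs=entry
        by * read

access to dn.base="uid=douglas,dc=gpc,dc=edu"
        attrs=uid,sn
        by self write
        by * read
```

Re-running the ldapsearch from the thread with loglevel 128 should then show the read request for "entry" being granted instead of ending in "no more rules".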