[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: slapd.conf - acl question



Hi,

Thanks, I just tried this and got:

with -b ""

# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

and with -b dc=gpc,dc=edu

# extended LDIF
#
# LDAPv3
# base <dc=gpc,dc=edu> with scope base
# filter: (objectclass=*)
# requesting: ALL
#

# gpc.edu
dn: dc=gpc,dc=edu
objectClass: dcObject
objectClass: organization
dc: gpc
o: Georgia Perimeter College
description: ldif for GPC

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

You mentioned I need search access. From my interpretation of the logs
(see below) I had that, just not read. Am I interpreting them wrong?

Thanks,
Cheers,
Douglas

-----Original Message-----
From: Greg Matthews [mailto:gmatt@nerc.ac.uk]
Sent: Thursday, September 18, 2003 4:43 AM
To: Douglas B. Jones
Cc: OpenLDAP-software@OpenLDAP.org
Subject: RE: slapd.conf - acl question


ok but you probably need at least search access to the base of the tree.
Try one or both of these:

# allows access to rootDSE (capabilities of server)
access to dn=""
 by peername=127.0.0.1 read
 by peername=a.b.c.* read
 by any other restriction you want here
 by * none

# allows access to the base dn
access to dn.base="dc=gpc,dc=edu"
 by peername=127.0.0.1 read
 by peername=a.b.c.* read
 by any other restriction you want here
 by * none

to see what these are, allow read access to everything and perform the
following searches:

ldapsearch [-xZ] -H ldap://<your host>/ -b "" -s base
ldapsearch [-xZ] -H ldap://<your host>/ -b <your base> -s base

where a.b.c.* is your ip domain. note this is read access but search
*may* be enough. Ethereal is very useful for discovering exactly what
your client is asking.

hth

GREG

On Wed, 2003-09-17 at 20:32, Douglas B. Jones wrote:
> Hi,
> 
> Ok, I did:
> 
> access to dn.base="uid=douglas,dc=gpc,dc=edu"
>         attrs=uid,sn
>         by self write
>         by * read
> 
> but no luck. All I am trying to do is set up the most basic
> access to be able to read one or two attributes and then once
> that works to build from there....But, I do not want 'read *'.
> 
> Thanks,
> Cheers,
> Douglas
> 
> -----Original Message-----
> From: Greg Matthews [mailto:gmatt@nerc.ac.uk]
> Sent: Wednesday, September 17, 2003 10:56 AM
> To: Douglas B. Jones
> Cc: OpenLDAP-software@OpenLDAP.org
> Subject: RE: slapd.conf - acl question
> 
> 
> On Wed, 2003-09-17 at 13:53, Douglas B. Jones wrote:
> 
> > 
> > access to attrs=uid,sn
> >         by self write
> >         by users read
> >         by anonymous read
> 
> I think you have to allow access to the entry that contains these
> attributes...
> 
> > 
> > If I do a 'ldapsearch -LLL '(uid=douglas)' sn', I get nothing back
> > with an exit status of 0. Here is the log file with loglevel set at
> > 128 (minus the date pid stamp):
> > 
> > => access_allowed: search access to "uid=douglas,dc=gpc,dc=edu" "sn"
> > requested
> > => acl_get: [1] check attr sn
> > <= acl_get: [1] acl uid=douglas,dc=gpc,dc=edu attr: sn
> > => acl_mask: access to entry "uid=douglas,dc=gpc,dc=edu", attr "sn"
> > requested
> > => acl_mask: to value by "", (=n)
> > <= check a_dn_pat: self
> > <= check a_dn_pat: users
> > <= check a_dn_pat: anonymous
> > <= acl_mask: [3] applying read(=rscx) (stop)
> > <= acl_mask: [3] mask: read(=rscx)
> > => access_allowed: search access granted by read(=rscx)
> > => access_allowed: read access to "uid=douglas,dc=gpc,dc=edu" "entry"
> > requested
> > => acl_get: [1] check attr entry
> > <= acl_get: done.
> > => access_allowed: no more rules send_search_entry: access to entry not
> > allowed
> 
> the server has allowed you to search for that attribute but has no
> access directives to allow you to read the entry. (as I understand it).
> 
> this might be what you want:
> access to dn.base="uid=douglas,dc=gpc,dc=edu" attrs=uid,sn
>  by self write
>  by * read
> 
> The man pages in the latest versions of openldap (ie not the redhat
> 2.0.x version) are pretty good - slapd.access(5). You need to apply a
> number of ACLs before you get good access control. I currently have 10
> access directives on a simple authentication server.
> 
> GREG
-- 
Greg Matthews
iTSS Wallingford	01491 692445