[Date Prev][Date Next] [Chronological] [Thread] [Top]

Referral ACL question

To: OpenLDAP-software@OpenLDAP.org
Subject: Referral ACL question
From: Steve Sullivan <sullivan@mathcom.com>
Date: Mon, 1 Dec 2003 08:48:13 -0700 (MST)

Hi,

We're setting up a distributed OpenLDAP service, with a "local"
root server and a "remote" server for a subtree, but I'm having
trouble with the ACLs.

It all works fine when both ACLs have:
    access to * by * read

But if I use something more reasonable, like:
    access to *
        by users read
        by anonymous auth

then searches for the remote subtree fail (no error msg, just no results).
What am I doing wrong here?

The ldapsearch command I'm using is:

ldapsearch -C -P 3 -x -LLL -S "" -b 'dc=alaska,ou=remotes,dc=dlese,dc=org' \
  -H 'ldap://localhost:3890' -D 'cn=mainAdmin,ou=people,dc=dlese,dc=org' \
  -w xxx -s sub '(cn=alaskaAdmin)' '*' '+'

This same search command does find the matching entry when
I send it directly to the remote server.

Looking at the debug log on the remote server, it appears that ldapsearch -C
isn't presenting any credentials to the remote server ...

    ...
    ber_scanf fmt (m}) ber:
    >>> dnPrettyNormal: <>
    <<< dnPrettyNormal: <>, <>
    do_bind: version=3 dn="" method=128
    send_ldap_result: conn=0 op=0 p=3
    send_ldap_response: msgid=4 tag=97 err=0
    ber_flush: 14 bytes to sd 7
    do_bind: v3 anonymous bind
    ...

What am I doing wrong here?  Any hints much appreciated!


Steve

-- 

========================================
Steve Sullivan    sullivan@mathcom.com

   Mathcom Solutions Inc.: Custom Software Development.
    * Mathematical optimization, simulation, and modeling.
    * Data mining, information retrieval.
    * Java, XML, C++, Mathematica, Matlab, XSLT, XQuery, SOAP, RMI, ...

http://www.mathcom.com    303-494-7115
========================================

Prev by Date: Re: Unable to add the user
Next by Date: 'quote-insensitive' search
Index(es):
- Chronological
- Thread