
Re: Problem: connection retrieves no attributes



Rafa wrote:
Hi. I have a problem connecting to my ldap service.
I have a subtree that represents applications and its users, and these users have their userPassword attribute. When I try to connect for authentication I succeed connecting, but I can't read any attribute. If I want this, I have to connect as rootdn.


For example:

base_dn: (user_dn)
auth.: simple
user_dn: (user_dn)
password: (user password)

This connects, but returns no attributes.
Same as anonymous user.


As rootdn:

base_dn: (user_dn)
auth.: simple
user_dn: (root_dn)
password: (root password)

This connects, and returns everything.


My slapd.conf has only these access constraints

defaultaccess read
access to attr=userpassword
   by self write
   by dn=<root dn> write
   by * compare


I think I'm being always connected as an anonymous user.
OpenLDAP bug? Did I miss anything (most probable)? What do I have to change in my slapd.conf?

Yes, if I recall, defaultaccess only applies if *NO* access directives are used. However, defaultaccess isn't even listed in my version of the slapd.conf(5)/slapd.access(5) man pages. Rather than use something that may or may not work, try this instead of the above.


access to attr=userPassword
	by self write
	by dn=<root dn> write
	by * auth

access to *
	by dn=<root dn> write
	by * read

Also realize that access directives are processed in the order seen. So if you have the second before the first everyone would see the userPassword.

If you want to make the userPassword a little more secure, explicitly allow only write and auth with the following:

access to attr=userPassword
	by self =wx
	by dn=<root dn> write
	by * auth

access to *
	by dn=<root dn> write
	by * read

Note that whatever is listed in the rootdn will have write access regardless of the access directives.

If you haven't, you might take a closer look at the slapd.conf(5) and slapd.access(5) man pages or documentation. Additionally, the list archives or FAQ-O-Matic should have a lot of discussion on this topic.

Help! Help! Heeeelp...! :~(

FWIW, you haven't said which version you are using or even what platform. I'll guess a recent version.


Cheers,
Johnny
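The following is an added example, not part of the thread above and not OpenLDAP code: a small Python model of how slapd evaluates access directives, written to show why Rafa's single directive leaves every other attribute unreadable, why the order of Johnny's two directives matters, and what `=wx` grants compared with `write`. It assumes the rules described in slapd.access(5): cumulative levels none < disclose < auth < compare < search < read < write < manage, the `=` form granting exactly the listed privilege letters, first matching `access to` clause wins and within it the first matching `by` wins, an implicit deny when nothing matches, the rootdn bypassing ACLs, and a simple bind being checked as the anonymous identity needing `auth` on userPassword. The DNs are constructed placeholders standing in for the thread's `<root dn>` and user DN.

```python
"""Model of slapd.access(5) first-match ACL evaluation (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Optional

# Cumulative access levels from slapd.access(5); each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Single-letter privileges used with the "=" form, e.g. "=wx" (w=write, x=auth).
PRIV_LETTERS = {"0": "none", "d": "disclose", "x": "auth", "c": "compare",
                "s": "search", "r": "read", "w": "write", "m": "manage"}


def privileges(spec: str) -> set:
    """Expand an access spec ("read", "write", "=wx", ...) into the privileges it grants."""
    if spec.startswith("="):
        # Exact form: only the listed letters, nothing implied (so "=wx" carries no read).
        return {PRIV_LETTERS[ch] for ch in spec[1:]} - {"none"}
    # Level form: the level itself plus every lower level.
    return set(LEVELS[1:LEVELS.index(spec) + 1])


@dataclass
class Clause:
    attr: Optional[str]   # attribute name, or None for "access to *"
    by: list              # ordered list of (who, access spec) pairs


def who_matches(who: str, subject: Optional[str], entry_dn: str) -> bool:
    """Match a "by" subject: *, self, anonymous, users, or dn=<exact DN>. subject None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "users":
        return subject is not None
    if who == "self":
        return subject is not None and subject.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return subject is not None and subject.lower() == who[3:].lower()
    raise ValueError(f"unsupported who clause: {who}")


def access(acl, subject, entry_dn, attr, rootdn) -> set:
    """Privileges `subject` has on `attr` of `entry_dn` under the ordered directives `acl`."""
    if subject is not None and subject.lower() == rootdn.lower():
        return privileges("manage")             # rootdn is never subject to ACLs
    for clause in acl:
        if clause.attr is None or clause.attr.lower() == attr.lower():
            for who, spec in clause.by:
                if who_matches(who, subject, entry_dn):
                    return privileges(spec)     # first matching "by" clause wins
            return set()                        # target matched, no "by" matched: deny
    return set()                                # no directive matched: implicit deny


def can_bind(acl, entry_dn, rootdn) -> bool:
    """Simple bind: the password check runs as anonymous and needs "auth" on userPassword."""
    return "auth" in access(acl, None, entry_dn, "userPassword", rootdn)


def can_read(acl, subject, entry_dn, attr, rootdn) -> bool:
    return "read" in access(acl, subject, entry_dn, attr, rootdn)


def can_compare(acl, subject, entry_dn, attr, rootdn) -> bool:
    return "compare" in access(acl, subject, entry_dn, attr, rootdn)


# Constructed placeholder DNs (the thread only shows <root dn> and (user_dn)).
ROOTDN = "cn=Manager,dc=example,dc=com"
RAFA = "uid=rafa,ou=app1,dc=example,dc=com"

# Rafa's slapd.conf: one directive, so every attribute other than userPassword falls through to deny.
ORIGINAL = [Clause("userPassword", [("self", "write"), (f"dn={ROOTDN}", "write"), ("*", "compare")])]

# Johnny's second suggestion, in the order he gives it.
FIXED = [
    Clause("userPassword", [("self", "=wx"), (f"dn={ROOTDN}", "write"), ("*", "auth")]),
    Clause(None, [(f"dn={ROOTDN}", "write"), ("*", "read")]),
]

# The same two directives swapped: the catch-all now matches userPassword first.
MISORDERED = list(reversed(FIXED))


def summarize(acl) -> dict:
    """The checks that matter in the thread, evaluated against one ACL."""
    return {
        "user_can_bind": can_bind(acl, RAFA, ROOTDN),
        "user_reads_own_cn": can_read(acl, RAFA, RAFA, "cn", ROOTDN),
        "user_reads_own_password": can_read(acl, RAFA, RAFA, "userPassword", ROOTDN),
        "anon_reads_password": can_read(acl, None, RAFA, "userPassword", ROOTDN),
        "anon_compares_password": can_compare(acl, None, RAFA, "userPassword", ROOTDN),
        "rootdn_reads_cn": can_read(acl, ROOTDN, RAFA, "cn", ROOTDN),
    }


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL), ("fixed", FIXED), ("misordered", MISORDERED)]:
        print(name, summarize(acl))
```

Run it and the `original` row reproduces the symptom from the first message: the bind succeeds (compare implies auth) but the bound user cannot read even `cn`, because no directive covers it. The `fixed` row reads everything except userPassword, which `=wx` deliberately leaves unreadable even to the owner, and anonymous clients can authenticate but no longer compare against it. The `misordered` row shows what the reply warns about: with `access to *` first, `by * read` also covers userPassword.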