Re: ACL to permit access to some attributes
- From: "José M. Fandiño" <ldap@fadesa.es>
- Date: Thu, 01 Apr 2004 18:30:07 +0200
- Cc: openldap-software@OpenLDAP.org
- Organization: Inmobiliaria FADESA
- References: <406852D1.17DBB92B@fadesa.es> <2676543445.1080555809@cadabra.stanford.edu> <4069B1E0.3FFC53A@fadesa.es> <2761852313.1080641120@cadabra.stanford.edu> <406AAEA3.8FBFF216@fadesa.es> <65169568.1080726736@cadabra.stanford.edu>
Quanah Gibson-Mount wrote:
>
> > line 57 (access to dn.base="" by * read break)
> > Global ACL: access to *
> > by * read(=rscx) break
> >
> > line 60 (access to dn.base="cn=Subschema" by * read break)
> > Global ACL: access to dn.base=cn=subschema
> > by * read(=rscx) break
> >
> > line 63 (access to dn.children="dc=fadesa,dc=es" attrs=mail by *
> > read) Global ACL: access to dn.children=dc=fadesa,dc=es
> > attrs=mail
> > by * read(=rscx)
>
> You have some type of invalid spacing in your ACL file. Look at how it
> shows attrs=mail by * read
>
> Compare that to how your other debugging output looks.
Good suggestion, thanks.
However I have removed all _cosmetic_ space characters
(see cat output), and searches always return empty
responses.
It would be a very simple ACL, but I'm unable
to understand this slapd (v2.1.29) behaviour.
Any other idea?
/------/
# cat -A slapd.conf
.
.
# Sample access control policy:$
#^IRoot DSE: allow anyone to read it$
#^ISubschema (sub)entry DSE: allow anyone to read it$
#^IOther DSEs:$
#^I^IAllow self write access$
#^I^IAllow authenticated users read access$
#^I^IAllow anonymous users to authenticate$
#^IDirectives needed to implement policy:$
$
access to dn.base="" by * read break$
$
access to dn.base="cn=Subschema" by * read break$
$
access to dn.children="dc=fadesa,dc=es" attrs=mail by * read$
$
# if no access controls are present, the default policy is:$
#^IAllow read by all$
#$
# rootdn can always write!$
.
.
/------/
# /usr/local/libexec/slapd -4 -h ldap:// -d 224
.
.
Global ACL: access to *
by * read(=rscx) break
line 58 (access to dn.base="cn=Subschema" by * read break)
Global ACL: access to dn.base=cn=subschema
by * read(=rscx) break
line 60 (access to dn.children="dc=fadesa,dc=es" attrs=mail by * read)
Global ACL: access to dn.children=dc=fadesa,dc=es
attrs=mail
by * read(=rscx)
line 89 (database bdb)
.
.
=> test_filter
PRESENT
=> access_allowed: search access to "uid=00010,dc=fadesa,dc=es" "objectClass" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr objectClass
<= acl_get: done.
=> access_allowed: no more rules
<= test_filter 50
/------/
# ldapsearch -x -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" mail
# extended LDIF
#
# LDAPv3
# base <dc=fadesa,dc=es> with scope sub
# filter: (objectclass=*)
# requesting: mail
#
# search result
search: 2
result: 0 Success
# numResponses: 1
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
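Added example, not taken from the thread or from any OpenLDAP source: the posted ACL set rewritten so that the search in the trace above can succeed. The trace shows what goes wrong: ldapsearch sends the default filter (objectclass=*), so for every candidate entry slapd asks for search access to objectClass; rule [3] matches the DN but covers only attrs=mail, no later rule exists ("no more rules"), and because at least one access directive is present the fall-through is deny. test_filter then returns 50, which is LDAP_INSUFFICIENT_ACCESS, and the entry is never sent, which is why the result has numResponses: 1 and no entries. The suffix, attribute names and the first two directives are copied from the posted slapd.conf; the comment about the entry pseudo-attribute describes later releases and is an assumption, not something tested on 2.1.29.

```conf
# Added example, not the poster's slapd.conf. Replace the three "access to"
# directives in the posted file with this set; do not keep both, since
# slapd uses the first directive whose target matches.

access to dn.base="" by * read break

access to dn.base="cn=Subschema" by * read break

# The filter (objectclass=*) needs *search* access to objectClass on each
# entry under the suffix.  Without this directive the only rule that
# matches these DNs is the attrs=mail one, and the attribute check fails,
# so slapd reaches "no more rules" and denies the filter test.
access to dn.children="dc=fadesa,dc=es" attrs=objectClass
        by * search

# What the poster wanted: mail is readable, nothing else is named, so the
# implicit final "by * none" still hides uid, cn and every other attribute.
# (The search above was anonymous, -x without -D; use "by users read"
# instead of "by * read" if only authenticated clients should see mail.)
access to dn.children="dc=fadesa,dc=es" attrs=mail
        by * read

# Assumption about later releases (2.2 and newer): they additionally check
# the "entry" pseudo-attribute before returning an entry, so there the
# objectClass line would be written attrs=entry,objectClass.
```

Re-run the same ldapsearch with -d 224 after the change and the access_allowed block for objectClass should end in a matched rule with search granted instead of "no more rules"; the mail attribute is then checked separately against the attrs=mail directive.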