
Re: ACL to permit access to some attributes



Quanah Gibson-Mount wrote:
> 
> > line 57 (access to dn.base=""  by * read break)
> > Global ACL: access to *
> >         by * read(=rscx) break
> >
> > line 60 (access to dn.base="cn=Subschema"  by * read break)
> > Global ACL: access to dn.base=cn=subschema
> >         by * read(=rscx) break
> >
> > line 63 (access to dn.children="dc=fadesa,dc=es" attrs=mail        by *
> > read) Global ACL: access to dn.children=dc=fadesa,dc=es
> >  attrs=mail
> >         by * read(=rscx)
> 
> You have some type of invalid spacing in your ACL file.  Look at how it
> shows attrs=mail                by * read
> 
> Compare that to how your other debugging output looks.

Good suggestion, thanks.

However, I have removed all _cosmetic_ space characters
(see cat output), and searches always return empty
responses.

It would be a very simple ACL, but I'm unable
to understand this slapd (v2.1.29) behaviour.

Any other ideas?

	/------/

# cat -A slapd.conf
.
.
# Sample access control policy:$
#^IRoot DSE: allow anyone to read it$
#^ISubschema (sub)entry DSE: allow anyone to read it$
#^IOther DSEs:$
#^I^IAllow self write access$
#^I^IAllow authenticated users read access$
#^I^IAllow anonymous users to authenticate$
#^IDirectives needed to implement policy:$
$
access to dn.base="" by * read break$
$
access to dn.base="cn=Subschema" by * read break$
$
access to dn.children="dc=fadesa,dc=es" attrs=mail by * read$
$
# if no access controls are present, the default policy is:$
#^IAllow read by all$
#$
# rootdn can always write!$
.
.

	/------/

# /usr/local/libexec/slapd -4 -h ldap:// -d 224
.
.
Global ACL: access to *
        by * read(=rscx) break

line 58 (access to dn.base="cn=Subschema" by * read break)
Global ACL: access to dn.base=cn=subschema
        by * read(=rscx) break

line 60 (access to dn.children="dc=fadesa,dc=es" attrs=mail by * read)
Global ACL: access to dn.children=dc=fadesa,dc=es
 attrs=mail
        by * read(=rscx)

line 89 (database bdb)
.
.
=> test_filter
    PRESENT
=> access_allowed: search access to "uid=00010,dc=fadesa,dc=es" "objectClass" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr objectClass
<= acl_get: done.
=> access_allowed: no more rules
<= test_filter 50


	/------/

# ldapsearch -x  -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" mail
# extended LDIF
#
# LDAPv3
# base <dc=fadesa,dc=es> with scope sub
# filter: (objectclass=*)
# requesting: mail
#

# search result
search: 2
result: 0 Success

# numResponses: 1

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
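The -d 224 trace above shows the request for search access to objectClass (needed to evaluate the filter (objectclass=*)) matching rule [3] on the DN, failing its attrs=mail check and ending at "no more rules", which is a deny. As an added example, not code from this thread or from OpenLDAP, here is a small Python model of that walk over the posted ACLs and over a variant that also lists objectClass; the record format and the single "by *" level are my own simplifications.

```python
# Simplified model of slapd's global ACL walk for one (entry, attr, access) request.
# Added illustration, not slapd's code: 'by' is reduced to a single 'by *' level and
# the 'entry' pseudo-attribute, database-level ACLs and rootdn are left out.
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def dn_matches(pattern, style, dn):
    """dn.base matches the DN exactly; dn.children matches proper subordinates."""
    pattern, dn = pattern.lower(), dn.lower()
    if style == "base":
        return dn == pattern
    if style == "children":
        return dn != pattern and dn.endswith("," + pattern)
    raise ValueError(f"unsupported dn style {style!r}")

def access_allowed(acls, dn, attr, wanted):
    """Return (granted, trace) mirroring the -d 224 output: the first ACL whose
    target (dn and attrs) matches decides, unless it carries 'break'."""
    granted, trace = "none", []
    for i, acl in enumerate(acls, 1):
        trace.append(f"=> dn: [{i}] {acl['dn']}")
        if not dn_matches(acl["dn"], acl["style"], dn):
            continue
        trace.append(f"=> acl_get: [{i}] matched")
        if acl.get("attrs"):  # attrs=... narrows the target
            trace.append(f"=> acl_get: [{i}] check attr {attr}")
            if attr.lower() not in {a.lower() for a in acl["attrs"]}:
                continue  # target not matched: try the next ACL
        granted = acl["by_all"]  # 'by * <level>'
        if not acl.get("break"):
            break
    else:
        trace.append("=> access_allowed: no more rules")
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(wanted), trace

# The three directives from the posted slapd.conf, as constructed records.
POSTED = [
    {"dn": "", "style": "base", "by_all": "read", "break": True},
    {"dn": "cn=Subschema", "style": "base", "by_all": "read", "break": True},
    {"dn": "dc=fadesa,dc=es", "style": "children", "attrs": ["mail"], "by_all": "read"},
]
# Same policy with the filter attribute objectClass listed too (my assumed fix).
FIXED = POSTED[:2] + [{"dn": "dc=fadesa,dc=es", "style": "children",
                      "attrs": ["objectClass", "mail"], "by_all": "read"}]

def entry_passes_filter(acls, entry_dn="uid=00010,dc=fadesa,dc=es"):
    """(objectclass=*) needs search access to objectClass on every candidate entry."""
    return access_allowed(acls, entry_dn, "objectClass", "search")[0]
```

With the posted rules the entry never gets past test_filter, which is why the result is "Success" with zero entries; with objectClass (and, on releases that have it, the entry pseudo-attribute, see slapd.access(5)) in the attrs list, the same search returns the mail values.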