[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access control

To: openldap-software@OpenLDAP.org
Subject: Re: access control
From: Dmitriy Kirhlarov <dkirhlarov@oilspace.com>
Date: Thu, 22 Jun 2006 17:47:30 +0400
Content-disposition: inline
In-reply-to: <Pine.SOL.4.58.0606211145220.7470@toolbox.rutgers.edu>
References: <20060621141003.GC754@dimma.mow.oilspace.com> <Pine.SOL.4.58.0606211145220.7470@toolbox.rutgers.edu>
User-agent: mutt-ng/devel-r581 (FreeBSD)

On Wed, Jun 21, 2006 at 11:59:39AM -0400, Aaron Richton wrote:
> Perhaps "slapd -d acl" would be good?

It's miracle. :(
I can't repeate this situation on another server.

My config:
# access to auth fields.
access to
        dn.regex="^(.+)o=oil([^,]+)$"
        attrs=userPassword,sambaLMPassword,sambaNTPassword
        by anonymous auth
        by self write
        by dn.exact,expand="uid=ldap-sync,ou=virtusers,o=oil$2" read
        by dn.exact,expand="uid=fbsd-samba-admin,ou=virtusers,o=oil$2"
read
        by * none

# access to information fields
access to
        dn.regex="^(.+)o=oil([^,]+)$"
        attrs=@inetOrgPerson,cn
        by self write
        by group/groupOfUniqueNames/uniqueMember.expand="cn=Users Editors,ou=groups,o=oil$2" write
        by users read

access to * by * read

My search command:
ldapsearch -LLLZxH ldap://ldap1.oilspace.com -b ou=users,o=oilspace -s one uid=dkirhlarov

My server log:
Jun 22 14:42:13 los02 slapd[4390]: => access_allowed: search access to "uid=dkirhlarov,ou=users,o=oilspace" "uid" requested 
Jun 22 14:42:13 los02 slapd[4390]: => dnpat: [1] ^(.+)o=oil([^,]+)$ nsub: 2 
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [1] matched 
Jun 22 14:42:13 los02 slapd[4390]: => dnpat: [2] ^(.+)o=oil([^,]+)$ nsub: 2 
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [2] matched 
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [2] attr uid 
Jun 22 14:42:13 los02 slapd[4390]: => acl_mask: access to entry "uid=dkirhlarov,ou=users,o=oilspace", attr "uid" requested 
Jun 22 14:42:13 los02 slapd[4390]: => acl_mask: to value by "", (=0)  
Jun 22 14:42:13 los02 slapd[4390]: <= check a_dn_pat: self 
Jun 22 14:42:13 los02 slapd[4390]: <= check a_dn_pat: users 
Jun 22 14:42:13 los02 slapd[4390]: <= acl_mask: no more <who> clauses, returning =0 (stop) 
Jun 22 14:42:13 los02 slapd[4390]: => access_allowed: search access denied by =0 

When I disabling "access to information fields" ruleset -- all work
fine.

Help!!!

WBR
-- 
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.203 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com

Follow-Ups:
- Re: access control
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

References:
- access control
  - From: Dmitriy Kirhlarov <dkirhlarov@oilspace.com>
- Re: access control
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

Prev by Date: RE: Configuring Password Policy - Control not working
Next by Date: Re: use of the domain acl control
Index(es):
- Chronological
- Thread