Re: access control
On Wed, Jun 21, 2006 at 11:59:39AM -0400, Aaron Richton wrote:
> Perhaps "slapd -d acl" would be good?
It's a miracle. :(
I can't repeat this situation on another server.
My config:
# access to auth fields.
access to
        dn.regex="^(.+)o=oil([^,]+)$"
        attrs=userPassword,sambaLMPassword,sambaNTPassword
        by anonymous auth
        by self write
        by dn.exact,expand="uid=ldap-sync,ou=virtusers,o=oil$2" read
        by dn.exact,expand="uid=fbsd-samba-admin,ou=virtusers,o=oil$2" read
        by * none
# access to information fields
access to
        dn.regex="^(.+)o=oil([^,]+)$"
        attrs=@inetOrgPerson,cn
        by self write
        by group/groupOfUniqueNames/uniqueMember.expand="cn=Users Editors,ou=groups,o=oil$2" write
        by users read
access to * by * read
My search command:
ldapsearch -LLLZxH ldap://ldap1.oilspace.com -b ou=users,o=oilspace -s one uid=dkirhlarov
My server log:
Jun 22 14:42:13 los02 slapd[4390]: => access_allowed: search access to "uid=dkirhlarov,ou=users,o=oilspace" "uid" requested
Jun 22 14:42:13 los02 slapd[4390]: => dnpat: [1] ^(.+)o=oil([^,]+)$ nsub: 2
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [1] matched
Jun 22 14:42:13 los02 slapd[4390]: => dnpat: [2] ^(.+)o=oil([^,]+)$ nsub: 2
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [2] matched
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [2] attr uid
Jun 22 14:42:13 los02 slapd[4390]: => acl_mask: access to entry "uid=dkirhlarov,ou=users,o=oilspace", attr "uid" requested
Jun 22 14:42:13 los02 slapd[4390]: => acl_mask: to value by "", (=0)
Jun 22 14:42:13 los02 slapd[4390]: <= check a_dn_pat: self
Jun 22 14:42:13 los02 slapd[4390]: <= check a_dn_pat: users
Jun 22 14:42:13 los02 slapd[4390]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Jun 22 14:42:13 los02 slapd[4390]: => access_allowed: search access denied by =0
When I disable the "access to information fields" ruleset, everything works
fine.
Help!!!
WBR
--
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.203 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com
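The log above records slapd walking the posted ACLs for an anonymous search (ldapsearch -x with no -D binds as ""), matching the second "access to" on attr uid, finding no "by" clause that applies to an anonymous identity, and falling through to the implicit "by * none". The following is an added illustration, not part of the original post and not slapd's own code: a small Python model of slapd's first-match ACL evaluation, loaded with the three rules exactly as posted. Assumptions are marked in the code: "@inetOrgPerson" is expanded to only a handful of its attributes, the group clause is reduced to a constructed membership table, and ACLS_WITH_ANON_SEARCH is a hypothetical variant with "by anonymous search" appended to the second rule, included to show what such a change would grant, not as a recommendation from the list.

```python
"""Toy model of how slapd evaluates the ACLs posted above.  Rules are tried
in order; the first "access to" whose <what> matches the entry and attribute
wins; inside it the first matching "by" clause decides; with no match slapd
falls through to "by * none".  Added illustration, not slapd's own code."""
import copy
import re

# slapd privilege levels, lowest to highest.  Evaluating a search filter
# against an attribute needs at least "search".
LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6}

# Assumption: partial stand-in for "@inetOrgPerson" (slapd expands it to every
# attribute the object class allows; only a few are needed here).
OBJECTCLASS_ATTRS = {"inetOrgPerson": {"cn", "sn", "uid", "mail", "givenName"}}

# Constructed membership for the group/groupOfUniqueNames clause.
GROUPS = {"cn=Users Editors,ou=groups,o=oilspace": {"uid=editor,ou=users,o=oilspace"}}

TARGET = "uid=dkirhlarov,ou=users,o=oilspace"   # entry from the posted log

# The three "access to" rules from the posted slapd.conf, transcribed.
ACLS = [
    {"dn.regex": r"^(.+)o=oil([^,]+)$",
     "attrs": ["userPassword", "sambaLMPassword", "sambaNTPassword"],
     "by": [{"who": "anonymous", "access": "auth"},
            {"who": "self", "access": "write"},
            {"who": "dn.exact,expand", "access": "read",
             "dn": "uid=ldap-sync,ou=virtusers,o=oil$2"},
            {"who": "dn.exact,expand", "access": "read",
             "dn": "uid=fbsd-samba-admin,ou=virtusers,o=oil$2"},
            {"who": "*", "access": "none"}]},
    {"dn.regex": r"^(.+)o=oil([^,]+)$",
     "attrs": ["@inetOrgPerson", "cn"],
     "by": [{"who": "self", "access": "write"},
            {"who": "group.expand", "access": "write",
             "dn": "cn=Users Editors,ou=groups,o=oil$2"},
            {"who": "users", "access": "read"}]},
    # "access to * by * read": an empty regex matches every DN.
    {"dn.regex": "", "attrs": None, "by": [{"who": "*", "access": "read"}]},
]

# Hypothetical variant: the second rule with "by anonymous search" appended.
ACLS_WITH_ANON_SEARCH = copy.deepcopy(ACLS)
ACLS_WITH_ANON_SEARCH[1]["by"].append({"who": "anonymous", "access": "search"})


def expand_attrs(spec):
    """Expand an attrs= list; "@class" stands for that class's attributes."""
    out = set()
    for a in spec:
        out |= OBJECTCLASS_ATTRS[a[1:]] if a.startswith("@") else {a}
    return out


def expand(pattern, match):
    """Replace $1, $2, ... with the groups captured by the dn.regex."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), pattern)


def who_matches(who, bound_dn, target_dn, match):
    """Does one "by <who>" clause apply to this bound identity?"""
    kind = who["who"]
    if kind == "*":
        return True
    if kind == "anonymous":            # empty bind DN, e.g. ldapsearch -x
        return bound_dn == ""
    if kind == "users":                # any authenticated identity
        return bound_dn != ""
    if kind == "self":
        return bound_dn != "" and bound_dn == target_dn
    if kind == "dn.exact,expand":
        return bound_dn == expand(who["dn"], match)
    if kind == "group.expand":         # membership lookup only (assumption)
        return bound_dn in GROUPS.get(expand(who["dn"], match), set())
    raise ValueError(f"unknown who clause: {kind}")


def access_allowed(acls, op, bound_dn, target_dn, attr):
    """Return (allowed, trace); the trace mirrors what 'slapd -d acl' logs."""
    trace = []
    for i, acl in enumerate(acls, 1):
        m = re.search(acl["dn.regex"], target_dn)
        if not m or (acl["attrs"] is not None
                     and attr not in expand_attrs(acl["attrs"])):
            continue
        trace.append(f"acl_get: [{i}] matched, attr {attr}")
        for who in acl["by"]:
            if who_matches(who, bound_dn, target_dn, m):
                trace.append(f"acl_mask: by {who['who']} grants {who['access']}")
                return LEVELS[who["access"]] >= LEVELS[op], trace
        trace.append("acl_mask: no more <who> clauses, returning none")
        return False, trace
    return False, trace


def search_allowed(bound_dn, attr="uid", acls=ACLS):
    """Can this identity evaluate a filter on `attr` of the posted entry?"""
    return access_allowed(acls, "search", bound_dn, TARGET, attr)[0]


if __name__ == "__main__":
    for line in access_allowed(ACLS, "search", "", TARGET, "uid")[1]:
        print(line)
```

Running the anonymous case reproduces the shape of the posted log: rule [2] matches uid through @inetOrgPerson, none of self/group/users apply to "", and the result is none, so the filter uid=dkirhlarov cannot be evaluated. The same model shows that binding as the entry itself (self write), as any other user (users read) or as a member of the constructed editors group gets search on uid, and that anonymous still only gets auth on userPassword under the first rule, which is enough for a bind but not for a search. The hypothetical ACLS_WITH_ANON_SEARCH makes the unauthenticated ldapsearch succeed, but note what it gives away: anonymous clients could then probe every inetOrgPerson attribute with equality or substring filters even without read, so binding with -D and a password is the smaller change. Checking both variants in a model like this before editing the live slapd.conf is cheaper than another round of slapd -d acl.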