On Tue, Jan 23, 2007 at 04:31:56PM +0100, Julien Oix wrote:
> hi everyone,
>
> I made a previous post, but no one answered, so I try again :)
>
> I'm trying to deploy a meta directory using the OpenLdap meta backend.
>
> I'm using the slapd Etch Debian package, version 2.3.27-1
>
> when my target server includes the next ACL, everything is fine, I can
> retrieve any data by the meta directory using ldapsearch, it works fine
>
> ##
>
> access to attrs=userPassword
>     by dn="cn=admin,dc=toto,dc=fr" write
>     by anonymous auth
>     by self write
>     by * none
>
> and
>
> access to *
>     by dn="cn=admin,dc=toto,dc=fr" write
>     by * read
>
> ##
>
> but I want only authenticated connections (no anonymous bind, if I'm
> right) to have read access, so I change the ACL like that
>
> ##
>
> access to attrs=userPassword,shadowLastChange
>     by dn="cn=admin,dc=toto,dc=fr" write
>     by anonymous auth
>     by self write
>     by * none
>
> and
>
> access to *
>     by dn="cn=admin,dc=toto,dc=fr" write
>     by self read
>     by anonymous auth
>     by * none

Why not change this to

access to *
    by dn="cn=admin,dc=toto,dc=fr" write
    by users read
    by * none

The above line says only allow self to access *, so if the object is the
DN for the user it is allowed to read, but it is not allowed to read
anything else.

> ##
>
> So, for this target, I'm adding the acl-authcDN and acl-passwd
> directives to the meta directory, with the target's rootdn and rootpw
> values, in order to enable ACL checking and matching (in that case, the
> write privilege for dn="cn=admin,dc=toto,dc=fr")
>
> giving this in the meta backend conf
>
> ##
> database meta
>
> suffix "dc=meta-ufr-info-p7,dc=jussieu,dc=fr"
>
> uri "ldap://localhost:389/dc=meta-ufr-info-p7,dc=jussieu,dc=fr"
> suffixmassage "dc=meta-ufr-info-p7,dc=jussieu,dc=fr" "dc=toto,dc=fr"
>
> acl-authcDN "cn=admin,dc=toto,dc=fr"
> acl-passwd "xxxxx"
> ##
>
> But at this moment, I can't retrieve any data anymore, as I perform an
> ldapsearch by the meta directory ....
>
> Is there anything wrong in my conf ?
>
> the slapd-meta man page says about acl-authcDN directives : "it is
> supposed to have read access on the target server to attributes used
> on the proxy for acl checking."
>
> what does that mean exactly ? :)

haven't looked at meta data

> Thanks.
> --
> Julien Oix
> UFR d'Informatique - Université Paris Diderot
>
> Bureau 5C01 (5ème étage)
> 175 rue du Chevaleret
> 75013 PARIS
>
> Tel : +33 (0) 144 278 504
> Mobile : +33 (0) 664 392 207
> ---------------------------------------------
> http://www.gnu.org/philosophy/no-word-attachments.html
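An added illustration of the reply's point, not part of the original thread: the target-server ACLs as Julien posted them, beside the form the reply suggests, with comments on why the posted `by self read` clause shuts out every authenticated user reading any entry other than their own. The suffix and admin DN are the ones from the thread; the user DNs in the final check are made up.

```conf
# Target-server ACLs in slapd.conf syntax. The suffix dc=toto,dc=fr and the
# admin DN cn=admin,dc=toto,dc=fr come from the thread.
#
# slapd takes the first "access to" rule that matches the entry/attribute, then
# walks its "by" clauses in order and stops at the first <who> that matches the
# requester; that clause's privilege is the final answer for the request.

# Rule 1: password attributes (identical in both versions).
# "by anonymous auth" only lets an unauthenticated client bind with the value.
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=toto,dc=fr" write
    by anonymous auth
    by self write
    by * none

# Rule 2 as posted (kept commented out). "self" matches only when the entry
# being read is the bound DN itself, so an authenticated user reading any other
# entry skips "self", skips "anonymous", and lands on "* none": denied.
#access to *
#    by dn="cn=admin,dc=toto,dc=fr" write
#    by self read
#    by anonymous auth
#    by * none

# Rule 2 as the reply suggests. "users" is any authenticated identity, so every
# bound user can read every entry; anonymous requesters still get nothing.
access to *
    by dn="cn=admin,dc=toto,dc=fr" write
    by users read
    by * none

# Offline check with slapacl(8), which evaluates the ACLs of a config file for
# a given requester against an entry already stored in the configured database
# (the two uid= DNs below are made-up examples):
#   slapacl -f slapd.conf -D "uid=bob,dc=toto,dc=fr" \
#           -b "uid=alice,dc=toto,dc=fr" cn/read
# It prints ALLOWED or DENIED for the attribute/privilege asked for, so the two
# versions of rule 2 can be compared without a running server or a client.
```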