
Re: Help for special ACL needed



Hi Dieter,

As I was trying to implement your ACL, a more fundamental problem arose.

The structure at the moment is
dc=justushere,dc=de
-> ou=Users
  -> Some users in here with their data


If I do an ldapsearch with the admin DN, I can get all the data from everything
I want. The way it should be.

For example:
ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=goetzf
gives me all the information about my own user.

If I try 
ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf
I get "ldap_bind: Invalid credentials (49)" as answer.


The only ACLs left in the system now are the following:

#1. Publishing subschemas for JXplorer
access to dn.base="cn=Subschema"
  by dn="cn=admin,dc=justushere,dc=de" read

#2. Your ACL, now commented out for testing
#access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
#       attrs=entry,sn,cn,userPassword,mail
#       by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
#       by * none

#3. Deny any other access
access to *
  by none


I have no clue why I get an "invalid credentials" message when using my own
password. There are no ACLs restricting access. No matter whether I use your ACL
above or not, I'm not getting access with my password.

If I just use ACL Nr 1 and another
access to * by self read
I can't get any info either, no matter whether I use
ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf
or even
ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf,ou=Users,dc=justushere,dc=de

If I rewrite that to
access to * by * read
I get all information with my password. 

As I mentioned above, I have no more clues how to handle that :(


Florian





On Thursday 30 April 2009 18:27:58 Dieter Kluenter wrote:
> Florian Götz <f.goetz@hs-mannheim.de> writes:
> > A warm "Hello" from germany to the openldap-technical list!
> >
> > I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server.
> > I need to write an ACL which allows a user to see his own entry
> > (objectClass build up on inetOrgPerson) and nothing else.
> > I know that this isn't the intended use of the LDAP system, but our
> > manager wants it that way.
> >
> > I tried it with something like this:
> >
> > access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry
> >   by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write
> >   by users none
> >
> > but I just get a message about invalid credentials.
> > The command used was:
> > ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1
>
> According to your ACL's a subtree search is not allowed.
>
> > ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1  with the rootdn
> > account shows the information, but if the uid of the user1 is used for
> > binding it fails.
> >
> > Has anyone an idea how to realize these restrictions?
>
> access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
>        attrs=entry,more attrs
>         by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
>         by * none
>
> ldapsearch -xDW -b uid=user1,ou=users,dc=justushere,dc=de -s base
> should do what you want.
>
> -Dieter


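The following is an added worked example, not code from the thread or from OpenLDAP. It is a small Python model of the slapd ACL rules that decide the cases reported above: a simple bind needs `auth` on `userPassword` while the connection is still anonymous (so a `by self` clause cannot match at bind time), the first matching `access to` clause is the only one consulted, an unmatched target falls to the implicit `access to * by * none`, and privileges are cumulative. The DNs and the three ACL variants are the ones from the thread; `OWN_ENTRY_ONLY` is an assumed fix that the thread does not propose, and the `dn.exact,expand="uid=$1,..."` clause is modelled as `self`, which is who it names once the regex has matched. The search modelled is the base-scoped search on the user's own DN that Dieter suggested.

```python
"""Toy model of slapd ACL evaluation (added illustration, not OpenLDAP code).

Rules modelled: first matching 'access to' clause wins; within it the first
matching 'by' clause decides; no matching 'by' means deny; no matching target
means the implicit 'access to * by * none'; a simple bind needs 'auth' on
userPassword while still anonymous; privileges are cumulative in the order
none < disclose < auth < compare < search < read < write < manage.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6, "manage": 7}


@dataclass
class Acl:
    dn_regex: Optional[str] = None      # 'access to dn.regex=...'; None = any entry
    attrs: Optional[Set[str]] = None    # 'attrs=...'; None = entry and all attributes
    by: List[Tuple[str, str]] = field(default_factory=list)   # (<who>, <access>)


def who_matches(who: str, bound_dn: Optional[str], target_dn: str) -> bool:
    """The <who> forms needed here; 'self' can only match after a successful bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    raise ValueError("unsupported <who>: " + who)


def allowed(acls: List[Acl], bound_dn: Optional[str], target_dn: str,
            attr: str, needed: str) -> bool:
    """Does bound_dn (None = anonymous) get 'needed' on attr of target_dn?"""
    for acl in acls:
        if acl.dn_regex is not None and not re.search(acl.dn_regex, target_dn):
            continue
        if acl.attrs is not None and attr not in acl.attrs:
            continue
        for who, level in acl.by:
            if who_matches(who, bound_dn, target_dn):
                return LEVELS[level] >= LEVELS[needed]
        return False            # target matched, no <who> matched: deny and stop
    return False                # nothing matched: implicit 'access to * by * none'


def simple_bind(acls: List[Acl], dn: str) -> bool:
    """Simple bind with the right password: needs 'auth' on userPassword while
    still anonymous. False here is what the client reports as error 49."""
    return allowed(acls, None, dn, "userPassword", "auth")


def read_entry(acls: List[Acl], bound_dn: str, target_dn: str,
               attrs: Tuple[str, ...] = ("cn", "sn", "mail")) -> bool:
    """ldapsearch -x -W -D bound_dn -b target_dn -s base: bind, then 'search'
    on the base entry's 'entry' pseudo-attribute and 'read' on each attribute."""
    if not simple_bind(acls, bound_dn):
        return False
    if not allowed(acls, bound_dn, target_dn, "entry", "search"):
        return False
    return all(allowed(acls, bound_dn, target_dn, a, "read") for a in attrs)


USER = "uid=goetzf,ou=Users,dc=justushere,dc=de"
OTHER = "uid=user1,ou=Users,dc=justushere,dc=de"

# 'access to * by self read' from the thread: the bind itself is denied.
SELF_READ_ONLY = [Acl(by=[("self", "read")])]

# 'access to * by * read' from the thread: everything works, for everyone.
ALL_READ = [Acl(by=[("*", "read")])]

# Dieter's ACL: the regex has no ',ou=Users' component, so it never matches an
# entry under ou=Users and the implicit deny applies. Even if it matched, the
# bind would still fail: at bind time only '* none' can match.
REGEX_WITHOUT_OU = [Acl(dn_regex=r"^uid=([^,]+),dc=justushere,dc=de$",
                        attrs={"entry", "sn", "cn", "userPassword", "mail"},
                        by=[("self", "write"), ("*", "none")])]

# Assumed fix (not from the thread): anonymous may authenticate against
# userPassword, a user may read only their own entry, everything else is closed.
OWN_ENTRY_ONLY = [
    Acl(attrs={"userPassword"},
        by=[("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    Acl(dn_regex=r"^uid=[^,]+,ou=Users,dc=justushere,dc=de$",
        by=[("self", "read"), ("*", "none")]),
    Acl(by=[("*", "none")]),
]

if __name__ == "__main__":
    for name, acls in [("self read only", SELF_READ_ONLY), ("all read", ALL_READ),
                       ("regex without ou", REGEX_WITHOUT_OU),
                       ("own entry only", OWN_ENTRY_ONLY)]:
        print(f"{name:18} bind={simple_bind(acls, USER)} "
              f"own={read_entry(acls, USER, USER)} other={read_entry(acls, OTHER, USER)}")
```

Against the real configuration, `slapacl -b "uid=goetzf,ou=Users,dc=justushere,dc=de" -D "uid=goetzf,ou=Users,dc=justushere,dc=de" cn/read` performs the same kind of check for an authenticated identity without going through a client, which makes it easier to separate ACL problems from search-base problems.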