
Re: Help for special ACL needed



On Monday 04 May 2009 10:32:42, Florian Götz wrote:
> Hi Dieter,
>
> as I was trying to implement your ACL a more fundamental problem arose.
>
> The structure at the moment is
> dc=justushere,dc=de
> -> ou= Users
>   -> Some users in here with their data
>
>
> If I do a ldapsearch with the admin DN I can get all the data from
> everything I want. The way it should be.
>
> For example:
> ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=goetzf
> gives me all the information about my own user.
>
> If I try
> ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf
> I get "ldap_bind: Invalid credentials (49)" as answer.
>
>
> The only ACL left in the system now are the following:
>
> #1. Publishing subschemas for JXplorer
> access to dn.base="cn=Subschema"
>   by dn="cn=admin,dc=justushere,dc=de" read
>
> #2. Your ACL, now commented out for testing
> #access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
> #       attrs=entry,sn,cn,userPassword,mail
> #       by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
> #       by * none
>
> #3. Deny any other access
> access to *
>   by none
>
>
> I got no clue why I get an "invalid credentials" message when using my own
> password. There are no ACLs restricting access. No matter if I use your ACL
> above or not, I'm not getting access with my password.
>
> If I just use ACL Nr 1 and another
> access to * by self read
> I can't get any info as well, no matter if I use
> ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf  or even
> ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de
> uid=goetzf,ou=Users,dc=justushere,dc=de
>
> If I rewrite that to
> access to * by * read
> I get all information with my password.
>
> As I mentioned above, I got no more clues how to handle that :(
In order to be able to authenticate using simple bind, you need to have "auth" 
privileges on the "userPassword" attribute. As none of your ACLs grants that 
right, your ldapsearch -x.... currently fails with "ldap_bind: Invalid 
credentials (49)".
Please try to add the following ACL as the first in your list:

access to attr=userpassword
  by self =xw
  by anonymous auth

Additionally you should have a look at:
http://www.openldap.org/faq/data/cache/320.html
and
http://www.openldap.org/faq/data/cache/189.html
and the admin guide for more information.

[..]

-- 
Ralf
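As an added illustration (not from either poster), here is how the whole ACL list for this directory layout could be ordered in slapd.conf, assuming the user entries live under ou=Users as described and cn=admin is the rootdn. slapd uses the first "access to" clause whose target matches, so the userPassword rule must come before the catch-all deny; the regex is also widened to include ou=Users, because the one quoted above only matches entries directly under the suffix.

```conf
# Added example: an ordered ACL set for dc=justushere,dc=de (not from the thread).
# slapd evaluates "access to" clauses top to bottom and applies the first one
# whose target (dn/attrs) matches the entry or attribute being accessed, so
# the order of these clauses is significant.

# 1. Make simple bind possible: anyone may present a password for comparison
#    (auth), the entry owner may additionally change it (w), but nobody,
#    not even the owner, may read the stored hash.
access to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none

# 2. Publish the subschema so JXplorer (and other clients) can read it.
#    Granting it to all authenticated users is an assumption of this example.
access to dn.base="cn=Subschema"
  by dn.exact="cn=admin,dc=justushere,dc=de" read
  by users read

# 3. Each user may read the listed attributes of their own entry.
#    The regex now includes ou=Users, where the user entries actually live;
#    "entry" must be in attrs or the entry itself stays invisible.
#    userPassword is left out here because clause 1 already covers it.
access to dn.regex="^uid=([^,]+),ou=Users,dc=justushere,dc=de$"
     attrs=entry,sn,cn,mail
  by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" read
  by * none

# 4. Everything else is denied. The rootdn bypasses ACLs entirely, which is
#    why the admin search kept working even with no access granted here.
access to *
  by * none
```

After restarting slapd, the failing bind from the original post (ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de) should succeed and return only the attributes listed in clause 3.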