Re: Help for special ACL needed
On Monday 04 May 2009 10:32:42, Florian Götz wrote:
> Hi Dieter,
>
> as I was trying to implement your ACL a more fundamental problem arose.
>
> The structure at the moment is
> dc=justushere,dc=de
> -> ou= Users
> -> Some users in here with their data
>
>
> If I do a ldapsearch with the admin DN I can get all the data from
> everything I want. The way it should be.
>
> For example:
> ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=goetzf
> gives me all the information about my own user.
>
> If I try
> ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf
> I get "ldap_bind: Invalid credentials (49)" as answer.
>
>
> The only ACL left in the system now are the following:
>
> #1 .Publishing subschemas for JXplorer
> access to dn.base="cn=Subschema"
> by dn="cn=admin,dc=justushere,dc=de" read
>
> #2. Your ACL, now commented out for testing
> #access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
> # attrs=entry,sn,cn,userPassword,mail
> # by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
> # by * none
>
> #3. Deny any other access
> access to *
> by none
>
>
> I got no clue why I get an "invalid credentials" message when using my own
> password. There are no ACLs restricting access. No matter if I use your ACL
> above or not, I'm not getting access with my password.
>
> If I just use ACL Nr 1 and another
> access to * by self read
> I can't get any info as well, no matter if I use
> ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf or even
> ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de
> uid=goetzf,ou=Users,dc=justushere,dc=de
>
> If I rewrite that to
> access to * by * read
> I get all information with my password.
>
> As I mentioned above, I got no more clues how to handle that :(
In order to be able to authenticate using simple bind, you need to have "auth"
privileges on the "userPassword" attribute. As none of your ACLs grants that
right, your ldapsearch -x.... currently fails with "ldap_bind: Invalid
credentials (49)".
Please try to add the following ACL as the first in your list:
access to attr=userpassword
by self =xw
by anonymous auth
Additionally you should have a look at:
http://www.openldap.org/faq/data/cache/320.html
and
http://www.openldap.org/faq/data/cache/189.html
and the admin guide for more information.
[..]
--
Ralf
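To show how the password rule fits together with the rest of the ACLs from this thread, here is a complete slapd.conf access list as an added example; it is not from either poster and not from the OpenLDAP project. It assumes the tree Florian describes (users as uid=...,ou=Users,dc=justushere,dc=de) and that cn=admin,dc=justushere,dc=de is the rootdn, which is why the admin bind works regardless of ACLs (the rootdn bypasses access control). Two points are easy to miss: slapd evaluates "access to" clauses in order and the first clause whose target matches the entry and attribute decides, so the userPassword rule must precede the deny-all; and the regex quoted in the thread, ^uid=([^,]+),dc=justushere,dc=de$, only matches entries directly under the base, so the example adds ou=Users to it to match the tree as described.

```conf
# Added example (not the thread's own config): ACL order that makes a
# simple bind work for uid=<user>,ou=Users,dc=justushere,dc=de.
# Rules are matched in order; first matching target wins.

# 1. Passwords first. "=xw" grants exactly auth (x) and write (w), so a
#    user can bind with and change their own password but never read it.
#    "anonymous auth" is what the simple bind itself needs before the
#    connection has any identity. Nobody else gets anything.
access to attrs=userPassword
        by self =xw
        by anonymous auth
        by * none

# 2. Subschema for JXplorer (as in the original post).
access to dn.base="cn=Subschema"
        by dn="cn=admin,dc=justushere,dc=de" read

# 3. Each user may read and modify the listed attributes of their own
#    entry. Assumption: ou=Users is part of the DN, matching the tree
#    described in the thread. userPassword is left out here because
#    rule 1 already decides access to that attribute.
access to dn.regex="^uid=([^,]+),ou=Users,dc=justushere,dc=de$"
        attrs=entry,sn,cn,mail
        by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
        by * none

# 4. Deny everything else (full "by * none" form).
access to *
        by * none
```

With this order, ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf binds via rule 1 and then reads the user's own sn, cn and mail via rule 3; a search for another user's entry is refused by rule 4, and no bind DN other than the rootdn can ever read a userPassword value. Test a change like this with a non-rootdn bind, since the rootdn succeeds no matter what the ACLs say.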