Re: ldapsearch not returning namingContexts
On Jun 27, 2010, at 22.47, masarati@aero.polimi.it wrote:
>> i just happened to notice that the following search(es) don't return the
>> expected results:
>>
>>> ldapsearch -xs base -b '' +
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope baseObject
>> # filter: (objectclass=*)
>> # requesting: +
>> #
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 1
>>
>> i'm using 2.4.21, courtesy of ubuntu.
>
> [...]
>
>> conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
>> conn=1000 op=1 SRCH attr=+
>> => test_filter
>> PRESENT
>> => access_allowed: search access to "" "objectClass" requested
>> => acl_get: [1] attr objectClass
>> => acl_mask: access to entry "", attr "objectClass" requested
>> => acl_mask: to all values by "", (=0)
>> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> <= check a_dn_pat: *
>> <= acl_mask: [2] applying +0 (break)
>> <= acl_mask: [2] mask: =0
>> <= acl_get: done.
>> => slap_access_allowed: no more rules
>> => access_allowed: no more rules
>> <= test_filter 50
>
> This 50 means insufficient access, as pointed out by the above logs. Your
> ACLs prevent searching the rootDSE entry.
I see, thank you. Where can I read more about the possible values used here and what they mean?
Below are my current ACLs. olcAccess: to dn.base="" by * read is what I'd expected would allow such searches - but it occurs to me now that defining that in the context of a specific database/suffix is perhaps not right?
#>ldapsearch -ZZLLLWD 'cn=admin,cn=config' -b 'cn=config' '(|(objectclass=olcglobal)(objectclass=olcdatabaseconfig))' olcdatabase olcaccess olcsuffix
Enter LDAP Password:
dn: cn=config
dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
dn: olcDatabase={1}monitor,cn=config
olcDatabase: {1}monitor
dn: olcDatabase={2}bdb,cn=config
olcDatabase: {2}bdb
olcSuffix: dc=dipswitch,dc=net
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to attrs=userPassword
 by self =xw
 by anonymous auth
 by * none
olcAccess: {2}to filter=(&(objectclass=iphost)(cn=flip.dipswitch.net)) attrs=authorizedservice val.exact=sshd
 by group.exact="cn=ssh,ou=all_servers,ou=servers,ou=groups,dc=dipswitch,dc=net" compare
 by group.exact="cn=ssh,ou=flip,ou=servers,ou=groups,dc=dipswitch,dc=net" compare
 by * =dxrs
olcAccess: {3}to filter=(&(objectclass=iphost)(cn=flip.dipswitch.net)) attrs=authorizedservice val.exact=login
 by group.exact="cn=console,ou=all_servers,ou=servers,ou=groups,dc=dipswitch,dc=net" compare
 by group.exact="cn=console,ou=flip,ou=servers,ou=groups,dc=dipswitch,dc=net" compare
 by * =dxrs
olcAccess: {4}to *
 by self write
 by group.exact="cn=directory_administrators,ou=general,ou=groups,dc=dipswitch,dc=net" manage
 by users read
 by * none
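Added example, not part of the original thread or of the OpenLDAP project's own code. The rootDSE (base "") and the subschema subentry (cn=Subschema) are served by the frontend database, not by the {2}bdb database, so an ACL for dn.base="" placed under the suffix dc=dipswitch,dc=net is never consulted for them. The log above shows exactly that: only the {-1}frontend rule is evaluated, its "by * break" falls through to "no more rules", and the search is denied with result 50, which is insufficientAccessRights in RFC 4511 (LDAP_INSUFFICIENT_ACCESS in ldap.h). The ACL syntax and evaluation order are documented in slapd.access(5). The script below builds the cn=config change that adds the rule to the frontend, applies it over ldapi:/// with the same uid 0/gid 0 peercred identity the existing ACLs already grant "manage", and counts the namingContexts values an anonymous base search gets back. It assumes slapd listens on ldapi:/// and that the frontend currently has only the {0} olcAccess value shown, so the new rules can be appended as {1} and {2}; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): put the rootDSE / subschema read rule
# into the {-1}frontend database, which is the backend that serves base ""
# and cn=Subschema.  A dn.base="" rule inside {2}bdb never matches them.
#
# Assumptions (not stated in the thread): slapd listens on ldapi:///, the
# gidNumber=0+uidNumber=0 peercred identity has "manage" on cn=config (it
# does in the ACLs shown), and the frontend has only olcAccess {0} so far.

set -e

# Emit the cn=config modification as LDIF.  The existing {0} rule ends in
# "by * break", so evaluation continues into {1} and {2} for everyone who
# is not the peercred identity.
rootdse_acl_ldif() {
    cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
EOF
}

# Apply the change over the local unix socket via SASL EXTERNAL, i.e. as the
# same uid 0 / gid 0 peercred DN that appears in the log.
apply_rootdse_acl() {
    rootdse_acl_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Verify: an anonymous base search on "" must now return the operational
# attributes.  Prints the number of namingContexts values returned;
# 0 means the rootDSE is still being denied.
count_naming_contexts() {
    ldapsearch -x -LLL -s base -b '' namingContexts 2>/dev/null \
        | grep -c '^namingContexts:' || true
}

# Translate the numeric result code seen in the slapd log
# ("<= test_filter 50", "result: 50") into its RFC 4511 name.
ldap_result_name() {
    case "$1" in
        0)  echo success ;;
        32) echo noSuchObject ;;
        49) echo invalidCredentials ;;
        50) echo insufficientAccessRights ;;
        53) echo unwillingToPerform ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Usage: "./fix-rootdse-acl.sh" prints the LDIF for review,
#        "./fix-rootdse-acl.sh apply" modifies the running server and checks.
case "${1:-}" in
    apply)
        apply_rootdse_acl
        echo "namingContexts values visible anonymously: $(count_naming_contexts)"
        ;;
    *)
        rootdse_acl_ldif
        ;;
esac
```

Review the LDIF before applying it; with cn=config the change takes effect immediately and is persisted. Reading the rootDSE anonymously is what most clients (and ldapsearch -x without a bind DN) rely on to discover namingContexts and supportedSASLMechanisms, so "by * read" is the usual choice; "by users read" would hide it from unauthenticated clients at the cost of breaking that discovery.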