Re: ldapsearch not returning namingContexts
ben thielsen <btb@bitrate.net> writes:
> On Jun 27, 2010, at 22.47, masarati@aero.polimi.it wrote:
>
>>> I just happened to notice that the following search(es) don't return the
>>> expected results:
>>>
>>>> ldapsearch -xs base -b '' +
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> with scope baseObject
>>> # filter: (objectclass=*)
>>> # requesting: +
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> I'm using 2.4.21, courtesy of Ubuntu.
>>
>> [...]
>>
>>> conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
>>> conn=1000 op=1 SRCH attr=+
>>> => test_filter
>>> PRESENT
>>> => access_allowed: search access to "" "objectClass" requested
>>> => acl_get: [1] attr objectClass
>>> => acl_mask: access to entry "", attr "objectClass" requested
>>> => acl_mask: to all values by "", (=0)
>>> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> <= check a_dn_pat: *
>>> <= acl_mask: [2] applying +0 (break)
>>> <= acl_mask: [2] mask: =0
>>> <= acl_get: done.
>>> => slap_access_allowed: no more rules
>>> => access_allowed: no more rules
>>> <= test_filter 50
>>
>> This 50 means insufficient access, as pointed out by the above logs. Your
>> ACLs prevent searching the rootDSE entry.
>
> I see, thank you. Where can I read more about the possible values used here and what they mean?
>
> Below are my current ACLs. olcAccess: to dn.base="" by * read is what I'd expected would allow such searches - but it occurs to me now that defining that in the context of a specific database/suffix is perhaps not right?
>
> #>ldapsearch -ZZLLLWD 'cn=admin,cn=config' -b 'cn=config' '(|(objectclass=olcglobal)(objectclass=olcdatabaseconfig))' olcdatabase olcaccess olcsuffix
> Enter LDAP Password:
> dn: cn=config
>
> dn: olcDatabase={-1}frontend,cn=config
> olcDatabase: {-1}frontend
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
This rule only allows root to access the rootDSE via the local socket, that is
ldapi:///, i.e. as root: ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +
[...]
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
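As an added example (not part of the thread), the frontend ACL quoted above with one rule appended so that anonymous clients can read the rootDSE while the ldapi root identity keeps manage access. It assumes the same frontend DN and existing {0} rule as in ben's output; the ldapsearch checks in the comments are the ones already used in the thread.

```ldif
# Frontend ACLs govern the rootDSE (base ""). The existing {0} rule ends with
# "by * break", so everyone except the local root identity falls through to
# "no more rules" and gets result 50 (insufficientAccessRights).
# The {1} rule below is the added fix: it is consulted only after {0} breaks.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read

# Apply as root over the local socket (the only identity the old ACL let in):
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f frontend-rootdse-acl.ldif
# Verify that an anonymous client now sees namingContexts and friends:
#   ldapsearch -xs base -b '' +
# and that root via ldapi still has manage rights on the rootDSE:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +
```

Putting the read rule only inside a specific database's olcAccess, as the thread suspects, has no effect on the rootDSE, because that entry does not belong to any suffix.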