
Re: ldapsearch not returning namingContexts



ben thielsen <btb@bitrate.net> writes:

> On Jun 27, 2010, at 22.47, masarati@aero.polimi.it wrote:
>
>>> i just happened to notice that the following search(es) don't return the
>>> expected results:
>>> 
>>>> ldapsearch -xs base -b '' +
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> with scope baseObject
>>> # filter: (objectclass=*)
>>> # requesting: +
>>> #
>>> 
>>> # search result
>>> search: 2
>>> result: 0 Success
>>> 
>>> # numResponses: 1
>>> 
>>> i'm using 2.4.21, courtesy of ubuntu.
>> 
>> [...]
>> 
>>> conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
>>> conn=1000 op=1 SRCH attr=+
>>> => test_filter
>>>    PRESENT
>>> => access_allowed: search access to "" "objectClass" requested
>>> => acl_get: [1] attr objectClass
>>> => acl_mask: access to entry "", attr "objectClass" requested
>>> => acl_mask: to all values by "", (=0)
>>> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> <= check a_dn_pat: *
>>> <= acl_mask: [2] applying +0 (break)
>>> <= acl_mask: [2] mask: =0
>>> <= acl_get: done.
>>> => slap_access_allowed: no more rules
>>> => access_allowed: no more rules
>>> <= test_filter 50
>> 
>> This 50 means insufficient access, as pointed out by the above logs.  Your
>> ACLs prevent searching the rootDSE entry.
>
> I see, thank you.  Where can I read more about the possible values used here and what they mean?
>
> Below are my current ACLs.  olcAccess: to dn.base="" by * read is what I'd expected would allow such searches - but it occurs to me now that defining that in the context of a specific database/suffix is perhaps not right?
>
> #>ldapsearch -ZZLLLWD 'cn=admin,cn=config' -b 'cn=config' '(|(objectclass=olcglobal)(objectclass=olcdatabaseconfig))' olcdatabase olcaccess olcsuffix
> Enter LDAP Password: 
> dn: cn=config
>
> dn: olcDatabase={-1}frontend,cn=config
> olcDatabase: {-1}frontend
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

This rule only allows root to access the rootDSE via the local socket, that is,
ldapi:///
That is, as root: ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
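As an added illustration (not code from the thread or from OpenLDAP) of how to read the slapd ACL trace quoted above: the script below parses that trace, extracts which identity asked for which access on which entry, which ACL clause matched and with what mask and control, and maps the final test_filter code to its LDAP resultCode name (50 is insufficientAccessRights in RFC 4511). The sample trace is the one quoted in the thread; the regular expressions and the diagnose() hint are my own and assume the slapd 2.4 trace wording shown, nothing more.

```python
"""Explain an slapd ACL debug trace (loglevel acl / -d 128).

Added example for this thread, not part of OpenLDAP.  SAMPLE_TRACE is the
trace quoted in the thread; LDAP_RESULT_NAMES is the resultCode enumeration
from RFC 4511 section 4.1.9, so the "50" the trace ends with can be named.
"""
import re

# Subset of RFC 4511 resultCode values that show up in slapd traces.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    80: "other",
}

# Trace lines as quoted in the thread (rootDSE search by an anonymous bind).
SAMPLE_TRACE = """\
conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=+
=> test_filter
   PRESENT
=> access_allowed: search access to "" "objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= check a_dn_pat: *
<= acl_mask: [2] applying +0 (break)
<= acl_mask: [2] mask: =0
<= acl_get: done.
=> slap_access_allowed: no more rules
=> access_allowed: no more rules
<= test_filter 50
"""

# Patterns are assumptions matching the 2.4 trace wording above.
RE_REQUEST = re.compile(r'access_allowed: (\w+) access to "(.*?)" "(.*?)" requested')
RE_BIND = re.compile(r'acl_mask: to all values by "(.*?)",')
RE_PAT = re.compile(r'check a_dn_pat: (.+)$')
RE_APPLY = re.compile(r'acl_mask: \[(\d+)\] applying (\S+)(?: \((\w+)\))?')
RE_RESULT = re.compile(r'<= test_filter (\d+)')


def parse_acl_trace(trace):
    """Reduce one access_allowed trace to the facts a reader needs."""
    d = {
        "access": None, "entry": None, "attr": None, "bound_as": None,
        "patterns_checked": [], "rule": None, "mask": None, "control": None,
        "exhausted": False, "result_code": None, "result_name": None,
    }
    for raw in trace.splitlines():
        line = raw.strip()
        if m := RE_REQUEST.search(line):
            d["access"], d["entry"], d["attr"] = m.groups()
        elif m := RE_BIND.search(line):
            d["bound_as"] = m.group(1)          # "" means anonymous
        elif m := RE_PAT.search(line):
            d["patterns_checked"].append(m.group(1))
        elif m := RE_APPLY.search(line):
            d["rule"] = int(m.group(1))         # which <access> clause matched
            d["mask"] = m.group(2)              # e.g. +0 : adds nothing
            d["control"] = m.group(3)           # e.g. break : keep evaluating
        elif "no more rules" in line:
            d["exhausted"] = True               # fell off the end of the ACL list
        elif m := RE_RESULT.search(line):
            code = int(m.group(1))
            d["result_code"] = code
            d["result_name"] = LDAP_RESULT_NAMES.get(code, "unknown")
    return d


def explain(d):
    """One-line human reading of the parsed decision."""
    who = d["bound_as"] or "anonymous"
    parts = [f'{d["access"]} access to entry "{d["entry"]}" attr {d["attr"]} by {who}']
    if d["rule"] is not None:
        ctl = f' ({d["control"]})' if d["control"] else ""
        parts.append(f'clause [{d["rule"]}] matched and applied mask {d["mask"]}{ctl}')
    if d["exhausted"]:
        parts.append("no later clause matched")
    parts.append(f'result {d["result_code"]} {d["result_name"]}')
    return "; ".join(parts)


def diagnose(d):
    """Hint for the specific failure seen in the thread: rootDSE with no grant."""
    if d["result_code"] == 50 and d["entry"] == "" and d["exhausted"]:
        return ("no clause grants read on the rootDSE to this identity; "
                "a 'to dn.base=\"\" by * read' clause must be in the frontend "
                "(global) ACLs, a per-suffix database ACL never sees dn \"\"")
    return None


if __name__ == "__main__":
    decision = parse_acl_trace(SAMPLE_TRACE)
    print(explain(decision))
    print(diagnose(decision))
```

The `+0 (break)` line is the key one: clause [2] ("by * break") matched the anonymous bind, added no privileges, and told slapd to keep looking, after which there was nothing left to look at, hence code 50.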