[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapsearch not returning namingContexts

To: openldap-technical@openldap.org
Subject: Re: ldapsearch not returning namingContexts
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Mon, 28 Jun 2010 09:16:18 +0200
In-reply-to: <F08FAAA0-10A7-44EA-9447-9CB3FBD7D6C4@bitrate.net> (ben thielsen's message of "Sun, 27 Jun 2010 23:51:51 -0400")
References: <0890B65C-6531-4A0D-8BFB-405F354CC93B@bitrate.net> <1f5820b4d69bd27da6028c7870525b37.squirrel@www.aero.polimi.it> <F08FAAA0-10A7-44EA-9447-9CB3FBD7D6C4@bitrate.net>
User-agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b29 (linux)

ben thielsen <btb@bitrate.net> writes:

> On Jun 27, 2010, at 22.47, masarati@aero.polimi.it wrote:
>
>>> i just happened to notice that the following search(es) don't return the
>>> expected results:
>>> 
>>>> ldapsearch -xs base -b '' +
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> with scope baseObject
>>> # filter: (objectclass=*)
>>> # requesting: +
>>> #
>>> 
>>> # search result
>>> search: 2
>>> result: 0 Success
>>> 
>>> # numResponses: 1
>>> 
>>> i'm using 2.4.21, courtesy of ubuntu.
>> 
>> [...]
>> 
>>> conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
>>> conn=1000 op=1 SRCH attr=+
>>> => test_filter
>>>    PRESENT
>>> => access_allowed: search access to "" "objectClass" requested
>>> => acl_get: [1] attr objectClass
>>> => acl_mask: access to entry "", attr "objectClass" requested
>>> => acl_mask: to all values by "", (=0)
>>> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> <= check a_dn_pat: *
>>> <= acl_mask: [2] applying +0 (break)
>>> <= acl_mask: [2] mask: =0
>>> <= acl_get: done.
>>> => slap_access_allowed: no more rules
>>> => access_allowed: no more rules
>>> <= test_filter 50
>> 
>> This 50 means insufficient access, as pointed out by the above logs.  Your
>> ACLs prevent searching the rootDSE entry.
>
> i see, thank you.  where can i read more about possible values used here and what they mean?
>
> below are my current acls.  olcAccess: to dn.base="" by * read is what i'd expected would allow such searches - but, it occurs to me now that defining that in the context of a specific database/suffix is perhaps not right?
>
> #>ldapsearch -ZZLLLWD 'cn=admin,cn=config' -b 'cn=config' '(|(objectclass=olcglobal)(objectclass=olcdatabaseconfig))' olcdatabase olcaccess olcsuffix
> Enter LDAP Password: 
> dn: cn=config
>
> dn: olcDatabase={-1}frontend,cn=config
> olcDatabase: {-1}frontend
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

this rule only allows root to access rootDSE via local socket, that is
ldapi:///
that is, as root: ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6

Follow-Ups:
- Re: ldapsearch not returning namingContexts
  - From: "btb@bitrate.net" <btb@bitrate.net>

References:
- ldapsearch not returning namingContexts
  - From: ben thielsen <btb@bitrate.net>
- Re: ldapsearch not returning namingContexts
  - From: masarati@aero.polimi.it
- Re: ldapsearch not returning namingContexts
  - From: ben thielsen <btb@bitrate.net>

Prev by Date: Re: ldapsearch not returning namingContexts
Next by Date: Re: openldap pwdReset
Index(es):
- Chronological
- Thread