Le 01/11/2010 17:56, Darren Hildebrand a écrit :
I'm having a problem with access control lists in slapd.conf. The filter
doesn't seem to be working in OpenLDPA 2.4.23 using syntax that worked
in 2.3.43. I've simplified my tests down to a single ACL rule just to
see if it's working, and this is what I'm finding:
I'm trying this ACL:
access to dn.subtree="ou=users,dc=companyname,dc=com"
filter="(objectClass=person)"
by * read
I tried an anonymous search using this command:
ldapsearch -h 1.2.3.4 -x -b ou=users,dc=companyname,dc=com
And it returned the following:
# search result
search: 2
result: 32 No such object
I tried the same with the same ACL as above with the filter set to
"(uid=*)", and got the same problem (note that all users have a uid
value set). However, I tried with the filter set to "(objectClass=*),
and it returned all users as I would expect.
Has anything changed with ACL syntax between OpenLDAP 2.3 and 2.4? Or do
you see any problems with the syntax of my ACL line above?
Yes, from slapd.access(5):
The search operation, requires search (=s) privileges on the
entry pseudo-attribute of the
searchBase (NOTE: this was introduced with OpenLDAP 2.4).
Then, for each entry, it requires
search (=s) privileges on the attributes that are defined
in the filter. The resulting
entries are finally tested for read (=r) privileges on the
pseudo-attribute entry (for read
access to the entry itself) and for read (=r) access on each
value of each attribute that is
requested.
So you likely need something like this too:
access to dn.base="ou=users,dc=companyname,dc=com" attrs="entry"
by * search
However, I'm not entirely sure why you're allowed to do the search
when using the "(objectClass=*)" filter, even though you don't have
access to the above-mentioned entry pseudo-attribute...
Jonathan