[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Search access does not return any result



sim123 wrote:


On Mon, Nov 14, 2011 at 4:45 PM, Howard Chu <hyc@symas.com
<mailto:hyc@symas.com>> wrote:

    sim123 wrote:



        On Mon, Nov 14, 2011 at 1:37 PM, sim123 <Sim3159@gmail.com
        <mailto:Sim3159@gmail.com>
        <mailto:Sim3159@gmail.com <mailto:Sim3159@gmail.com>>> wrote:

            Hi All,

            I am playing with access controls on openldap 2.4.26, I have a
        user with
            search access on everything

            access to *
                     by anonymous auth
                     by dn="uid=102,ou=system,dc=__example,dc=com" search

            And when I perform search I get nothing

            ldapsearch -H "ldap://testldap:389"; -D
        "uid=102,ou=system,dc=example,__dc=com" -b "ou=users,dc=example,dc=com" -x
            -W '(uid=1)' mail cn dn

            Enter LDAP Password:
            # extended LDIF
            #
            # LDAPv3
            # base <ou=users,dc=example,dc=com> with scope subtree
            # filter: (uid=1)
            # requesting: mail cn dn
            #

            # search result
            search: 2
            result: 0 Success

            # numResponses: 1

            so I get a success but no value, is it a valid response?


    Yes, it's a valid response. You haven't given Read access to anything, so
    no values can be returned. But the search base existed and you had search
    access to it, so the search request succeeded.


        I want to control
            access so that the "uid=102" user can do lookup from given
        attributes but
            can not do (objectClass=*) to get a list of every entry in the ldap.

            Thanks for the help


        Other way of stating my problem is I want to control query filters on the
        server side so the user with "uid=102" can only do query using filter
        (uid=.+)
        ,  all other filters should be restricted. I tried this regular
        expression but
        getting no such object error.


    It seems to me that what you want cannot be done. You need Read access in
    order to retrieve any values. Read access includes Search access. So if
    you are able to read the value of an attribute, you are allowed to Search
    for it as well.

Thanks for the response, just wondering how can one prevent ldap injections
from the server side?
In my scenario there will be different systems talking to server and how can I
prevent them from getting list of users by doing simple query? I am using uid
as login id and this uid is not part of DN (because it can change and I need
the DN in different ldap groups), so for normal authentication these systems
need to know respective DN from given uid. Thats why I give read privilege to
a system account, all anonymous users have auth privilege only. Am I missing
something here?

Thanks again for the help and support.

Perhaps just configuring a sizelimit for those servers' IDs will be sufficient for your goal.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/