Re: Possible ACL Issue while try to read Root DSE
On 29.11.2011 10:10, Ondrej Kuznik wrote:
On 11/29/2011 09:13 AM, Axel Birndt wrote:
You should expect a response exactly like this (unless your database
suffix is set to ""):
ldapsearch -x -D "" -s base -b "" -h localhost
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Most likely you'll need to put something like
this as the very first rule there:
olcAccess: {0}to dn.base="" by * read
Ok, thanks for your really quick help. I set the rule from above and got
the following result:
ldapsearch -x -h localhost -b "" -s base +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#
#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=2axels-company,dc=de
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
entryDN:
subschemaSubentry: cn=Subschema
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Yeah!! This looks much better!
At least, of course. Some of the other ACL statements you listed in
olcDatabase={1}hdb,cn=config should also be under
olcDatabase={-1}frontend,cn=config to allow access to the schema.
This is the next step, give me some time.
Thanks @All for your mind and time ;-)
--
Regards, Axel
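
To re-check the effect of a rule such as `olcAccess: {0}to dn.base="" by * read` after each ACL change, the ldapsearch output can be classified by a small filter. This is an added example, not part of the original thread: the helper names `classify_rootdse` and `rootdse_values` are hypothetical, the sample data is constructed (abridged from the output quoted above), and the `no-entry` case assumes a search that finishes with result 0 but returns no entry.

```shell
#!/bin/sh
# Added example: classify_rootdse and rootdse_values are hypothetical helper names.

# Reads `ldapsearch -x -h HOST -b "" -s base +` output on stdin and prints:
#   readable   - entry returned with namingContexts (this bind can read the root DSE)
#   partial    - entry returned without namingContexts (e.g. "+" was not requested)
#   no-entry   - search finished with result 0 but returned no entry
#   error:N    - LDAP result code N was non-zero
#   no-result  - input holds no "result:" line at all
classify_rootdse() {
    awk '
        /^result: /         { code = $2; seen = 1 }
        /^# numEntries: /   { entries = $3 }
        /^namingContexts: / { ctx++ }
        END {
            if (!seen)            { print "no-result"; exit }
            if (code != 0)        { print "error:" code; exit }
            if (entries + 0 == 0) { print "no-entry"; exit }
            print (ctx > 0 ? "readable" : "partial")
        }'
}

# Prints every value of one attribute, e.g. supportedSASLMechanisms.
rootdse_values() {
    awk -v attr="$1" -F': ' '$1 == attr { print $2 }'
}

# Constructed sample: abridged from the successful output quoted in the message.
sample_readable() {
    cat <<'EOF'
dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=2axels-company,dc=de
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
EOF
}

# Constructed sample: a search that returns no entry.
sample_no_entry() {
    printf '%s\n' '# search result' 'search: 2' 'result: 0 Success' '# numResponses: 1'
}

sample_readable | classify_rootdse      # prints: readable
```

Against a live server, pipe the real command into the filter, for example `ldapsearch -x -h localhost -b "" -s base + | classify_rootdse`.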