access directive
- To: openldap-technical@openldap.org
- Subject: access directive
- From: Friedrich Locke <friedrich.locke@gmail.com>
- Date: Mon, 7 Jan 2013 13:21:23 -0200
Hi folks,
I have just installed OpenLDAP and I am having trouble understanding the access directive.
I have 6 access rules:
################################################################################
# access definition on ou=people,dc=ufv,dc=br
################################################################################
access to dn. attrs=userPassword
by self read
by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
by anonymous auth
by * none
access to dn. attrs=uid,homeDirectory
by self read
by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
access to dn. attrs=cn,uidNumber,gidNumber,loginShell,gecos,description
by self read
by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
access to dn. attrs=mail,mailMessageStore,mailAlternateAddress,qmailUID,qmailGID,mailHost,mailForwardingAddress,deliveryProgramPath,qmailDotMode,deliveryMode,mailReplyText,accountStatus,qmailAccountPurge,mailQuotaSize,mailQuotaCount,mailSizeMax
by self read
by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
access to dn.>
by self read
by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
access to dn.base="ou=people,dc=ufv,dc=br"
by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
I have some rules, as you can see, giving access to certain attributes of anything below (one level) ou=people,dc=ufv,dc=br. I have another rule giving access to everything on the same level; this is the 5th rule.
Everything works ok, for instance:
sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
SASL/GSSAPI authentication started
SASL username: sioux@UFV.BR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree
# filter: (objectclass=*)
# requesting: homedirectory
#
# sioux, people, ufv.br
dn: uid=sioux,ou=people,dc=ufv,dc=br
homeDirectory: /home/sioux
# search result
search: 5
result: 0 Success
# numResponses: 2
# numEntries: 1
sioux@gustav$
But if I comment out the 5th rule (I keep the others, giving access to the homeDirectory attribute), it does not work:
sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
SASL/GSSAPI authentication started
SASL username: sioux@UFV.BR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree
# filter: (objectclass=*)
# requesting: homedirectory
#
# search result
search: 5
result: 32 No such object
# numResponses: 1
sioux@gustav$
Does anybody here know why?
Thanks in advance.
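The result the poster sees follows from how slapd evaluates access directives: directives are tried in order, the first "access to" clause whose target matches is the only one consulted, and a search needs search access to the base entry's "entry" pseudo-attribute before slapd will even acknowledge the entry exists. Rules 1 to 4 carry "attrs=" lists that never name "entry", so the 5th rule (no "attrs=", hence the whole entry) is the only one granting it; once it is commented out no directive matches, access is denied, and slapd answers noSuchObject (32) rather than disclosing that the entry is there. The Python model below is an added illustration, not OpenLDAP code and not from the poster; it assumes the garbled "dn." clauses of rules 1 to 5 were dn.one="ou=people,dc=ufv,dc=br" (the post says "one level below"), uses a constructed sample entry, and also shows a narrower replacement for rule 5 that grants only the "entry" pseudo-attribute instead of every attribute.

```python
"""Toy model of slapd ACL evaluation (added illustration, not OpenLDAP code).

Only the behaviour needed to explain the post is modelled:
  * directives are tried in order; the first 'access to' whose target matches
    the (entry DN, attribute) pair is used and no later directive is consulted;
  * inside it, the first matching 'by' clause decides; no match means 'none';
  * if no directive matches at all, access is denied;
  * a base search needs 'search' on the base entry's 'entry' pseudo-attribute,
    which an 'attrs=' list never covers unless it names 'entry' explicitly.
"""

# slapd privilege ordering: a granted level implies every level to its left
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

PEOPLE = "ou=people,dc=ufv,dc=br"
MAIL = "cn=mail,ou=appsrv,dc=ufv,dc=br"
YPLDAP = "cn=ypldap,ou=appsrv,dc=ufv,dc=br"
SIOUX = "uid=sioux,ou=people,dc=ufv,dc=br"
# constructed sample entry, not data from the post
SIOUX_ENTRY = {"homeDirectory": "/home/sioux", "userPassword": "{SSHA}constructed"}


def _parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def _who_matches(who, requester, target_dn):
    """'by <who>' clause: '*', 'anonymous', 'self' or a literal dn.base."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False
    if who == "self":
        return requester.lower() == target_dn.lower()
    return who.lower() == requester.lower()


class Rule:
    """One 'access to dn.<scope>=<base> [attrs=...] by ...' directive."""

    def __init__(self, scope, base, attrs, by):
        self.scope = scope            # "one" (children only) or "base" (that entry only)
        self.base = base.lower()
        # None means no attrs= list: the whole entry, 'entry' pseudo-attribute included
        self.attrs = {a.lower() for a in attrs} if attrs else None
        self.by = by                  # ordered list of (who, level)

    def matches_target(self, dn, attr):
        dn = dn.lower()
        if self.scope == "base" and dn != self.base:
            return False
        if self.scope == "one" and _parent(dn) != self.base:
            return False
        return self.attrs is None or attr.lower() in self.attrs

    def level_for(self, requester, target_dn):
        for who, level in self.by:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"                 # implicit 'by * none'


def access_level(rules, requester, target_dn, attr):
    for rule in rules:
        if rule.matches_target(target_dn, attr):
            return rule.level_for(requester, target_dn)   # first match wins
    return "none"                                         # nothing matched: denied


def allowed(rules, requester, target_dn, attr, needed):
    return LEVELS.index(access_level(rules, requester, target_dn, attr)) >= LEVELS.index(needed)


def ldapsearch(rules, requester, base_dn, entry, requested):
    """Model of `ldapsearch -b <base_dn> <attrs>` against a single entry.
    Returns (resultCode, attributes the requester is allowed to see)."""
    if not allowed(rules, requester, base_dn, "entry", "search"):
        return 32, {}                 # noSuchObject: existence is not disclosed
    if not allowed(rules, requester, base_dn, "entry", "read"):
        return 0, {}                  # found, but the entry itself is not returned
    wanted = {a.lower() for a in requested}
    visible = {a: v for a, v in entry.items()
               if a.lower() in wanted and allowed(rules, requester, base_dn, a, "read")}
    return 0, visible


# The poster's six rules, assuming dn.one for rules 1-5 (scope garbled in the post).
RULE5 = Rule("one", PEOPLE, None, [("self", "read"), (YPLDAP, "read"), (MAIL, "read")])
RULES = [
    Rule("one", PEOPLE, ["userPassword"],
         [("self", "read"), (MAIL, "read"), ("anonymous", "auth"), ("*", "none")]),
    Rule("one", PEOPLE, ["uid", "homeDirectory"],
         [("self", "read"), (MAIL, "read"), (YPLDAP, "read")]),
    Rule("one", PEOPLE, ["cn", "uidNumber", "gidNumber", "loginShell", "gecos", "description"],
         [("self", "read"), (YPLDAP, "read")]),
    Rule("one", PEOPLE, ["mail", "mailMessageStore", "mailAlternateAddress", "qmailUID", "qmailGID",
                         "mailHost", "mailForwardingAddress", "deliveryProgramPath", "qmailDotMode",
                         "deliveryMode", "mailReplyText", "accountStatus", "qmailAccountPurge",
                         "mailQuotaSize", "mailQuotaCount", "mailSizeMax"],
         [("self", "read"), (MAIL, "read")]),
    RULE5,
    Rule("base", PEOPLE, None, [(YPLDAP, "read"), (MAIL, "read")]),
]


def with_rule5():
    return ldapsearch(RULES, SIOUX, SIOUX, SIOUX_ENTRY, ["homedirectory"])


def without_rule5():
    """Rule 5 commented out: no directive grants 'entry', so the base is hidden."""
    return ldapsearch([r for r in RULES if r is not RULE5], SIOUX, SIOUX, SIOUX_ENTRY, ["homedirectory"])


def with_entry_rule():
    """Least-privilege alternative to rule 5: grant only the 'entry' pseudo-attribute."""
    narrow = Rule("one", PEOPLE, ["entry"], [("self", "read"), (YPLDAP, "read"), (MAIL, "read")])
    rules = [narrow if r is RULE5 else r for r in RULES]
    return ldapsearch(rules, SIOUX, SIOUX, SIOUX_ENTRY, ["homedirectory"])


if __name__ == "__main__":
    print("with rule 5:      ", with_rule5())
    print("without rule 5:   ", without_rule5())
    print("attrs=entry rule: ", with_entry_rule())
```

The model also shows why ordering matters: rule 1 is the first directive that matches userPassword, so cn=ypldap gets "none" on it even though the broader rule 5 would have granted read, and anonymous gets only "auth" (enough for a bind, not for reading the hash). The attrs=entry variant keeps the base search working while leaving every other attribute governed by the narrower per-attribute rules.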