Jacques Foucry wrote:
> On 30/05/2013 16:50, Dan White wrote:
> Hello Dan,
>
>> Does ldapsearch work using the same credentials?
>
> Definitely no.
>
> It works with the rootdn:
>
> ldapsearch -x -D cn=admin,dc=example,dc=com -W
>
> but it did not work with a user. Sounds like an ACL issue.
>
> Here is my ACL
>
> access to attrs=userPassword
>     by self write
>     by dn="cn=syncuser,dc=example,dc=com" read
>     by anonymous auth
>     by * none
>
> access to attrs=userPassword
>     by self write
>     by anonymous auth
>     by * none

Do you really have two clauses for 'userPassword'? Why?

You can find some ACL recipes in the FAQ:
http://www.openldap.org/faq/data/cache/189.html

Also see man page slapd.access(5):
http://www.openldap.org/software/man.cgi?query=slapd.access

I'd just go for:

access to attrs=userPassword
    by self write
    by dn="cn=syncuser,dc=example,dc=com" read
    by * auth

Ciao, Michael.
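
Added example, not part of the original messages and not OpenLDAP code: a small Python model of the evaluation order documented in slapd.access(5), run over the two ACLs quoted in this thread, to show which clause decides for each bind identity. The alice and bob DNs are constructed for the example, and the model compares DNs as plain strings, a simplification.

```python
# Simplified model of slapd.access(5) evaluation order (not slapd's own code):
# the first "access to" clause whose <what> matches is used, and inside it the
# first matching "by <who>" decides; an exhausted clause ends in "by * none".
ORIGINAL = """
access to attrs=userPassword
  by self write
  by dn="cn=syncuser,dc=example,dc=com" read
  by anonymous auth
  by * none
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
"""
SUGGESTED = """
access to attrs=userPassword
  by self write
  by dn="cn=syncuser,dc=example,dc=com" read
  by * auth
"""

def parse_acl(text):
    """Turn 'access to attrs=<attr>' / 'by <who> <level>' lines into clauses."""
    clauses = []
    for words in (line.split() for line in text.strip().splitlines()):
        if words[:2] == ["access", "to"]:
            clauses.append((words[2].split("=", 1)[1], []))
        elif words[:1] == ["by"]:
            clauses[-1][1].append((words[1], words[2]))
    return clauses

def who_matches(who, bind_dn, entry_dn):
    if who.startswith("dn="):
        return bind_dn == who[3:].strip('"')
    return {"*": True, "anonymous": bind_dn is None,
            "self": bind_dn is not None and bind_dn == entry_dn}.get(who, False)

def evaluate(clauses, bind_dn, entry_dn, attr="userPassword"):
    """Return (index of the clause that decided, granted level)."""
    for i, (what, bys) in enumerate(clauses):
        if what == attr:
            for who, level in bys:
                if who_matches(who, bind_dn, entry_dn):
                    return i, level
            return i, "none"  # implicit "by * none"
    return None, "none"

if __name__ == "__main__":  # constructed identities; None is an anonymous bind
    for who in ("uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com", None):
        print(who, evaluate(parse_acl(ORIGINAL), who, "uid=alice,dc=example,dc=com"))
```

In this model the second userPassword clause never decides for any identity, and the only difference between the two ACLs is that an authenticated non-owner gets "auth" instead of "none".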