
Re: help with ACL



Please excuse the verbose email.

> At 11:22 AM 10/26/99 -0600, Giri Raichur wrote:
> >> access to dn=".*,o=Los Alamos National Laboratory,c=US"
> >>         by dn="^$$" none
> >>         by dn=".*,o=Los Alamos National Laboratory,c=US" read
> >>         by *    none
> >Thank you. However, I am still confused about the default access line in
> >the access list.
> >should that be included in the access list or is "by * none" in the
> >access clause sufficient.
>
> by * none does match everything and hence you could drop the first
> who clause.  However, I doubt this is your problem.  It appears the
> implicit, last ACL:
>
>         access to * by * default
>
> rule is being applied (where default is whatever you set default
> access to).
>
> I suspect a DN mismatch (your entries/targets are not under
> "o=Los Alamos National Laboratory,c=US") or that you are not accessing
> the directory in a manner consistent with the ACLs.
>
> Is this your only ACL?  If not, provide the complete list.

Yes this is my only ACL.

>
>
> >When I type "defaultaccess none" above the access clause, all searches
> >fail.
>
> Duplicate the problem using ldapsearch.  Post a copy of the exact
> command line issued and the results.
>
> You might also peek at the log files to see if it offers any hints.
> You might enable ARGS, TRACE, and ACL debugging as well.  This will
> generate a huge amount of output.
>

ldapsearch cn=giri*

The debug output:

new connection on 8
activity on:
listening for connections on 7, activity on: 8r
before select active_threads 0
select activity on 1 descriptors
activity on: 8r
read activity on 8
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf 0x8099bc8, ptr 0x8099bc8, end 0x8099bd4
          current len 12, contents:
        02 01 01  ` 07 02 01 02 04 00 80 00
do_bind
do_bind: version 2 dn () method 128
send_ldap_result 0::
ber_flush: 14 bytes to sd 8
         0 0c 02 01 01  a 07 0a 01 00 04 00 04 00
listening for connections on 7, activity on: 8r
before select active_threads 0
select activity on 1 descriptors
activity on: 8r
read activity on 8
ber_get_next
ber_get_next: tag 0x30 len 38 contents:
ber_dump: buf 0x807b938, ptr 0x807b938, end 0x807b95e
          current len 38, contents:
        02 01 02  c  ! 04 00 0a 01 02 0a 01 00 02 01 00
        02 01 00 01 01 00 a4 0c 04 02  c  n  0 06 80 04
         g  i  r  i  0 00
do_search
SRCH "" 2 0    0 0 0
begin get_filter
SUBSTRINGS
begin get_substring_filter
  INITIAL
end get_substring_filter
end get_filter 0
    filter: (cn=GIRI*)
    attrs:
=> ldbm_back_search
using base ""
subtree_candidates: base: "" lookupbase
=> filter_candidates
        OR
=> list_candidates 0xa1
=> filter_candidates
        EQUALITY
=> ava_candidates 0xa3
=> index_read( "objectclass" "=" "REFERRAL" )
=> ldbm_cache_open( "/usr/local/lib/openldap/objectclass.dbb", 66, 600 )
<= ldbm_cache_open (cache 0)
<= index_read 0 candidates
<= ava_candidates 0
<= filter_candidates 0
=> filter_candidates
        SUBSTRINGS
=> substring_candidates
=> substring_comp_candidates
=> index_read( "cn" "*" "^GI" )
=> ldbm_cache_open( "/usr/local/lib/openldap/cn.dbb", 66, 600 )
<= ldbm_cache_open (cache 1)
<= index_read 79 candidates
=> index_read( "cn" "*" "GIR" )
=> ldbm_cache_open( "/usr/local/lib/openldap/cn.dbb", 66, 600 )
<= ldbm_cache_open (cache 1)
<= index_read 14 candidates
=> index_read( "cn" "*" "IRI" )
=> ldbm_cache_open( "/usr/local/lib/openldap/cn.dbb", 66, 600 )
<= ldbm_cache_open (cache 1)
<= index_read 21 candidates
<= substring_comp_candidates 1
<= substring_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
=> id2entry_r( 55945 )
====> cache_find_entry_dn2id: found id: 55945 rw: 0
entry_rdwr_rtrylock: ID: 55945
<= id2entry_r 0x8099a18 (cache)
=> test_filter
    SUBSTRINGS
begin test_substring_filter

=> access_allowed: entry (x-pid=12128, o=Los Alamos National Laboratory, c=US) attr (cn)

=> acl_get: entry (x-pid=12128, o=Los Alamos National Laboratory, c=US) attr (cn)
=> acl_get: edn X-PID=12128,O=LOS ALAMOS NATIONAL LABORATORY,C=US
=> dnpat: [1] .*,O=LOS ALAMOS NATIONAL LABORATORY,C=US nsub: 0
=> acl_get: [1] global ACL match
=> acl_get: [1] check attr
<= acl_get: [1] global acl x-pid=12128, o=Los Alamos National Laboratory, c=US attr: cn

=> acl_access_allowed: search access to entry "x-pid=12128, o=Los Alamos National Laboratory, c=US"

=> acl_access_allowed: search access to value "any" by ""
<= check a_dnpat: ^$$
=> string_expand: pattern:  ^$$
=> string_expand: expanded: ^$
=> regex_matches: string:
=> regex_matches: rc: 0 matches
<= acl_access_allowed: matched by clause #1 access denied

=> access_allowed: exit (x-pid=12128, o=Los Alamos National Laboratory, c=US) attr (cn)
<= test_filter -2
====> cache_return_entry_r
entry_rdwr_runlock: ID: 55945
listening for connections on 7, activity on: 8r
before select active_threads 1
send_ldap_result 0::
ber_flush: 14 bytes to sd 8
         0 0c 02 01 02  e 07 0a 01 00 04 00 04 00
select activity on 1 descriptors
activity on: 8r
read activity on 8
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf 0x8099bc8, ptr 0x8099bc8, end 0x8099bcd
          current len 5, contents:
        02 01 03  B 00
do_unbind
listening for connections on 7, activity on:
before select active_threads 0

Looks like the regex matches the null bind entry

Thanks.
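The following Python is an added example, not code from this thread or from OpenLDAP. It models the ACL evaluation the debug output above walks through: the entry DN is matched against the regex in `access to dn="..."`, each `by dn="..."` pattern is run through string_expand (`$$` becomes a literal `$`, `$N` a back-reference into the target match) and matched against the bind DN, the first matching `by` clause decides, and when no stanza matches the entry the `defaultaccess` setting applies. DN comparison is case-insensitive and the patterns are matched as unanchored searches, like POSIX regexec(). The ACL and the entry DN are the ones quoted in the thread; the bind DNs other than the anonymous (empty) one are constructed for illustration, and the stanza-matched-but-no-clause-matched case is modelled as a denial, which is my reading of slapd's behaviour rather than something the log shows.

```python
"""Toy model of slapd (OpenLDAP 1.x) 'access to ... by ...' evaluation.

Added example, not OpenLDAP code. It reproduces only what the quoted debug
output shows: target-DN regex match, string_expand of the 'by dn' pattern,
first-matching-clause-wins, and the implicit defaultaccess rule.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# slapd 1.x access levels, least to most privileged
LEVELS = ["none", "compare", "search", "read", "write"]


def has_access(granted: str, needed: str) -> bool:
    """A granted level covers every level at or below it."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class ByClause:
    who: str      # "*", "self", or the regex from by dn="..."
    access: str


@dataclass
class AccessStanza:
    target: str   # "*" or the regex from access to dn="..."
    clauses: List[ByClause]


def normalize_dn(dn: str) -> str:
    """Drop whitespace after commas, as slapd does before comparing DNs."""
    return re.sub(r",\s+", ",", dn.strip())


def string_expand(pattern: str, target_match: Optional[re.Match]) -> str:
    """'$$' -> literal '$'; '$N' -> group N of the access-to match ('' if absent)."""
    def repl(m: re.Match) -> str:
        tok = m.group(1)
        if tok == "$":
            return "$"
        n = int(tok)
        if target_match is not None and n <= target_match.re.groups:
            return target_match.group(n)
        return ""
    return re.sub(r"\$(\$|\d)", repl, pattern)


def evaluate(acls: List[AccessStanza], default_access: str,
             entry_dn: str, bind_dn: str, needed: str) -> Tuple[bool, str]:
    """Return (allowed, which rule decided). bind_dn == "" is an anonymous bind."""
    edn, bdn = normalize_dn(entry_dn), normalize_dn(bind_dn)
    for stanza in acls:
        tmatch = None
        if stanza.target != "*":
            # unanchored, case-insensitive, like regexec() with REG_ICASE
            tmatch = re.search(stanza.target, edn, re.IGNORECASE)
            if tmatch is None:
                continue                      # stanza is not about this entry
        for i, clause in enumerate(stanza.clauses, start=1):
            if clause.who == "*":
                matched = True
            elif clause.who == "self":
                matched = bdn.lower() == edn.lower()
            else:
                pat = string_expand(clause.who, tmatch)
                matched = re.search(pat, bdn, re.IGNORECASE) is not None
            if matched:                       # first matching 'by' clause wins
                return has_access(clause.access, needed), f"clause #{i} ({clause.access})"
        # assumption: a matched stanza with no matching 'by' clause denies
        return False, "stanza matched but no 'by' clause did: denied"
    # no stanza matched: the implicit 'access to * by * <defaultaccess>' rule
    return has_access(default_access, needed), f"no matching stanza, defaultaccess {default_access}"


# The ACL quoted in the thread, with defaultaccess none
ACL = [AccessStanza(
    target=r".*,o=Los Alamos National Laboratory,c=US",
    clauses=[ByClause(r"^$$", "none"),
             ByClause(r".*,o=Los Alamos National Laboratory,c=US", "read"),
             ByClause("*", "none")])]
DEFAULT_ACCESS = "none"
ENTRY = "x-pid=12128, o=Los Alamos National Laboratory, c=US"   # entry DN from the log


def search_as(bind_dn: str) -> Tuple[bool, str]:
    """Does this bind DN get 'search' access to cn on the logged entry?"""
    return evaluate(ACL, DEFAULT_ACCESS, ENTRY, bind_dn, "search")


if __name__ == "__main__":
    for who in ["",                                                  # anonymous, as in the log
                "cn=giri, o=Los Alamos National Laboratory, c=US",  # constructed
                "cn=someone, o=Elsewhere, c=US",                     # constructed
                "cn=x,o=Los Alamos National Laboratory,c=US,o=Elsewhere"]:  # constructed
        print(repr(who), "->", search_as(who))
```

With the anonymous bind the filter test on cn is refused by clause #1, so the entry is silently dropped and the search completes with result 0 and no entries, which is the symptom in the log. Binding as an entry under the organisation (ldapsearch -D binddn -w passwd) reaches clause #2 instead. The last constructed DN also shows why unanchored patterns deserve care: a bind DN that merely contains the organisation's suffix still satisfies the `read` clause, whereas anchoring the pattern with `^` and `$` would not let it through.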