
RE: ACL : ldap_bind: Insufficient access (50)



Before being authenticated, you are anonymous
to be the "self" of your acl you need to authenticate yourself
to authenticate you need to access the userPassword attribute of your entry
with "auth" access
but as your ACL says, anonymous has no access to the userPassword attribute of
any entry
so anonymous can't do authentication
so you can't authenticate yourself
so you can't be the "self" of any entry
only "self" has access to any data in your directory
so you can't access your entry

you need to add "by anonymous auth" in your acl

regards

Francois

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On behalf of
> kader.seddak@bull.net
> Sent: Thursday, June 26, 2003 16:06
> To: openldap-software@OpenLDAP.org
> Subject: ACL : ldap_bind: Insufficient access (50)
>
>
>
> Hello,
> in my slapd.conf, I wrote this ACL to allow each entry to access
> its own
> entry:
>
> access to *
>         by self write
>
>
> and when I make a search in my database with this command, I get this
> error:
> ./ldapsearch -h "HOST" -p PORT -D
> "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" -W -b
> "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" "(objectclass=*)"
> Enter LDAP Password:
> ldap_bind: Insufficient access (50)
>
>
> slapd debug with -d 255 :
>
> >>> dnPrettyNormal: <uid=lpfadmin,ou=LpfAdministrators,o=lpfroot>
> => ldap_bv2dn(uid=lpfadmin,ou=LpfAdministrators,o=lpfroot,0)
> <= ldap_bv2dn(uid=lpfadmin,ou=LpfAdministrators,o=lpfroot,0)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=lpfadmin,ou=LpfAdministrators,o=lpfroot,272)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=lpfadmin,ou=lpfadministrators,o=lpfroot,272)=0
> <<< dnPrettyNormal:
> <uid=lpfadmin,ou=LpfAdministrators,o=lpfroot>,
> <uid=lpfadmin,ou=lpfadministrators,o=lpfroot>
> do_bind: version=3
> dn="uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" method=128
> ==> bdb_bind: dn: uid=lpfadmin,ou=LpfAdministrators,o=lpfroot
> bdb_dn2entry_rw("uid=lpfadmin,ou=lpfadministrators,o=lpfroot")
> => bdb_dn2id_matched( "uid=lpfadmin,ou=lpfadministrators,o=lpfroot" )
> <= bdb_dn2id_matched: id=0x00000018: entry
> uid=lpfadmin,ou=lpfadministrators,o=lpfroot
> entry_decode: "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot"
> <= entry_decode(uid=lpfadmin,ou=LpfAdministrators,o=lpfroot)
> => access_allowed: auth access to
> "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot" "userPassword" requested
> => acl_get: [1] check attr userPassword
> <= acl_get: [1] acl uid=lpfadmin,ou=LpfAdministrators,o=lpfroot
> attr: userPassword
> => acl_mask: access to entry
> "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot", attr
> "userPassword" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: self
> <= acl_mask: no more <who> clauses, returning =n (stop)
> => access_allowed: auth access denied by =n
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=50 matched="" text=""
> send_ldap_response: msgid=1 tag=97 err=50
> ber_flush: 14 bytes to sd 16
>
> Thanks in advance
>
>
>
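
The chain of reasoning in the reply, as an added example that is not part of the original messages and is not OpenLDAP code: a simplified Python model of how slapd walks the `by` clauses of the single `access to *` directive during a simple bind. The function names, the reduced set of `<who>` values and the case-insensitive DN comparison are assumptions of this sketch.

```python
# Added example: simplified model of slapd <who> clause evaluation (not OpenLDAP code).
# Access levels in increasing order; each level implies the ones before it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, bound_dn, target_dn):
    """Return True if a <who> clause applies to the requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None              # nobody has authenticated yet
    if who == "users":
        return bound_dn is not None
    if who == "self":
        # Assumption: lower-casing stands in for real DN normalization.
        return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")

def granted_level(by_clauses, bound_dn, target_dn):
    """First matching clause wins; running out of clauses acts as 'by * none'."""
    for who, level in by_clauses:
        if who_matches(who, bound_dn, target_dn):
            return level
    return "none"

def access_allowed(by_clauses, bound_dn, target_dn, requested):
    got = granted_level(by_clauses, bound_dn, target_dn)
    return LEVELS.index(got) >= LEVELS.index(requested)

def simple_bind(by_clauses, target_dn):
    """The bind request arrives as anonymous and needs 'auth' on userPassword.
    Returns the LDAP result code: 0 (success) or 50 (insufficient access).
    Password comparison is left out; only the ACL step is modelled."""
    return 0 if access_allowed(by_clauses, None, target_dn, "auth") else 50

DN = "uid=lpfadmin,ou=LpfAdministrators,o=lpfroot"   # DN from the thread
ORIGINAL = [("self", "write")]                        # access to * by self write
FIXED = [("self", "write"), ("anonymous", "auth")]    # plus: by anonymous auth

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "| bind result:", simple_bind(acl, DN),
              "| anonymous read:", access_allowed(acl, None, DN, "read"),
              "| self write after bind:", access_allowed(acl, DN, DN, "write"))
```

With the added clause, anonymous gets only `auth`: the bind can proceed, but an unauthenticated client still cannot read or search any entry.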