
Re: Problems with access directive



Hi Tim,

Remember that the access directives are applied from the beginning of your slapd.conf down to the end, and whichever matches first is applied. So if the "access to" below happens to be the first one applied, then access gets restricted according to this "access to" directive.

If for a DN you want to give full access, then you need to have an "access to" directive before this one which opens everything. But do not forget that potentially everybody needs to have auth access to the entire directory in order to get a higher access right class.

If you apply the "access to" below to a user who has identified himself against the directory (i.e. who is a "user"), then this one will have no access to anything (by * none), because he belongs neither to self nor to anonymous.


suomi


Timothy R. Robnett wrote:

As the subject line alludes to, I am having difficulty with the access
directive. Bottom line is this: if I place any access directive into
my slapd.conf file I can no longer browse the directory. For example,
the following directive causes me to no longer see the attributes of
the base DN or anything else for that matter.

access to dn.subtree="dc=ca,dc=myrealdomain,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none

Here is the output from the logfile, starting from right after I made
the change, restarted the service and attached to the LDAP service:

slapd[20313]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
slapd[20313]: bdb_db_init: Initializing BDB database
slapd[20314]: slapd starting
slapd[20314]: => access_allowed: search access to "" "objectClass" requested
slapd[20314]: => acl_get: [1] check attr objectClass
slapd[20314]: <= acl_get: [1] acl attr: objectClass
slapd[20314]: => acl_mask: access to entry "", attr "objectClass" requested
slapd[20314]: => acl_mask: to all values by "", (=n)
slapd[20314]: <= check a_dn_pat: self
slapd[20314]: <= check a_dn_pat: users
slapd[20314]: <= check a_dn_pat: anonymous
slapd[20314]: <= acl_mask: [3] applying auth(=x) (stop)
slapd[20314]: <= acl_mask: [3] mask: auth(=x)
slapd[20314]: => access_allowed: search access denied by auth(=x)

OS is RedHat ver. 9
OpenLDAP is ver. 2.1.22

This is a very vanilla install; there is no TLS, SASL or other obvious factors complicating this matter. Thanks in advance
for any help.
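As an added illustration of the first-match behaviour suomi describes, applied to the directive Timothy posted (this is example configuration written for this page, not a snippet from either poster): a two-rule slapd.conf ACL set that keeps userPassword locked down while making the rest of the subtree readable. The suffix dc=ca,dc=myrealdomain,dc=com is the one from the post; the cn=admin DN is an assumed placeholder for whatever account should be allowed to write.

```conf
# Added example, not from the thread. Assumes the suffix from the post and
# a hypothetical cn=admin entry; adjust both to your directory.
#
# slapd evaluates "access to" directives from the top of slapd.conf down
# and stops at the first one whose target (dn/attrs) matches the request;
# inside that directive the first matching "by" clause decides the access.
# Order therefore goes from most specific target to least specific.

# 1. Most specific target first: only the userPassword attribute.
#    - anonymous gets auth so a simple bind can verify the password
#    - the entry's owner (self) may change its own password
#    - nobody else, authenticated or not, can read it
access to dn.subtree="dc=ca,dc=myrealdomain,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Everything else under the same subtree. The rule above matches
#    userPassword only, so without this rule no other attribute is
#    granted any access and a search returns nothing, which is the
#    symptom in the original post.
access to dn.subtree="dc=ca,dc=myrealdomain,dc=com"
        by dn.exact="cn=admin,dc=ca,dc=myrealdomain,dc=com" write
        by users read
        by anonymous read
        by * none
```

Keep the order as shown: if the broad rule 2 were placed above rule 1, it would match userPassword as well, the password rule would never be consulted, and every reader of the tree would be able to read password hashes. After restarting slapd, an anonymous `ldapsearch -x -b dc=ca,dc=myrealdomain,dc=com` should return entries with every attribute except userPassword, and a bind as a user under that suffix should still succeed.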