[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: slapd.conf - acl question
ok but you probably need at least search access to the base of the tree.
Try one or both of these:
# allows access to rootDSE (capabilities of server)
access to dn=""
by peername=127.0.0.1 read
by peername=a.b.c.* read
by any other restriction you want here
by * none
# allows access to the base dn
access to dn.base="dc=gpc,dc=edu"
by peername=127.0.0.1 read
by peername=a.b.c.* read
by any other restriction you want here
by * none
to see what these are, allow read access to everything and perform the
following searches:
ldapsearch [-xZ] -H ldap://<your host>/ -b "" -s base
ldapsearch [-xZ] -H ldap://<your host>/ -b <your base> -s base
where a.b.c.* is your ip domain. note this is read access but search
*may* be enough. Ethereal is very useful for discovering exactly what
your client is asking.
hth
GREG
On Wed, 2003-09-17 at 20:32, Douglas B. Jones wrote:
> Hi,
>
> Ok, I did:
>
> access to dn.base="uid=douglas,dc=gpc,dc=edu"
> attrs=uid,sn
> by self write
> by * read
>
> but no luck. All I am trying to do is set up the most basic
> access to be able to read one or two attributes and then once
> that works to build from there....But, I do not want 'read *'.
>
> Thanks,
> Cheers,
> Douglas
>
> -----Original Message-----
> From: Greg Matthews [mailto:gmatt@nerc.ac.uk]
> Sent: Wednesday, September 17, 2003 10:56 AM
> To: Douglas B. Jones
> Cc: OpenLDAP-software@OpenLDAP.org
> Subject: RE: slapd.conf - acl question
>
>
> On Wed, 2003-09-17 at 13:53, Douglas B. Jones wrote:
>
> >
> > access to attrs=uid,sn
> > by self write
> > by users read
> > by anonymous read
>
> I think you have to allow access to the entry that contains these
> attributes...
>
> >
> > If I do a 'ldapsearch -LLL '(uid=douglas)' sn', I get nothing back
> > with an exit status of 0. Here is the log file with loglevel set at
> > 128 (minus the date pid stamp):
> >
> > => access_allowed: search access to "uid=douglas,dc=gpc,dc=edu" "sn"
> > requested
> > => acl_get: [1] check attr sn
> > <= acl_get: [1] acl uid=douglas,dc=gpc,dc=edu attr: sn
> > => acl_mask: access to entry "uid=douglas,dc=gpc,dc=edu", attr "sn"
> > requested
> > => acl_mask: to value by "", (=n)
> > <= check a_dn_pat: self
> > <= check a_dn_pat: users
> > <= check a_dn_pat: anonymous
> > <= acl_mask: [3] applying read(=rscx) (stop)
> > <= acl_mask: [3] mask: read(=rscx)
> > => access_allowed: search access granted by read(=rscx)
> > => access_allowed: read access to "uid=douglas,dc=gpc,dc=edu" "entry"
> > requested
> > => acl_get: [1] check attr entry
> > <= acl_get: done.
> > => access_allowed: no more rules send_search_entry: access to entry not
> > allowed
>
> the server has allowed you to search for that attribute but has no
> access directives to allow you to read the entry. (as I understand it).
>
> this might be what you want:
> access to dn.base="uid=douglas,dc=gpc,dc=edu" attrs=uid,sn
> by self write
> by * read
>
> The man pages in the latest versions of openldap (ie not the redhat
> 2.0.x version) are pretty good - slapd.access(5). You need to apply a
> number of ACLs before you get good access control. I currently have 10
> access directives on a simple authentication server.
>
> GREG
--
Greg Matthews
iTSS Wallingford 01491 692445