
Lunch for the answer: Referral ACL question



Hi - I'd be glad to send US $15.00 to the first person providing
a solution to the following problem.  While I'd rather buy you
lunch in person, that's probably impractical ...
hopefully $15.00 will buy a reasonable lunch where you live :-)

We're setting up a distributed OpenLDAP service, with a "local"
root server and a "remote" server for a subtree, but I'm having
trouble with the ACLs.

I present ldapsearch -C queries to the local server, and for entries held
in the remote subtree ldapsearch successfully follows the referral.
It all works fine when both local and remote ACLs have:
    access to * by * read

But if I use something more reasonable, like:
    access to *
        by users read
        by anonymous auth

then the ldapsearch fails (no error msg, just no results).

The ldapsearch command I'm using is:

ldapsearch -C -P 3 -x -LLL -S "" -b 'dc=alaska,ou=remotes,dc=dlese,dc=org' \
  -H 'ldap://localhost:3890' -D 'cn=mainAdmin,ou=people,dc=dlese,dc=org' \
  -w xxx -s sub '(cn=alaskaAdmin)' '*' '+'

When I present this same search command directly to the remote server
it succeeds and returns the matching entry.

Looking at the debug log on the remote server, it appears that
when I issue ldapsearch -C to the local server, when ldapsearch
follows the referral it isn't presenting any credentials
to the remote server ...

    ...
    ber_scanf fmt (m}) ber:
    >>> dnPrettyNormal: <>
    <<< dnPrettyNormal: <>, <>
    do_bind: version=3 dn="" method=128
    send_ldap_result: conn=0 op=0 p=3
    send_ldap_response: msgid=4 tag=97 err=0
    ber_flush: 14 bytes to sd 7
    do_bind: v3 anonymous bind
    ...

(I'm not sure exactly what this debug log means, but that's what
it looks like to me).

How can I get this working with a reasonable ACL?

Many thanks,


Steve



========================================
Steve Sullivan    sullivan@mathcom.com

   Mathcom Solutions Inc.: Custom Software Development.
    * Mathematical optimization, simulation, and modeling.
    * Data mining, information retrieval.
    * Java, XML, C++, Mathematica, Matlab, XSLT, XQuery, SOAP, RMI, ...

http://www.mathcom.com    303-494-7115
========================================
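
Added example, not part of the original message: a short Python decoder for the slapd debug lines quoted above, which then evaluates the two ACLs from the post against the identity the remote server recorded. The log excerpt is embedded as a constructed sample, the function names are hypothetical, and the ACL model is an assumption that covers only the `*`, `users` and `anonymous` subjects of a single `access to *` rule.

```python
import re

# BER tags from RFC 4511, named as in OpenLDAP's ldap.h
LDAP_AUTH_SIMPLE = 0x80  # logged by slapd as method=128
LDAP_RES_BIND = 0x61     # logged by slapd as tag=97 (BindResponse)
# slapd access levels, lowest to highest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed sample: the remote server's debug lines quoted in the post
REMOTE_LOG = """\
do_bind: version=3 dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=4 tag=97 err=0
do_bind: v3 anonymous bind
"""

# The two ACLs from the post as ordered (who, level) pairs
ACL_OPEN = [("*", "read")]
ACL_STRICT = [("users", "read"), ("anonymous", "auth")]

BIND_RE = re.compile(r'do_bind: version=(\d+) dn="([^"]*)" method=(\d+)')
RESP_RE = re.compile(r"send_ldap_response: msgid=\d+ tag=(\d+) err=(\d+)")

def parse_bind(log):
    """Return the bind identity and result seen in a slapd debug excerpt."""
    info = {}
    for line in log.splitlines():
        if m := BIND_RE.search(line):
            info["dn"] = m.group(2)
            info["simple"] = int(m.group(3)) == LDAP_AUTH_SIMPLE
        elif (m := RESP_RE.search(line)) and int(m.group(1)) == LDAP_RES_BIND:
            info["bind_ok"] = int(m.group(2)) == 0  # err=0 is LDAP_SUCCESS
    # An accepted bind with an empty DN leaves the connection anonymous
    info["anonymous"] = info.get("dn") == "" and info.get("bind_ok", False)
    return info

def granted(acl, anonymous):
    """First matching 'by' clause wins; no match falls to the implicit 'by * none'."""
    identity = "anonymous" if anonymous else "users"
    for who, level in acl:
        if who in ("*", identity):
            return level
    return "none"

def returns_entries(acl, anonymous):
    """Entries come back from a search only at read level or above."""
    return LEVELS.index(granted(acl, anonymous)) >= LEVELS.index("read")
```

For the quoted log, `parse_bind` reports an anonymous simple bind; under the stricter ACL that identity is granted only `auth`, which is below the level needed for a search to return entries.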