
Re: Help for special ACL needed



Hi Ralf,

that userpassword clause completely got lost on my first reading.
Now it's added and working so far.

Now I can bind with the specific User via UID and start some searches.
ACLs look like this now:
# (1) Access to one's own password. Important, otherwise no authentication is possible!!!
access to attrs=userpassword
  by self write
  by anonymous auth

# (2) Access to the subschema for admin (creating entries in JXplorer)
access to dn.base="cn=Subschema"
  by dn="cn=admin,dc=justushere,dc=de" read

# (3) Access for a user to some of their own profile data
access to dn.regex="uid=(.+),ou=Users,dc=justushere,dc=de$"
  attrs=cn,description,telephoneNumber,facsimileTelephoneNumber,street,postOfficeBox,postalCode,postalAddress,<cut>
  by dn.exact="uid=$1,ou=Users,dc=hs-mannheim,dc=de" write
  by * none

# (4) Deny all other access
access to *
  by self write
  by * none

No matter what I'm searching for, I always get result 32: No such object.
The user object itself (at least the attributes listed in ACL 3) should now be
readable/writable for its owner.
It seems that I can only bind and can't get any information from the
directory, no matter what I'm searching for.


Florian




On Monday 04 May 2009 11:46:44 Ralf Haferkamp wrote:
> On Monday 04 May 2009 10:32:42 Florian Götz wrote:
> > Hi Dieter,
> >
> > as I was trying to implement your ACL a more fundamental problem arose.
> >
> > The structure at the moment is
> > dc=justushere,dc=de
> > -> ou= Users
> >   -> Some users in here with their data
> >
> >
> > If I do an ldapsearch with the admin DN I can get all the data from
> > everything I want. The way it should be.
> >
> > For example:
> > ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=goetzf
> > gives me all the information about my own user.
> >
> > If I try
> > ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf
> > I get "ldap_bind: Invalid credentials (49)" as answer.
> >
> >
> > The only ACL left in the system now are the following:
> >
> > #1. Publishing subschemas for JXplorer
> > access to dn.base="cn=Subschema"
> >   by dn="cn=admin,dc=justushere,dc=de" read
> >
> > #2. Your ACL, now commented out for testing
> > #access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
> > #       attrs=entry,sn,cn,userPassword,mail
> > #       by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
> > #       by * none
> >
> > #3. Deny any other access
> > access to *
> >   by none
> >
> >
> > I got no clue why I get an "invalid credentials" message when using my own
> > password. There are no ACLs restricting access. No matter if I use your
> > ACL above or not, I'm not getting access with my password.
> >
> > If I just use ACL Nr 1 and another
> > access to * by self read
> > I can't get any info either, no matter if I use
> > ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf  or
> > even ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de
> > uid=goetzf,ou=Users,dc=justushere,dc=de
> >
> > If I rewrite that to
> > access to * by * read
> > I get all information with my password.
> >
> > As I mentioned above, I got no more clues how to handle that :(
>
> In order to be able to authenticate using simple bind, you need to have
> "auth" privileges on the "userPassword" attribute. As none of your ACLs
> grants that right, your ldapsearch -x.... currently fails with "ldap_bind:
> Invalid credentials (49)".
> Please try to add the following ACL as the first in your list:
>
> access to attr=userpassword
>   by self =xw
>   by anonymous auth
>
> Additionally you should have a look at:
> http://www.openldap.org/faq/data/cache/320.html
> and
> http://www.openldap.org/faq/data/cache/189.html
> and the admin guide for more information.
>
> [..]
