
Re: ldapsearch not returning namingContexts



On Jun 27, 2010, at 22.47, masarati@aero.polimi.it wrote:

>> i just happened to notice that the following search(es) don't return the
>> expected results:
>> 
>>> ldapsearch -xs base -b '' +
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope baseObject
>> # filter: (objectclass=*)
>> # requesting: +
>> #
>> 
>> # search result
>> search: 2
>> result: 0 Success
>> 
>> # numResponses: 1
>> 
>> i'm using 2.4.21, courtesy of ubuntu.
> 
> [...]
> 
>> conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
>> conn=1000 op=1 SRCH attr=+
>> => test_filter
>>    PRESENT
>> => access_allowed: search access to "" "objectClass" requested
>> => acl_get: [1] attr objectClass
>> => acl_mask: access to entry "", attr "objectClass" requested
>> => acl_mask: to all values by "", (=0)
>> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> <= check a_dn_pat: *
>> <= acl_mask: [2] applying +0 (break)
>> <= acl_mask: [2] mask: =0
>> <= acl_get: done.
>> => slap_access_allowed: no more rules
>> => access_allowed: no more rules
>> <= test_filter 50
> 
> This 50 means insufficient access, as pointed out by the above logs.  Your
> ACLs prevent searching the rootDSE entry.

I see, thank you.  Where can I read more about possible values used here and what they mean?

Below are my current ACLs.  olcAccess: to dn.base="" by * read is what I'd expected would allow such searches, but it occurs to me now that defining that in the context of a specific database/suffix is perhaps not right?

#>ldapsearch -ZZLLLWD 'cn=admin,cn=config' -b 'cn=config' '(|(objectclass=olcglobal)(objectclass=olcdatabaseconfig))' olcdatabase olcaccess olcsuffix
Enter LDAP Password: 
dn: cn=config

dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}monitor,cn=config
olcDatabase: {1}monitor

dn: olcDatabase={2}bdb,cn=config
olcDatabase: {2}bdb
olcSuffix: dc=dipswitch,dc=net
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to attrs=userPassword
		by self =xw
		by anonymous auth
		by * none
olcAccess: {2}to filter=(&(objectclass=iphost)(cn=flip.dipswitch.net)) attrs=authorizedservice val.exact=sshd
		by group.exact="cn=ssh,ou=all_servers,ou=servers,ou=groups,dc=dipswitch,dc=net" compare
		by group.exact="cn=ssh,ou=flip,ou=servers,ou=groups,dc=dipswitch,dc=net" compare
		by * =dxrs
olcAccess: {3}to filter=(&(objectclass=iphost)(cn=flip.dipswitch.net)) attrs=authorizedservice val.exact=login
		by group.exact="cn=console,ou=all_servers,ou=servers,ou=groups,dc=dipswitch,dc=net" compare
		by group.exact="cn=console,ou=flip,ou=servers,ou=groups,dc=dipswitch,dc=net" compare
		by * =dxrs
olcAccess: {4}to *
		by self write
		by group.exact="cn=directory_administrators,ou=general,ou=groups,dc=dipswitch,dc=net" manage
		by users read
		by * none
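The point behind the question above (whether a rootDSE rule belongs in a suffix database at all), as an added example that is not part of the thread: a reduced Python model of slapd ACL selection, built from the olcAccess values quoted in this message, that reproduces the denial in the trace and shows the same rule granting access once it sits in the frontend. The "MOVED" configuration is a hypothetical variant, not something posted in the thread.

```python
# Added example, not from the thread: a reduced model of how slapd selects the
# olcAccess list for an entry. A suffix database's rules apply only to entries
# under its suffix, followed by the frontend (global) rules; the rootDSE (DN "")
# is under no suffix, so only the frontend rules ever reach it. Identity and
# target matching are cut down to what this configuration needs.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
def under_suffix(dn, suffix):
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)

def who_matches(who, identity):          # identity "" means an anonymous bind
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (identity == "") == (who == "anonymous")
    return who.lower() == identity.lower()   # by dn.exact=<DN>

def access_allowed(dbs, dn, identity, requested):
    # dbs: {name: (suffix or None, [(target_dn or None for "to *", [(who, access)...])])}
    rules = list(dbs["frontend"][1])
    for suffix, db_rules in dbs.values():
        if suffix and under_suffix(dn, suffix):
            rules = list(db_rules) + rules    # database rules first, then global
            break
    for target, by in rules:
        if target is not None and target.lower() != dn.lower():
            continue                           # dn.base="<target>" does not match
        for who, access in by:
            if who_matches(who, identity):
                if access == "break":
                    break                      # "by * break": try the next rule
                return LEVELS.index(access) >= LEVELS.index(requested)
    return False   # ran out of rules: the "no more rules" / result 50 case in the trace

# Constructed from the olcAccess values quoted above. The userPassword and
# authorizedService rules are attribute-specific and omitted; "self"/"group"
# clauses of the {4} rule are omitted because no test identity matches them.
FRONTEND = [(None, [(PEERCRED, "manage"), ("*", "break")])]
BDB = [("", [("*", "read")]),
       (None, [("users", "read"), ("*", "none")])]
AS_POSTED = {"frontend": (None, FRONTEND), "{2}bdb": ("dc=dipswitch,dc=net", BDB)}
# Hypothetical variant: the same rootDSE rule placed in the frontend instead.
MOVED = {"frontend": (None, FRONTEND + [("", [("*", "read")])]),
         "{2}bdb": ("dc=dipswitch,dc=net", BDB[1:])}

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("rule moved to frontend", MOVED)):
        print(label, "anonymous search on rootDSE:", access_allowed(cfg, "", "", "search"))
```

With the configuration as posted, the anonymous rootDSE search falls through the frontend's "by * break" and is denied, exactly as the trace shows; the {0} rule in the bdb database is never consulted because "" is not under dc=dipswitch,dc=net.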