
Re: ldapsearch -D?



At 08:12 AM 8/2/99 PDT, Samir Desai wrote:
>Can anyone tell me what is wrong?  When I try to search using ldap tools, I 
>get a message stating "ldap_bind: Insufficient access".
>
>This is my search query:
>ldapsearch -b "ou=OrgUnit,o=OrgName,c=US" -D 
>"cn=FullName,ou=OrgUnit,o=OrgName,c=US" -w "pwd" objectclass=*
>
>Is my slapd.conf file not configured properly?
>
>####################################################################
>
>include  FullPath\\slapd.at.conf
>include  FullPath\\slapd.oc.conf
>schemacheck off
>referral ldap://ldap.itd.umich.edu
>
>database ldbm
>suffix  "ou=OrgUnit,o=Orgname,c=US"
>directory FullPath\\db
>rootdn  "cn=root,ou=OrgUnit,o=Orgname,c=US"
>rootpw  rootpwd
>
>index  cn,ou  eq,sub,approx
>index  sn,uid  eq,sub,approx
>index  objectclass pres,eq
>
>defaultaccess read
>
>access to attr=userpassword
>	by self write
>	by dn="cn=root,ou=OrgUnit,o=Orgname,c=US" write
>	by dn="cn=FullName,ou=OrgUnit,o=Orgname,c=US" write
>	by * compare
>
>access to *
>	by dn="cn=root,ou=OrgUnit,o=Orgname,c=US" write
>	by dn="cn=FullName,ou=OrgUnit,o=Orgname,c=US" write
>	by * none
>
>####################################################################
>
>"defaultaccess" is set to read, then how come it doesn't work?  Any form of
>help would be greatly appreciated.  Thanks.

First, I don't see any use of defaultaccess, both rules have "by *"
and the last rule is "to *"...  there is no implicit defaulting if
you are explicit.

Second, I suspect you are using 2.0-alpha as 1.2 doesn't require
specific access to bind to an entry.  If so, you must grant "anonymous"
"auth" access to any entry (and attribute) needed for authentication.

access to attr=userpassword
	by self write
	by dn="cn=root,ou=OrgUnit,o=Orgname,c=US" write
	by dn="cn=FullName,ou=OrgUnit,o=Orgname,c=US" write
	by * compare
# "by * compare" includes "by anonymous auth"

access to *
	by dn="cn=root,ou=OrgUnit,o=Orgname,c=US" write
	by dn="cn=FullName,ou=OrgUnit,o=Orgname,c=US" write
	by anonymous auth
	by * none

Kurt
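To make the two points above concrete, here is an added toy evaluator (not part of the thread, and not slapd's own code) that applies the simplified rule "first matching 'access to' clause, then first matching 'by' clause, higher levels imply lower ones" to the poster's ACLs and to the version with "by anonymous auth". The bind check (anonymous needs "auth" on the entry and on userPassword) is an assumption about the 2.0-alpha behaviour Kurt describes; the ACL text is re-typed from the thread as sample input.

```python
# Toy model of slapd.conf "access to ... by ..." evaluation (an assumption about OpenLDAP
# 2.0 semantics, not slapd's code): first matching "access to" clause is chosen, then the
# first matching "by" clause in it decides; a granted level implies every lower level.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

# Constructed sample input: the poster's ACLs, then Kurt's fix (adds 'by anonymous auth').
ORIGINAL_ACL = """\
access to attr=userpassword
    by self write
    by dn="cn=root,ou=OrgUnit,o=Orgname,c=US" write
    by dn="cn=FullName,ou=OrgUnit,o=Orgname,c=US" write
    by * compare
access to *
    by dn="cn=root,ou=OrgUnit,o=Orgname,c=US" write
    by dn="cn=FullName,ou=OrgUnit,o=Orgname,c=US" write
    by * none
"""
FIXED_ACL = ORIGINAL_ACL.replace("    by * none", "    by anonymous auth\n    by * none")

def parse_acls(text):
    """Return [(what, [(who, level)])] from 'access to' / 'by' lines; '#' comments ignored."""
    acls = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("access to "):
            acls.append((line[10:].strip().lower(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            acls[-1][1].append((who.replace('"', "").lower(), LEVELS[level]))
    return acls

def who_matches(who, requester, target):
    """Match a 'by' subject; requester == "" means an anonymous (unbound) session."""
    return (who == "*" or (who == "anonymous" and requester == "")
            or (who == "self" and requester != "" and requester == target)
            or (who.startswith("dn=") and requester == who[3:]))

def granted(acls, requester, target, attr, level):
    """True if requester gets at least `level` on `attr` of `target` ('entry' = the entry itself)."""
    requester, target = requester.lower(), target.lower()
    for what, bys in acls:
        if what in ("*", "attr=" + attr.lower()):
            for who, lvl in bys:
                if who_matches(who, requester, target):
                    return lvl >= LEVELS[level]
            return False  # 'to' clause matched but no 'by' clause did: deny
    return False  # no clause matched; defaultaccess is not modelled here

def can_bind(acls, bind_dn):
    # A simple bind: anonymous must get 'auth' on the entry and on its userPassword.
    return granted(acls, "", bind_dn, "entry", "auth") and granted(acls, "", bind_dn, "userpassword", "auth")
```

With the original ACLs the bind is refused because "access to *" ends in "by * none" for the still-anonymous session, even though "by * compare" already covers userPassword; with "by anonymous auth" added, the bind succeeds and the bound DN then gets "write" from the same clause.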