
Re: Group access in LDAP



> I'm sorry...
> 
> This is the debuglevel 128 output on a search:
> 
> => acl_access_allowed: search access to entry "cn=Sadi Chenini, o=elex,
> c=be"
> 
> => acl_access_allowed: search access to value "KBO" by "CN=KOEN
> BOSMANS,O=ELEX,C=BE"
> <= ldbm_back_group: "CN=KOEN BOSMANS,O=ELEX,C=BE" not in
> "CN=ADMIN,O=ELEX,C=BE": member
> <= acl_access_allowed: matched by clause #2 access denied
> ...
You can see that slapd searches for "CN=KOEN BOSMANS,O=ELEX,C=BE" 
in the member list of the group, without spaces after commas, because...

>     ldapsearch -b "o=elex,c=be" -D "cn=Koen Bosmans, o=elex, c=be" -W
> "uid=kbo"
"CN=KOEN BOSMANS,O=ELEX,C=BE" is the normalized version of your bind 
DN, but...

> dn: cn=admin, o=elex, c=be
> objectclass: top
> objectclass: groupOfNames
> cn: admin
> description: Administrators of the LDAP database
> member: cn=Peter Tillemans, o=elex, c=be
> member: cn=Koen Bosmans, o=elex, c=BE
>
in your data, member contains "cn=Koen Bosmans, o=elex, c=BE" (with " " 
after ","), so "cn=Koen Bosmans, o=elex, c=BE" != "CN=KOEN 
BOSMANS,O=ELEX,C=BE" (the match is case insensitive).

Because every match is done with the normalized DN value, every attribute 
containing a DN must be normalized.

Bye.
--------------------------------------------------------
Marco Ferrante (ferrante@unige.it)
CSITA (Centro Servizi Informatici e Telematici d'Ateneo)
Università degli Studi di Genova - Italy
Viale Brigata Salerno - 16147 Genova
tel (+39) 0103532621 (interno tel. 2621)
--------------------------------------------------------
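An added illustration of the mismatch described above, not code from the thread or from OpenLDAP: a small Python normalizer that mimics the simple normalization visible in the debug output (upper-case, no whitespace around RDN separators), a membership check that, like the slapd in the log, normalizes only the bind DN before comparing, and a scan that lists the member values the data needs fixed. The LDIF is the group entry quoted in the mail; the normalization rules are an assumption (no escaped commas or multi-valued RDNs are handled).

```python
# Constructed sample: the groupOfNames entry quoted in the thread.
SAMPLE_GROUP_LDIF = """\
dn: cn=admin, o=elex, c=be
objectclass: top
objectclass: groupOfNames
cn: admin
description: Administrators of the LDAP database
member: cn=Peter Tillemans, o=elex, c=be
member: cn=Koen Bosmans, o=elex, c=BE
"""


def normalize_dn(dn: str) -> str:
    """Upper-case the DN and drop whitespace around ',' and '='.
    Assumption: the simple normalization seen in the debug log, not the
    full RFC 4514 rules (escaped separators are not handled)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip()}={value.strip()}")
    return ",".join(parts).upper()


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one plain LDIF entry into {attribute: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def slapd_is_member(entry: dict, bind_dn: str) -> bool:
    """Membership test as in the log: the bind DN is normalized, the stored
    member values are compared as-is (case-insensitively)."""
    target = normalize_dn(bind_dn)
    return any(member.upper() == target for member in entry.get("member", []))


def unnormalized_members(entry: dict) -> list:
    """Member values that differ from their normalized form, i.e. the
    values that must be rewritten in the data for the ACL to match."""
    return [m for m in entry.get("member", []) if m != normalize_dn(m)]


def normalize_members(entry: dict) -> dict:
    """Return a copy of the entry with every member value normalized."""
    fixed = dict(entry)
    fixed["member"] = [normalize_dn(m) for m in entry.get("member", [])]
    return fixed
```

With the entry as stored, `slapd_is_member` returns False for the bind DN from the mail and `unnormalized_members` lists both member values; after `normalize_members` the same check succeeds.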