
Re: Problems with ACL



At 07:47 PM 6/13/00 +0200, Marian Steinbach wrote:
>Hello!
>
>Sorry, I don't understand the access control result.
>
>I want to: Make cn and mail world search- and readable, as I
>hoped to define in line 26 (access to attr=cn,mail by self write
>by * read). Everything else at least partly restricted.

You must grant read permission to the "entry" for the entry
to be returned.

That is:

access to attrs=cn,mail,entry
	by self write
	by * read


>I get the messages below. This means, I don't get any result
>when binding anonymously and searching for cn=*marian*
>
>Can anybody explain to me what happens and what I am doing
>wrong?
>
>Thanks a lot!
>
>Marian
>
>
>
>line 14 (defaultaccess none)
>line 18 (access to attr=matrikelnr by self read by * none)
>ACL: access to
> attrs=matrikelnr
>        by dn=self
>        by dn=.*
>
>line 22 (access to attr=userpassword by self write by * none)
>ACL: access to
> attrs=userpassword
>        by dn=self
>        by dn=.*
>
>line 26 (access to attr=cn,mail by self write by * read)
>ACL: access to
> attrs=cn,mail
>        by dn=self
>        by dn=.*
>
>line 31 (access to * by self write by dn=".+" read by * none)
>ACL: access to dn=.*
>        by dn=self
>        by dn=.+
>        by dn=.*
>
>line 37 (database       ldbm)
>line 39 (suffix         "ou=Design, o=Fachhochschule Koeln,
>c=DE")
>line 41 (directory      /usr/local/ldap)
>line 43 (index          cn,sn,givenname,uid)
>line 45 (rootdn         "cn=root, ou=Design, o=Fachhochschule
>Koeln, c=DE")
>line 47 (rootpw         *****)
>line 49 (updatedn       "cn=root, ou=Design, o=Fachhochschule
>Koeln, c=DE")
>slapd starting
>conn=0 fd=7 connection from localhost (127.0.0.1) accepted.
>conn=0 op=0 BIND dn="" method=128
>conn=0 op=0 RESULT err=0 tag=97 nentries=0
>conn=0 op=1 SRCH base="OU=DESIGN,O=FACHHOCHSCHULE KOELN,C=DE"
>scope=2 filter="(cn=*MARIAN*)"
>
>=> access_allowed: entry (uid=marian, ou=Design,
>o=Fachhochschule Koeln, c=DE) attr (cn)
>
>=> acl_get: entry (uid=marian, ou=Design, o=Fachhochschule
>Koeln, c=DE) attr (cn)
><= acl_get: [3] global acl uid=marian, ou=Design,
>o=Fachhochschule Koeln, c=DE attr: cn
>
>=> acl_access_allowed: search access to entry "uid=marian,
>ou=Design, o=Fachhochschule Koeln, c=DE"
>
>=> acl_access_allowed: search access to value "any" by ""
><= acl_access_allowed: matched by clause #2 access granted
>
>=> access_allowed: exit (uid=marian, ou=Design, o=Fachhochschule
>Koeln, c=DE) attr (cn)
>
>=> access_allowed: entry (uid=marian, ou=Design,
>o=Fachhochschule Koeln, c=DE) attr (entry)
>
>=> acl_get: entry (uid=marian, ou=Design, o=Fachhochschule
>Koeln, c=DE) attr (entry)
><= acl_get: [4] global acl uid=marian, ou=Design,
>o=Fachhochschule Koeln, c=DE attr: entry
>
>=> acl_access_allowed: read access to entry "uid=marian,
>ou=Design, o=Fachhochschule Koeln, c=DE"
>
>=> acl_access_allowed: read access to value "any" by ""
><= acl_access_allowed: matched by clause #3 access denied
>
>=> access_allowed: exit (uid=marian, ou=Design, o=Fachhochschule
>Koeln, c=DE) attr (entry)
>acl: access to entry not allowed
>
>
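
The evaluation traced in the debug output above, as an added Python sketch (not part of the original thread and not slapd's code): the first ACL whose attribute list matches is selected, its `by` clauses are tried in order, and a search result needs read access to the "entry" pseudo-attribute as well as search access to the filter attribute. The function names, the `users` label standing in for `dn=".+"`, the five-level access ordering and exact-string DN comparison are assumptions of this model.

```python
# Simplified model of first-match ACL evaluation; illustrative only.
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}
ENTRY_DN = "uid=marian, ou=Design, o=Fachhochschule Koeln, c=DE"

# ACLs in slapd.conf order: (attribute list, or None for "access to *"; by-clauses).
ORIGINAL = [
    (["matrikelnr"], [("self", "read"), ("*", "none")]),
    (["userpassword"], [("self", "write"), ("*", "none")]),
    (["cn", "mail"], [("self", "write"), ("*", "read")]),
    (None, [("self", "write"), ("users", "read"), ("*", "none")]),
]
# The corrected third ACL from the reply: "entry" added to the attribute list.
FIXED = ORIGINAL[:2] + [(["cn", "mail", "entry"], ORIGINAL[2][1])] + ORIGINAL[3:]

def who_matches(who, bind_dn, entry_dn):
    if who == "self":
        return bind_dn != "" and bind_dn == entry_dn
    if who == "users":  # stands for dn=".+": any non-empty bind DN
        return bind_dn != ""
    return True  # "*" matches everyone, including the anonymous bind (dn="")

def access_allowed(acls, bind_dn, entry_dn, attr, wanted):
    """Return (granted, acl_number, clause_number), numbered as in the log."""
    for acl_no, (attrs, clauses) in enumerate(acls, start=1):
        if attrs is not None and attr not in attrs:
            continue  # this ACL does not cover the attribute; try the next one
        for clause_no, (who, level) in enumerate(clauses, start=1):
            if who_matches(who, bind_dn, entry_dn):
                return LEVELS[level] >= LEVELS[wanted], acl_no, clause_no
        return False, acl_no, 0  # ACL selected, but no clause matched
    return False, 0, 0  # no ACL matched: "defaultaccess none"

def search_returns_entry(acls, bind_dn, entry_dn, filter_attr):
    """The filter attribute needs search access; the entry needs read on "entry"."""
    ok_filter, _, _ = access_allowed(acls, bind_dn, entry_dn, filter_attr, "search")
    ok_entry, _, _ = access_allowed(acls, bind_dn, entry_dn, "entry", "read")
    return ok_filter and ok_entry

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "cn:", access_allowed(acls, "", ENTRY_DN, "cn", "search"),
              "entry:", access_allowed(acls, "", ENTRY_DN, "entry", "read"),
              "returned:", search_returns_entry(acls, "", ENTRY_DN, "cn"))
```

With the original ACLs the model reproduces the log: `cn` is granted by ACL 3 clause 2, while `entry` falls through to ACL 4 and is denied by clause 3.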