
Re: Problems with ACLs..



At 05:50 PM 9/16/00 +0100, Mayers, Philip J wrote:
>I've got an ACL like this:
>
># Sasl stuff
>sasl-realm NET.IC.AC.UK

Note that you may not need to specify this option, and
specifying it may affect the authorization DN.
Whether or not you set this, check the logs for the
DN form being generated for your configuration and
then implement ACLs accordingly.


># Access control
>defaultaccess read

Note, unlike 1.2, defaultaccess only affects systems which
have zero access controls.  All ACLs end with an implicit
"by * none" and the list ends with an implicit
"access * by * none".  That is, if you have ACLs, all access
is denied until you explicitly enable it.

>access to dn="^uid=([^,]+),ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk"
>  by self write
>  by dn="uid=$1 \+ realm=NET\.IC\.AC\.UK" write

remove the spaces from the DN regex...

>  by * auth

>This ACL doesn't seem to work. Without the ACL, everything works as
>expected, including SASL (both GSSAPI and CRAM-MD5). I get:
>
>ldapsearch -b 'dc=net,dc=ic,dc=ac,dc=uk' 'objectclass=*' -x -D
>'uid=pjm3,ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk' -W
><supply password>
>
># net,dc=ic,dc=ac,dc=uk
>dn: dc=net,dc=ic,dc=ac,dc=uk
>objectClass: top
>objectClass: domain
>dc: net
>
># Directory,dc=net,dc=ic,dc=ac,dc=uk
>dn: ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
>objectClass: top
>objectClass: organizationalUnit
>ou: Directory
>
># People,Directory,dc=net,dc=ic,dc=ac,dc=uk
>dn: ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
>objectClass: top
>objectClass: organizationalUnit
>ou: People
>
><blah>
>
>With the ACL, basic authentication works - *BUT*, I don't get the objects
>above me in the hierarchy, I just get:

Because of the implicit "access * by * none" access control.



>dn: uid=pjm3,ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
>objectClass: top
>objectClass: posixAccount
>objectClass: shadowAccount
>uid: pjm3
>cn: pjm3
>uidNumber: 26406
>gidNumber: 6572
>homeDirectory: /tmp
>loginShell: /bin/sh
>gecos: Mayers, Mr Philip
>description: Mayers, Mr Philip
>userPassword:: <blah>
>
>With SASL and the ACL (GSSAPI or CRAM-MD5, both of which work fine without
>the ACL), I get no output, and "ldap_sasl_interactive_bind_s: DSA is
>unavailable". If I supply a "-Y mech" argument, I simply get no results, but
>no errors either.

Yes, because the access controls don't allow any return of
anything.
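To make the reply's two points concrete (the implicit "by * none" and trailing "access * by * none", and why the container entries above uid=pjm3 disappear from the search), here is an added example: my own simplified Python model of slapd ACL evaluation, not OpenLDAP's code. The SASL authorization DN form "uid=pjm3+realm=NET.IC.AC.UK" is an assumption (check your logs, as the reply says), and the FIXED_ACLS catch-all clause is one possible fix, not one from the thread.

```python
import re

# Added example, not OpenLDAP code: a simplified model of slapd.conf ACL
# evaluation. Modelled rules: the first "access to" clause whose target
# matches the entry DN decides; within it the first matching "by" clause
# decides, otherwise the implicit "by * none"; if no clause matches at all,
# the implicit trailing "access * by * none" applies. Attribute selectors,
# groups and DN normalisation are not modelled.

# Constructed ACL list mirroring the thread, with the spaces removed from the
# "by dn" regex as the reply advises. A target of "*" matches every entry.
POSTED_ACLS = [
    (r"^uid=([^,]+),ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk$",
     [("self", None, "write"),
      ("dn", r"uid=$1\+realm=NET\.IC\.AC\.UK", "write"),
      ("*", None, "auth")]),
]

# Same list plus a trailing clause granting read on everything else, so the
# dc=..., ou=Directory and ou=People entries become visible again. Order
# matters: the specific clause must stay in front of the catch-all.
FIXED_ACLS = POSTED_ACLS + [("*", [("*", None, "read")])]

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def access(entry_dn, bind_dn, acls):
    """Return the access level bind_dn gets on entry_dn under acls."""
    for target, by_clauses in acls:
        regex = ".*" if target == "*" else target
        match = re.match(regex, entry_dn, re.IGNORECASE)
        if match is None:
            continue
        for who, pattern, level in by_clauses:
            if who == "*":
                return level
            if who == "self" and bind_dn.lower() == entry_dn.lower():
                return level
            if who == "dn":
                # $1 is replaced by the text captured by the target regex
                expanded = pattern.replace("$1", re.escape(match.group(1)))
                if re.match(expanded, bind_dn, re.IGNORECASE):
                    return level
        return "none"  # implicit "by * none" closing this clause
    return "none"      # implicit "access * by * none" after the last clause


def visible(entry_dn, bind_dn, acls):
    """A search returns an entry only if the binder has at least read on it."""
    return LEVELS.index(access(entry_dn, bind_dn, acls)) >= LEVELS.index("read")
```

With POSTED_ACLS the simple bind gets write on its own entry but "none" on dc=net and ou=People, which is exactly the output Philip saw; FIXED_ACLS restores read on the containers without loosening the per-user clause.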