
Re: 2.0.6 and acl
At 05:45 PM 10/19/00 +0200, Trapp, Michael wrote:
>hi,
>
>i still have some problems with acl's and openldap-2.0.6.
>
>ldapsearch -D 'cn=admin,ou=corp,o=test' -w ...
>produces the following debug messages:
>8<---logfile---
>=> access_allowed: auth access to "cn=admin,ou=corp,o=test" "userPassword"
>requested
>=> dn: [1] OU=CORP,O=TEST
>=> acl_get: [1] matched
>=> acl_get: [1] check attr userPassword
><= acl_get: [1] acl cn=admin,ou=corp,o=test attr: userPassword
>=> acl_mask: access to entry "cn=admin,ou=corp,o=test", attr "userPassword"
>requested
>=> acl_mask: to all values by "", (=n) 
><= check a_dn_pat: cn=admin,ou=corp,o=test
><= check a_dn_pat: self
><= acl_mask: no more <who> clauses, returning =n (stop)
>=> access_allowed: auth access denied by =n
>8<---logfile---
>
>... looks like acl_mask() checks the right section and the corresponding
>entries inside the section
>8< -----slapd.conf
>access to dn.child="ou=corp,o=test"
>        by dn.regex="cn=test,ou=corp,o=test" write
>        by self read
>8< -----slapd.conf
>
>but the regex doesn't match the dn!
>as far as i can see, the op->o_ndn isn't set  so it can't match at all.

The bind request is processed as "anonymous" so op->o_ndn. You
must grant "anonymous" "auth" access to "userPassword" to authorize
authentication.  See the Admin Guide which demonstrates such an
ACL.

>is there any failure in the config? (i'm still looking for the corresponding
>documentation,

Yes, you need something like:

access to attrs=userPassword
        by self write
        by anonymous auth

in your ACLs.  Note that placement counts.

>the admin-guide doesn't tell anything about target-style, subject-style or
>controls :-(

There is some additional info in the developer's FAQ... a volunteer
is needed to update the Admin Guide with additional ACL info.
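To make the two points of the reply concrete (a bind is evaluated with an empty, anonymous bound DN, so only a "by anonymous auth" clause can grant it "auth" on userPassword, and the first "access to" clause whose target matches is the only one consulted, so placement counts), here is an added illustrative model of slapd 2.0's ACL evaluation written for this page. It is not slapd's acl.c and not code from either poster. Assumptions: "dn.child" is taken to mean strict descendants of the given DN (which is how the posted log shows it matching), "dn.regex" is matched with Python's re module rather than the C regex library, and the fallback when no clause matches is "read" (slapd 2.0's defaultaccess). The three slapd.conf fragments are the one from the question, the fix from the reply placed first, and the same fix placed after the dn.child clause.

```python
"""Toy model of how OpenLDAP 2.0 slapd evaluates 'access to ... by ...' ACLs.

The first 'access to' clause whose <what> matches the entry/attribute is the
only one consulted; within it the first matching <who> clause decides; if no
<who> matches the result is 'none' ("no more <who> clauses, returning =n").
A simple bind is checked with an empty (anonymous) bound DN for 'auth' on
userPassword. Illustrative model only, not slapd's acl.c.
"""
import re

# Privilege levels in OpenLDAP 2.0 order; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def normalize(dn):
    """Crude DN normalization (lower-case, strip spaces) for comparisons."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""


def parse_acls(conf_text):
    """Parse 'access to <what>' / 'by <who> <level>' lines of a slapd.conf
    fragment into [(what, [(who, level), ...]), ...]; other lines are ignored."""
    acls = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acls:
            who, level = line[3:].rsplit(None, 1)
            acls[-1][1].append((who, level))
    return acls


def what_matches(what, entry_dn, attr):
    """<what> styles modelled: '*', attrs=<list>, dn.exact=<dn>, dn.child=<dn>
    (assumed here to mean strict descendants of <dn>, as in the posted log)."""
    kind, _, value = what.partition("=")
    value = normalize(value.strip('"'))
    if kind == "*":
        return True
    if kind == "attrs":
        return attr.lower() in value.split(",")
    if kind == "dn.exact":
        return entry_dn == value
    if kind == "dn.child":
        return entry_dn != value and entry_dn.endswith("," + value)
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, entry_dn, bound_dn):
    """<who> styles modelled: '*', anonymous, users, self, dn.regex=<re>."""
    kind, _, value = who.partition("=")
    value = value.strip('"')
    if kind == "*":
        return True
    if kind == "anonymous":
        return bound_dn == ""
    if kind == "users":
        return bound_dn != ""
    if kind == "self":
        return bound_dn != "" and bound_dn == entry_dn
    if kind == "dn.regex":
        # Python re stands in for the C regex library; an empty (anonymous)
        # bound DN can never match a non-empty DN pattern either way.
        return re.search(value, bound_dn, re.IGNORECASE) is not None
    raise ValueError("unsupported <who>: " + who)


def granted_level(acls, entry_dn, attr, bound_dn):
    """Privilege level the first matching <what>/<who> pair settles on."""
    entry_dn, bound_dn = normalize(entry_dn), normalize(bound_dn)
    for what, by_clauses in acls:
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, entry_dn, bound_dn):
                return level        # first matching <who> wins (stop)
        return "none"               # no <who> matched: =n, and stop here
    return "read"                   # assumed: slapd 2.0 defaultaccess read


def access_allowed(acls, entry_dn, attr, bound_dn, needed):
    got = granted_level(acls, entry_dn, attr, bound_dn)
    return LEVELS.index(got) >= LEVELS.index(needed)


def bind_allowed(acls, dn):
    """A simple bind is checked as anonymous for 'auth' on userPassword."""
    return access_allowed(acls, dn, "userPassword", "", "auth")


# The ACL from the question: neither <who> can match an anonymous bind.
ORIGINAL_CONF = """
access to dn.child="ou=corp,o=test"
        by dn.regex="cn=test,ou=corp,o=test" write
        by self read
"""

# The fix from the reply, placed before the broader clause.
FIXED_CONF = """
access to attrs=userPassword
        by self write
        by anonymous auth
""" + ORIGINAL_CONF

# Same clause placed after the dn.child clause: never reached for that subtree.
MISPLACED_CONF = ORIGINAL_CONF + """
access to attrs=userPassword
        by self write
        by anonymous auth
"""

ADMIN = "cn=admin,ou=corp,o=test"

if __name__ == "__main__":
    for name, conf in [("original", ORIGINAL_CONF), ("fixed", FIXED_CONF),
                       ("misplaced", MISPLACED_CONF)]:
        print(name, "bind as admin allowed:", bind_allowed(parse_acls(conf), ADMIN))
```

Running it prints False for the original ACL (the =n seen in the posted log), True with the userPassword clause placed first, and False again when that same clause is placed after the dn.child clause, which is the "placement counts" caveat from the reply. Once bound, "by self write" lets cn=admin change its own userPassword while the dn.child clause still governs every other attribute.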