
Re: slapd.conf - acl question

--On Monday, September 15, 2003 6:35 PM -0400 "Aaron J. Angel" <uberfreak@darkphuture.org> wrote:

Also, * does not include anonymous, does it?

Star (*) is everything, anonymous or not.


On Mon, 15 Sep 2003 21:42:24 +0200, Peter Marschall <peter@adpm.de> wrote:


see http://www.openldap.org/doc/admin21/slapdconfig.html#Access%20Control
especially section 5.3.4 Access Control Evaluation that states

Within this priority, access directives are examined in the order in which
they appear in the config file. Slapd stops with the first <what>
that matches the entry and/or attribute. The corresponding access
is the one slapd will use to evaluate access.


Finally, slapd compares the access granted in the selected <access>
clause to the access requested by the client. If it allows greater or
equal access, access is granted. Otherwise, access is denied.

These two paragraphs should answer your questions.


On Monday 15 September 2003 16:29, Douglas B. Jones wrote:

We are on 2.1.22 and I appear to have an acl problem. I have one access
line (for test purposes) in my slapd.conf file with one db (bdb):

access to attr=sn
	by * read

When I do:

ldapsearch -LLL '(uid=douglas)' sn

I get no results. Here is the log file (I have loglevel set to 128):

Sep 15 09:45:25 c01 slapd[17314]: bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
Sep 15 09:45:25 c01 slapd[17314]: bdb_db_init: Initializing BDB database
Sep 15 09:45:25 c01 slapd[17418]: slapd starting
Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: search access to as,ou=employee,dc=gpc,dc=edu" "uid" requested
Sep 15 09:45:26 c01 slapd[17418]: => acl_get: [1] check attr uid
Sep 15 09:45:26 c01 slapd[17418]: <= acl_get: done.
Sep 15 09:45:26 c01 slapd[17418]: => access_allowed: no more rules

Any ideas why I get no results? If I stick 'access to * by * read',
I get a result line as I expect:

ldapsearch -LLL '(uid=douglas)' sn
dn: uid=douglas,ou=employee,dc=gpc,dc=edu
sn: Jones

This leads me to believe I have to open all then restrict. I would
rather have it closed and then open up as needed.

I just did another test. In slapd.conf I have:

access to *
	by * read

access to *
	by * none

I would think this would turn everything on then everything off, yet
when I do a ldapsearch, I can see ALL attributes of who I look at.
If I try it with no access line, then the default takes over that gives
read access to anonymous.

My main question is the one at the beginning, why if I have one access
line of:

access to attr=sn by * read

appear not to work?


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
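To make the two evaluation rules quoted from the admin guide concrete, here is a small Python model of how slapd picks an ACL and compares levels. It is an added example written for this thread, not OpenLDAP code and not something posted by anyone above. It supports only a subset of the real syntax (`<what>` as `*` or `attr=...`; `<who>` as `*`, `anonymous`, `users` or `self`), ignores slapd's `entry` pseudo-attribute, and models the no-directives default as read for everyone, as the original poster observed. The sample entry DN and the configuration strings are constructed copies of what appears in the question, plus one least-privilege variant (`LEAST_PRIVILEGE`) that is an assumption of this example, not advice from the thread.

```python
"""Toy model of slapd ACL evaluation (constructed for this thread; not OpenLDAP code).
Rule 1: the first 'access to <what>' whose <what> covers the attribute is selected; if none
does, access is denied (the "no more rules" line in the poster's log).
Rule 2: inside it, the first matching 'by <who>' clause gives the granted level (an implicit
'by * none' closes each directive); the operation succeeds only if granted >= required.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # weakest to strongest
ENTRY_DN = "uid=douglas,ou=employee,dc=gpc,dc=edu"                 # constructed sample entry


@dataclass
class Rule:
    attrs: Optional[Set[str]]                                  # None: the <what> was '*'
    by: List[Tuple[str, str]] = field(default_factory=list)    # (who, level) in file order


def parse_acls(conf: str) -> List[Rule]:
    """Parse 'access to <what> by <who> <level> ...' directives; indented lines continue the previous one."""
    directives: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    rules = []
    for d in directives:
        tok = d.split()
        if tok[:2] != ["access", "to"]:
            raise ValueError(f"not an access directive: {d!r}")
        what = tok[2]
        if what == "*":
            rule = Rule(None)
        elif what.startswith(("attr=", "attrs=")):
            rule = Rule({a.lower() for a in what.split("=", 1)[1].split(",")})
        else:
            raise ValueError(f"unsupported <what>: {what!r}")
        rest = tok[3:]
        while rest:
            if rest[0] != "by" or len(rest) < 3 or rest[2] not in LEVELS:
                raise ValueError(f"malformed <who> clause in: {d!r}")
            rule.by.append((rest[1], rest[2]))
            rest = rest[3:]
        rules.append(rule)
    return rules


def _who_matches(who: str, requester: Optional[str], entry_dn: str) -> bool:
    """requester is the bind DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    raise ValueError(f"unsupported <who>: {who!r}")


def access_allowed(rules: List[Rule], entry_dn: str, attr: str, requester: Optional[str], needed: str) -> bool:
    """True if requester gets at least `needed` access to `attr` on `entry_dn`."""
    if not rules:   # no access directives at all: slapd's default grants read, as the poster saw
        return LEVELS.index("read") >= LEVELS.index(needed)
    for rule in rules:                              # rule 1: first matching <what> wins
        if rule.attrs is None or attr.lower() in rule.attrs:
            granted = "none"                        # implicit trailing 'by * none'
            for who, level in rule.by:              # rule 2: first matching <who> wins
                if _who_matches(who, requester, entry_dn):
                    granted = level
                    break
            return LEVELS.index(granted) >= LEVELS.index(needed)
    return False                                    # "no more rules": nothing matched


def simulate_search(rules, entry_dn, requester, filter_attr, wanted):
    """Model 'ldapsearch (filter_attr=...) wanted': the filter needs search access on filter_attr,
    each returned attribute needs read. Returns the attributes the client sees, or None when the
    entry is not returned at all."""
    if not access_allowed(rules, entry_dn, filter_attr, requester, "search"):
        return None
    return [a for a in wanted if access_allowed(rules, entry_dn, a, requester, "read")]


# The configurations tried in the question (constructed copies) and an assumed least-privilege variant
ONLY_SN = "access to attr=sn\n\tby * read\n"
OPEN_THEN_CLOSE = "access to *\n\tby * read\n\naccess to *\n\tby * none\n"
LEAST_PRIVILEGE = ("access to attr=uid\n\tby * search\n"      # filters on uid work; uid itself stays hidden
                   "access to attr=sn\n\tby * read\n"
                   "access to *\n\tby self write\n\tby * none\n")


def demo():
    """Replay 'ldapsearch -LLL (uid=douglas) sn mail' as an anonymous client under each config."""
    return {name: simulate_search(parse_acls(conf), ENTRY_DN, None, "uid", ["sn", "mail"])
            for name, conf in [("only_sn", ONLY_SN), ("open_then_close", OPEN_THEN_CLOSE),
                               ("no_acls", ""), ("least_privilege", LEAST_PRIVILEGE)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {'entry not returned' if result is None else result}")
```

Running `demo()` reproduces the thread: with only `access to attr=sn by * read`, the filter on `uid` needs search access, no `<what>` covers `uid`, so the entry is never returned; with `access to * by * read` followed by `access to * by * none`, the second directive is dead because the first `<what>` already matched, so everything stays readable; with no directives the default read applies. The least-privilege variant shows the closed-by-default layout the poster was after: grant `search` on the attributes clients filter on, `read` only on what they may see, and finish with a catch-all `access to *` whose last clause is an explicit `by * none`.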