
Re: Access list problem



Hi Nicolas,

Have you tried turning on debugging for "access control list
processing" on slapd?

--
Ziya

On 2004-04-27 19:32:46 +0000, Nicolas Goy wrote:
> Hello,
> 
> I tried to change the acl, but same result.
> 
> I double checked the bind dn and password in my tests program and they 
> are correct.
> 
> Regards
> 
> Goyman
> On Apr 27, 2004, at 4:00 PM, Ziya Suzen wrote:
> 
> >Hi,
> >
> >Then I guess the last ACL statement needs changing to something like:
> >
> >access to * by * read
> >
> >Which I think is the default if you leave it out anyway.
> >
> >After that you need to check your clients if they are actually binding
> >with appropriate DN and password.
> >
> >--
> >Ziya
> >
> >
> >On 2004-04-27 15:50:45 +0000, Nicolas Goy wrote:
> >>Hello,
> >>
> >>ldapsearch -h orphea -x -b "ou=goyman.com sa,dc=goyman,dc=com" -D
> >>"uid=goyman,ou=goyman.com sa,dc=goyman,dc=com" -w "*******"
> >>"(objectClass=inetOrgPerson)"
> >>
> >>Produces the good result with or without ACL. (With ACL, I can't access
> >>unauthorised resources as well)
> >>
> >>But with other clients (Address Book on macosx (v3), mozilla (v3 too I
> >>think)) I have an empty result with acl, and good result without.
> >>
> >>Any idea?
> >>
> >>Regards
> >>
> >>G.
> >>On Apr 27, 2004, at 3:20 PM, Ziya Suzen wrote:
> >>
> >>>Hi Nicolas,
> >>>
> >>>ACL looked fine to me. I wonder what your ldapsearch options are. This
> >>>does not look like an ACL problem actually. It can even be the case
> >>>that your other LDAP clients only talk v2.
> >>>
> >>>--
> >>>Ziya Suzen
> >>>
> >>>On 2004-04-27 13:11:43 +0000, Nicolas Goy wrote:
> >>>>Hello,
> >>>>
> >>>>I got only this access list in my configuration:
> >>>>
> >>>>access  to attr=userPassword
> >>>>         by self               read
> >>>>         by anonymous          auth
> >>>>         by *                  none
> >>>>
> >>>>access  to dn.regex="^.*,ou=([^,]+),dc=goyman,dc=com"
> >>>>       by dn.regex="^.*,ou=$1,dc=goyman,dc=com"        read
> >>>>       by *                                            none
> >>>>
> >>>>access to *
> >>>>       by self read
> >>>>       by users none
> >>>>       by * none
> >>>>
> >>>>It works if I use ldapsearch. But with my ldap clients (mozilla,
> >>>>address book) I don't have any result when I do a search.
> >>>>
> >>>>I wonder why.
> >>>>
> >>>>What I want is to allow, for example, user
> >>>>uid=toto,ou=ACompany,dc=goyman,dc=com to be able to read
> >>>>everything under ou=ACompany,dc=goyman,dc=com.
> >>>>
> >>>>Best Regards
> >>>>
> >>>>Goyman
> >>>>
> >>.::.:..: He who fears tomorrow will die an idiot .:..:::
> >>
> >>				goyman
> >>
> >>
> .::.:..: He who fears tomorrow will die an idiot .:..:::
> 
> 				goyman
>
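Added example, not from the thread and not OpenLDAP's own code: a small Python model of how slapd evaluates the three ACLs Nicolas posted (first matching "access to" clause, then first matching "by" clause within it, with $1 carried over from the dn.regex match). It shows what an authenticated bind like the ldapsearch -D/-w run gets, versus an anonymous search such as a client that has not been configured with a bind DN; the DNs other than the quoted goyman one are constructed for the demonstration.

```python
import re

# Constructed model of the three "access to" directives quoted in the thread.
# Simplified: no "entry"/"children" pseudo-attributes, no break/continue.
ACLS = [
    {"attr": "userPassword",
     "by": [("self", "read"), ("anonymous", "auth"), ("*", "none")]},
    {"dn_regex": r"^.*,ou=([^,]+),dc=goyman,dc=com",
     "by": [("dn.regex=^.*,ou=$1,dc=goyman,dc=com", "read"), ("*", "none")]},
    {"any": True,
     "by": [("self", "read"), ("users", "none"), ("*", "none")]},
]

def what_matches(acl, target_dn, attr):
    """Does this 'access to' clause cover the target entry/attribute?"""
    if "attr" in acl:
        return attr.lower() == acl["attr"].lower(), None
    if "dn_regex" in acl:
        m = re.match(acl["dn_regex"], target_dn, re.IGNORECASE)
        return m is not None, m
    return True, None

def who_matches(who, bind_dn, target_dn, what_match):
    """Does this 'by' clause apply to the requester? bind_dn '' = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.regex="):
        pattern = who[len("dn.regex="):]
        # $1 is the capture group from the matching 'to dn.regex' clause.
        if what_match is not None:
            pattern = pattern.replace("$1", re.escape(what_match.group(1)))
        return re.match(pattern, bind_dn, re.IGNORECASE) is not None
    raise ValueError(f"unsupported 'by' selector: {who}")

def access_for(bind_dn, target_dn, attr="cn"):
    """Access level slapd would grant: first 'to' match, first 'by' match."""
    for acl in ACLS:
        covered, m = what_matches(acl, target_dn, attr)
        if not covered:
            continue
        for who, level in acl["by"]:
            if who_matches(who, bind_dn, target_dn, m):
                return level
        return "none"  # no 'by' clause matched: implicit default
    return "none"
```

Note that the base entry ou=goyman.com sa,dc=goyman,dc=com itself is not covered by the second clause (the regex needs a comma before "ou="), so it falls through to "by users none" even for the bound user.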