
Re: Access list problem

After debugging I saw that the macosx LDAP client connects anonymously even with the authentication attribute specified.

I don't know why this happens; this client binds correctly on other LDAP servers with simple authentication.

Is there any way to forbid any anonymous connection? Perhaps that will make AddressBook happy.


On Apr 28, 2004, at 2:53 AM, Ziya Suzen wrote:

Hi Nicolas,

Have you tried turning on debugging for "access control list
processing" on slapd?


On 2004-04-27 19:32:46 +0000, Nicolas Goy wrote:

I tried to change the acl, but same result.

I double checked the bind DN and password in my test program and they
are correct.


On Apr 27, 2004, at 4:00 PM, Ziya Suzen wrote:


Then I guess the last ACL statement needs changing to something like:

access to * by * read

Which I think is the default if you leave it out anyway.

After that you need to check your clients if they are actually binding
with the appropriate DN and password.


On 2004-04-27 15:50:45 +0000, Nicolas Goy wrote:

ldapsearch -h orphea -x -b "ou=goyman.com sa,dc=goyman,dc=com" -D
"uid=goyman,ou=goyman.com sa,dc=goyman,dc=com" -w "*******"

Produces the good result with or without ACL. (With ACL, I can't access
unauthorised resources either.)

But with other clients (Address Book on macosx (v3), mozilla (v3 too I
think)) I get an empty result with ACL, and a good result without.

Any idea?


On Apr 27, 2004, at 3:20 PM, Ziya Suzen wrote:

Hi Nicolas,

The ACL looked fine to me. I wonder what your ldapsearch options are.
It does not look like an ACL problem actually. It can even be the case
that your other LDAP clients only talk v2.

Ziya Suzen

On 2004-04-27 13:11:43 +0000, Nicolas Goy wrote:

I got only this access list in my configuration:

access to attr=userPassword
        by self                                     read
        by anonymous                                auth
        by *                                        none

access to dn.regex="^.*,ou=([^,]+),dc=goyman,dc=com"
        by dn.regex="^.*,ou=$1,dc=goyman,dc=com"    read
        by *                                        none

access to *
        by self                                     read
        by users                                    none
        by *                                        none

It works if I use ldapsearch. But with my LDAP clients (mozilla,
address book) I don't get any result when I do a search.

I wonder why.

What I want is to allow, for example, user
uid=toto,ou=ACompany,dc=goyman,dc=com to be able to read
everything under ou=ACompany,dc=goyman,dc=com.

Best Regards


.::.:..: Celui qui appréhende le lendemain mourra idiot .:..:::

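The thread's diagnosis (a client that silently binds anonymously gets an empty search result under this ACL, while the same search with a real bind DN works) can be checked without a running slapd by modelling how slapd evaluates access directives: the first `access to` directive whose `what` selects the entry or attribute wins, within it the first matching `by` clause decides, and a directive none of whose `by` clauses match denies (an implicit `by * none`). The Python below is an added example written for this page, not code from the thread or from OpenLDAP; it transcribes the three directives from Nicolas's slapd.conf into data and evaluates them for an anonymous bind, for a user reading inside and outside its own `ou=`, and for the `userPassword` rule. The case-insensitive regex matching and the literal substitution of `$1` from the `what` regex into the `by dn.regex` pattern are assumptions about slapd's behaviour; the DNs used are constructed from the ones in the thread.

```python
import re

# slapd access levels, lowest to highest; a granted level implies every
# level to its left (e.g. "read" implies "search", "compare", "auth").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The three access directives from the thread's slapd.conf as data:
# (what, [(who, level), ...]).  "what" is {"attr": name} for an attr=
# clause, {"dn_regex": pattern} for dn.regex=, or {"all": True} for "*".
# "who" is "self", "anonymous", "users", "*" or "dn.regex=<pattern>".
ACL = [
    ({"attr": "userPassword"},
     [("self", "read"), ("anonymous", "auth"), ("*", "none")]),
    ({"dn_regex": r"^.*,ou=([^,]+),dc=goyman,dc=com"},
     [("dn.regex=^.*,ou=$1,dc=goyman,dc=com", "read"), ("*", "none")]),
    ({"all": True},
     [("self", "read"), ("users", "none"), ("*", "none")]),
]


def _what_matches(what, target_dn, attr):
    """Return a regex match (or True) when the <what> clause selects the
    target, else None.  An attr= clause only ever selects that attribute."""
    if "attr" in what:
        return True if attr and attr.lower() == what["attr"].lower() else None
    if "dn_regex" in what:
        # Assumption: slapd matches dn.regex case-insensitively against
        # the normalized DN; modelled with re.IGNORECASE.
        return re.match(what["dn_regex"], target_dn, re.IGNORECASE)
    return True  # access to *


def _who_matches(who, bind_dn, target_dn, what_match):
    """bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.regex="):
        if bind_dn is None:  # an anonymous bind has no DN to match
            return False
        pattern = who[len("dn.regex="):]
        if what_match is not True:
            # Assumption: $1, $2, ... are replaced by the text captured by
            # the <what> regex, substituted as-is into the <by> pattern.
            for i, group in enumerate(what_match.groups(), start=1):
                pattern = pattern.replace(f"${i}", group)
        return re.match(pattern, bind_dn, re.IGNORECASE) is not None
    raise ValueError(f"unsupported who clause: {who}")


def granted_level(bind_dn, target_dn, attr=None):
    """Level slapd grants: first matching <what> directive wins, then its
    first matching <by> clause; no matching <by> means "none"."""
    for what, by_clauses in ACL:
        match = _what_matches(what, target_dn, attr)
        if match is None:
            continue
        for who, level in by_clauses:
            if _who_matches(who, bind_dn, target_dn, match):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"  # never reached here: the last directive is "access to *"


def allowed(bind_dn, target_dn, attr=None, needed="read"):
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    # Constructed DNs based on the ones in the thread.
    toto = "uid=toto,ou=ACompany,dc=goyman,dc=com"
    colleague = "uid=alice,ou=ACompany,dc=goyman,dc=com"
    outsider = "uid=bob,ou=BCompany,dc=goyman,dc=com"
    for bind_dn, target, attr in [(None, colleague, None),   # anonymous client
                                  (toto, colleague, None),   # same ou=
                                  (toto, outsider, None),    # other ou=
                                  (toto, toto, "userPassword"),
                                  (None, toto, "userPassword")]:
        print(f"{bind_dn or 'anonymous':45} -> {target:45} "
              f"{attr or '(entry)':13} {granted_level(bind_dn, target, attr)}")
```

The first scenario is the thread's symptom: an anonymous bind reaches the `dn.regex` directive, the `by dn.regex` clause cannot match a bind that has no DN, and `by *` grants `none`, so the search returns nothing. A client that binds with `uid=toto,ou=ACompany,...` gets `read` on entries under `ou=ACompany` and `none` elsewhere, which is exactly the policy the original post asked for. To make a client that drops to an anonymous bind fail loudly at bind time instead of returning empty results, slapd.conf's `disallow bind_anon` directive refuses anonymous binds (and `require authc` refuses unauthenticated operations); that answers the question in the latest reply.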