[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access list problem

To: Ziya Suzen <ziya@ripe.net>
Subject: Re: Access list problem
From: Nicolas Goy <goyman@goyman.com>
Date: Wed, 28 Apr 2004 12:28:56 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20040428005326.GA25202@cow.ripe.net>
References: <AA1AB550-983B-11D8-8685-000393481E96@goyman.com> <20040427132031.GB1897@x5.ripe.net> <E195B6E1-9851-11D8-A9B3-000393481E96@goyman.com> <20040427140022.GE1897@x5.ripe.net> <E5A9CC6C-9870-11D8-B464-000393481E96@goyman.com> <20040428005326.GA25202@cow.ripe.net>

After debugging I saw that the macosx ldap client connect anonymously even with authentification attribute specified.

I don't know why this happen, this client bind correctly on other ldap server with simple authentification.

Is there anyway to forbid any anonymous connection? Perhaps that will make AddressBook happy.

Regards

Goyman
On Apr 28, 2004, at 2:53 AM, Ziya Suzen wrote:

Hi Nicolas,

Have you tried turning on debugging for "access control list
processing" on slapd?

--
Ziya

On 2004-04-27 19:32:46 +0000, Nicolas Goy wrote:

Hello,

I tried to change the acl, but same result.

I double checked the bin dn and password in my tests program and they
are corect.

Regards

Goyman
On Apr 27, 2004, at 4:00 PM, Ziya Suzen wrote:

Hi,

Then I guess the last ACL statement needs changing to something like:

access to * by * read

Which I think the default if you leave it out anyway.

After than you need to check your clients if they are actually binding with appropriate DN and password.

--
Ziya

On 2004-04-27 15:50:45 +0000, Nicolas Goy wrote:

Hello,

ldapsearch -h orphea -x -b "ou=goyman.com sa,dc=goyman,dc=com" -D
"uid=goyman,ou=goyman.com sa,dc=goyman,dc=com" -w "*******"
"(objectClass=inetOrgPerson)"

Produce the good result with or without ACL. (With ACL, I can't acces unauthorised resources as well)

But with other client (Address Book on macosx (v3), mozilla (v3 too I think)) I have empty result with acl, and good result without.

Any idea?

Regards

G.
On Apr 27, 2004, at 3:20 PM, Ziya Suzen wrote:

Hi Nicolas,

ACL looked fine to me. I wonder what your ldapsearch options are.
This
does not look like an ACL problem actually. It can even be the case
that your other LDAP clients only talks v2.

--
Ziya Suzen

On 2004-04-27 13:11:43 +0000, Nicolas Goy wrote:

Hello,

I got only this access list in my configuration:

access  to attr=userPassword
        by self               read
        by anonymous          auth
        by *                  none

access  to dn.regex="^.*,ou=([^,]+),dc=goyman,dc=com"
      by dn.regex="^.*,ou=$1,dc=goyman,dc=com"        read
      by *                                            none

access to *
      by self read
      by users none
      by * none

It work is I use ldapsearch. But whith my ldap clients, (mozilla,
address book) I don't have any result when I do a search.

I wonder why.

What I want is to allow for example user
uid=toto,ou=ACompany,dc=goyman,dc=com will be able to read for
everything under ou=ACompany,dc=goyman,dc=com.

Best Regards

Goyman

.::.:..: Celui qui appr?hende le lendemain mourra idiot .:..:::

				goyman

.::.:..: Celui qui appr?hende le lendemain mourra idiot .:..:::

				goyman

.::.:..: Celui qui appréhende le lendemain mourra idiot .:..:::

				goyman

References:
- Access list problem
  - From: Nicolas Goy <goyman@goyman.com>
- Re: Access list problem
  - From: Ziya Suzen <ziya@ripe.net>
- Re: Access list problem
  - From: Nicolas Goy <goyman@goyman.com>
- Re: Access list problem
  - From: Ziya Suzen <ziya@ripe.net>
- Re: Access list problem
  - From: Nicolas Goy <goyman@goyman.com>
- Re: Access list problem
  - From: Ziya Suzen <ziya@ripe.net>

Prev by Date: Re: Capacity of openLDAP
Next by Date: Re: Capacity of openLDAP
Index(es):
- Chronological
- Thread