
Re: access control



On Wed, Jun 21, 2006 at 11:59:39AM -0400, Aaron Richton wrote:
> Perhaps "slapd -d acl" would be good?

It's a miracle. :(
I can't repeat this situation on another server.

My config:
# access to auth fields.
access to
        dn.regex="^(.+)o=oil([^,]+)$"
        attrs=userPassword,sambaLMPassword,sambaNTPassword
        by anonymous auth
        by self write
        by dn.exact,expand="uid=ldap-sync,ou=virtusers,o=oil$2" read
        by dn.exact,expand="uid=fbsd-samba-admin,ou=virtusers,o=oil$2" read
        by * none

# access to information fields
access to
        dn.regex="^(.+)o=oil([^,]+)$"
        attrs=@inetOrgPerson,cn
        by self write
        by group/groupOfUniqueNames/uniqueMember.expand="cn=Users Editors,ou=groups,o=oil$2" write
        by users read

access to * by * read

My search command:
ldapsearch -LLLZxH ldap://ldap1.oilspace.com -b ou=users,o=oilspace -s one uid=dkirhlarov

My server log:
Jun 22 14:42:13 los02 slapd[4390]: => access_allowed: search access to "uid=dkirhlarov,ou=users,o=oilspace" "uid" requested 
Jun 22 14:42:13 los02 slapd[4390]: => dnpat: [1] ^(.+)o=oil([^,]+)$ nsub: 2 
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [1] matched 
Jun 22 14:42:13 los02 slapd[4390]: => dnpat: [2] ^(.+)o=oil([^,]+)$ nsub: 2 
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [2] matched 
Jun 22 14:42:13 los02 slapd[4390]: => acl_get: [2] attr uid 
Jun 22 14:42:13 los02 slapd[4390]: => acl_mask: access to entry "uid=dkirhlarov,ou=users,o=oilspace", attr "uid" requested 
Jun 22 14:42:13 los02 slapd[4390]: => acl_mask: to value by "", (=0)  
Jun 22 14:42:13 los02 slapd[4390]: <= check a_dn_pat: self 
Jun 22 14:42:13 los02 slapd[4390]: <= check a_dn_pat: users 
Jun 22 14:42:13 los02 slapd[4390]: <= acl_mask: no more <who> clauses, returning =0 (stop) 
Jun 22 14:42:13 los02 slapd[4390]: => access_allowed: search access denied by =0 

When I disable the "access to information fields" ruleset -- all works
fine.

Help!!!

WBR
-- 
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.203 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com
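The denial in the log above follows from how slapd picks an access directive: `acl_get` stops at the first `access to` clause whose `dn.regex` and `attrs` both match, and here the second directive matches `uid` because `@inetOrgPerson` expands to that object class's attributes. Its `<who>` list (`self`, `group/...`, `users`) has nothing that an anonymous bind (`by ""`) can satisfy, since `users` means authenticated users only, so the mask ends at `=0` and the search is refused; the later `access to * by * read` is never reached. The following Python block is an added example, not code from the post or from OpenLDAP: it is a deliberately simplified model of slapd's first-match ACL evaluation, with the poster's directives transcribed as data. The `inetOrgPerson` attribute subset, the group membership, and the "deny when no directive matches" fallback are constructed assumptions for the demo.

```python
import re

# slapd access levels, weakest to strongest; a granted level implies all lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Constructed subset of inetOrgPerson's attribute types (assumption: the real
# schema expands @inetOrgPerson to the full inherited attribute list)
OBJECTCLASS_ATTRS = {"inetOrgPerson": {"uid", "cn", "sn", "mail", "userPassword"}}

# The poster's ACL transcribed as data: (dn.regex, attrs, [(who, arg, level), ...])
ACLS = [
    (r"^(.+)o=oil([^,]+)$", ["userPassword", "sambaLMPassword", "sambaNTPassword"], [
        ("anonymous", None, "auth"),
        ("self", None, "write"),
        ("dn.exact,expand", "uid=ldap-sync,ou=virtusers,o=oil$2", "read"),
        ("dn.exact,expand", "uid=fbsd-samba-admin,ou=virtusers,o=oil$2", "read"),
        ("*", None, "none"),
    ]),
    (r"^(.+)o=oil([^,]+)$", ["@inetOrgPerson", "cn"], [
        ("self", None, "write"),
        ("group", "cn=Users Editors,ou=groups,o=oil$2", "write"),
        ("users", None, "read"),
    ]),
    (r".*", "*", [("*", None, "read")]),
]

# Constructed group membership for the group/groupOfUniqueNames/uniqueMember clause
GROUPS = {"cn=Users Editors,ou=groups,o=oilspace": {"uid=editor,ou=users,o=oilspace"}}


def expand(pattern, match):
    """Replace $1..$9 in a <who> DN with the groups captured by dn.regex."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), pattern)


def attr_set(attrs):
    """Expand @objectClass items of an attrs= list into attribute names."""
    out = set()
    for a in attrs:
        out |= OBJECTCLASS_ATTRS[a[1:]] if a.startswith("@") else {a}
    return out


def acl_get(entry_dn, attr):
    """First 'access to' clause matching both the DN and the attribute wins."""
    for dn_regex, attrs, by in ACLS:
        m = re.match(dn_regex, entry_dn)
        if m and (attrs == "*" or attr in attr_set(attrs)):
            return by, m
    return None, None


def acl_mask(by, m, entry_dn, bind_dn):
    """Walk the <who> clauses in order; the first one that matches fixes the level."""
    for who, arg, level in by:
        if ((who == "anonymous" and bind_dn == "")
                or (who == "self" and bind_dn == entry_dn)
                or (who == "users" and bind_dn != "")
                or (who == "dn.exact,expand" and bind_dn == expand(arg, m))
                or (who == "group" and bind_dn in GROUPS.get(expand(arg, m), ()))
                or who == "*"):
            return level
    return "none"  # "no more <who> clauses, returning =0"


def access_allowed(entry_dn, attr, bind_dn, needed):
    """True if bind_dn is granted at least `needed` on (entry_dn, attr)."""
    by, m = acl_get(entry_dn, attr)
    # Assumption: deny when no directive matches (cannot happen with the trailing 'access to *')
    granted = acl_mask(by, m, entry_dn, bind_dn) if by else "none"
    return LEVELS.index(granted) >= LEVELS.index(needed)


ENTRY = "uid=dkirhlarov,ou=users,o=oilspace"


def demo():
    """The poster's anonymous search next to binds that the same ACL does let through."""
    return {
        "anonymous search uid": access_allowed(ENTRY, "uid", "", "search"),
        "self search uid": access_allowed(ENTRY, "uid", ENTRY, "search"),
        "other user read cn": access_allowed(ENTRY, "cn", "uid=someone,ou=users,o=oilspace", "read"),
        "ldap-sync read userPassword": access_allowed(
            ENTRY, "userPassword", "uid=ldap-sync,ou=virtusers,o=oilspace", "read"),
        "anonymous auth userPassword": access_allowed(ENTRY, "userPassword", "", "auth"),
        "anonymous read userPassword": access_allowed(ENTRY, "userPassword", "", "read"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'denied'}")
```

Running it shows the anonymous `uid` search denied exactly as in the log, while the same entry is readable by `self`, by any authenticated user, and (for the password attributes) by the `ldap-sync` DN via `$2` expansion. The `ldapsearch` in the post uses `-x` without `-D`, so it is an anonymous bind; the model makes visible that the second directive, not the first, is what swallows the request before the catch-all `by * read`.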