
Re: Data access issue



On 02/11/2009 21:01, Vincent DEBOUT wrote:
Hi,

I have an issue getting data from my LDAP server. With the root account
everything is fine:

[vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "cn=Directory Manager,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=personnes,dc=morinie,dc=fr> with scope subtree
# filter: uid=vincent
# requesting: ALL
#

# vincent, personnes, morinie.fr
dn: uid=vincent,ou=personnes,dc=morinie,dc=fr
...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

But when I try with my own account, I get no result:

[vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "uid=vincent,ou=personnes,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=personnes,dc=morinie,dc=fr> with scope subtree
# filter: uid=vincent
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Here is my access configuration file:

# The root DIT should be accessible to all clients
access to dn.exact="" by * read

# So should the schema
access to dn.subtree="cn=Subschema" by * read

access to attr=userpassword
        by self write
        by anonymous auth
        by * none

access to attr=x500uniqueIdentifier
        by self write
        by * none

access to dn.one="ou=personnes, dc=morinie, dc=fr"
        by anonymous auth
        by self write
        by users write

I don't understand why I can't get the data!

Can you help me on this?

Hi Vincent,

This is because you don't have the search right on the base
"ou=personnes, dc=morinie, dc=fr".

Your ACL gives access to all attributes in all entries *one level below*
this entry. But no access to "ou=personnes" entry itself.

From the admin guide:

    There are two special pseudo attributes entry and children. [...] To
    perform a search, the subject must have search access to the search
    base's entry attribute.

(see http://www.openldap.org/doc/admin24/access-control.html for more)

Hope this helps,
Jonathan
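Added example, not part of either message above: Vincent's ACL set with one rule added so that authenticated users get search access to the ou=personnes entry itself, which is what the quoted admin-guide passage requires for a search scoped at that base. The DNs and attribute names are those from the original post; where in the rest of slapd.conf this block sits is an assumption, since the post shows only the access directives. Two facts worth keeping in mind: the database's rootdn bypasses access control entirely, so if "cn=Directory Manager" is the rootdn the first search succeeds no matter what these rules say, and when access directives are present, a request that matches no rule is denied, which is why the entry attribute of the base has to be granted explicitly.

```conf
# The root DIT should be accessible to all clients
access to dn.exact="" by * read

# So should the schema
access to dn.subtree="cn=Subschema" by * read

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to attrs=x500UniqueIdentifier
        by self write
        by * none

# ADDED RULE: the search base entry itself. dn.one covers only the entries
# one level below ou=personnes, never the ou entry, so without this rule
# a bind as uid=vincent falls through to the implicit deny and the server
# answers "No such object" rather than admit the entry exists.
# "search" on the entry pseudo-attribute is the minimum a bind DN needs to
# run a search from this base; "read" would additionally expose the ou
# entry's own attributes, which the search does not require.
# slapd uses the first "access to" clause that matches, so a rule like this
# must come before any broader rule that would also match the same entry.
access to dn.exact="ou=personnes,dc=morinie,dc=fr" attrs=entry
        by users search
        by * none

access to dn.one="ou=personnes,dc=morinie,dc=fr"
        by anonymous auth
        by self write
        by users write
```

After adding the rule (and restarting or reloading slapd, since this is slapd.conf rather than cn=config), the second ldapsearch from the post should return the uid=vincent entry with result 0 instead of result 32. The dn.one rule is reproduced unchanged, but note what "by users write" grants there: every authenticated user may modify every entry under ou=personnes, not just their own; if only self-service updates are intended, "by users read" after "by self write" is the tighter choice.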