
Re: Search access does not return any result



sim123 wrote:


On Mon, Nov 14, 2011 at 1:37 PM, sim123 <Sim3159@gmail.com> wrote:

    Hi All,

    I am playing with access controls on openldap 2.4.26, I have a user with
    search access on everything

    access to *
             by anonymous auth
             by dn="uid=102,ou=system,dc=example,dc=com" search

    And when I perform search I get nothing

    ldapsearch -H "ldap://testldap:389" -D
    "uid=102,ou=system,dc=example,dc=com" -b "ou=users,dc=example,dc=com" -x
    -W '(uid=1)' mail cn dn

    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <ou=users,dc=example,dc=com> with scope subtree
    # filter: (uid=1)
    # requesting: mail cn dn
    #

    # search result
    search: 2
    result: 0 Success

    # numResponses: 1

    so I get a success but no value, is it a valid response?

Yes, it's a valid response. You haven't given Read access to anything, so no values can be returned. But the search base existed and you had search access to it, so the search request succeeded.

    I want to control
    access so that the "uid=102" user can do lookup from given attributes but
    can not do (objectClass=*) to get a list of every entry in the ldap.

    Thanks for the help


Another way of stating my problem is that I want to control query filters on the
server side so that the user with "uid=102" can only query using the filter (uid=.+),
and all other filters should be restricted. I tried this regular expression but
I get a "no such object" error.

It seems to me that what you want cannot be done. You need Read access in order to retrieve any values. Read access includes Search access. So if you are able to read the value of an attribute, you are allowed to Search for it as well.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
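The ACL semantics Howard describes, worked through as an added slapd.conf example (not part of the thread above, and not a configuration from the OpenLDAP project itself). It reuses the bind DN and suffix from the original post; the attribute list (mail, cn) and the sizelimit values are assumptions chosen for illustration. OpenLDAP privileges form a strict ladder (none < disclose < auth < compare < search < read < write < manage), so each level includes the ones below it: granting search on an attribute lets the filter match against it but returns no value, granting read returns the value and necessarily permits filtering on it too.

```conf
# --- Weak: what the original poster had ---------------------------------
# "search" on everything (including the "entry" pseudo-attribute) means the
# filter (uid=1) is evaluated and matches, but no entry or value is ever
# returned because nothing has "read". Result: "Success", numResponses: 1.
#
#   access to *
#           by anonymous auth
#           by dn.exact="uid=102,ou=system,dc=example,dc=com" search
#           by * none

# --- Working: return only the attributes the lookup needs ----------------
# userPassword must stay unreadable; "auth" lets binds happen without
# exposing the hash.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# "entry" is the pseudo-attribute that must be readable for an entry to be
# returned at all; uid is the lookup key; mail and cn are the values wanted.
access to dn.subtree="ou=users,dc=example,dc=com" attrs=entry,uid,mail,cn
        by dn.exact="uid=102,ou=system,dc=example,dc=com" read
        by * none

# Everything else (objectClass included) is invisible to this bind DN, so a
# filter such as (objectClass=*) matches nothing for it.
access to *
        by * none

# Caveat (this is the point of Howard's reply): because read includes search,
# uid=102 can still enumerate the whole subtree with (uid=*), (mail=*) or
# (cn=*). ACLs cannot restrict filter syntax. What a server-side "limits"
# directive can do is cap how much one bind DN gets back per search, which
# slows bulk harvesting without blocking legitimate single-user lookups.
# Values below are illustrative assumptions.
limits dn.exact="uid=102,ou=system,dc=example,dc=com" size=5 time=10
```

Note the ordering: slapd stops at the first `access to` clause whose target matches, so the `attrs=userPassword` rule must come before the broader attribute rule and the catch-all `access to *` must be last. Verify the result with the poster's own `ldapsearch -x -D "uid=102,ou=system,dc=example,dc=com" -W ...` command: `(uid=1)` should now return the entry with mail and cn, while `(objectClass=*)` returns no entries and `(uid=*)` returns at most the configured size limit.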