Re: OpenLDAP ACL causing error code 49
- To: openldap-technical@openldap.org
- Subject: Re: OpenLDAP ACL causing error code 49
- From: Matty <matty91@gmail.com>
- Date: Mon, 19 Dec 2016 10:33:59 -0500
- In-reply-to: <41EB8BE57660092A045640B1@192.168.1.19>
- References: <CALCK1CHAtxxBjAoRXh-AZa8PYJU=7-QgRnj_Lezv3oYNTobnQQ@mail.gmail.com> <69bb768d-f41e-505b-50ea-5326656c654c@stroeder.com> <WM!b3d673fa4a35847ff5fe44dc78e1e274ba84a46d3185cb5c76a78610548df194b8796b4fce0e64f276b8b9126998341b!@mailstronghold-3.zmailcloud.com> <41EB8BE57660092A045640B1@192.168.1.19>
On Mon, Nov 21, 2016 at 12:45 PM, Quanah Gibson-Mount <quanah@symas.com> wrote:
> --On Monday, November 21, 2016 6:41 PM +0100 Michael Ströder
> <michael@stroeder.com> wrote:
>
>> Matty wrote:
>>>
>>> I am testing some OpenLDAP ACLs and stumbled on a weird issue. My
>>> configuration has the following ACL defined:
>>>
>>> access to *
>>> by users read
>>> by peername.ip=1.2.3.4 read
>>> by * none
>>
>> ^^^^
>> You probably want "auth" in this last <who> clause.
>>
>> Ciao, Michael.
>>
>
> or:
> by anonymous auth
> by * none
>
> may be closer.
That works as well, but I'm still not really clear why running:
$ ldapsearch -b 'dc=foo,dc=com' -x -h ldap1 -W -D 'uid=bingo,ou=users,dc=foo,dc=com' '(objectClass=*)'
Results in an anonymous bind:
Nov 16 09:50:02 tulip slapd[17803]: => acl_get: [2] attr userPassword
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: access to entry
"uid=bingo,ou=users,dc=foo,dc=com", attr "userPassword" requested
Nov 16 09:50:02 tulip slapd[17803]: => acl_mask: to value by "", (=0)
Does anyone happen to know why "acl_mask: to value by" shows ""
instead of the dn of the user passed to the "-D" option? The
suggestions above work but I am still curious why the anonymous bind
is occurring.
Thanks for the awesome feedback,
- Ryan
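For readers hitting the same error 49, the mechanism behind the "" in the acl_mask line is this: a simple bind is processed on a connection that is still anonymous, so slapd checks whether the current (empty) identity has "auth" access to userPassword on the target entry before it compares the password. With the posted rule set, "by users" does not match anonymous, "by peername.ip=1.2.3.4" only matches a client on that address, and "by * none" denies the rest, so the bind is refused as invalidCredentials (49) without the password ever being checked. The following slapd.conf fragment is an added example, not the poster's configuration or anything from the thread beyond the names it reuses (dc=foo,dc=com, ou=users, the peer address 1.2.3.4): it places the weak rule set next to the usual OpenLDAP pattern of a dedicated userPassword rule ahead of the catch-all.

```conf
# Added example (not from the thread). Names such as ou=users and the peer
# address 1.2.3.4 are reused from the poster's message; the rule ordering
# and the userPassword rule are the standard OpenLDAP pattern.

# --- Weak (as posted): simple bind fails with err=49 ---------------------
# A simple bind runs while the connection is still anonymous, so slapd
# evaluates "auth" access to userPassword with an empty DN (the "" in the
# acl_mask log line). "by users" does not match anonymous, the peername
# clause only matches a client at 1.2.3.4, and "by * none" denies everything
# else, so the password is never compared and the bind is rejected.
#
# access to *
#     by users read
#     by peername.ip=1.2.3.4 read
#     by * none

# --- Corrected -----------------------------------------------------------
# Rules are tried in order and the first "access to" whose <what> matches
# is used, so the userPassword rule must precede the catch-all. Anonymous
# gets only "auth" (enough to bind, not enough to read or search the hash);
# "self write" lets a user change their own password.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else: authenticated users and the trusted host can read;
# anonymous gets nothing, so the tree cannot be enumerated without a bind.
access to *
    by users read
    by peername.ip=1.2.3.4 read
    by * none
```

To check a rule set without a client, slapacl evaluates it offline against the database: `slapacl -f slapd.conf -b 'uid=bingo,ou=users,dc=foo,dc=com' userPassword/auth` (no -D, so the identity is anonymous) reports whether the bind-time check would be allowed; it is denied under the weak rules and allowed under the corrected ones. Note that the corrected catch-all still grants anonymous clients at 1.2.3.4 read access to everything except userPassword, which is what the original peername clause asked for; tighten or drop it if that host is not meant to browse the directory unauthenticated.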