
Re: ACLs for anonymous access?



On 10 May, James K. McConnell wrote:
> However, I'm planning on extending the function of the LDAP tree to allow
> 2 additional things:  First, allow anonymous search of cn, sn, and mail
> attributes to create a sort of "global addressbook" for my mail users.
> Second, begin using the LDAP server with nss_ldap, pam_ldap, & auth_ldap
> to authenticate users to Linux systems, web servers, etc.  To facilitate
> these additions, I've also made sure to that I can easily use the
> posixAccount and shadowAccount objectclasses, and in fact, most of this
> information is in the tree and currently unused.
> 
> My next step is to allow the anonymous search to a specific part of the
> tree, and only specific attributes at that.  I've added an ACL that I had
> hoped would be correct, but after tweaking it for far too long, I believe
> I've confused myself more than anything.  I really need an explanation for
> why this isn't working, and be told how to properly read the acl processing
> logs.  I'm quite sure I'm missing something obvious, but after taking a
> long break and trying again, it didn't seem any clearer.  Perhaps I need
> to grant read, and not search access?
> 
> My current ACLs and an appropriate log entry follow.  The log entry is from
> the following command, which returns an empty result set:
> 
> ldapsearch "mail=jkm@tbred.com"
> 
> Here are the ACLs:
> 
> # Set the default access level
> defaultaccess   none
> 
> # Allow anonymous search to mail,cn,sn in base(ou=people,dc=tbred,dc=com)
> access to dn=".+,ou=people,dc=tbred,dc=com"
>         attr=mail,cn,sn
>         by self write
>         by * search

Ok, the problem is that even though you can "search" on those
attributes, you don't actually have "read" access for anything. Hence,
slapd finds the entry but doesn't return any results <g>. Try using
"read" and that should do what you want.
 
> :  => access_allowed: entry (uid=jkm, ou=People, dc=tbred, dc=com) attr
> (mail)
> :  => acl_get: entry (uid=jkm, ou=People, dc=tbred, dc=com) attr (mail)
> : <= acl_get: [2] backend acl uid=jkm, ou=People, dc=tbred, dc=com attr:
> mail
> :  => acl_access_allowed: search access to entry "uid=jkm, ou=People,
> dc=tbred, dc=com"
> :  => acl_access_allowed: search access to value "JKM@TBRED.COM" by ""
> : <= acl_access_allowed: matched by clause #2 access granted

Found an entry

> :  => access_allowed: exit (uid=jkm, ou=People, dc=tbred, dc=com) attr
> (mail)
> :  => access_allowed: entry (uid=jkm, ou=People, dc=tbred, dc=com) attr
> (entry)
> :  => acl_get: entry (uid=jkm, ou=People, dc=tbred, dc=com) attr (entry)
> : <= acl_get: [3] backend acl uid=jkm, ou=People, dc=tbred, dc=com attr:
> entry
> :  => acl_access_allowed: read access to entry "uid=jkm, ou=People,
> dc=tbred, dc=com"
> :  => acl_access_allowed: read access to value "any" by ""
> : <= acl_access_allowed: matched by clause #4 access denied

denied to read

> :  => access_allowed: exit (uid=jkm, ou=People, dc=tbred, dc=com) attr
> (entry)
> : acl: access to entry not allowed

-- 
Doug Nazar
Dragon Computer Consultants Inc.
Tel: (416) 708-1578     Fax: (416) 708-8081
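For reference, here is the ACL from the original question beside the corrected form the reply suggests. This is an added illustration written in the same old-style slapd.conf syntax the post uses, not configuration taken from either poster; the DN suffix and attribute list are the ones from the thread. The point it shows: "search" only lets slapd evaluate the filter against the entry, while "read" is what lets the matching values be returned to the client, so an anonymous "global addressbook" needs read, but only on the few attributes you intend to expose.

```conf
# Set the default access level: anything not explicitly granted is denied
defaultaccess   none

# --- As posted: anonymous gets "search" only ---------------------------
# The filter mail=jkm@tbred.com matches, but no attribute or entry may be
# read back, so ldapsearch returns an empty result set (see the debug log:
# "search access ... granted", then "read access ... denied").
# access to dn=".+,ou=people,dc=tbred,dc=com"
#         attr=mail,cn,sn
#         by self write
#         by * search

# --- Corrected: anonymous gets "read", scoped to the addressbook attrs --
# "read" implies search, so the filter still works and the values come back.
# Only mail, cn and sn are exposed; everything else under ou=people (for
# example userPassword or the shadowAccount fields) stays covered by
# defaultaccess none, so nss_ldap/pam_ldap data is not leaked anonymously.
access to dn=".+,ou=people,dc=tbred,dc=com"
        attr=mail,cn,sn
        by self write
        by * read
```

When checking the result, re-run the same `ldapsearch "mail=jkm@tbred.com"` with ACL debugging on and confirm the `acl_access_allowed` lines now report "read access ... granted" for the returned attributes. One caveat for anyone applying this on a later OpenLDAP 2.x release: there, returning an entry also requires read access to the `entry` pseudo-attribute (the `attr (entry)` check visible in the log above), which needs its own `access to ... attrs=entry by * read` clause in 2.x syntax; the single corrected clause above is what the reply on this thread describes.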