
Apologies - ACL question



 I have searched far and wide but couldn't find the answer, so I will
subject the list to yet another ACL question.

  I am trying to connect to a 1.2.9 server from my Netscape client.  I
always get an error indicating mail id invalid or not unique. In looking
at the debug output, the dn that contains the mail address passed is
found, but then it appears that Netscape asks for read access to the
entry (which is disabled for an anonymous bind). Can anyone enlighten me
as to how to write my ACL list to allow Netscape (or any anonymously bound
client) to search on the mail attribute to return the correct dn to use
in a subsequent authenticated bind? Attached are my access rules and
some debug output. Many thanks in advance. Any and all pointers to
quality ACL doc gratefully accepted.


defaultaccess  none

access to attr=userPassword
 by self write
 by dn="cn=Administrator,dc=foo,dc=com" write
 by dn="^$$" compare
 by * none

access to attr=mail
 by dn=".*,ou=Employees,dc=foo,dc=com" write
 by dn="^$$" search
 by * none

access to attr=uid
 by self write
 by dn="cn=Administrator,dc=foo,dc=com" write
 by dn=".*,ou=Employees,dc=foo,dc=com" read
 by dn="^$$" search
 by * none

access to *
 by dn=".*,ou=Employees,dc=foo,dc=com" write
 by * none


DEBUG Output
=> access_allowed: entry (mail=mike@foo.com, ou=Employees, dc=foo,
dc=com) attr (mail)

=> acl_get: entry (mail=mike@foo.com, ou=Employees, dc=foo, dc=com) attr
(mail)
<= acl_get: [2] backend acl mail=mike@foo.com, ou=Employees, dc=foo,
dc=com attr: mail

=> acl_access_allowed: search access to entry "mail=mike@foo.com,
ou=Employees, dc=foo, dc=com"

=> acl_access_allowed: search access to value "MIKE@FOO.COM" by ""
<= acl_access_allowed: matched by clause #2 access granted

=> access_allowed: exit (mail=mike@foo.com, ou=Employees, dc=foo,
dc=com) attr (mail)

=> access_allowed: entry (mail=mike@foo.com, ou=Employees, dc=foo,
dc=com) attr (entry)

=> acl_get: entry (mail=mike@foo.com, ou=Employees, dc=foo, dc=com) attr
(entry)
<= acl_get: [4] backend acl mail=mike@foo.com, ou=Employees, dc=foo,
dc=com attr: entry

=> acl_access_allowed: read access to entry "mail=mike@foo.com,
ou=Employees, dc=foo, dc=com"

=> acl_access_allowed: read access to value "any" by ""
<= acl_access_allowed: matched by clause #2 access denied

=> access_allowed: exit (mail=mike@foo.com, ou=Employees, dc=foo,
dc=com) attr (entry)
acl: access to entry not allowed
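To see why the log above grants search on mail but denies read on the entry, here is a small Python model of the ACL evaluation run over the poster's own rules (an added example, not slapd's code). It assumes the first `access to` rule whose target covers the attribute is the only one consulted, the first matching `by` clause decides, each level implies the lower ones, `dn=` patterns are regexes (`$$` being slapd.conf's escape for `$`), and the `entry` pseudo-attribute falls through to `access to *`.

```python
import re

LEVELS = ["none", "compare", "search", "read", "write"]  # each level implies the lower ones


def parse_acl(text):
    # One rule per line: "access to <target> by <who> <level> by <who> <level> ..."
    rules = []
    for line in text.strip().splitlines():
        target, *clauses = [p.strip() for p in line.split(" by ")]
        rules.append((target[len("access to "):], [tuple(c.rsplit(" ", 1)) for c in clauses]))
    return rules


def who_matches(who, bind_dn, entry_dn):
    # bind_dn == "" models an anonymous bind (the "" in the debug output)
    if who == "*":
        return True
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        # slapd.conf writes $ as $$, so dn="^$$" is the regex ^$ : the empty (anonymous) DN
        return re.search(who[4:-1].replace("$$", "$"), bind_dn, re.I) is not None
    return False


def access_allowed(rules, entry_dn, attr, bind_dn, wanted):
    # Returns (granted, rule_no, clause_no), 1-based like slapd's "[n]" and "clause #n" lines
    for rule_no, (target, clauses) in enumerate(rules, 1):
        if target != "*" and target.lower() != "attr=" + attr.lower():
            continue  # only the first rule whose target covers the attribute is consulted
        for clause_no, (who, level) in enumerate(clauses, 1):
            if who_matches(who, bind_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted), rule_no, clause_no
        return False, rule_no, 0  # target matched but no "by" clause did: denied
    return False, 0, 0  # no rule matched: defaultaccess none


# The poster's four rules, copied from the message above (one rule per line)
ACL = """
access to attr=userPassword by self write by dn="cn=Administrator,dc=foo,dc=com" write by dn="^$$" compare by * none
access to attr=mail by dn=".*,ou=Employees,dc=foo,dc=com" write by dn="^$$" search by * none
access to attr=uid by self write by dn="cn=Administrator,dc=foo,dc=com" write by dn=".*,ou=Employees,dc=foo,dc=com" read by dn="^$$" search by * none
access to * by dn=".*,ou=Employees,dc=foo,dc=com" write by * none
"""
RULES = parse_acl(ACL)
ENTRY = "mail=mike@foo.com,ou=Employees,dc=foo,dc=com"  # the entry from the debug output

if __name__ == "__main__":
    print(access_allowed(RULES, ENTRY, "mail", "", "search"))  # -> (True, 2, 2), as in the log
    print(access_allowed(RULES, ENTRY, "entry", "", "read"))   # -> (False, 4, 2), as in the log
```

The second call lands on rule 4 (`access to *`), whose only clause matching an anonymous bind is `by * none`, which is exactly the "matched by clause #2 access denied" line in the output.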