
Re: access directive



On Mon, Jan 07, 2013 at 01:21:23PM -0200, Friedrich Locke wrote:

> sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
> SASL/GSSAPI authentication started
> SASL username: sioux@UFV.BR

You appear to be binding as the entry that you want to read, so 'self'
rules will match...

> But if I comment the 5th rule (I keep the others, giving access to the
> homedirectory attribute), it does not work:
> 
> sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
> SASL/GSSAPI authentication started
> SASL username: sioux@UFV.BR

> result: 32 No such object

> Does anybody here know why?

No such object means that you do not have access to the base
object for the search (uid=sioux,ou=people,dc=ufv,dc=br in this
case).

Your rule 5 said:

> access to dn.one="ou=people,dc=ufv,dc=br"
>         by self read
>         by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
>         by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

so it gives 'self' access to all attributes. The critical
thing here is the pseudo-attribute 'entry' - you need to give
access to that if you want to use the entry as the base of a
search or if it is to be listed in a search result.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
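
A worked version of the fix Andrew describes, added here as an example and not taken from the thread: a rule that grants only the homedirectory attribute, paired with a separate rule for the 'entry' pseudo-attribute so that the same clients can use the entry as a search base. The DNs are the ones from the thread; the clause ordering and the `by * none` catch-alls are assumptions.

```conf
# slapd.conf ACL fragment (added example, not the poster's own config).
# The DNs are those quoted in the thread; everything else is assumed.
#
# slapd applies the first "access to" clause whose target matches a
# given entry/attribute, so neither clause below may be shadowed by an
# earlier, broader clause in the same file.

# 1. Access to the attribute the client actually asks for.
access to dn.one="ou=people,dc=ufv,dc=br" attrs=homedirectory
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by * none

# 2. Access to the 'entry' pseudo-attribute. Without this clause the
#    same clients get "result: 32 No such object" when they use one of
#    these entries as a search base, and the entries are left out of
#    subtree search results even though attribute access is granted.
access to dn.one="ou=people,dc=ufv,dc=br" attrs=entry
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by * none
```

With both clauses in place, the ldapsearch from the thread (base uid=sioux,ou=people,dc=ufv,dc=br, bound as sioux) returns the homedirectory value instead of result 32.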