On 02/11/2009 21:01, Vincent DEBOUT wrote:
Hi,
I have an issue getting data from my LDAP server. With the root account everything is fine:

[vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "cn=Directory Manager,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=personnes,dc=morinie,dc=fr> with scope subtree
# filter: uid=vincent
# requesting: ALL
#

# vincent, personnes, morinie.fr
dn: uid=vincent,ou=personnes,dc=morinie,dc=fr
...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
But when I try with my own account, I get no result:
[vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "uid=vincent,ou=personnes,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=personnes,dc=morinie,dc=fr> with scope subtree
# filter: uid=vincent
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
Here is my access configuration file:
# The root DIT should be accessible to all clients
access to dn.exact="" by * read

# So should the schema
access to dn.subtree="cn=Subschema" by * read

access to attr=userpassword
        by self write
        by anonymous auth
        by * none

access to attr=x500uniqueIdentifier
        by self write
        by * none

access to dn.one="ou=personnes, dc=morinie, dc=fr"
        by anonymous auth
        by self write
        by users write
I don't understand why I can't get the data!
Can you help me on this?
Hi Vincent,
This is because you don't have search rights on the base "ou=personnes, dc=morinie, dc=fr".
Your ACL gives access to all attributes in all entries *one level below* this entry, but no access to the "ou=personnes" entry itself.
From the admin guide:
There are two special pseudo attributes entry and children. [...] To perform a search, the subject must have search access to the search base's entry attribute.
(see http://www.openldap.org/doc/admin24/access-control.html for more)
Hope this helps, Jonathan
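For reference, here is an ACL set that applies Jonathan's diagnosis. This is an added example, not configuration posted in the thread; it keeps the suffix dc=morinie,dc=fr from Vincent's mail and is otherwise illustrative. Two things differ from the original file: a rule granting search on the pseudo attribute "entry" of the search base is added in front of the dn.one rule (dn.one never matches the base entry itself, only its children), and the children rule grants authenticated users "read" rather than "write", because "by users write" in the original lets every authenticated user modify every other user's entry, not just their own.

```conf
# Added example (not from the original thread): slapd.conf ACLs rewritten
# so that an authenticated user can search under ou=personnes.
# Assumes the suffix dc=morinie,dc=fr from the thread; all else is illustrative.

# Root DSE and schema stay readable by everyone.
access to dn.exact="" by * read
access to dn.subtree="cn=Subschema" by * read

# Passwords: the owner may change them, anonymous may bind against them
# (needed for simple bind), nobody may read them. These attribute rules
# carry no dn clause, so they match every entry and must come first.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to attrs=x500uniqueIdentifier
        by self write
        by * none

# The search base itself. slapd requires "search" on the pseudo attribute
# "entry" of the base before it evaluates a search rooted there; without this
# rule the base is invisible to the user and the result is 32 No such object.
access to dn.exact="ou=personnes,dc=morinie,dc=fr" attrs=entry
        by users search
        by * none

# Entries one level below the base: a user may write their own entry,
# other authenticated users may read (read implies search). The original
# "by users write" is deliberately not kept.
access to dn.one="ou=personnes,dc=morinie,dc=fr"
        by self write
        by users read
        by anonymous auth
        by * none
```

After editing, run slaptest against the config to catch syntax errors before restarting slapd, then repeat the failing search bound as uid=vincent; it should now end with "result: 0 Success" and "numEntries: 1" as the Directory Manager search did. If the directory gains deeper sub-OUs later, dn.one will stop matching them and dn.subtree (which includes the base entry) is the form to switch to.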