Hello;
I have a question on LDAP search issue. I want to disable full search on the LDAP tree.
E.g.:
My LDAP tree is:
c=US, o=Dept1, cn=John Smith
c=US, o=Dept1, cn=Ann Adams
I want to deny reading the full listing of the tree and only allow it when the search condition matches exactly the required person. In the example above, I want nobody to be listed. But when the search criterion is "c=US, o=Dept1, cn=Ann Adams", this entry must be listed. When a search on "c=US" comes, nothing must be listed.
What is the correct Access Control Information for this request?
Thanks.
On Mon, Nov 20, 2006 at 11:00:46AM +0200, Gökhan wrote:
> Hello;
> I have a question on an LDAP search issue. I want to disable full search on the LDAP tree.
> E.g.:
> My LDAP tree is:
> c=US, o=Dept1, cn=John Smith
> c=US, o=Dept1, cn=Ann Adams
> I want to deny reading the full listing of the tree and only allow it when the search condition matches exactly the required person. In the example above, I want nobody to be listed. But when the search criterion is "c=US, o=Dept1, cn=Ann Adams", this entry must be listed. When a search on "c=US" comes, nothing must be listed.
> What is the correct Access Control Information for this request?
Something like:

    # DNs quoted and written leaf-first (slapd parses "o=Dept1,c=US"
    # as o=Dept1 directly under c=US); the lowest access level is "none".
    access to dn.children="o=Dept1,c=US"
        by * read
    access to dn.children="o=Dept2,c=US"
        by * read
    access to dn.sub="c=US"
        by * none

It's just an untested idea. For details, read slapd.access(5) about dnstyle.
WBR
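As an added example (not posted by anyone in this thread, and not tested against a live slapd by its participants): one way to write the requested rule set in slapd.conf ACL syntax, with the DNs leaf-first (cn=Ann Adams,o=Dept1,c=US) as slapd parses them. It relies on how slapd evaluates a search: the requester needs "search" access to the "entry" pseudo-attribute of the search base before any entry is considered, and "read" access to an entry before it is returned. The department and person entries are taken from the question; the suffix c=US, the cn=dirsync service account, and the userPassword handling are assumptions added here.

```conf
# Added example for the question above (not from the thread, untested
# against a live slapd). DNs are written leaf-first, as slapd parses them.
# slapd walks "access to" clauses in order and the first clause whose
# target matches decides, so the specific rules must precede the
# catch-all at the end.

# 1. Refuse c=US and o=Dept1,c=US as search bases. slapd requires
#    "search" access to the base entry's "entry" pseudo-attribute before
#    it evaluates a search at all. Because no "disclose" privilege is
#    granted to "*", the refusal comes back as noSuchObject, so an
#    ordinary client does not even learn that the container exists.
#    cn=dirsync is a hypothetical service account that may still
#    enumerate the tree; the rootdn bypasses ACLs and needs no rule.
access to dn.exact="c=US" attrs=entry
    by dn.exact="cn=dirsync,o=Dept1,c=US" search
    by * none
access to dn.exact="o=Dept1,c=US" attrs=entry
    by dn.exact="cn=dirsync,o=Dept1,c=US" search
    by * none

# 2a. Never hand out password hashes: the userPassword rule must come
#     before the general read rule below, again because first match wins.
#     "auth" lets clients bind, "self write" lets users change their own.
access to dn.children="o=Dept1,c=US" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2b. Person entries are readable when addressed directly, e.g.
#       ldapsearch -x -s base -b "cn=Ann Adams,o=Dept1,c=US"
#     "read" implies "search", so the base check on the entry itself
#     passes and the entry is returned.
access to dn.children="o=Dept1,c=US"
    by * read

# 3. Everything else under the suffix, including the container entries'
#    own attributes, stays hidden.
access to dn.subtree="c=US"
    by * none
```

Two caveats worth keeping in mind with this layout. First, it prevents enumeration, not disclosure: any client that can construct a valid DN still reads that entry, so it is a hurdle rather than a secret. Second, `by * read` on the person entries includes anonymous clients; replace `*` with `users` if only authenticated binds should see them, and keep the userPassword rule ahead of it in either case.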
Hi,
"Gökhan" gokhan.afacan@gmail.com writes:
> Hello;
> I have a question on an LDAP search issue. I want to disable full search on the LDAP tree.
> E.g.:
> My LDAP tree is:
> c=US, o=Dept1, cn=John Smith
> c=US, o=Dept1, cn=Ann Adams
> I want to deny reading the full listing of the tree and only allow it when the search condition matches exactly the required person. In the example above, I want nobody to be listed. But when the search criterion is "c=US, o=Dept1, cn=Ann Adams", this entry must be listed. When a search on "c=US" comes, nothing must be listed.
> What is the correct Access Control Information for this request?
There are lots of examples in the FAQ http://www.openldap.org/faq/data/cache/189.html
-Dieter
--On Monday, November 20, 2006 11:00 AM +0200 Gökhan gokhan.afacan@gmail.com wrote:
> Hello;
> I have a question on an LDAP search issue. I want to disable full search on the LDAP tree.
> E.g.:
> My LDAP tree is:
> c=US, o=Dept1, cn=John Smith
> c=US, o=Dept1, cn=Ann Adams
Out of curiosity, is this really how your tree is laid out in DN syntax? It is the reverse of how things are generally done in LDAP. What I'd expect is something like:
cn=John Smith,o=Dept1,c=US
cn=Ann Adams,o=Dept1,c=US
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
openldap-software@openldap.org