Hi,
I have an issue to get data from my LDAP server. With root account everything is fine:
[vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "cn=Directory Manager,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=personnes,dc=morinie,dc=fr> with scope subtree
# filter: uid=vincent
# requesting: ALL
#

# vincent, personnes, morinie.fr
dn: uid=vincent,ou=personnes,dc=morinie,dc=fr
...

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
But when I try with my own account, I get no result:
[vincent@titan ~]$ ldapsearch -x -h ldap.morinie.fr -W -D "uid=vincent,ou=personnes,dc=morinie,dc=fr" -b "ou=personnes,dc=morinie,dc=fr" uid=vincent
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=personnes,dc=morinie,dc=fr> with scope subtree
# filter: uid=vincent
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
Here is my access configuration file:
# The root DIT should be accessible to all clients
access to dn.exact="" by * read

# So should the schema
access to dn.subtree="cn=Subschema" by * read

access to attr=userpassword
        by self write
        by anonymous auth
        by * none

access to attr=x500uniqueIdentifier
        by self write
        by * none

access to dn.one="ou=personnes, dc=morinie, dc=fr"
        by anonymous auth
        by self write
        by users write
I don't understand why I can't get the data!
Can you help me on this?
Best regards, Vincent
On 02/11/2009 21:01, Vincent DEBOUT wrote:
[...]
Hi Vincent,
This is because you don't have the right search on the base "ou=personnes, dc=morinie, dc=fr".
Your ACL gives access to all attributes in all entries *one level below* this entry. But no access to "ou=personnes" entry itself.
From the admin guide:
There are two special pseudo attributes entry and children. [...] To perform a search, the subject must have search access to the search base's entry attribute.
(see http://www.openldap.org/doc/admin24/access-control.html for more)
Hope this helps, Jonathan
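Two ways of granting the access Jonathan describes, written here as an added example in slapd.conf syntax (this is not Vincent's actual fix, which the thread does not show): one adds a rule for the entry pseudo-attribute of the base, the other switches the posted rule to dn.subtree, as Quanah suggests further down the thread.

```conf
# Rule as posted: dn.one matches only the entries one level below
# ou=personnes. The ou=personnes entry itself matches no rule, so a
# non-rootdn bind has no search access to its "entry" pseudo-attribute
# and slapd answers "No such object" (result 32) for that search base.
access to dn.one="ou=personnes,dc=morinie,dc=fr"
        by anonymous auth
        by self write
        by users write

# Option 1 (added rule; the dn.one rule above stays as it is): grant
# search on the base entry only. "search" is enough to use it as a
# search base, and no attribute of ou=personnes itself is disclosed.
access to dn.exact="ou=personnes,dc=morinie,dc=fr" attrs=entry
        by users search

# Option 2 (replaces the dn.one rule): cover the base and everything
# beneath it. Note that this also applies the "by users" clause to the
# ou=personnes entry, and that the posted "by users write" already lets
# every authenticated user modify every other user's entry; "by users
# read" below is a tightening suggested here, not taken from the thread.
access to dn.subtree="ou=personnes,dc=morinie,dc=fr"
        by anonymous auth
        by self write
        by users read
```

Rules are evaluated in order and the first "to" clause matching the entry and attribute wins, so either option should sit after the attr=userpassword and attr=x500uniqueIdentifier rules, as the posted dn.one rule does.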
Jonathan Clarke wrote:
On 02/11/2009 21:01, Vincent DEBOUT wrote:
[...]
Hi Vincent,
This is because you don't have the right search on the base "ou=personnes, dc=morinie, dc=fr".
Your ACL gives access to all attributes in all entries *one level below* this entry. But no access to "ou=personnes" entry itself.
Hi,
I added a new ACL for "ou=personnes, dc=morinie, dc=fr" to allow search and now it is working.
Thank you.
Vincent
Hi Vincent,
Hi,
[...]
access to dn.one="ou=personnes, dc=morinie, dc=fr"
Remove the spaces: access to dn.one="ou=personnes,dc=morinie,dc=fr"
by anonymous auth by self write by users write
I don't understand why I can't get the data!
A space is a regular and valid character :-( .
Can you help me on this?
Best regards, Vincent
Harry Jede walk2sun@arcor.de writes:
Hi Vincent,
Hi,
[...]
access to dn.one="ou=personnes, dc=morinie, dc=fr"
Remove the spaces: access to dn.one="ou=personnes,dc=morinie,dc=fr"
by anonymous auth by self write by users write
I don't understand why I can't get the data!
A space is a regular and valid character :-( .
No, the protocol and OpenLDAP are tolerant and accept spaces.
-Dieter
Harry Jede walk2sun@arcor.de writes:
[...]
A space is a regular and valid character :-( .
To elaborate a bit more on this:
the access rule dn.one=ou=personnes, dc=morinie, dc=fr is acceptable, as I have just tested with my own setup:
olcAccess: {1}to dn.subtree="ou=adressbuch, o=avci,c=de" by * read
a search without spaces provides the requested result:
ldapsearch -x -H ldap://localhost:9004 -b ou=adressbuch,o=avci,c=de
a search with spaces,
ldapsearch -x -H ldap://localhost -b ou=adressbuch, o=avci,c=de
results in error code 34, invalid DN syntax.
-Dieter
Dieter Kluenter wrote:
[...]
the access rule dn.one=ou=personnes, dc=morinie, dc=fr is acceptable, as I have just tested with my own setup:
olcAccess: {1}to dn.subtree="ou=adressbuch, o=avci,c=de" by * read
a search without spaces provides the requested result:
ldapsearch -x -H ldap://localhost:9004 -b ou=adressbuch,o=avci,c=de
a search with spaces,
ldapsearch -x -H ldap://localhost -b ou=adressbuch, o=avci,c=de
results in error code 34, invalid DN syntax.
You've failed to take into account the shell's parsing behavior. Use: -b "ou=adressbuch, o=avci,c=de" and you'll see that spaces are insignificant.
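Howard's point about shell word splitting, as an added illustration that is not part of the thread: ldapsearch_base is a hypothetical stand-in for just enough of ldapsearch's option parsing to show what arrives as the search base and filter in each of Dieter's two invocations, and dn_syntax_ok is a rough stand-in for the server's DN check showing why the split base is the one rejected with result 34.

```shell
#!/bin/sh
# ldapsearch_base mimics ldapsearch's argument handling after the shell has
# done its word splitting: -b takes the next word as the search base and the
# first remaining non-option word becomes the filter. (Hypothetical helper.)
ldapsearch_base() {
    base=""; filter=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -b) base=$2; shift 2 ;;
            -H|-D|-h) shift 2 ;;                    # options taking a value
            -x|-W) shift ;;                         # flags without a value
            *) [ -z "$filter" ] && filter=$1; shift ;;
        esac
    done
    printf 'base=[%s] filter=[%s]\n' "$base" "$filter"
}

# dn_syntax_ok is a rough stand-in for the DN check that yields result 34
# "invalid DN syntax": an empty RDN (leading, trailing or doubled comma) or
# an RDN without '=' is rejected. Spaces around commas are left alone, as a
# real DN parser tolerates them. (Hypothetical helper, not ldapsearch's.)
dn_syntax_ok() {
    case "$1" in ""|,*|*,|*,,*) return 1 ;; esac
    rest=$1
    while [ -n "$rest" ]; do
        rdn=${rest%%,*}                             # text before first comma
        case "$rdn" in *=*) ;; *) return 1 ;; esac
        [ "$rest" = "$rdn" ] && break               # no comma left
        rest=${rest#*,}
    done
    return 0
}

# Unquoted: the shell splits at the space, so ldapsearch is handed the base
# "ou=adressbuch," (a trailing empty RDN) and "o=avci,c=de" as the filter.
ldapsearch_base -x -H ldap://localhost -b ou=adressbuch, o=avci,c=de
# Quoted: the whole DN, spaces included, reaches ldapsearch as the base.
ldapsearch_base -x -H ldap://localhost -b "ou=adressbuch, o=avci,c=de"
```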
--On Monday, November 02, 2009 9:01 PM +0100 Vincent DEBOUT vincent.debout@morinie.fr wrote:
Hi,
I have an issue to get data from my LDAP server. With root account everything is fine:
access to dn.one="ou=personnes, dc=morinie, dc=fr"
Don't you want dn.subtree here?
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-software@openldap.org