On 01-04-14 16:16, Hallvard Breien Furuseth wrote:
> On Tue, 2014-04-01 at 09:58 +0200, Jonas Kellens wrote:
>> On 31-03-14 12:52, Hallvard Breien Furuseth wrote:
>>> (...)  Append something like this to access list:
>>>
>>> access to * by * search
>> even if I add at the beginning of slapd.conf the following:
>>
>> access to * by *
>>
>> I still get no results with the user 'cn=U101001,ou=101001,dc=mydomain'
> Quite.  access controls at the beginning of slapd.conf
> become the global access list, which are overridden by
> the database's access list.  The latter ends with a default
> 'access to * by * none'.
>
> Also you didn't say what kind of access - read, write,
> search or whatever.  The default is '+0', i.e. no change.
>
> This is all as described in man slapd.access.
>
> *Append* access to * by * search (or something like it)
> to the database's access list.  That means, after the
> other access statements.  Then it'll apply to the entries
> not described by those statements.  My guess is your
> previous attempt put it in front, thus hiding most
> access controls.


I have now put "access to * by *" at the end of the ACL statements. My slapd.conf looks like this:

access to dn.regex="ou=tbook[12345],ou=contacten,ou=101001,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by * none break

access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read

access to dn.one="ou=tbook2,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook2,ou=gebruikers,ou=101001,dc=mydomain" read

access to dn.one="ou=tbook3,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook3,ou=gebruikers,ou=101001,dc=mydomain" read

access to dn.one="ou=tbook4,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook4,ou=gebruikers,ou=101001,dc=mydomain" read

access to dn.one="ou=tbook5,ou=contacten,ou=101001,dc=mydomain"
        by group.exact="cn=admins,ou=101001,dc=mydomain" write
        by group.exact="cn=tbook5,ou=gebruikers,ou=101001,dc=mydomain" read

access to *
        by * search

access to attrs=userPassword
        by * auth

But still no results:

[root@slap01 ]# ldapsearch -x -D 'cn=U101001,ou=101001,dc=mydomain' -b "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" -W
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <ou=tbook1,ou=contacten,ou=101001,dc=mydomain> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# search result
search: 2
result: 0 Success

# numResponses: 1

Kind regards,
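As an added example (not code from the thread), a small Python model of the slapd.access(5) evaluation order, run over the ACL posted above, showing why cn=U101001 still gets nothing back: entries under ou=tbook1 hit the dn.one directive, where no by clause matches, so the trailing 'access to * by * search' is never reached. Group membership is constructed, since the thread does not show the group entries, and only the dn.one, dn.regex, attrs, group.exact, '*', stop and break forms are modelled.

```python
import re

# Constructed group membership; the thread does not show the group entries.
GROUPS = {
    "cn=admins,ou=101001,dc=mydomain": {"cn=admin,ou=101001,dc=mydomain"},
    "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain": {"cn=U101002,ou=101001,dc=mydomain"},
}
ADMINS = "group:cn=admins,ou=101001,dc=mydomain"
TBOOK1 = "group:cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain"

# The thread's slapd.conf ACL as (what, [(who, level, control), ...]) in file
# order; tbook2..5 are omitted because they behave exactly like tbook1.
ACL = [
    ({"dn.regex": r"ou=tbook[12345],ou=contacten,ou=101001,dc=mydomain",
      "attrs": {"children"}},
     [(ADMINS, "write", "stop"), ("*", "none", "break")]),
    ({"dn.one": "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"},
     [(ADMINS, "write", "stop"), (TBOOK1, "read", "stop")]),
    ({}, [("*", "search", "stop")]),
    ({"attrs": {"userPassword"}}, [("*", "auth", "stop")]),
]

def what_matches(what, dn, attr):
    parent = dn.split(",", 1)[1] if "," in dn else ""
    if "dn.one" in what and parent != what["dn.one"]:
        return False
    if "dn.regex" in what and not re.search(what["dn.regex"], dn):
        return False                    # dn.regex is unanchored, as in slapd
    return "attrs" not in what or attr in what["attrs"]

def who_matches(who, bind_dn):
    return who == "*" or bind_dn in GROUPS.get(who.split(":", 1)[1], ())

def access(acl, bind_dn, dn, attr):
    """Level bind_dn gets on attr of dn; 'entry' needs 'read' to be returned."""
    level = "none"
    for what, by in acl:
        if not what_matches(what, dn, attr):
            continue                    # first matching <what> wins
        for who, lvl, control in by:
            if not who_matches(who, bind_dn):
                continue
            if lvl is not None:         # a bare 'by *' is '+0': no change
                level = lvl
            if control == "stop":
                return level
            break                       # 'break': go on to the next directive
        else:
            return "none"               # no <who> matched: implied 'by * none'
    return level
```

The base entry ou=tbook1 itself only reaches 'search', and slapd needs 'read' on the entry pseudo-attribute before it returns an entry at all, which is why the subtree search above ends with numResponses: 1.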