ben thielsen btb@bitrate.net writes:
On Jun 27, 2010, at 22.47, masarati@aero.polimi.it wrote:
i just happened to notice that the following search(es) don't return the expected results:
ldapsearch -xs base -b '' +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

# search result
search: 2
result: 0 Success

# numResponses: 1
i'm using 2.4.21, courtesy of ubuntu.
[...]
conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=+
=> test_filter
    PRESENT
=> access_allowed: search access to "" "objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= check a_dn_pat: *
<= acl_mask: [2] applying +0 (break)
<= acl_mask: [2] mask: =0
<= acl_get: done.
=> slap_access_allowed: no more rules
=> access_allowed: no more rules
<= test_filter 50
This 50 means insufficient access, as pointed out by the above logs. Your ACLs prevent searching the rootDSE entry.
i see, thank you. where can i read more about possible values used here and what they mean?
below are my current acls. olcAccess: to dn.base="" by * read is what i'd expected would allow such searches - but, it occurs to me now that defining that in the context of a specific database/suffix is perhaps not right?
#>ldapsearch -ZZLLLWD 'cn=admin,cn=config' -b 'cn=config' '(|(objectclass=olcglobal)(objectclass=olcdatabaseconfig))' olcdatabase olcaccess olcsuffix
Enter LDAP Password:
dn: cn=config

dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
this rule only allows root to access rootDSE via local socket, that is ldapi:///
that is, as root:
ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +
[...]
-Dieter
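A corrected frontend ACL for the situation discussed in this thread, added here as an illustration; it is not part of any message above. It assumes the cn=config layout shown in the thread (the `olcDatabase={-1}frontend,cn=config` entry carrying a single `{0}` rule) and leaves that rule in place, adding a second rule that grants anonymous read on the rootDSE (`dn.base=""`). The rootDSE is served by the frontend, so a `to dn.base=""` rule placed in a suffix-specific database never applies to it, which is why the rule Ben expected to work did not. The `50` in `<= test_filter 50` is LDAP result code 50, insufficientAccessRights; the trace shows the `break` in rule `{0}` falling through with no further rule to match, leaving the mask at `=0`.

```ldif
# Added example (not from the thread): grant everyone read on the rootDSE
# in the frontend database, where access to the empty-DN entry is decided.
# Apply as root over ldapi:///, the one identity the existing {0} rule admits:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f rootdse-acl.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
# Existing rule {0} (kept, shown here for context only):
#   olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
# Root over the local socket gets manage; everyone else hits "break" and
# continues to the next rule. With no next rule the result is no access,
# hence result code 50 on the anonymous rootDSE search.
#
# New rule {1}: anonymous read on the rootDSE only (the entry with empty DN).
# This is enough for "ldapsearch -xs base -b '' +" and for clients that read
# supportedSASLMechanisms or namingContexts before binding; it grants nothing
# on any suffix, whose access is still governed by that database's own rules.
olcAccess: {1}to dn.base="" by * read
```

After applying, rerun the original check from the thread (`ldapsearch -xs base -b '' +`) and expect operational attributes instead of an empty result. To watch the decision itself, set `olcLogLevel: acl` on `cn=config` temporarily; the trace should now end in a non-zero mask for the `objectClass` search on entry `""` rather than `no more rules`.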