Hi folks,
I have just installed OpenLDAP and I am having trouble understanding the access directive.
I have 6 access rules:
################################################################################
# access definition on ou=people,dc=ufv,dc=br
################################################################################

# rule 1
access to dn.one="ou=people,dc=ufv,dc=br" attrs=userPassword
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by anonymous auth
        by * none

# rule 2
access to dn.one="ou=people,dc=ufv,dc=br" attrs=uid,homeDirectory
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read

# rule 3
access to dn.one="ou=people,dc=ufv,dc=br" attrs=cn,uidNumber,gidNumber,loginShell,gecos,description
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read

# rule 4
access to dn.one="ou=people,dc=ufv,dc=br" attrs=mail,mailMessageStore,mailAlternateAddress,qmailUID,qmailGID,mailHost,mailForwardingAddress,deliveryProgramPath,qmailDotMode,deliveryMode,mailReplyText,accountStatus,qmailAccountPurge,mailQuotaSize,mailQuotaCount,mailSizeMax
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

# rule 5
access to dn.one="ou=people,dc=ufv,dc=br"
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

# rule 6
access to dn.base="ou=people,dc=ufv,dc=br"
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
As you can see, I have some rules giving access to certain attributes of anything one level below ou=people,dc=ufv,dc=br. I have another rule giving access to everything at the same level; this is the 5th rule.
Everything works ok, for instance:
sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
SASL/GSSAPI authentication started
SASL username: sioux@UFV.BR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree
# filter: (objectclass=*)
# requesting: homedirectory
#

# sioux, people, ufv.br
dn: uid=sioux,ou=people,dc=ufv,dc=br
homeDirectory: /home/sioux

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1
sioux@gustav$
But if I comment out the 5th rule (keeping the others, which give access to the homeDirectory attribute), it does not work:
sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
SASL/GSSAPI authentication started
SASL username: sioux@UFV.BR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree
# filter: (objectclass=*)
# requesting: homedirectory
#

# search result
search: 5
result: 32 No such object

# numResponses: 1
sioux@gustav$
Does anybody here know why?
Thanks in advance.
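The behaviour asked about above is the one documented in slapd.access(5): a search needs search access on the entry pseudo-attribute of the search base, search access on every attribute named in the filter, and read access on entry for each entry it returns. A rule with an attrs= list grants access only to the attributes it names, so the rules for uid,homeDirectory and the others never cover entry or objectClass; rule 5, having no attrs= clause, covers every attribute of the entry including those two, which is why the search works only while it is present. When the search base is not accessible to the requester, slapd answers noSuchObject (result 32) rather than insufficientAccess unless disclose access has been granted. The slapd.conf fragment below is an added example, not the poster's configuration: it reuses the poster's DNs, assumes cn=mail and cn=ypldap are the only services that read user entries, and grants entry and objectClass explicitly so that the catch-all rule can be dropped; the trailing by * none clauses only spell out the default denial.

```conf
################################################################################
# Added example (not the original poster's slapd.conf): grant the "entry"
# pseudo-attribute explicitly instead of relying on a rule without attrs=.
# DNs are the ones from the post; cn=mail and cn=ypldap are assumed to be the
# only services that need to read user entries.
################################################################################

# Attribute-level rules. An attrs= list covers only the named attributes and
# never the entry pseudo-attribute, so these rules alone cannot make an entry
# searchable or returnable.
# "self read" on userPassword exposes the hash only to its owner; it would have
# to be "self write" for users to change their own password over LDAP.
access to dn.one="ou=people,dc=ufv,dc=br" attrs=userPassword
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by anonymous auth
        by * none

access to dn.one="ou=people,dc=ufv,dc=br" attrs=uid,homeDirectory
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by * none

# Entry-level rule. Read on "entry" is what lets slapd locate the search base
# and return the entry at all (read implies search). objectClass is included
# because the default ldapsearch filter (objectclass=*) needs search access on
# it, and no other rule here grants that. Without this rule, or a rule with no
# attrs= clause that covers every attribute, a search for a user entry fails
# with result 32, No such object.
# Ordering caveat: slapd uses the first "access to" line whose target (dn and
# attrs) matches, so keep this rule ahead of any future rule without attrs=.
access to dn.one="ou=people,dc=ufv,dc=br" attrs=entry,objectClass
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by * none

# The container itself needs "entry" access for the two service accounts that
# search with a base of ou=people (rule 6 in the post grants this through a
# rule without attrs=; here only the pseudo-attributes are granted).
access to dn.base="ou=people,dc=ufv,dc=br" attrs=entry,objectClass
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by * none
```

With these rules a user who binds as uid=sioux,ou=people,dc=ufv,dc=br and searches for homeDirectory gets the entry back, while an attribute that no attrs= rule grants is silently omitted from the result rather than causing an error; that omission is worth remembering when a client reports an attribute as "missing" rather than the search failing.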