Hi folks,

I have just installed OpenLDAP and I am having trouble understanding the access directive:

I have 6 access rules:

################################################################################
# access definition on ou=people,dc=ufv,dc=br
################################################################################

access to dn.one="ou=people,dc=ufv,dc=br" attrs=userPassword
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by anonymous auth
        by * none

access to dn.one="ou=people,dc=ufv,dc=br" attrs=uid,homeDirectory
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read

access to dn.one="ou=people,dc=ufv,dc=br" attrs=cn,uidNumber,gidNumber,loginShell,gecos,description
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read

access to dn.one="ou=people,dc=ufv,dc=br" attrs=mail,mailMessageStore,mailAlternateAddress,qmailUID,qmailGID,mailHost,mailForwardingAddress,deliveryProgramPath,qmailDotMode,deliveryMode,mailReplyText,accountStatus,qmailAccountPurge,mailQuotaSize,mailQuotaCount,mailSizeMax
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

access to dn.one="ou=people,dc=ufv,dc=br"
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

access to dn.base="ou=people,dc=ufv,dc=br"
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

I have some rules, as you can see, giving access to certain attributes of anything below (one level) ou=people,dc=ufv,dc=br. I have another rule giving access to everything on the same level; this is the 5th rule.

Everything works ok, for instance:

sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
SASL/GSSAPI authentication started
SASL username: sioux@UFV.BR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree
# filter: (objectclass=*)
# requesting: homedirectory
#

# sioux, people, ufv.br
dn: uid=sioux,ou=people,dc=ufv,dc=br
homeDirectory: /home/sioux

# search result
search: 5
result: 0 Success

# numResponses: 2
# numEntries: 1
sioux@gustav$


But if I comment out the 5th rule (I keep the others, giving access to the homedirectory attribute), it does not work:

sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
SASL/GSSAPI authentication started
SASL username: sioux@UFV.BR
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree
# filter: (objectclass=*)
# requesting: homedirectory
#

# search result
search: 5
result: 32 No such object

# numResponses: 1
sioux@gustav$


Does anybody here know why?


Thanks in advance.
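
Added example, not part of the original post and not OpenLDAP code: a simplified Python model of slapd's first-match rule evaluation over the six rules above. It shows that once rule 5 is removed, no remaining rule covers the "entry" pseudo-attribute of entries one level below ou=people, so the implicit final deny applies even though homeDirectory itself is still readable. Assumptions: the SASL identity maps to uid=sioux,ou=people,dc=ufv,dc=br, rule 4's attribute list is shortened, and search-filter evaluation is not modelled.

```python
# Simplified first-match model of slapd access rules (added example, not OpenLDAP code).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
PEOPLE = "ou=people,dc=ufv,dc=br"
MAIL = "cn=mail,ou=appsrv,dc=ufv,dc=br"
YPLDAP = "cn=ypldap,ou=appsrv,dc=ufv,dc=br"
SIOUX = "uid=sioux,ou=people,dc=ufv,dc=br"  # assumed DN the SASL identity maps to

R = "read"
# (dn scope, attrs or None for every attribute, [(who, level), ...]), in the post's order.
RULES = [
    ("one", "userPassword", [("self", R), (MAIL, R), ("anonymous", "auth"), ("*", "none")]),
    ("one", "uid,homeDirectory", [("self", R), (MAIL, R), (YPLDAP, R)]),
    ("one", "cn,uidNumber,gidNumber,loginShell,gecos,description", [("self", R), (YPLDAP, R)]),
    ("one", "mail,mailMessageStore,mailHost,accountStatus",  # rule 4, attribute list shortened
     [("self", R), (MAIL, R)]),
    ("one", None, [("self", R), (YPLDAP, R), (MAIL, R)]),
    ("base", None, [(YPLDAP, R), (MAIL, R)]),
]
WITHOUT_RULE_5 = RULES[:4] + RULES[5:]

def target_matches(scope, attrs, dn, attr):
    """True if the rule's <what> part covers attribute attr of entry dn."""
    parent = dn.split(",", 1)[1] if "," in dn else ""  # naive: no escaped commas
    in_scope = dn == PEOPLE if scope == "base" else parent == PEOPLE
    return in_scope and (attrs is None or attr.lower() in attrs.lower().split(","))

def who_matches(who, requester, dn):
    """True if a 'by <who>' clause applies; requester "" stands for an anonymous bind."""
    if who == "anonymous":
        return requester == ""
    return who == "*" or who == requester or (who == "self" and requester == dn)

def access(rules, requester, dn, attr):
    """Level granted by the first rule whose target matches; later rules are never consulted."""
    for scope, attrs, by in rules:
        if target_matches(scope, attrs, dn, attr):
            for who, level in by:
                if who_matches(who, requester, dn):
                    return level
            return "none"  # implicit trailing "by * none"
    return "none"  # implicit final "access to * by * none"

def can_return(rules, requester, dn, attr):
    """An attribute is returned only if both it and the 'entry' pseudo-attribute are readable."""
    need = LEVELS.index("read")
    return all(LEVELS.index(access(rules, requester, dn, a)) >= need for a in ("entry", attr))

if __name__ == "__main__":
    for name, rules in (("all six rules", RULES), ("rule 5 commented out", WITHOUT_RULE_5)):
        print(name, {a: access(rules, SIOUX, SIOUX, a) for a in ("entry", "homeDirectory")})
```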