On Jun 27, 2010, at 22.47, masarati@aero.polimi.it wrote:
i just happened to notice that the following search(es) don't return the expected results:
ldapsearch -xs base -b '' +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

# search result
search: 2
result: 0 Success

# numResponses: 1
i'm using 2.4.21, courtesy of ubuntu.
[...]
conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=1000 op=1 SRCH attr=+
=> test_filter
    PRESENT
=> access_allowed: search access to "" "objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= check a_dn_pat: *
<= acl_mask: [2] applying +0 (break)
<= acl_mask: [2] mask: =0
<= acl_get: done.
=> slap_access_allowed: no more rules
=> access_allowed: no more rules
<= test_filter 50
This 50 means insufficient access, as pointed out by the above logs. Your ACLs prevent searching the rootDSE entry.
i see, thank you. where can i read more about possible values used here and what they mean?
below are my current acls. olcAccess: to dn.base="" by * read is what i'd expected would allow such searches - but, it occurs to me now that defining that in the context of a specific database/suffix is perhaps not right?
#>ldapsearch -ZZLLLWD 'cn=admin,cn=config' -b 'cn=config' '(|(objectclass=olcglobal)(objectclass=olcdatabaseconfig))' olcdatabase olcaccess olcsuffix
Enter LDAP Password:
dn: cn=config

dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={0}config,cn=config
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}monitor,cn=config
olcDatabase: {1}monitor

dn: olcDatabase={2}bdb,cn=config
olcDatabase: {2}bdb
olcSuffix: dc=dipswitch,dc=net
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to attrs=userPassword by self =xw by anonymous auth by * none
olcAccess: {2}to filter=(&(objectclass=iphost)(cn=flip.dipswitch.net)) attrs=authorizedservice val.exact=sshd by group.exact="cn=ssh,ou=all_servers,ou=servers,ou=groups,dc=dipswitch,dc=net" compare by group.exact="cn=ssh,ou=flip,ou=servers,ou=groups,dc=dipswitch,dc=net" compare by * =dxrs
olcAccess: {3}to filter=(&(objectclass=iphost)(cn=flip.dipswitch.net)) attrs=authorizedservice val.exact=login by group.exact="cn=console,ou=all_servers,ou=servers,ou=groups,dc=dipswitch,dc=net" compare by group.exact="cn=console,ou=flip,ou=servers,ou=groups,dc=dipswitch,dc=net" compare by * =dxrs
olcAccess: {4}to * by self write by group.exact="cn=directory_administrators,ou=general,ou=groups,dc=dipswitch,dc=net" manage by users read by * none
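The ACL trace earlier in the thread is dense, so here is an added example (not from the thread or from OpenLDAP) that decodes such a slapd trace: which access clause and which "by" clause were applied, whether evaluation fell off the end of the rule list after a "break", and what the trailing result code means (50 is the standard LDAP insufficientAccessRights code). The embedded trace is the one quoted above; the field meanings in the comments are how slapd's acl loglevel labels them.

```python
import re

# Standard LDAP result codes (RFC 4511) as they appear after "<= test_filter".
LDAP_RESULT = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}

# The slapd ACL trace quoted in the thread, one record per line.
SAMPLE_TRACE = """\
=> test_filter
    PRESENT
=> access_allowed: search access to "" "objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
<= check a_dn_pat: *
<= acl_mask: [2] applying +0 (break)
<= acl_mask: [2] mask: =0
<= acl_get: done.
=> slap_access_allowed: no more rules
=> access_allowed: no more rules
<= test_filter 50
"""

def analyze_acl_trace(trace: str) -> dict:
    """Summarise an ACL trace: which 'to' clause and 'by' clause slapd applied,
    whether it ran out of rules, and the final LDAP result code."""
    info = {"clauses": [], "applied": [], "fell_through": False, "code": None}
    for line in trace.splitlines():
        # acl_get: [N] -> N is the 1-based index of the 'to' clause examined
        m = re.search(r"acl_get: \[(\d+)\] attr (\S+)", line)
        if m:
            info["clauses"].append((int(m.group(1)), m.group(2)))
        # acl_mask: [N] applying PRIV (CONTROL) -> N is the 'by' clause within it
        m = re.search(r"acl_mask: \[(\d+)\] applying (\S+) \((\w+)\)", line)
        if m:
            info["applied"].append((int(m.group(1)), m.group(2), m.group(3)))
        if "no more rules" in line:
            info["fell_through"] = True   # a 'break' led past the last rule
        m = re.search(r"<= test_filter (\d+)\s*$", line)
        if m:
            info["code"] = int(m.group(1))
    info["result"] = LDAP_RESULT.get(info["code"], "unknown")
    return info

def verdict(info: dict) -> str:
    """One-line explanation of why the operation ended as it did."""
    if info["code"] == 50 and info["fell_through"]:
        return ("denied: no 'by' clause granted the privilege and the last "
                "matching one ended in 'break', so evaluation ran out of rules")
    if info["code"] == 0:
        return "granted"
    return f"result {info['code']} ({info['result']})"
```

Run against the quoted trace it reports clause [1] (the frontend's "to *"), by-clause [2] ("by * break") applying no privileges, then "no more rules" and result 50.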