Hi Dieter,
as I was trying to implement your ACL a more fundamental problem arose.
The structure at the moment is dc=justushere,dc=de -> ou= Users -> Some users in here with their data
If I do a ldapsearch with the admin DN I can get all the data from everything I want. The way it should be.
For example: ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=goetzf gives me all the information about my own user.
If I try ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf I get "ldap_bind: Invalid credentials (49)" as answer.
The only ACL left in the system now are the following:
#1 .Publishing subschemas for JXplorer access to dn.base="cn=Subschema" by dn="cn=admin,dc=justushere,dc=de" read
#2. Your ACL, now commented out for testing #access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$" # attrs=entry,sn,cn,userPassword,mail # by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write # by * none
#3. Deny any other access access to * by none
I got no clue why I get a "invalid credential" message when using my own password. There are no ACLs restricting access. No matter if I you your ACL above or not, I´m not getting access with my password.
If I just use ACL Nr 1 and another access to * by self read I can´t get any info as well, no matter if i use ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf or even ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf,ou=Users,dc=justushere,dc=de
If I rewrite that to access to * by * read I get all information with my password.
As I mentioned above, I got no more clues how to handle that :(
Florian
On Thursday 30 April 2009 18:27:58 Dieter Kluenter wrote:
Florian Götz f.goetz@hs-mannheim.de writes:
A warm "Hello" from germany to the openldap-technical list!
I´m rather new to OpenLDAP, using version 2.4.12 on a SLES11 server. I need to write an ACL which allows a user to see his own entry (objectClass build up on inetOrgPerson) and nothing else. I know that this isn´t the intended use of the LDAP system, but our manager wants it that way.
I tried it with somekind of that:
access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write by users none
but I just get a message about invalid credentials. Used command was: ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1
According to your ACL's a subtree search is not allowed.
ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1 with the rootdn account shows the information, but if the uid of the user1 is used for binding it fails.
Has anyone an idea how to realize these restrictions?
access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$" attrs=entry,more attrs by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write by * none
ldapsearch - -xDW -b uid=user1,ou=users,dc=justushere,dc=de -s base should do what you want.
-Dieter
-----