On Monday, 04 May 2009 10:32:42, Florian Götz wrote:
Hi Dieter,
as I was trying to implement your ACL a more fundamental problem arose.
The structure at the moment is dc=justushere,dc=de -> ou=Users -> some users in here with their data.
If I do a ldapsearch with the admin DN I can get all the data from everything I want. The way it should be.
For example: ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=goetzf gives me all the information about my own user.
If I try ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf I get "ldap_bind: Invalid credentials (49)" as answer.
The only ACL left in the system now are the following:
#1. Publishing subschemas for JXplorer
access to dn.base="cn=Subschema"
    by dn="cn=admin,dc=justushere,dc=de" read
#2. Your ACL, now commented out for testing
#access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
#    attrs=entry,sn,cn,userPassword,mail
#    by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
#    by * none
#3. Deny any other access
access to *
    by * none
I got no clue why I get an "invalid credentials" message when using my own password. There are no ACLs restricting access. No matter if I use your ACL above or not, I'm not getting access with my password.
If I just use ACL Nr 1 and another access to * by self read I can't get any info as well, no matter if I use ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf or even ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf,ou=Users,dc=justushere,dc=de
If I rewrite that to access to * by * read I get all information with my password.
As I mentioned above, I got no more clues how to handle that :(
In order to be able to authenticate using simple bind, you need to have "auth" privileges on the "userPassword" attribute. As none of your ACLs grants that right, your ldapsearch -x.... currently fails with "ldap_bind: Invalid credentials (49)". Please try to add the following ACL as the first in your list:
access to attr=userpassword by self =xw by anonymous auth
Additionally you should have a look at: http://www.openldap.org/faq/data/cache/320.html and http://www.openldap.org/faq/data/cache/189.html and the admin guide for more information.
[..]
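For reference, the complete ACL list in the order the reply implies, as an added slapd.conf example (not configuration posted in this thread). The base DN, the ou=Users RDN, the admin DN and the attribute names are taken from Florian's message; the regex in rule 3 is assumed to need the ou=Users RDN, since the entry DNs in this tree carry it and the original pattern would not match them.

```conf
# slapd evaluates "access to" clauses top to bottom and uses the FIRST clause
# whose "to" part matches the entry and attribute being accessed. A rule that
# only grants "auth" on userPassword therefore has to come before anything
# that would match userPassword with weaker rights. The rootdn (here
# cn=admin,dc=justushere,dc=de) bypasses ACLs entirely, which is why the
# search bound as admin worked while the self-bind failed.

# 1. Make simple bind possible: anonymous clients may only *compare* against
#    userPassword (auth, never read it); the entry's owner gets exactly
#    x (auth) and w (write), so users can bind and change their own password.
access to attrs=userPassword
    by self =xw
    by anonymous auth
    by * none

# 2. Subschema for JXplorer, as in the original list.
access to dn.base="cn=Subschema"
    by dn.exact="cn=admin,dc=justushere,dc=de" read
    by * none

# 3. Each user may edit selected attributes of their own entry. The regex
#    must match the full entry DN including ou=Users (assumption based on the
#    DN layout in the thread); $1 carries the uid into the "by" clause.
#    userPassword is left out here because rule 1 already covers it.
access to dn.regex="^uid=([^,]+),ou=Users,dc=justushere,dc=de$"
    attrs=entry,sn,cn,mail
    by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
    by * none

# 4. Deny everything not matched above (explicit form of the default).
access to *
    by * none
```

With this order, a bind as uid=goetzf,ou=Users,dc=justushere,dc=de succeeds because rule 1 grants "auth" on userPassword, and the same user can read and write only the attributes listed in rule 3.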