Hi folks,
i have just installed openldap and i am having trouble to understand access directive:
I have 6 access rules :
################################################################################ # access definition on ou=people,dc=ufv,dc=br ################################################################################
access to dn.one="ou=people,dc=ufv,dc=br" attrs=userPassword by self read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read by anonymous auth by * none
access to dn.one="ou=people,dc=ufv,dc=br" attrs=uid,homeDirectory by self read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
access to dn.one="ou=people,dc=ufv,dc=br" attrs=cn,uidNumber,gidNumber,loginShell,gecos,description by self read by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
access to dn.one="ou=people,dc=ufv,dc=br" attrs=mail,mailMessageStore,mailAlternateAddress,qmailUID,qmailGID,mailHost,mailForwardingAddress,deliveryProgramPath,qmailDotMode,deliveryMode,mailReplyText,accountStatus,qmailAccountPurge,mailQuotaSize,mailQuotaCount,mailSizeMax by self read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
access to dn.one="ou=people,dc=ufv,dc=br" by self read by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
access to dn.base="ou=people,dc=ufv,dc=br" by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
I have some rules, as you can see, giving acess to certain attributes of anything below (one level) ou=people,dc=ufv,dc=br. I have another rule given access to everything on the same level, this is the rule 5th.
Everything works ok, for instance:
sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory SASL/GSSAPI authentication started SASL username: sioux@UFV.BR SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree # filter: (objectclass=*) # requesting: homedirectory #
# sioux, people, ufv.br dn: uid=sioux,ou=people,dc=ufv,dc=br homeDirectory: /home/sioux
# search result search: 5 result: 0 Success
# numResponses: 2 # numEntries: 1 sioux@gustav$
But if i comment the 5th rule (I keep the others, giving access to the homedirectory attribute), it does not work:
sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory SASL/GSSAPI authentication started SASL username: sioux@UFV.BR SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <uid=sioux,ou=people,dc=ufv,dc=br> with scope subtree # filter: (objectclass=*) # requesting: homedirectory #
# search result search: 5 result: 32 No such object
# numResponses: 1 sioux@gustav$
Does anybody here know why ?
Thanks in advance.
On Mon, Jan 07, 2013 at 01:21:23PM -0200, Friedrich Locke wrote:
sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory SASL/GSSAPI authentication started SASL username: sioux@UFV.BR
You appear to be binding as the entry that you want to read, so 'self' rules will match...
But if i comment the 5th rule (I keep the others, giving access to the homedirectory attribute), it does not work:
sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory SASL/GSSAPI authentication started SASL username: sioux@UFV.BR
result: 32 No such object
Does anybody here know why ?
No such object means that you do not have access to the base object for the search (uid=sioux,ou=people,dc=ufv,dc=br in this case).
Your rule 5 said:
access to dn.one="ou=people,dc=ufv,dc=br" by self read by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
so it gives 'self' access to all attributes. The critical thing here is the pseudo-attribute 'entry' - you need to give access to that if you want to use the entry as the base of a search or if it is to be listed in a search result.
Andrew
openldap-technical@openldap.org
-
Andrew Findlay -
Friedrich Locke