On 01-04-14 10:53, Terje Trane wrote:
On 01.04.2014 09:58, Jonas Kellens wrote:
even if I add at the beginning of slapd.conf the following:
access to * by *
I still get no results with the user 'cn=U101001,ou=101001,dc=mydomain'
I only get results with 'cn=Manager,dc=mydomain'
Remember that ACLs are "first match used".
If a database does not have an ACL the global ACL applies.
But if it has a database-specific ACL, that one is read first when accessing that particular database, and the global one is then *only* used if there is no match (or a control keyword like break or continue is specified).
I posted it before, but will post it again. This is the database-specific ACL:
database bdb
suffix "dc=mydomain"
rootdn "cn=Manager,dc=mydomain"
rootpw {SSHA}blCAG/CNdFPY597Cf4Ssuj
access to attrs=userPassword by * auth
access to dn.regex="ou=tbook[12345],ou=contacten,ou=101001,dc=mydomain" attrs=children by group.exact="cn=admins,ou=101001,dc=mydomain" write by * none break
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
access to dn.one="ou=tbook2,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook2,ou=gebruikers,ou=101001,dc=mydomain" read
access to dn.one="ou=tbook3,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook3,ou=gebruikers,ou=101001,dc=mydomain" read
access to dn.one="ou=tbook4,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook4,ou=gebruikers,ou=101001,dc=mydomain" read
access to dn.one="ou=tbook5,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook5,ou=gebruikers,ou=101001,dc=mydomain" read
If user 'cn=U101001,ou=101001,dc=mydomain' is member of group "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain", wouldn't you agree that it should be able to read the entries in dn "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" ??
Kind regards, Jonas.
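Terje's "first match used" point and Jonas's posted directives, as an added example that is not code from the thread or from OpenLDAP: a deliberately simplified Python model of slapd's ACL evaluation. The group membership, the child entry and the empty global list are constructed assumptions, and `break` is approximated as "keep the level found so far and try the next directive". It shows a tbook1 member getting read on entries below ou=tbook1, while the search base entry itself, which dn.one does not cover, falls through to whatever the global ACL grants (slapd checks the `entry` pseudo-attribute of the search base too).

```python
import re
ROOTDN = "cn=Manager,dc=mydomain"
ADM = "cn=admins,ou=101001,dc=mydomain"
USER = "cn=U101001,ou=101001,dc=mydomain"
# Constructed sample membership: U101001 is in the tbook1 group, nobody is in admins
MEMBERS = {"cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain": {USER}}

def target_matches(rule, dn, attr):
    # <what> clause: dn.one = one level below the DN (never the DN itself),
    # dn.regex = unanchored regex match, attrs = attribute filter
    if "attrs" in rule and attr not in rule["attrs"]:
        return False
    if "one" in rule:
        return dn.split(",", 1)[1] == rule["one"]
    if "regex" in rule:
        return re.search(rule["regex"], dn) is not None
    return True  # access to *

def who_matches(who, binddn):
    return who == "*" or binddn in MEMBERS.get(who, set())  # group.exact="..."

def evaluate(db_acls, global_acls, binddn, dn, attr):
    # Database directives first, then global ones; the first directive whose
    # <what> and one <by> clause both match decides, unless it says 'break'
    if binddn == ROOTDN:
        return "manage"  # rootdn bypasses ACLs within its own database
    result = "none"      # what slapd grants when no directive matches
    for rule in db_acls + global_acls:
        if not target_matches(rule, dn, attr):
            continue
        for who, level, ctl in rule["by"]:
            if who_matches(who, binddn):
                result = level
                if ctl != "break":
                    return result
                break  # 'break' (approximated): keep the level, try the next directive
    return result

# Jonas's database-specific ACL, as posted, in this model's notation
DB_ACLS = [
    {"attrs": {"userPassword"}, "by": [("*", "auth", "stop")]},
    {"regex": r"ou=tbook[12345],ou=contacten,ou=101001,dc=mydomain",
     "attrs": {"children"}, "by": [(ADM, "write", "stop"), ("*", "none", "break")]},
] + [{"one": f"ou=tbook{i},ou=contacten,ou=101001,dc=mydomain",
      "by": [(ADM, "write", "stop"),
             (f"cn=tbook{i},ou=gebruikers,ou=101001,dc=mydomain", "read", "stop")]}
     for i in range(1, 6)]
GLOBAL_ACLS = []  # left empty: the thread never settles what 'access to * by *' grants
BASE = "ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
CHILD = "cn=contact1," + BASE  # constructed child entry of the search base
```

Call `evaluate(DB_ACLS, GLOBAL_ACLS, USER, BASE, "entry")` and `evaluate(DB_ACLS, GLOBAL_ACLS, USER, CHILD, "cn")` to compare the base entry with one of its children; replacing `GLOBAL_ACLS` with a rule that grants read shows the fall-through Terje describes.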
On Tue, 01 Apr 2014 11:04:15 +0200, Jonas Kellens jonas.kellens@telenet.be wrote:
run slapd in debugging mode and debug level acl
-Dieter
On 01-04-14 12:20, Dieter Klünter wrote:
run slapd in debugging mode and debug level acl
-Dieter
Hello Dieter,
debug level is 256.
/var/log/slapd.log:
Apr 1 14:21:32 slap01 slapd[17106]: conn=1039 fd=13 ACCEPT from IP=127.0.0.1:35278 (IP=0.0.0.0:389)
Apr 1 14:21:32 slap01 slapd[17106]: conn=1039 op=0 BIND dn="cn=U101001,ou=101001,dc=mydomain" method=128
Apr 1 14:21:32 slap01 slapd[17106]: conn=1039 op=0 BIND dn="cn=U101001,ou=101001,dc=mydomain" mech=SIMPLE ssf=0
Apr 1 14:21:32 slap01 slapd[17106]: conn=1039 op=0 RESULT tag=97 err=0 text=
Apr 1 14:21:32 slap01 slapd[17106]: conn=1039 op=1 SRCH base="ou=tbook1,ou=contacten,ou=101001,dc=mydomain" scope=2 deref=0 filter="(objectClass=*)"
Apr 1 14:21:32 slap01 slapd[17106]: conn=1039 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 1 14:21:32 slap01 slapd[17106]: conn=1039 op=2 UNBIND
Apr 1 14:21:32 slap01 slapd[17106]: conn=1039 fd=13 closed
Kind regards, Jonas.
On 01.04.2014 14:25, Jonas Kellens wrote:
debug level is 256.
That is loglevel "stats". You need to add the loglevel "acl". You can find the loglevels in http://www.openldap.org/doc/admin24/slapdconfig.html#Configuration%20File%20...
No need to use the numbers, you can use the keywords, and multiple keywords on the same line, e.g. loglevel stats acl
On 01-04-14 14:55, Terje Trane wrote:
With your loglevel, the output in /var/log/.slapd.conf stays the same:
Apr 1 15:19:10 slap01 slapd[21809]: conn=1000 fd=13 ACCEPT from IP=127.0.0.1:35285 (IP=0.0.0.0:389)
Apr 1 15:19:10 slap01 slapd[21809]: conn=1000 op=0 BIND dn="cn=U101001,ou=101001,dc=mydomain" method=128
Apr 1 15:19:10 slap01 slapd[21809]: conn=1000 op=0 BIND dn="cn=U101001,ou=101001,dc=mydomain" mech=SIMPLE ssf=0
Apr 1 15:19:10 slap01 slapd[21809]: conn=1000 op=0 RESULT tag=97 err=0 text=
Apr 1 15:19:10 slap01 slapd[21809]: connection_input: conn=1000 deferring operation: binding
Apr 1 15:19:10 slap01 slapd[21809]: conn=1000 op=1 SRCH base="ou=tbook1,ou=contacten,ou=101001,dc=mydomain" scope=2 deref=0 filter="(objectClass=*)"
Apr 1 15:19:10 slap01 slapd[21809]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 1 15:19:10 slap01 slapd[21809]: conn=1000 op=2 UNBIND
Apr 1 15:19:10 slap01 slapd[21809]: conn=1000 fd=13 closed
Kind regards, Jonas.
Terje Trane wrote:
On 01.04.2014 14:25, Jonas Kellens wrote:
debug level is 256.
That is loglevel "stats".
This is an important point that seems to get missed a lot - debug level and log level are two completely separate things.
We've stated this countless times now: For troubleshooting purposes you should be using debug level and capturing slapd's stderr. syslog should only be used for routine logging activity, syslogd is too slow for the volume of output that debugging produces and will drop messages when it falls behind. It's completely unsuitable for debugging.
Sysadmins should already know this, syslog's behavior is already well documented.
The same applies to this other post http://www.openldap.org/lists/openldap-technical/201404/msg00000.html
On Tue, 01 Apr 2014 14:25:47 +0200, Jonas Kellens jonas.kellens@telenet.be wrote:
I am talking about slapd debug, not slapd logging. Read man slapd(8) on debugging mode and debug level.
-Dieter
openldap-technical@openldap.org