Hi Dieter,
as I was trying to implement your ACL, a more fundamental problem arose.
The structure at the moment is
dc=justushere,dc=de
  -> ou=Users
    -> some users in here with their data
If I do an ldapsearch with the admin DN I can get all the data from everything
I want, the way it should be.
For example:
ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=goetzf
gives me all the information about my own user.
If I try
ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf
I get "ldap_bind: Invalid credentials (49)" as answer.
The only ACLs left in the system now are the following:
#1. Publishing subschemas for JXplorer
access to dn.base="cn=Subschema"
    by dn="cn=admin,dc=justushere,dc=de" read
#2. Your ACL, now commented out for testing
#access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
#    attrs=entry,sn,cn,userPassword,mail
#    by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
#    by * none
#3. Deny any other access
access to *
    by none
I've got no clue why I get an "invalid credentials" message when using my own
password. There are no ACLs restricting access. No matter whether I use your ACL
above or not, I'm not getting access with my password.
If I just use ACL Nr 1 and another
access to * by self read
I can't get any info either, no matter if I use
ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de uid=goetzf or even
ldapsearch -xWD uid=goetzf,ou=Users,dc=justushere,dc=de
uid=goetzf,ou=Users,dc=justushere,dc=de
If I rewrite that to
access to * by * read
I get all information with my password.
As I mentioned above, I have no more clues how to handle that :(
Florian
On Thursday 30 April 2009 18:27:58 Dieter Kluenter wrote:
Florian Götz <f.goetz(a)hs-mannheim.de> writes:
> A warm "Hello" from Germany to the openldap-technical list!
>
> I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server.
> I need to write an ACL which allows a user to see his own entry
> (objectClass build up on inetOrgPerson) and nothing else.
> I know that this isn't the intended use of the LDAP system, but our
> manager wants it that way.
>
> I tried it with something like that:
>
> access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry
>     by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write
>     by users none
>
> but I just get a message about invalid credentials.
> Used command was:
> ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1
According to your ACLs a subtree search is not allowed.
> ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1 with the rootdn
> account shows the information, but if the uid of the user1 is used for
> binding it fails.
>
> Has anyone an idea how to realize these restrictions?
access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
    attrs=entry,more attrs
    by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
    by * none
ldapsearch -xW -D uid=user1,ou=users,dc=justushere,dc=de -b uid=user1,ou=users,dc=justushere,dc=de -s base
should do what you want.
-Dieter
-----
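The "Invalid credentials (49)" that Florian gets with `access to * by self read`, but not with `access to * by * read`, is the typical symptom of an ACL set that never grants the `auth` privilege on userPassword: slapd evaluates the access check for a simple bind before the connection has an authenticated identity, so `auth` on userPassword has to be granted to `anonymous` (or `*`), and a `by self` clause cannot satisfy it. The Python model below is an added illustration, not OpenLDAP code and not from anyone on the list. It parses the subset of slapd.conf ACL syntax used in the thread (no `dn.regex`), evaluates the three variants Florian tried (his `by none` is written with an explicit `*` subject here) plus a corrected set I suggest, built from the standard userPassword rule in the OpenLDAP Administrator's Guide, and reports whether the bind, a base-scoped search of the user's own entry, a search rooted at the suffix, and reads of another user's entry are allowed. The second user DN `uid=user1,ou=Users,...` is constructed for the comparison.

```python
"""Mini model of slapd.access(5) evaluation (added illustration, not OpenLDAP
code).  Understands the ACL subset used in the thread, minus dn.regex."""
import re

# OpenLDAP privilege levels are cumulative: a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acls(text):
    """Return [(target, [(who, level), ...])] from slapd.conf-style text.
    Comment/blank lines are dropped; continuation lines join the directive."""
    body = "\n".join(l for l in text.splitlines()
                     if l.strip() and not l.lstrip().startswith("#"))
    acls = []
    for stmt in re.split(r"(?m)^(?=access\s)", body):
        toks = stmt.split()
        if not toks:
            continue
        target, i = {"dn": None, "attrs": None}, 2
        while i < len(toks) and toks[i] != "by":      # target clauses
            t = toks[i]
            if t.startswith(("dn.exact=", "dn.base=", "dn=")):
                target["dn"] = t.split("=", 1)[1].strip('"').lower()
            elif t.startswith("attrs="):
                target["attrs"] = {a.lower() for a in t[6:].split(",")}
            elif t != "*":
                raise ValueError("unsupported target clause: " + t)
            i += 1
        whos = []
        while i < len(toks):                          # 'by <who> <level>' clauses
            who, level = toks[i + 1], toks[i + 2]
            if level not in LEVELS:
                raise ValueError("unsupported access level: " + level)
            whos.append((who, level))
            i += 3
        acls.append((target, whos))
    return acls


def _who_matches(who, bound_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    if who.startswith(("dn.exact=", "dn.base=", "dn=")):
        return bound_dn is not None and \
            who.split("=", 1)[1].strip('"').lower() == bound_dn.lower()
    raise ValueError("unsupported who clause: " + who)


def granted(acls, bound_dn, entry_dn, attr):
    """Level that bound_dn (None = anonymous) gets on attr of entry_dn: the first
    matching 'access to' directive decides, and inside it the first matching 'by'."""
    for target, whos in acls:
        if target["dn"] not in (None, entry_dn.lower()):
            continue
        if target["attrs"] is not None and attr.lower() not in target["attrs"]:
            continue
        for who, level in whos:
            if _who_matches(who, bound_dn, entry_dn):
                return level
        return "none"          # directive matched but no 'by' clause did: denied
    return "none"


def allows(acls, bound_dn, entry_dn, attr, needed):
    return LEVELS.index(granted(acls, bound_dn, entry_dn, attr)) >= LEVELS.index(needed)


def can_simple_bind(acls, dn):
    """slapd checks a simple bind while the connection is still anonymous, so
    'auth' on userPassword must reach anonymous (or *); 'self' never matches here."""
    return allows(acls, None, dn, "userPassword", "auth")


def can_search_base(acls, bound_dn, base_dn):
    """A search needs 'search' on the 'entry' pseudo-attribute of the base object."""
    return allows(acls, bound_dn, base_dn, "entry", "search")


USER = "uid=goetzf,ou=Users,dc=justushere,dc=de"
OTHER = "uid=user1,ou=Users,dc=justushere,dc=de"      # constructed second user
SUFFIX = "dc=justushere,dc=de"
SUBSCHEMA = 'access to dn.base="cn=Subschema" by dn="cn=admin,dc=justushere,dc=de" read\n'

# The three variants from the thread ('by none' written with an explicit '*' subject).
THREAD_DENY_ALL = SUBSCHEMA + "access to *\n    by * none\n"
THREAD_SELF_READ = SUBSCHEMA + "access to *\n    by self read\n"
THREAD_ALL_READ = SUBSCHEMA + "access to *\n    by * read\n"
# Suggested fix (assumption): the standard userPassword rule from the OpenLDAP
# Administrator's Guide in front of a self-only rule for everything else.
CORRECTED = ("access to attrs=userPassword\n    by self write\n"
             "    by anonymous auth\n    by * none\n" + SUBSCHEMA +
             "access to *\n    by self read\n    by * none\n")


def evaluate(config_text):
    """What goetzf can do under a given ACL set (all checks are booleans)."""
    acls = parse_acls(config_text)
    return {
        "bind": can_simple_bind(acls, USER),
        "read_own_sn": allows(acls, USER, USER, "sn", "read"),
        "read_other_sn": allows(acls, USER, OTHER, "sn", "read"),
        "search_own_base": can_search_base(acls, USER, USER),    # -b <own dn> -s base
        "search_suffix": can_search_base(acls, USER, SUFFIX),    # -b dc=justushere,dc=de
    }


if __name__ == "__main__":
    for name in ("THREAD_DENY_ALL", "THREAD_SELF_READ", "THREAD_ALL_READ", "CORRECTED"):
        print(f"{name:17} {evaluate(globals()[name])}")
```

Running it shows the pattern from the thread: the deny-all and self-read sets refuse the bind outright, the `by * read` set lets the bind through but exposes every entry, and the corrected set lets the user bind, read its own entry with a base-scoped search of its own DN (Dieter's `-b <dn> -s base`), and nothing else; a search rooted at the suffix is still refused because the user has no `search` access on the suffix entry.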