I have an ldapsearch that returns this object:
sendmailMTAClassName: w
sendmailMTAClassValue: xxx
sendmailMTAClassValue: yyy
sendmailMTAClassValue: zzz
objectClass: sendmailMTA
objectClass: sendmailMTAClass
I thought I could strengthen the acl by just appending a filter to it,
but if I add these below, the ldapsearch does not return anything, err=32:
filter=(objectClass=sendmailMTAClass)
filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA))
filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA))
filter=(objectClass=sendmailMTA*)
If I change the filter to this, I get the expected result again:
filter=(objectClass=*)
The goal is to have ldapsearch list only the specific objectClasses. Or should I do this by listing only attributes?
--On Tuesday, August 1, 2023 1:34 PM +0000 Marc Marc@f1-outsourcing.eu wrote:
a) ACLs are contextual
b) The above are not fully formed ACL statements. No conclusions can be reached w/o full information.
--Quanah
If I add this filter=(&(objectClass=*)), I also get the expected result.
I'm wondering if a "search" privilege needs to be granted somewhere and "(objectClass=*)" is a loophole that bypasses the need for the "search" privilege. What happens if you say "filter=(&(objectClass=*))"?
Sean.
Hi Sean, your search helped me a bit in tracking this down. Currently I am testing with something like this:
to dn.subtree="dc=local" filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA)) by ssf=64 dn.exact="cn=cron,dc=local" read
to dn.subtree="dc=local" by ssf=64 dn.exact="cn=cron,dc=local" search
a) ACLs are contextual
I am just appending this to an existing 'standard' type of acl
to dn.subtree="dc=local" filter=(|(objectClass=sendmailMTAClass)(objectClass=sendmailMTA)) by ssf=64 dn.exact="cn=cron,dc=local" read
--On Wednesday, August 2, 2023 2:13 PM +0000 Marc Marc@f1-outsourcing.eu wrote:
I will repeat that ACLs are contextual. Providing a single ACL w/o the entire set of ACLs in use for context is not useful. You could enable ACL level debugging with slapd to see what permissions are being sought during the search to discover why it no longer returns any objects. Since your filter breaks it, clearly your search requires access to more than those two objectClasses.
As an aside, (&(objectClass=*)) should just be shortened to (objectClass=*).
--Quanah
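To make Quanah's point concrete, here is an added example, not code from the thread or from OpenLDAP: a small Python model of how an ACL filter= clause selects entries, run against the sendmailMTA entry from the thread and a constructed dc=local base entry (assumed to be an ordinary dcObject/organization entry; the MTA entry's DN is also a guess). It shows that every filter Marc tried except (objectClass=*) leaves the search base outside the ACL, which is one more entry the search needs access to.

```python
# Added example (not from the thread or OpenLDAP): a toy model of the ACL clause
# "filter=<ldapfilter>", which applies the ACL only to entries matching it. A
# search whose base entry gets no access is answered with noSuchObject (err=32).

BASE_ENTRY = {"dn": "dc=local", "objectclass": ["dcObject", "organization"],
              "dc": ["local"]}  # assumed: ordinary dcObject/organization base
MTA_ENTRY = {  # the entry shown in the thread; its DN is a constructed guess
    "dn": "sendmailMTAClassName=w,dc=local",
    "sendmailmtaclassname": ["w"],
    "sendmailmtaclassvalue": ["xxx", "yyy", "zzz"],
    "objectclass": ["sendmailMTA", "sendmailMTAClass"],
}

def parse(s, i=0):
    """Parse one parenthesised RFC 4515 filter at s[i]; return (tree, next_i)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":                       # AND / OR over nested filters
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            sub, i = parse(s, i)
            subs.append(sub)
        assert s[i] == ")", "unterminated filter list"
        return (op, subs), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)   # (attr=value), (attr=*), (attr=prefix*)
    return ("=", attr.lower(), value), end + 1

def matches(tree, entry):
    """Evaluate a parsed filter against an entry, case-insensitively."""
    if tree[0] in "&|":
        combine = all if tree[0] == "&" else any
        return combine(matches(t, entry) for t in tree[1])
    _, attr, value = tree
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "*":                       # presence: any value at all
        return bool(values)
    if value.endswith("*"):                # trailing-substring filter
        # objectClass has no SUBSTR rule (RFC 4512): slapd treats this as Undefined
        if attr == "objectclass":
            return False
        return any(v.startswith(value[:-1].lower()) for v in values)
    return value.lower() in values         # equality filter

def acl_filter_grants(acl_filter, entry):
    """True when an ACL with filter=<acl_filter> can grant access to entry."""
    tree, end = parse(acl_filter)
    assert end == len(acl_filter), "trailing characters after filter"
    return matches(tree, entry)
```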
openldap-technical@openldap.org