ben thielsen <[email protected]> writes:

> On Jun 27, 2010, at 22.47, [email protected] wrote:
>
>>> I just happened to notice that the following search(es) don't return the
>>> expected results:
>>>
>>>> ldapsearch -xs base -b '' +
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> with scope baseObject
>>> # filter: (objectclass=*)
>>> # requesting: +
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 1
>>>
>>> I'm using 2.4.21, courtesy of Ubuntu.
>>
>> [...]
>>
>>> conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
>>> conn=1000 op=1 SRCH attr=+
>>> => test_filter
>>>     PRESENT
>>> => access_allowed: search access to "" "objectClass" requested
>>> => acl_get: [1] attr objectClass
>>> => acl_mask: access to entry "", attr "objectClass" requested
>>> => acl_mask: to all values by "", (=0)
>>> <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> <= check a_dn_pat: *
>>> <= acl_mask: [2] applying +0 (break)
>>> <= acl_mask: [2] mask: =0
>>> <= acl_get: done.
>>> => slap_access_allowed: no more rules
>>> => access_allowed: no more rules
>>> <= test_filter 50
>>
>> This 50 means insufficient access, as pointed out by the above logs. Your
>> ACLs prevent searching the rootDSE entry.
>
> I see, thank you. Where can I read more about possible values used here and
> what they mean?
>
> Below are my current ACLs. olcAccess: to dn.base="" by * read is what I'd
> expected would allow such searches - but it occurs to me now that defining
> that in the context of a specific database/suffix is perhaps not right?
>
> #> ldapsearch -ZZLLLWD 'cn=admin,cn=config' -b 'cn=config' '(|(objectclass=olcglobal)(objectclass=olcdatabaseconfig))' olcdatabase olcaccess olcsuffix
> Enter LDAP Password:
> dn: cn=config
>
> dn: olcDatabase={-1}frontend,cn=config
> olcDatabase: {-1}frontend
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
This rule only allows root to access the rootDSE via the local socket, that is ldapi:///, that is, as root:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "" -s base +

[...]

-Dieter

-- 
Dieter Klünter | Systems Consulting
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
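The ACL walk behind the "[2] applying +0 (break)" / "no more rules" lines in the debug log, as an added example that is not code from this thread or from OpenLDAP. It is a small model of the evaluation order described in slapd.access(5): global (frontend) rules first, then the rules of the database whose suffix holds the entry; within the first matching `to` clause the first matching `by` clause wins, `stop` ends evaluation and `break` moves on to the next `to` clause. The rootDSE (DN "") sits under no database suffix, so only frontend rules ever apply to it. The database suffix `dc=example,dc=com` and the placement of the poster's `to dn.base="" by * read` under that database are assumptions, since the thread's config listing is cut off before the database entries.

```python
from dataclasses import dataclass
from typing import Optional

# Access levels in increasing privilege order, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass(frozen=True)
class By:
    who: str                       # "*", "anonymous", "users" or "dn.exact=<dn>"
    level: Optional[str] = None    # one of LEVELS; None = no level given, i.e. "+0" in the log
    control: str = "stop"          # "stop" (the default) or "break"

@dataclass(frozen=True)
class Access:
    target: str                    # "*" or 'dn.base=<dn>' (the two forms used in the thread)
    by: tuple                      # ordered By clauses

@dataclass(frozen=True)
class Database:
    suffix: str                    # assumed suffix; the rootDSE ("") belongs to no database
    rules: tuple

# The identity root gets over ldapi:/// with -Y EXTERNAL (peercred), taken from the thread.
ROOT_LDAPI = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"

def target_matches(target: str, dn: str) -> bool:
    if target == "*":
        return True
    if target.startswith("dn.base="):
        return target[len("dn.base="):].strip('"') == dn
    raise ValueError(f"unsupported <what>: {target}")

def who_matches(who: str, bind_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who.startswith("dn.exact="):
        return who[len("dn.exact="):] == bind_dn
    raise ValueError(f"unsupported <who>: {who}")

def rules_for(dn: str, frontend: tuple, databases: tuple) -> list:
    """Frontend rules, then those of the database whose suffix holds dn (if any)."""
    rules = list(frontend)
    for db in databases:
        if dn == db.suffix or dn.endswith("," + db.suffix):
            rules.extend(db.rules)
            break
    return rules

def granted(dn: str, bind_dn: str, frontend: tuple, databases: tuple):
    """Access level bind_dn gets on dn, plus a trace in the style of `slapd -d acl`.
    Falling off the end with no stop is "no more rules": the mask stays as accumulated."""
    mask, trace = "none", []
    for i, rule in enumerate(rules_for(dn, frontend, databases), start=1):
        if not target_matches(rule.target, dn):
            continue
        hit = next((b for b in rule.by if who_matches(b.who, bind_dn)), None)
        if hit is None:                       # matching <to> but no matching <by>: denied
            trace.append(f"[{i}] no <by> clause matches {bind_dn or 'anonymous'}")
            return "none", trace
        if hit.level is not None:
            mask = hit.level
        trace.append(f"[{i}] applying {hit.level or '+0'} ({hit.control})")
        if hit.control == "stop":
            return mask, trace
    trace.append("no more rules")
    return mask, trace

def rootdse_search_allowed(bind_dn: str, frontend: tuple, databases: tuple) -> bool:
    """Would `ldapsearch -s base -b '' +` bound as bind_dn pass the filter check?
    The (objectClass=*) filter needs 'search' on the rootDSE, as the thread's log shows."""
    level, _ = granted("", bind_dn, frontend, databases)
    return LEVELS.index(level) >= LEVELS.index("search")

# The thread's frontend rule, verbatim; the database below is the assumed part.
OP_FRONTEND = (
    Access("*", (By(f"dn.exact={ROOT_LDAPI}", "manage"), By("*", None, "break"))),
)
OP_DATABASES = (
    Database("dc=example,dc=com", (Access('dn.base=""', (By("*", "read"),)),)),
)

# The same read rule placed where the rootDSE is actually evaluated, after the
# frontend rule so that its `by * break` falls through into it. As cn=config LDIF
# (fed to `ldapmodify -Y EXTERNAL -H ldapi:///` as root, per the reply above):
#   dn: olcDatabase={-1}frontend,cn=config
#   changetype: modify
#   add: olcAccess
#   olcAccess: {1}to dn.base="" by * read
FIXED_FRONTEND = OP_FRONTEND + (Access('dn.base=""', (By("*", "read"),)),)

if __name__ == "__main__":
    for name, fe in (("thread's config", OP_FRONTEND), ("fixed config", FIXED_FRONTEND)):
        for who in ("", ROOT_LDAPI):
            level, trace = granted("", who, fe, OP_DATABASES)
            print(f"{name}: {who or 'anonymous'} -> {level}; " + "; ".join(trace))
```

Running it prints the anonymous walk for the thread's config as "[1] applying +0 (break); no more rules" ending in `none`, which is the `test_filter 50` (insufficientAccessRights) the poster saw, while root over ldapi stops at `manage` in the same clause. With the read rule added to the frontend the anonymous walk becomes "[1] applying +0 (break); [2] applying read (stop)". The poster's original placement under a database never appears in the rootDSE trace at all, which is the answer to the "specific database/suffix" question.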
