On Mon, Nov 14, 2011 at 4:45 PM, Howard Chu <[email protected]> wrote:

> sim123 wrote:
>
>>
>>
>> On Mon, Nov 14, 2011 at 1:37 PM, sim123 <[email protected]> wrote:
>>
>>    Hi All,
>>
>>    I am playing with access controls on OpenLDAP 2.4.26. I have a user with
>>    search access on everything:
>>
>>    access to *
>>             by anonymous auth
>>             by dn="uid=102,ou=system,dc=example,dc=com" search
>>
>>    And when I perform a search I get nothing:
>>
>>    ldapsearch -H "ldap://testldap:389" -D
>>    "uid=102,ou=system,dc=example,dc=com" -b "ou=users,dc=example,dc=com" -x
>>    -W '(uid=1)' mail cn dn
>>
>>    Enter LDAP Password:
>>    # extended LDIF
>>    #
>>    # LDAPv3
>>    # base <ou=users,dc=example,dc=com> with scope subtree
>>    # filter: (uid=1)
>>    # requesting: mail cn dn
>>    #
>>
>>    # search result
>>    search: 2
>>    result: 0 Success
>>
>>    # numResponses: 1
>>
>>    So I get a success but no values; is that a valid response?
>>
>
> Yes, it's a valid response. You haven't given Read access to anything, so
> no values can be returned. But the search base existed and you had search
> access to it, so the search request succeeded.
>
>
>>    I want to control access so that the "uid=102" user can do lookups on
>>    given attributes but cannot do (objectClass=*) to get a list of every
>>    entry in the LDAP.
>>
>>    Thanks for the help
>>
>>
>> Another way of stating my problem is that I want to control query filters
>> on the server side so the user with "uid=102" can only query using the
>> filter (uid=.+); all other filters should be restricted. I tried this
>> regular expression but get a "no such object" error.
>>
>
> It seems to me that what you want cannot be done. You need Read access in
> order to retrieve any values. Read access includes Search access. So if you
> are able to read the value of an attribute, you are allowed to Search for
> it as well.
>

Thanks for the response. Just wondering: how can one prevent LDAP injection
from the server side?
In my scenario there will be different systems talking to the server, and how
can I prevent them from getting a list of users by doing a simple query? I am
using uid as the login id, and this uid is not part of the DN (because it can
change and I need the DN in different LDAP groups), so for normal
authentication these systems need to know the respective DN for a given uid.
That's why I give read privilege to a system account; all anonymous users have
auth privilege only. Am I missing something here?

Thanks again for the help and support.

>
> --
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
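The following slapd.conf fragment is an added example for the question above; it is not from the thread and is not Howard's or the OpenLDAP project's own configuration. It reuses the DNs from the thread (uid=102,ou=system,dc=example,dc=com and ou=users,dc=example,dc=com) and assumes passwords live in userPassword. It shows the part of the requirement that ACLs can do (let the service account resolve a uid to a DN and nothing more) and the part they cannot (constrain the search filter), for which a per-requester size limit is the closest available knob.

```conf
# Added example, not the original poster's config. Clause order matters:
# slapd uses the first "access to" clause whose target matches the entry and
# attribute, and within it the first "by" that matches the requester, so the
# narrow clauses must come before the catch-all "access to *".

# Password hashes are only ever compared during a bind, never read back.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

# The lookup attribute. "read" implies "search", so the service account can
# both filter on uid and see its value. Read access to the "entry"
# pseudo-attribute is what lets slapd return the matching entry (and thus its
# DN) at all; nothing else in the entry is visible to uid=102.
access to dn.subtree="ou=users,dc=example,dc=com" attrs=uid,entry
        by dn.exact="uid=102,ou=system,dc=example,dc=com" read
        by * none

# Everything else: users may read their own entry, anyone may bind,
# the service account gets nothing (it already matched above for uid/entry,
# and falls through to "by * none" here for every other attribute).
access to *
        by anonymous auth
        by self read
        by * none

# ACLs cannot restrict the filter a client sends (Howard's point above).
# A per-requester size limit at least caps what one (objectClass=*) or
# (uid=*) sweep returns: the first entry plus "Size limit exceeded" (4).
# It does not stop a patient client from walking the tree one narrow
# query at a time, so treat it as damage limitation, not as filter control.
limits dn.exact="uid=102,ou=system,dc=example,dc=com" size=1
```

To check the effect, rerun the ldapsearch from the thread bound as uid=102: '(uid=1)' should now return the entry's DN and uid but no mail or cn, and '(objectClass=*)' against ou=users,dc=example,dc=com should return a single entry followed by "result: 4 Size limit exceeded" rather than the whole subtree.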
