On Mon, Jan 07, 2013 at 01:21:23PM -0200, Friedrich Locke wrote:

> sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
> SASL/GSSAPI authentication started
> SASL username: [email protected]

You appear to be binding as the entry that you want to read, so 'self' rules will match...

> But if I comment the 5th rule (I keep the others, giving access to the
> homedirectory attribute), it does not work:
>
> sioux@gustav$ ldapsearch -b uid=sioux,ou=people,dc=ufv,dc=br homedirectory
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> result: 32 No such object
> Does anybody here know why?

No such object means that you do not have access to the base object for the search (uid=sioux,ou=people,dc=ufv,dc=br in this case).

Your rule 5 said:

> access to dn.one="ou=people,dc=ufv,dc=br"
>         by self read
>         by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
>         by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

so it gives 'self' access to all attributes. The critical thing here is the pseudo-attribute 'entry' - you need to give access to that if you want to use the entry as the base of a search or if it is to be listed in a search result.

Andrew

-- 
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                   |
| Consultant in large-scale systems, networks, and directory services   |
| http://www.skills-1st.co.uk/                        +44 1628 782565   |
-----------------------------------------------------------------------
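As an added illustration (not part of the thread above; the attribute-only rule is a hypothetical reconstruction, since the message shows only rule 5), here is a slapd.conf ACL that grants just homeDirectory, beside a corrected version that also grants the 'entry' pseudo-attribute so the entry can serve as a search base and be returned, without restoring the blanket rule 5 that exposed every attribute:

```conf
# Hypothetical reconstruction of what remains after commenting out rule 5:
# 'self' may read homeDirectory, but nothing grants the 'entry' pseudo-attribute,
# so a search using this entry as its base fails with "result: 32 No such object".
access to dn.one="ou=people,dc=ufv,dc=br" attrs=homeDirectory
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

# Corrected: grant 'entry' explicitly to the same identities. 'read' on entry lets the
# entry be located as a search base and listed in results; the other attributes stay
# closed because no rule grants them. Both rules must precede any broader
# "access to *" rule, since slapd uses the first rule whose target matches.
access to dn.one="ou=people,dc=ufv,dc=br" attrs=entry
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
access to dn.one="ou=people,dc=ufv,dc=br" attrs=homeDirectory
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
```

If searches with a base above ou=people must also descend into these entries, the 'children' pseudo-attribute on the parent needs a matching grant; 'entry' alone covers the case in the thread.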
