On 07/24/2015 07:21 PM, Lohr, Donald wrote:
> I am setting up Oracle OUD for the first time and am learning how to
> implement entry and attribute security in OUD. I am running the Linux
> 64 v2.0.0.v20150606-M9 version of Apache Directory Studio.
>
> My OUD DIT structure is similar to:
>
> dc=acme,dc=com
>     cn=Groups
>     cn=Users
>         ou=Employees
>         ou=Contractors
>         ou=Customers
>
> If I place an ACL on "dc=acme,dc=com":
>
> aci: (target = "ldap:///dc=acme,dc=com")(targetattr = "* || +")(targetscope = "*onelevel*") (version 3.0; acl "sample"; allow (search,read,compare) userdn = "ldap:///all";)
>
> ...note that I'm setting the scope on the ACI to onelevel (not base or
> sub). In Apache Directory Studio I have a connection profile for one of
> the user entries in the ou=Employees container, all when the Apache
> Directory Studio returns results when I successfully bind, it only
> displays the ROOTDSE.
>
> Here's the interesting thing. If I do the following ldapsearch (using
> ldapsearch from OpenLDAP 2.4.40):
>
> ldapsearch -x -LLL -h 10.0.0.100 -p 389 -b dc=acme,dc=com -D cn=test-01,ou=customers,cn=users,dc=acme,dc=com -W "(objectclass=*)"
>
> ...I get back the following, which is what I understand for the OUD
> Admin guide I should get back:
>
> dn: cn=Users,dc=acme,dc=com
> cn: Users
> objectClass: orclContainer
> objectClass: top
>
> dn: cn=Groups,dc=acme,dc=com
> cn: Groups
> objectClass: orclContainer
> objectClass: top
>
> For the ldapsearch command, when no -b (base) or -s (scope) is provided,
> the search is performed from the ROOTDSE with a sub scope.
>
> Why are my results different when using Apache Directory Studio?
>
Did you set the "Base DN" manually (Connection properties -> tab Browser Options)? If not, Studio tries to figure them out from namingContexts attribute of the RootDSE. AFAIK in OID only admin user is allowed to read namingContexts attribute, and maybe ACL block that, not sure if OUD is different.

Please try to click the "Fetch Base DNs" button in connection properties and see if your dc=acme,dc=com is there. Otherwise set the base DN manually.

You can see the search requests done by Studio in the "Search Logs" view at the bottom.

Kind Regards,
Stefan
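
The namingContexts check described in the reply can also be done from the command line, shown here as an added example that is not part of the original thread. The function names and the two sample RootDSE replies are constructed for illustration; the host, port and bind DN are the ones quoted in the question.

```shell
#!/bin/sh
# Added example: check by hand what a client sees when it discovers
# base DNs from the RootDSE, using the same bind DN as the Studio profile.

# Read the RootDSE (empty base DN, base scope) and request namingContexts.
# Arguments: host, port, bind DN. -W prompts for the password.
fetch_rootdse() {
    ldapsearch -x -LLL -h "$1" -p "$2" -D "$3" -W \
        -b "" -s base "(objectclass=*)" namingContexts
}

# Print the namingContexts values found in LDIF on stdin, one per line,
# lowercased and with spaces after commas removed so DNs compare cleanly.
naming_contexts() {
    awk '
        tolower($0) ~ /^namingcontexts: / {
            sub(/^[^:]*: */, "")
            print tolower($0)
        }' | sed 's/, */,/g'
}

# Succeed (exit 0) if base DN $1 is listed in the LDIF read from stdin.
base_dn_advertised() {
    want=$(printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    naming_contexts | grep -Fxq -- "$want"
}

# Constructed sample: RootDSE reply where namingContexts is readable.
ROOTDSE_VISIBLE='dn:
namingContexts: dc=acme,dc=com
namingContexts: cn=schema'

# Constructed sample: RootDSE reply where the attribute is not returned
# to this bind DN, so the client sees an entry with nothing to browse.
ROOTDSE_HIDDEN='dn:'

# Usage against a live server (not run here):
#   fetch_rootdse 10.0.0.100 389 \
#       cn=test-01,ou=customers,cn=users,dc=acme,dc=com \
#     | base_dn_advertised dc=acme,dc=com \
#     && echo "base DN discoverable" \
#     || echo "namingContexts not readable: set Base DN manually"
```

If the second message is printed for the account used in the Studio connection profile, automatic base DN detection has nothing to work with for that account and the base DN has to be entered in the connection properties.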
