1. Yes, I manually set "Base DN" = dc=acme,dc=com

2. Using the "Get Base DNs from Root DSE" box and the "Fetch Base DNs" button instead seems to have solved the issue.

Thanks

On 07/24/2015 04:57 PM, Stefan Seelmann wrote:
On 07/24/2015 07:21 PM, Lohr, Donald wrote:
I am setting up Oracle OUD for the first time and am learning how to
implement entry and attribute security in OUD.  I am running the Linux
64 v2.0.0.v20150606-M9 version of Apache Directory Studio.

My OUD DIT structure is similar to:

dc=acme,dc=com
       cn=Groups
       cn=Users
             ou=Employees
             ou=Contractors
             ou=Customers

If I place an ACL on "dc=acme,dc=com":

aci: (target = "ldap:///dc=acme,dc=com";)(targetattr = "* || +")(targetscope = "*onelevel*") (version 3.0; acl "sample"; allow (search,read,compare) userdn = "ldap:///all";;)

...note that I'm setting the scope on the ACI to onelevel (not base or
sub). In Apache Directory Studio I have a connection profile for one of
the user entries in the ou=Employees container, and when Apache
Directory Studio returns results after I successfully bind, it only
displays the ROOTDSE.

Here's the interesting thing.  If I do the following ldapsearch (using
ldapsearch from OpenLDAP 2.4.40):

ldapsearch -x -LLL -h 10.0.0.100 -p 389 -b dc=acme,dc=com -D cn=test-01,ou=customers,cn=users,dc=acme,dc=com -W "(objectclass=*)"

...I get back the following, which is what I understand from the OUD
Admin guide I should get back:

dn: cn=Users,dc=acme,dc=com
cn: Users
objectClass: orclContainer
objectClass: top

dn: cn=Groups,dc=acme,dc=com
cn: Groups
objectClass: orclContainer
objectClass: top


For the ldapsearch command, when no -b (base) or -s (scope) is provided,
the search is performed from the ROOTDSE with a sub scope.

Why are my results different when using Apache Directory Studio?

Did you set the "Base DN" manually (Connection properties -> tab
Browser Options)? If not, Studio tries to figure them out from the
namingContexts attribute of the RootDSE. AFAIK in OID only the admin user is
allowed to read the namingContexts attribute, and maybe an ACL blocks that, not
sure if OUD is different.

Please try to click the "Fetch Base DNs" button in connection properties
and see if your dc=acme,dc=com is there. Otherwise set the base DN manually.

You can see the search requests done by Studio in the "Search Logs" view
at the bottom.

Kind Regards,
Stefan
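As an added illustration (not part of the thread, and not OUD's or Studio's own code), the following Python models which entries the quoted ACI covers. It assumes the targetscope semantics that match the ldapsearch output above: onelevel covers only the immediate children of dc=acme,dc=com, not the suffix entry itself and not the Root DSE (empty DN), and it uses a simplified DN split that does not handle escaped commas or multi-valued RDNs.

```python
import re

# The ACI quoted in the thread with targetscope onelevel (typed here for the
# example, not copied from a live server).
ACI = ('(target = "ldap:///dc=acme,dc=com";)(targetattr = "* || +")'
       '(targetscope = "onelevel")(version 3.0; acl "sample"; '
       'allow (search,read,compare) userdn = "ldap:///all";)')

# Constructed DNs: the Root DSE (empty DN), the suffix, its two containers,
# and two deeper entries from the DIT sketched in the thread.
CANDIDATES = [
    "",
    "dc=acme,dc=com",
    "cn=Users,dc=acme,dc=com",
    "cn=Groups,dc=acme,dc=com",
    "ou=Employees,cn=Users,dc=acme,dc=com",
    "cn=test-01,ou=Customers,cn=Users,dc=acme,dc=com",
]

def parse_target_and_scope(aci):
    """Pull the target DN and the targetscope keyword out of an ACI string."""
    target = re.search(r'\(target\s*=\s*"ldap:///([^"]*)"', aci)
    scope = re.search(r'\(targetscope\s*=\s*"([^"]+)"', aci)
    return (target.group(1) if target else None,
            scope.group(1).lower() if scope else "subtree")  # subtree is the default

def dn_components(dn):
    # Simplified RDN split (assumption): no escaped commas, no multi-valued RDNs.
    return [rdn.strip().lower() for rdn in dn.split(",")] if dn else []

def entry_in_scope(entry_dn, target_dn, scope):
    """Assumed scope semantics: base = target only, onelevel = immediate
    children only, subordinate = everything below, subtree = target and below."""
    entry, target = dn_components(entry_dn), dn_components(target_dn)
    if len(entry) < len(target) or entry[len(entry) - len(target):] != target:
        return False  # not under the target at all; the Root DSE always lands here
    depth = len(entry) - len(target)
    return {"base": depth == 0,
            "onelevel": depth == 1,
            "subtree": True,
            "subordinate": depth >= 1}[scope]

def visible_entries(aci, candidate_dns):
    """Entries this ACI lets 'ldap:///all' search and read."""
    target, scope = parse_target_and_scope(aci)
    return [dn for dn in candidate_dns if entry_in_scope(dn, target, scope)]

if __name__ == "__main__":
    for dn in visible_entries(ACI, CANDIDATES):
        print(dn)
```

The result is exactly the two container entries the ldapsearch with -b dc=acme,dc=com returned; neither the suffix entry nor the Root DSE is covered by this ACI, so a client that browses down from the Root DSE has nothing this rule grants it.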
