From: The H. <the...@ya...> - 2008-05-11 19:56:13
--- Tomas Kuliavas <to...@us...> wrote:

> > > > Sorry...I left out one last bit of information. Here's the result
> > > > when I issue the following slapacl command:
> > > >
> > > > slapacl -U anonymous -b "dc=example,dc=com" "uid/read:jsmith"
> > > >
> > > > read access to uid=jsmith: ALLOWED
> > > >
> > >
> > > Test it with
> > > ---
> > > ldapsearch -x -b "dc=example,dc=com" '(uid=jsmith)'
> > > ---
> >
> > Here is the result:
> > ---
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=example,dc=com> with scope subtree
> > # filter: (uid=jsmith)
> > # requesting: ALL
> > #
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 1
> > ---
> >
> > I ran the same command with the -D and -W options and got:
> >
> > ---
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=example,dc=com> with scope subtree
> > # filter: (uid=jsmith)
> > # requesting: ALL
> > #
> >
> > # jsmith, users, example.com
> > dn: uid=jsmith,ou=users,dc=example,dc=com
> > uid: jsmith
> ...
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> > ---
> >
> > I'm a bit confused as to why the second command still returned "result:
> > 0 Success" like the first one. Anyway, if the first command had
> > worked, I'm assuming I should have gotten everything except the
> > userPassword field (per ACLs), right?
>
> The first command didn't return the user's info. An anonymous user can't get
> the user's DN by executing a 'uid=userid' search. "result: 0 Success" only
> means that there is no error in program execution. If ACLs don't allow
> listing of some entry, it is invisible to ldapsearch.
>
> The plugin makes two LDAP lookups. First it finds the user's DN. The plugin
> uses the $query_dn and $query_pw settings for that. If the settings are not
> set, an anonymous lookup is performed. Then the plugin rebinds with
> $ldap_manager_dn and $ldap_manager_pw or the located user's DN and IMAP
> password. After rebinding, the plugin retrieves the full user's entry with
> userPassword.
>
> Set query_dn and query_pw to some login that can fetch the user's DN.
>
> Please don't use top quoting. People read text from top to bottom and not
> from bottom to top. If you write your reply on top, it is harder to follow
> the conversation.
>
> --
> Tomas

Thank you for taking the time to answer my questions! I've done some more work with ldapsearch and have come to realize that it doesn't work for anonymous or users! For example, the following fails to produce any return:

ldapsearch -x -D "uid=jsmith,ou=users,dc=example,dc=com" -W -b "dc=example,dc=com" '(uid=jsmith)'

Only using the rootdn with the -D option seems to work. Consequently, setting the $query_dn does not work. Unfortunately, I haven't done anything to disable searches for anonymous or users other than to set ACLs for the userPassword field, and I'm not seeing anything else wrong in the slapd.conf file. I even tried reindexing with slapindex, but that didn't help either. Obviously my problems are not with the plugin at this stage, so I'll redirect my question to the openldap list unless someone sees something that I'm missing. Thanks again for the help!
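The exchange above turns on reading ldapsearch output correctly: "result: 0 Success" is the protocol result code of the search operation, and an entry the ACLs hide simply never appears, so the only signal is the missing "# numEntries:" line. The POSIX shell script below is an added example, not code from the thread or from the plugin. It classifies an ldapsearch transcript as error, hidden or visible; the two outputs quoted in the thread (plus one constructed failed-bind line) are embedded as samples so it runs offline, and the live ldapsearch invocations it is meant to be fed are in the comments.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin): classify what an
# ldapsearch run actually returned.  Against a live server, pipe the output
# of these commands into diagnose instead of the embedded samples:
#   ldapsearch -x -b "dc=example,dc=com" '(uid=jsmith)'                 # anonymous
#   ldapsearch -x -D "uid=jsmith,ou=users,dc=example,dc=com" -W \
#       -b "dc=example,dc=com" '(uid=jsmith)'                           # bound as the user

# ldif_result_code: print the code from the "result: N ..." line, or nothing.
ldif_result_code() {
    sed -n 's/^result: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# ldif_entry_count: print the number of entries returned.  ldapsearch prints
# "# numEntries: N" only when at least one entry came back, so absent means 0.
ldif_entry_count() {
    n=$(sed -n 's/^# numEntries: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# diagnose: read one ldapsearch transcript on stdin and print one of
#   "error <code>"  the operation itself failed (bind, base DN, ...)
#   "hidden"        result 0 Success but no entries: the ACLs hide the entry
#                   (or the base/filter is wrong); this is what the thread saw
#   "visible <n>"   n entries were returned
diagnose() {
    input=$(cat)
    code=$(printf '%s\n' "$input" | ldif_result_code)
    if [ -z "$code" ]; then
        # No search result at all: a client-side failure such as
        # "ldap_bind: Invalid credentials (49)" carries its code in parentheses.
        code=$(printf '%s\n' "$input" \
               | sed -n 's/^ldap_[a-z_]*: .*(\([0-9][0-9]*\))$/\1/p' | head -n 1)
    fi
    count=$(printf '%s\n' "$input" | ldif_entry_count)
    if [ "$code" != "0" ]; then
        printf 'error %s\n' "${code:-unknown}"
    elif [ "$count" -eq 0 ]; then
        printf 'hidden\n'
    else
        printf 'visible %s\n' "$count"
    fi
}

# Constructed sample: the anonymous search from the thread, success with no entries.
ANON_OUTPUT='# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jsmith)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1'

# Constructed sample: the same search bound as rootdn, the entry comes back.
BOUND_OUTPUT='# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=jsmith)
# requesting: ALL
#

# jsmith, users, example.com
dn: uid=jsmith,ou=users,dc=example,dc=com
uid: jsmith

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1'

# Constructed sample: a bind with the wrong password; no search result line at all.
FAILED_BIND_OUTPUT='ldap_bind: Invalid credentials (49)'

diagnose_anon()   { printf '%s\n' "$ANON_OUTPUT"        | diagnose; }
diagnose_bound()  { printf '%s\n' "$BOUND_OUTPUT"       | diagnose; }
diagnose_failed() { printf '%s\n' "$FAILED_BIND_OUTPUT" | diagnose; }

for f in diagnose_anon diagnose_bound diagnose_failed; do
    printf '%-16s %s\n' "$f:" "$($f)"
done
```

The "hidden" verdict is the one to act on when, as in the thread, only the rootdn gets entries back: the rootdn bypasses slapd's ACLs entirely, so a search that succeeds for it and returns nothing for anonymous or for a bound user points at the access directives, not at indexing.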
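As an added illustration (not the poster's slapd.conf, whose contents the thread does not show), the fragment below places an ACL written only for userPassword beside the form that keeps the rest of the directory readable. The DNs and attribute names are the ones used in the thread.

```conf
# slapd.conf ACL fragments, added here as an illustration.

# Shape 1: the only directive is the one protecting userPassword.
# Once any "access to" directive exists, slapd applies an implicit
# "access to * by * none" to everything the listed directives do not
# match, so every other attribute, including the "entry" pseudo-attribute
# that must be readable for an entry to be returned at all, becomes
# invisible to anonymous and to ordinary bound users.  Only the rootdn,
# which bypasses ACLs, still gets entries; everyone else sees
# "result: 0 Success" with no "# numEntries:" line.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Shape 2: the same protection, followed by a directive for the rest.
# Order matters: slapd uses the first "access to" whose target matches,
# so the userPassword rule must come before the catch-all.  With this in
# place an anonymous '(uid=jsmith)' search returns the entry without
# userPassword, "by anonymous auth" lets uid=jsmith bind with the IMAP
# password, and "by self write" lets that bound user read its own entry
# including userPassword, which is the second lookup the plugin performs.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by * read
```

Note that slapacl checks one attribute at a time, so "read access to uid=jsmith: ALLOWED" on its own does not establish that a search will return the entry; the "entry" pseudo-attribute and the search base must be readable as well, which "access to * by * read" grants.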