Access control and unclear debugging (to me)

Jeffrey Weiss (weiss@ties.k12.mn.us)
Fri, 25 Oct 1996 14:58:56 -0500 (CDT)

Hello,

Still can't get access controls to work.

After a sage LDAP guru from Australia suggested to me that I couldn't
formulate access rules for attributes that would work with the web500gw
on the same server as the slapd was running on because it was actually
web500gw, not clients "out there", connecting to slapd so only the
domain web500gw was connecting from--or its DN--were relevant, I bound
web500gw to a DN:

conn=4 op=0 BIND dn="cn=web500gw,0=TIES,c=US" method=128,

and tried to at least get differential access for this dn="cn=web500gw and
other DNs in my organization:

access to attr=title,manager,jpegPhoto,labeledURI
by dn="cn=web500gw,o=TIES,c=US" none
by dn=".*,o=TIES,c=US" read
by * none

But the web500gw client still reads everything that an ldapsearch of
objectclass on the localhost also returns.

I.e., no access control.

I do see other anomalous output when running with debug level of 256 in this
string that is returned:
str2entry: entry 2 has no dn

slapd starting
conn=0 fd=6 connection from unknown (127.0.0.1)
conn=0 op=0 BIND dn="cn=web500gw,0=TIES,c=US" method=128
conn=0 op=0 RESULT err=0 tag=97 nentries=0
conn=0 op=1 SRCH base="o=ties,c=us" scope=0 filter="(objectclass=*)"
conn=0 op=1 RESULT err=0 tag=101 nentries=1
conn=0 op=2 SRCH base="o=TIES,c=US" scope=0 filter="(objectclass=*)"
conn=0 op=2 RESULT err=0 tag=101 nentries=1
conn=0 op=3 UNBIND
conn=0 op=3 fd=6 closed errno=11

conn=1 fd=6 connection from unknown (127.0.0.1)
conn=1 op=0 BIND dn="cn=web500gw,0=TIES,c=US" method=128
conn=1 op=0 RESULT err=0 tag=97 nentries=0
conn=1 op=1 SRCH base="o=ties,c=us" scope=0 filter="(objectclass=*)"
conn=1 op=1 RESULT err=0 tag=101 nentries=1
conn=1 op=2 SRCH base="o=TIES,c=US" scope=0 filter="(objectclass=*)"
conn=1 op=2 RESULT err=0 tag=101 nentries=1
conn=1 op=3 UNBIND
conn=1 op=3 fd=6 closed errno=11

conn=2 fd=6 connection from unknown (127.0.0.1)
conn=2 op=0 BIND dn="cn=web500gw,0=TIES,c=US" method=128
conn=2 op=0 RESULT err=0 tag=97 nentries=0
conn=2 op=1 SRCH base="o=TIES,c=US" scope=2 filter="(|(cn=VANDER)(sn=VANDER)(uid=VANDER))"
str2entry: entry 2 has no dn
str2entry: entry 4 has no dn
str2entry: entry 5 has no dn
str2entry: entry 7 has no dn
conn=2 op=1 RESULT err=0 tag=101 nentries=0
conn=2 op=2 SRCH base="o=TIES,c=US" scope=2 filter="(|(cn~=VANDER)(sn~=VANDER))"
str2entry: entry 4 has no dn
conn=2 op=2 RESULT err=0 tag=101 nentries=0
conn=2 op=3 SRCH base="o=TIES,c=US" scope=0 filter="(objectclass=*)"
conn=2 op=3 RESULT err=0 tag=101 nentries=1
conn=2 op=4 UNBIND
conn=2 op=4 fd=6 closed errno=11

Here's some of my ASCII LDIF that I'm using:

dn:o=TIES,c=US
objectClass:organization
l:Roseville,MN
st:Minnesota
o:TIES
ou:STAFF
description:Technology and Information Eucational Services

dn:cn=John Vanderwerf,o=TIES,c=US
cn:John Vanderwerf
sn:Vanderwerf
objectClass:person
title:Manager
manager:Lee Whitcraft
telephoneNumber:638-2354
mail:vander
labeledURI:http://www.ties.k12.mn.us/~vander


Please--some pointers or corrections or extreme criticisms, even?

Thank you!
Jeffrey Weiss
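
One way to check which "by" clause of the rule above the logged bind DN lands on, as an added example that is not part of the original post or of slapd. It assumes slapd treats dn= patterns as case-insensitive regular expressions and stops at the first matching clause; the function names are hypothetical, and the log and rule text are copied from the message.

```python
import re

# Log lines copied from the post above (slapd debug level 256).
LOG = '''\
conn=0 fd=6 connection from unknown (127.0.0.1)
conn=0 op=0 BIND dn="cn=web500gw,0=TIES,c=US" method=128
conn=0 op=0 RESULT err=0 tag=97 nentries=0
conn=2 op=1 SRCH base="o=TIES,c=US" scope=2 filter="(|(cn=VANDER)(sn=VANDER)(uid=VANDER))"
'''

# The access rule copied from the post above.
ACL = '''\
access to attr=title,manager,jpegPhoto,labeledURI
by dn="cn=web500gw,o=TIES,c=US" none
by dn=".*,o=TIES,c=US" read
by * none
'''

BIND_RE = re.compile(r'^conn=\d+ op=\d+ BIND dn="([^"]*)"', re.M)
BY_RE = re.compile(r'^[ \t]*by[ \t]+(?:dn="([^"]*)"|(\*))[ \t]+(\w+)[ \t]*$', re.M)

def bind_dns(log):
    """Distinct DNs that appear in BIND lines of the log."""
    return sorted(set(BIND_RE.findall(log)))

def by_clauses(acl):
    """Ordered (regex, label, access level) triples for each 'by' line."""
    clauses = []
    for dn_pat, _star, level in BY_RE.findall(acl):
        if dn_pat:
            clauses.append((dn_pat, 'dn="%s"' % dn_pat, level))
        else:
            clauses.append((".*", "*", level))  # bare * matches any requester
    return clauses

def evaluate(dn, clauses):
    """Assumed semantics: case-insensitive regex search, first match decides."""
    for pattern, label, level in clauses:
        if re.search(pattern, dn, re.I):
            return label, level
    return None, None  # no clause matched; the server default would apply

if __name__ == "__main__":
    rules = by_clauses(ACL)
    for dn in bind_dns(LOG):
        print(dn, "->", evaluate(dn, rules))
```

On the post's own data, the logged bind DN cn=web500gw,0=TIES,c=US (digit zero before =TIES) matches neither dn= clause and falls through to "by * none", while a DN spelled with o=TIES would hit the first clause.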