On 4/30/20 7:14 AM, Mc Laughlin David Bruce (ID BD) wrote:
Hello, 389ers.
I am migrating a whitepages server from OpenLDAP to 389-DS.
My instance has a root suffix with two subtrees (for staff and students).
Anonymous queries of the two root suffix subtrees return the expected
results.
The instance also has a second suffix of "o=psi,c=ch" with three subtrees:
ou=contacts,o=psi,c=ch
ou=groups,o=psi,c=ch
ou=users,o=psi,c=ch
Anonymous queries of the three "o=psi,c=ch" subtrees return NO records.
I have added ACIs for the three "o=psi,c=ch" subtrees and restarted
the instance, but
anonymous queries of any of the three "o=psi,c=ch" subtrees STILL
return no records.
Does anyone know how to allow anonymous queries?
First you don't need to restart the server when you add or change
ACI's. If you run the search as "cn=directory manager" does it return
the results you expect?
Can you share all the ACI's you added to o=psi,c=ch subtrees? Maybe
gather all of them by using this search:
# ldapsearch -D "cn=directory manager" -W -b "o=psi,c=ch" aci=*
aci
Thanks,
Mark
Thanks,
David
[root@el-dap ~]#
[root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -D
"cn=Directory Manager" -W -x -b "ou=users,o=psi,c=ch" -s sub
'(aci=*)' aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,o=psi,c=ch> with scope subtree
# filter: (aci=*)
# requesting: aci
#
# users, psi, ch
dn: ou=users,o=psi,c=ch
aci: (target = "ldap:///ou=users,o=psi,c=ch")(version 3.0; acl
"Anonymous read
, search for users";allow (read, search) userdn = "ldap:///anyone";)
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@el-dap ~]#
[root@el-dap ~]#
[root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -LLL -x
-b 'ou=users,o=psi,c=ch' '(cn=*kohler*)'
[root@el-dap ~]#
[root@el-dap ~]#
[root@el-dap ~]# tail /var/log/dirsrv/slapd-el-dap/access
[30/Apr/2020:10:23:02.362530519 +0200] conn=5 fd=64 slot=64 connection
from 129.132.65.9 to 129.132.65.9
[30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn=""
method=128 version=3
[30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97
nentries=0 etime=0.0000179605 dn=""
[30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH
base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
[30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0
tag=101 nentries=0 etime=0.0000606595
[30/Apr/2020:10:23:02.363649360 +0200] conn=5 op=2 UNBIND
[30/Apr/2020:10:23:02.363680129 +0200] conn=5 op=2 fd=64 closed - U1
[root@el-dap ~]#
___________________________________________________
David McLaughlin
ETH Zürich / Swiss Federal Institute of Technology
Informatikdienste
Basisdienste
Mail, Archive & Directories group
CH-8092 Zürich
Tel.: +41 44 632 3531
e-mail: david.mclaughlin(a)id.ethz.ch <mailto:david.mclaughlin@id.ethz.ch>
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
--
389 Directory Server Development Team