search/security problem

Jason Cross (jcross01@eng.eds.com)
Thu, 29 Dec 1994 16:08:20 -0500 (EST)

I have a DIT structured as such:

c=US
 |
o=Acme
 |
 --------------------------------
 |                              |
 |                              |
ou=Sales                       ou=Support
 |                              |
 |                              |
cn=Al Smith                    cn=Tom Jones
userPassword=smith             userPassword=jones
homePhone=+1 821 555-4321      homePhone=+1 321 555-1234
[...other attr's]              [...other attr's]

cn=Joe Doe                     cn=Jane Todd
[...other attr's]              [...other attr's]

The ACLs for the leaf entries are set up so that the people in
the same OU can see each other's home phone, but *not* those in
the other OU. Here's the ACL:

acl= self # write # entry &\
self # write # child &\
self # write # default &\
others # read # entry &\
others # read # child &\
others # read # default &\
others # none # attributes # homePhone &\
others # compare # attributes # userPassword &\
group # c=US@o=Acme@cn=Admin # write # entry &\
group # c=US@o=Acme@cn=Admin # write # attributes # userPassword &\
group # c=US@o=Acme@cn=Admin # write # attributes # homePhone &\
prefix # c=US@o=Acme@ou=<Sales or Support> # read # attributes # homePhone

I have a program which uses ldap to extract information from
the directory.

When I login to the directory via the program as "c=us@o=acme@cn=Admin"
*and* begin the search at "c=us@o=acme@ou=sales", I receive all the
attributes, including homePhone.

However, when I login via the program as "c=us@o=acme@cn=Admin" *and*
begin the search at "c=us@o=acme", I *do not* receive the homePhone
attribute and value.

I'm not too sure if this is a quipu configuration issue or an ldap
issue. The only error message I can find in the quipu log files
is in dsap.log. Any help will be appreciated.

dsap.log:

[...stuff deleted...]
(root ) in dsa_info_new
(root ) get_dsa_info()
(root ) dsa_info_new - get_dsa_info (master) returned X500 ERROR
(root ) search_refer failed: c=US@o=acme@ou=support
(root ) Activity applied
(root ) Listening on ads: 4.
(root ) secs: 0; nads: 5; iads 0x10, wads 0x0
(root ) Listening on ads: 4.
(root ) secs: 0; nads: 5; iads 0x10, wads 0x0
(root ) Apply operation
(root ) ds_search continuing
(root ) really find entry
(root ) eis_select
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@@cn=Al Smith
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@cn=Al Smith
(root ) eis_select
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@@cn=Joe Doe
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@cn=Joe Doe
(root ) eis_select
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@@cn=Tom Jones
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@cn=Tom Jones
(root ) eis_select
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@@cn=Jane Todd
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@cn=Jane Todd
[...stuff deleted...]
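An added example, not part of Jason's post and not quipu's own code: a small Python parser for dsap.log excerpts of the shape shown above. It groups each "access denied" record into user, attempted mode and entry DN, splits the DN on quipu's `@` separator, and flags DNs that carry an empty RDN component (the `@@` that appears in the excerpt next to each well-formed DN). The sample log text is constructed from the shape of the post's excerpt, and the regular expression, the function names and the empty-RDN check are assumptions of this example, not documented quipu behaviour.

```python
"""Summarise 'access denied' records from a quipu dsap.log excerpt.

Added example; the sample log below is constructed to match the
shape of the post's excerpt and is not a real capture.
"""
import re
from collections import Counter

# Constructed sample in the shape of the post's dsap.log excerpt.
SAMPLE_LOG = """\
(root ) eis_select
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@@cn=Al Smith
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@cn=Al Smith
(root ) eis_select
(root ) access denied for user :
(root ) attempting mode=3
(root ) on entry : c=US@o=Acme@@cn=Tom Jones
"""

# "(root ) message" -- the prefix in parentheses, then the message text.
# The pattern is an assumption based on the excerpt, not a quipu spec.
LINE_RE = re.compile(r"^\((\w+)\s*\)\s*(.*)$")


def parse_denials(text):
    """Return one dict per 'access denied' record: user, mode, entry."""
    records = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2).strip()
        if msg.startswith("access denied for user"):
            # The excerpt shows an empty user after the colon; keep it as-is.
            current = {"user": msg.split(":", 1)[1].strip(),
                       "mode": None, "entry": None}
            records.append(current)
        elif current is not None and msg.startswith("attempting mode="):
            current["mode"] = int(msg.split("=", 1)[1])
        elif current is not None and msg.startswith("on entry :"):
            current["entry"] = msg.split(":", 1)[1].strip()
            current = None  # record complete
    return records


def split_dn(dn):
    """Split a quipu-style DN ('c=US@o=Acme@cn=X') into RDN components."""
    return dn.split("@")


def has_empty_rdn(dn):
    """True when the DN has an empty component, e.g. 'c=US@o=Acme@@cn=X'."""
    return any(component == "" for component in split_dn(dn))


def summarise(records):
    """Count denials per (entry, mode, dn-shape) so odd DNs stand out."""
    counts = Counter()
    for r in records:
        shape = "empty-rdn" if has_empty_rdn(r["entry"]) else "well-formed"
        counts[(r["entry"], r["mode"], shape)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarise(parse_denials(SAMPLE_LOG)).items()):
        entry, mode, shape = key
        print(f"{n}x mode={mode} {shape:11s} {entry}")
```

Running it over a real dsap.log (read the file instead of `SAMPLE_LOG`) gives a per-entry tally that separates denials on well-formed DNs from those on DNs with a missing component, which is a quicker way to compare the two search-base cases than reading the raw log.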