Hello, 389ers.

I am migrating a whitepages server from OpenLDAP to 389-DS.
My instance has a root suffix with two subtrees (for staff and students).
Anonymous queries of the two root suffix subtrees return the expected results.

The instance also has a second suffix of "o=psi,c=ch" with three subtrees:

ou=contacts,o=psi,c=ch
ou=groups,o=psi,c=ch
ou=users,o=psi,c=ch

Anonymous queries of the three "o=psi,c=ch" subtrees return NO records.

I have added ACIs for the three "o=psi,c=ch" subtrees and restarted the instance, but
anonymous queries of any of the three "o=psi,c=ch" subtrees STILL return no records.

Does anyone know how to allow anonymous queries?

Thanks,
David

[root@el-dap ~]#
[root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -D "cn=Directory Manager" -W -x -b "ou=users,o=psi,c=ch" -s sub '(aci=*)' aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,o=psi,c=ch> with scope subtree
# filter: (aci=*)
# requesting: aci
#

# users, psi, ch
dn: ou=users,o=psi,c=ch
aci: (target = "ldap:///ou=users,o=psi,c=ch")(version 3.0; acl "Anonymous read , search for users";allow (read, search) userdn = "ldap:///anyone";)

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@el-dap ~]#
[root@el-dap ~]#
[root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -LLL -x -b 'ou=users,o=psi,c=ch' '(cn=*kohler*)'
[root@el-dap ~]#
[root@el-dap ~]#
[root@el-dap ~]# tail /var/log/dirsrv/slapd-el-dap/access
[30/Apr/2020:10:23:02.362530519 +0200] conn=5 fd=64 slot=64 connection from 129.132.65.9 to 129.132.65.9
[30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn="" method=128 version=3
[30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000179605 dn=""
[30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
[30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000606595
[30/Apr/2020:10:23:02.363649360 +0200] conn=5 op=2 UNBIND
[30/Apr/2020:10:23:02.363680129 +0200] conn=5 op=2 fd=64 closed - U1
[root@el-dap ~]#

___________________________________________________
David McLaughlin
ETH Zürich / Swiss Federal Institute of Technology
Informatikdienste Basisdienste
Mail, Archive & Directories group
CH-8092 Zürich
Tel.: +41 44 632 3531
e-mail: david.mclaughlin@xxxxxxxxxx
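Added example, not part of the original message: a Python script that correlates BIND, SRCH and RESULT lines by conn and op in access-log text of the format quoted above, and lists searches on anonymous connections that ended with err=0 and nentries=0. The conn=6 lines in the sample and the function name `empty_anonymous_searches` are constructed for illustration.

```python
import re

# Sample access log: the conn=5 lines are quoted from the message above;
# the conn=6 lines are constructed for contrast (authenticated, non-empty result).
SAMPLE_LOG = '''\
[30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn="" method=128 version=3
[30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000179605 dn=""
[30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
[30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000606595
[30/Apr/2020:10:23:03.000000000 +0200] conn=6 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[30/Apr/2020:10:23:03.000100000 +0200] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000100000 dn="cn=directory manager"
[30/Apr/2020:10:23:03.000200000 +0200] conn=6 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(aci=*)" attrs="aci"
[30/Apr/2020:10:23:03.000300000 +0200] conn=6 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0000300000
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                  r'(?P<verb>[A-Z]+)\b(?P<rest>.*)$')
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def empty_anonymous_searches(log_text):
    """Return SRCH operations on anonymous connections that ended err=0, nentries=0."""
    bound = {}    # conn -> DN currently bound ('' means anonymous)
    pending = {}  # (conn, op) -> (verb, timestamp, request fields) awaiting RESULT
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # connection open/close lines carry no operation verb
        key, verb = (m['conn'], m['op']), m['verb']
        f = {k: v.strip('"') for k, v in KV.findall(m['rest'])}
        if verb in ('BIND', 'SRCH'):
            pending[key] = (verb, m['ts'], f)
        elif verb == 'RESULT' and key in pending:
            req, ts, rf = pending.pop(key)
            if req == 'BIND':
                # A failed bind leaves the connection anonymous (RFC 4513).
                bound[key[0]] = rf.get('dn', '') if f.get('err') == '0' else ''
            elif (not bound.get(key[0], '') and f.get('err') == '0'
                  and f.get('nentries') == '0'):
                hits.append({'time': ts, 'conn': key[0],
                             'base': rf.get('base'), 'filter': rf.get('filter')})
    return hits

if __name__ == '__main__':
    for hit in empty_anonymous_searches(SAMPLE_LOG):
        print(hit)
```

In the access log, an anonymous search that matched nothing and one whose entries were withheld by access control both appear as err=0 with nentries=0, so the output is a list of searches to check against the ACIs on the reported base.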