Re: anonymous queries on second suffix subtrees

On 4/30/20 7:14 AM, Mc Laughlin David Bruce (ID BD) wrote:
Hello, 389ers.

I am migrating a whitepages server from OpenLDAP to 389-DS.

My instance has a root suffix with two subtrees (for staff and students).
Anonymous queries of the two root suffix subtrees return the expected results.

The instance also has a second suffix of "o=psi,c=ch" with three subtrees:
  ou=contacts,o=psi,c=ch
  ou=groups,o=psi,c=ch
  ou=users,o=psi,c=ch

Anonymous queries of the three "o=psi,c=ch" subtrees return NO records.

I have added ACIs for the three "o=psi,c=ch" subtrees and restarted the instance, but
anonymous queries of any of the three "o=psi,c=ch" subtrees STILL return no records.

Does anyone know how to allow anonymous queries?

First, you don't need to restart the server when you add or change ACIs.  If you run the search as "cn=directory manager", does it return the results you expect?

Can you share all the ACIs you added to the o=psi,c=ch subtrees?  Maybe gather all of them by using this search:

    # ldapsearch -D "cn=directory manager" -W -b "o=psi,c=ch" '(aci=*)' aci

Thanks,
Mark



Thanks,
 David

[root@el-dap ~]#
[root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -D "cn=Directory Manager" -W -x -b "ou=users,o=psi,c=ch" -s sub '(aci=*)' aci
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,o=psi,c=ch> with scope subtree
# filter: (aci=*)
# requesting: aci
#
# users, psi, ch
dn: ou=users,o=psi,c=ch
aci: (target = "ldap:///ou=users,o=psi,c=ch")(version 3.0; acl "Anonymous read
 , search for users";allow (read, search) userdn = "ldap:///anyone";)
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@el-dap ~]#


[root@el-dap ~]#
[root@el-dap ~]# /usr/bin/ldapsearch -H ldap://el-dap.ethz.ch/ -LLL -x -b 'ou=users,o=psi,c=ch' '(cn=*kohler*)'
[root@el-dap ~]#


[root@el-dap ~]#
[root@el-dap ~]# tail /var/log/dirsrv/slapd-el-dap/access
[30/Apr/2020:10:23:02.362530519 +0200] conn=5 fd=64 slot=64 connection from 129.132.65.9 to 129.132.65.9
[30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn="" method=128 version=3
[30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000179605 dn=""
[30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
[30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000606595
[30/Apr/2020:10:23:02.363649360 +0200] conn=5 op=2 UNBIND
[30/Apr/2020:10:23:02.363680129 +0200] conn=5 op=2 fd=64 closed - U1
[root@el-dap ~]#

___________________________________________________

David McLaughlin

ETH Zürich / Swiss Federal Institute of Technology

Informatikdienste

Basisdienste

Mail, Archive & Directories group

CH-8092 Zürich

 

Tel.: +41 44 632 3531

e-mail: david.mclaughlin@xxxxxxxxxx


_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
-- 

389 Directory Server Development Team
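
The access log in the quoted post shows an anonymous bind (`dn=""`) followed by a search that ends with `err=0` and `nentries=0`. The following is an added example, not part of the original thread or of 389-DS: it picks out such searches from an access log so they can be re-run as "cn=directory manager" for the comparison suggested above. The function name is hypothetical, and the sample input is the log excerpt from the post.

```python
import re

# Access-log lines copied verbatim from the post above (conn=5 is the anonymous search).
SAMPLE_LOG = '''\
[30/Apr/2020:10:23:02.362530519 +0200] conn=5 fd=64 slot=64 connection from 129.132.65.9 to 129.132.65.9
[30/Apr/2020:10:23:02.362748318 +0200] conn=5 op=0 BIND dn="" method=128 version=3
[30/Apr/2020:10:23:02.362795436 +0200] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0000179605 dn=""
[30/Apr/2020:10:23:02.363025956 +0200] conn=5 op=1 SRCH base="ou=users,o=psi,c=ch" scope=2 filter="(cn=*kohler*)" attrs=ALL
[30/Apr/2020:10:23:02.363471926 +0200] conn=5 op=1 RESULT err=0 tag=101 nentries=0 etime=0.0000606595
[30/Apr/2020:10:23:02.363649360 +0200] conn=5 op=2 UNBIND
[30/Apr/2020:10:23:02.363680129 +0200] conn=5 op=2 fd=64 closed - U1
'''

LINE_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(-?\d+) ([A-Z]+)(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def anonymous_empty_searches(log_text):
    """Return anonymous SRCH operations that ended with err=0 and nentries=0."""
    bound_as = {}   # conn -> DN of the last successful bind ("" = anonymous)
    binds = {}      # (conn, op) -> DN requested by a BIND still awaiting its RESULT
    searches = {}   # (conn, op) -> (base, filter) of a SRCH awaiting its RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open/close lines carry no operation verb
        ts, conn, op, verb, rest = m.groups()
        kv = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        key = (conn, op)
        if verb == "BIND":
            binds[key] = kv.get("dn", "")
        elif verb == "SRCH":
            searches[key] = (kv.get("base", ""), kv.get("filter", ""))
        elif verb == "RESULT" and key in binds:
            dn = binds.pop(key)
            bound_as[conn] = dn if kv.get("err") == "0" else ""
        elif verb == "RESULT" and key in searches:
            base, flt = searches.pop(key)
            # No BIND on a connection also means anonymous in LDAPv3.
            if bound_as.get(conn, "") == "" and kv.get("err") == "0" and kv.get("nentries") == "0":
                findings.append({"time": ts, "conn": conn, "base": base, "filter": flt})
    return findings


if __name__ == "__main__":
    for f in anonymous_empty_searches(SAMPLE_LOG):
        print(f"{f['time']} conn={f['conn']} base={f['base']} filter={f['filter']}")
```

A flagged search only says that the anonymous client received nothing; whether entries matching the filter exist is what the same search run as Directory Manager shows.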