search/security problem (fwd)

Jason Cross <jcross01@eng.eds.com> Thu, 29 December 1994 22:23 UTC

Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa08238; 29 Dec 94 17:23 EST
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa08234; 29 Dec 94 17:23 EST
Received: from haig.cs.ucl.ac.uk by CNRI.Reston.VA.US id aa19937; 29 Dec 94 17:23 EST
Received: from bells.cs.ucl.ac.uk by haig.cs.ucl.ac.uk with local SMTP id <g.02655-0@haig.cs.ucl.ac.uk>; Thu, 29 Dec 1994 21:31:34 +0000
Received: from gmlink.gmeds.com by bells.cs.ucl.ac.uk with Internet SMTP id <g.21854-0@bells.cs.ucl.ac.uk>; Thu, 29 Dec 1994 21:30:37 +0000
Received: from earth (earth.troy.eng.eds.com) by gmlink.gmeds.com with SMTP id AA08510 (InterLock SMTP Gateway 1.1 for <osi-ds@cs.ucl.ac.uk>); Thu, 29 Dec 1994 16:25:22 -0500
Message-Id: <199412292125.AA08510@gmlink.gmeds.com>
Received: from majorca (majorca.troy.eng.eds.com) by earth (4.1/AE-1.0) id AA08533; Thu, 29 Dec 94 16:25:19 EST
Date: Thu, 29 Dec 1994 16:26:26 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Jason Cross <jcross01@eng.eds.com>
Subject: search/security problem (fwd)
To: isogrp <osi-ds@cs.ucl.ac.uk>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"

I have a DIT structured as such:

                   c=US
                    |
                   o=Acme
                    |
     --------------------------------
     |                              |
     |                              |
   ou=Sales                       ou=Support
     |                              |
     |                              |
   cn=Al Smith                    cn=Tom Jones
   userPassword=smith             userPassword=jones
   homePhone=+1 821 555-4321      homePhone=+1 321 555-1234
   [...other attr's]              [...other attr's]

   cn=Joe Doe                     cn=Jane Todd
   [...other attr's]              [...other attr's]

The ACLs for the leaf entries are set up so that the people in
the same OU can see each other's home phone, but *not* those in 
the other OU.  Here's the ACL:

acl=    self  # write # entry &\
        self  # write # child &\
        self  # write # default &\
        others # read # entry &\
        others # read # child &\
        others # read # default &\
        others # none # attributes # homePhone &\
        others # compare # attributes # userPassword &\
        group # c=US@o=Acme@cn=Admin # write # entry &\
        group # c=US@o=Acme@cn=Admin # write # attributes # userPassword &\
        group # c=US@o=Acme@cn=Admin # write # attributes # homePhone &\
        prefix # c=US@o=Acme@ou=<Sales or Support> # read # attributes # homePhone


I have a program which uses ldap to extract information from 
the directory.

When I login to the directory via the program as "c=us@o=acme@cn=Admin" 
*and* begin the search at "c=us@o=acme@ou=sales", I receive all the 
attributes, including homePhone.  

However, when I login via the program as "c=us@o=acme@cn=Admin" *and* 
begin the search at "c=us@o=acme", I *do not* receive the homePhone 
attribute and value.

I'm not too sure if this is a quipu configuration issue or an LDAP
issue.  The only error message I can find in the quipu log files
is in dsap.log.  Any help will be appreciated.

dsap.log:

[...stuff deleted...]
(root    )  in dsa_info_new
(root    )  get_dsa_info()
(root    )  dsa_info_new - get_dsa_info (master) returned X500 ERROR
(root    )  search_refer failed: c=US@o=acme@ou=support
(root    )  Activity applied
(root    )  Listening on ads:  4.
(root    )  secs: 0; nads: 5; iads 0x10, wads 0x0
(root    )  Listening on ads:  4.
(root    )  secs: 0; nads: 5; iads 0x10, wads 0x0
(root    )  Apply operation
(root    )  ds_search continuing
(root    )  really find entry
(root    )  eis_select
(root    )  access denied for user :
(root    )    attempting mode=3
(root    )    on entry : c=US@o=Acme@@cn=Al Smith
(root    )  access denied for user :
(root    )    attempting mode=3
(root    )    on entry : c=US@o=Acme@cn=Al Smith
(root    )  eis_select
(root    )  access denied for user :
(root    )    attempting mode=3
(root    )    on entry : c=US@o=Acme@@cn=Joe Doe
(root    )  access denied for user :
(root    )    attempting mode=3
(root    )    on entry : c=US@o=Acme@cn=Joe Doe
(root    )  eis_select
(root    )  access denied for user :
(root    )    attempting mode=3
(root    )    on entry : c=US@o=Acme@@cn=Tom Jones
(root    )  access denied for user :
(root    )    attempting mode=3
(root    )    on entry : c=US@o=Acme@cn=Tom Jones
(root    )  eis_select
(root    )  access denied for user :
(root    )    attempting mode=3
(root    )    on entry : c=US@o=Acme@@cn=Jane Todd
(root    )  access denied for user :
(root    )    attempting mode=3
(root    )    on entry : c=US@o=Acme@cn=Jane Todd
[...stuff deleted...]
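Added example, not part of the message above and not quipu or ISODE code: a small model of the attribute-level ACL posted above, written so that the policy's *intended* visibility of homePhone can be computed for each requester and search base and then diffed against what the server was observed to return. The rule semantics are assumptions for illustration (the strongest matching rule wins, attribute-specific rules override the entry-wide entry/child/default rules, a "prefix" rule matches requesters located beneath the named subtree, and the Admin entry is treated as the sole member of its own group); they are not a description of quipu's real evaluation algorithm. The directory contents are constructed from the DIT drawn in the message; entries the message shows without a homePhone get none.

```python
"""Model of a quipu-style attribute-level ACL (assumed semantics, see lead-in)."""

from dataclasses import dataclass

LEVELS = {"none": 0, "compare": 1, "read": 2, "write": 3}   # assumed ordering


def norm(dn):
    """DNs in the message appear in mixed case; compare them case-insensitively."""
    return dn.lower()


def parent(dn):
    """'c=US@o=Acme@ou=Sales@cn=Al Smith' -> 'c=US@o=Acme@ou=Sales'."""
    return dn.rsplit("@", 1)[0] if "@" in dn else ""


@dataclass(frozen=True)
class Rule:
    who: str             # "self", "others", "group" or "prefix"
    perm: str            # "none", "compare", "read" or "write"
    target_dn: str = ""  # group DN (who == "group") or subtree (who == "prefix")
    attrs: tuple = ()    # attribute names; empty means an entry-wide rule


ADMIN = "c=US@o=Acme@cn=Admin"


def acl_for(entry_dn):
    """The per-leaf ACL from the message. The entry/child/default rules are
    collapsed into one entry-wide rule; the prefix rule names the leaf's own OU."""
    return (
        Rule("self", "write"),
        Rule("others", "read"),
        Rule("others", "none", attrs=("homePhone",)),
        Rule("others", "compare", attrs=("userPassword",)),
        Rule("group", "write", ADMIN),
        Rule("group", "write", ADMIN, ("userPassword", "homePhone")),
        Rule("prefix", "read", parent(entry_dn), ("homePhone",)),
    )


# Constructed directory matching the DIT drawn in the message.
ENTRIES = {
    "c=US@o=Acme@ou=Sales@cn=Al Smith":    {"homePhone": "+1 821 555-4321"},
    "c=US@o=Acme@ou=Sales@cn=Joe Doe":     {},
    "c=US@o=Acme@ou=Support@cn=Tom Jones": {"homePhone": "+1 321 555-1234"},
    "c=US@o=Acme@ou=Support@cn=Jane Todd": {},
}
GROUPS = {norm(ADMIN): {norm(ADMIN)}}   # assumption: Admin is its own group's member


def matches(rule, requester, entry_dn):
    r, e = norm(requester), norm(entry_dn)
    if rule.who == "self":
        return r == e
    if rule.who == "others":
        return True
    if rule.who == "group":
        return r in GROUPS.get(norm(rule.target_dn), set())
    if rule.who == "prefix":
        return r.startswith(norm(rule.target_dn) + "@")
    raise ValueError(rule.who)


def effective(requester, entry_dn, attr):
    """Strongest permission among matching rules for attr on entry_dn."""
    acl = acl_for(entry_dn)
    hits = [x for x in acl if attr in x.attrs and matches(x, requester, entry_dn)]
    if not hits:  # no attribute-specific rule applies: use the entry-wide rules
        hits = [x for x in acl if not x.attrs and matches(x, requester, entry_dn)]
    return max((x.perm for x in hits), key=LEVELS.get, default="none")


def subtree_search(requester, base, attr):
    """Values of attr the requester is entitled to read beneath base. The verdict
    depends only on requester and entry; the base only selects which entries
    are visited, so the same entry must come back whatever base covers it."""
    b = norm(base)
    return {dn: a[attr] for dn, a in ENTRIES.items()
            if attr in a and (norm(dn) == b or norm(dn).startswith(b + "@"))
            and LEVELS[effective(requester, dn, attr)] >= LEVELS["read"]}


def diff_observed(requester, base, attr, observed):
    """Entries the policy says should carry attr in the result but did not, and
    vice versa. A non-empty result means the server is not enforcing the policy
    as written, or the policy is not what the operator believes it is."""
    expected = subtree_search(requester, base, attr)
    return {"missing": sorted(set(expected) - set(observed)),
            "unexpected": sorted(set(observed) - set(expected))}


if __name__ == "__main__":
    # Observed results reconstructed from the message: Admin sees homePhone when
    # the search starts at ou=Sales but not when it starts at o=Acme.
    print(diff_observed(ADMIN, "c=us@o=acme@ou=sales", "homePhone",
                        {"c=US@o=Acme@ou=Sales@cn=Al Smith": "+1 821 555-4321"}))
    print(diff_observed(ADMIN, "c=us@o=acme", "homePhone", {}))
```

Run stand-alone, the first diff is empty and the second lists both homePhone-bearing entries as missing, which is exactly the symptom reported: under the policy as written the access decision never depends on the search base, so a base-dependent result points at how the server evaluates the ACL during a subtree search rather than at the ACL itself. Keeping a policy model like this beside the live directory is a cheap way to detect silent over- or under-disclosure after any ACL change.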