search/security problem (fwd)
Jason Cross <jcross01@eng.eds.com> Thu, 29 December 1994 22:23 UTC
Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa08238; 29 Dec 94 17:23 EST
Received: from CNRI.Reston.VA.US by IETF.CNRI.Reston.VA.US id aa08234; 29 Dec 94 17:23 EST
Received: from haig.cs.ucl.ac.uk by CNRI.Reston.VA.US id aa19937; 29 Dec 94 17:23 EST
Received: from bells.cs.ucl.ac.uk by haig.cs.ucl.ac.uk with local SMTP id <g.02655-0@haig.cs.ucl.ac.uk>; Thu, 29 Dec 1994 21:31:34 +0000
Received: from gmlink.gmeds.com by bells.cs.ucl.ac.uk with Internet SMTP id <g.21854-0@bells.cs.ucl.ac.uk>; Thu, 29 Dec 1994 21:30:37 +0000
Received: from earth (earth.troy.eng.eds.com) by gmlink.gmeds.com with SMTP id AA08510 (InterLock SMTP Gateway 1.1 for <osi-ds@cs.ucl.ac.uk>); Thu, 29 Dec 1994 16:25:22 -0500
Message-Id: <199412292125.AA08510@gmlink.gmeds.com>
Received: from majorca (majorca.troy.eng.eds.com) by earth (4.1/AE-1.0) id AA08533; Thu, 29 Dec 94 16:25:19 EST
Date: Thu, 29 Dec 1994 16:26:26 -0500
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Jason Cross <jcross01@eng.eds.com>
Subject: search/security problem (fwd)
To: isogrp <osi-ds@cs.ucl.ac.uk>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
I have a DIT structured like this:

    c=US
     |
    o=Acme
     |
    --------------------------------
     |                              |
    ou=Sales                        ou=Support
     |                              |
    cn=Al Smith                     cn=Tom Jones
     userPassword=smith              userPassword=jones
     homePhone=+1 821 555-4321       homePhone=+1 321 555-1234
     [...other attr's]               [...other attr's]
    cn=Joe Doe                      cn=Jane Todd
     [...other attr's]               [...other attr's]

The ACLs for the leaf entries are set up so that people in the same OU can see each other's home phone, but *not* those in the other OU. Here's the ACL:

    acl= self # write # entry &\
         self # write # child &\
         self # write # default &\
         others # read # entry &\
         others # read # child &\
         others # read # default &\
         others # none # attributes # homePhone &\
         others # compare # attributes # userPassword &\
         group # c=US@o=Acme@cn=Admin # write # entry &\
         group # c=US@o=Acme@cn=Admin # write # attributes # userPassword &\
         group # c=US@o=Acme@cn=Admin # write # attributes # homePhone &\
         prefix # c=US@o=Acme@ou=<Sales or Support> # read # attributes # homePhone

I have a program which uses LDAP to extract information from the directory. When I log in to the directory via the program as "c=us@o=acme@cn=Admin" *and* begin the search at "c=us@o=acme@ou=sales", I receive all the attributes, including homePhone. However, when I log in via the program as "c=us@o=acme@cn=Admin" *and* begin the search at "c=us@o=acme", I *do not* receive the homePhone attribute and value.

I'm not too sure if this is a quipu configuration issue or an LDAP issue. The only error message I can find in the quipu log files is in dsap.log. Any help will be appreciated.

dsap.log:

    [...stuff deleted...]
    (root ) in dsa_info_new
    (root ) get_dsa_info()
    (root ) dsa_info_new - get_dsa_info (master) returned X500 ERROR
    (root ) search_refer failed: c=US@o=acme@ou=support
    (root ) Activity applied
    (root ) Listening on ads: 4.
    (root ) secs: 0; nads: 5; iads 0x10, wads 0x0
    (root ) Listening on ads: 4.
    (root ) secs: 0; nads: 5; iads 0x10, wads 0x0
    (root ) Apply operation
    (root ) ds_search continuing
    (root ) really find entry
    (root ) eis_select
    (root ) access denied for user :
    (root ) attempting mode=3
    (root ) on entry : c=US@o=Acme@@cn=Al Smith
    (root ) access denied for user :
    (root ) attempting mode=3
    (root ) on entry : c=US@o=Acme@cn=Al Smith
    (root ) eis_select
    (root ) access denied for user :
    (root ) attempting mode=3
    (root ) on entry : c=US@o=Acme@@cn=Joe Doe
    (root ) access denied for user :
    (root ) attempting mode=3
    (root ) on entry : c=US@o=Acme@cn=Joe Doe
    (root ) eis_select
    (root ) access denied for user :
    (root ) attempting mode=3
    (root ) on entry : c=US@o=Acme@@cn=Tom Jones
    (root ) access denied for user :
    (root ) attempting mode=3
    (root ) on entry : c=US@o=Acme@cn=Tom Jones
    (root ) eis_select
    (root ) access denied for user :
    (root ) attempting mode=3
    (root ) on entry : c=US@o=Acme@@cn=Jane Todd
    (root ) access denied for user :
    (root ) attempting mode=3
    (root ) on entry : c=US@o=Acme@cn=Jane Todd
    [...stuff deleted...]
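To see what the ACL in the post grants on its own terms, here is an added example (not code from the post, and not quipu or ISODE code) that parses the ACL exactly as written and evaluates it for the identities in the DIT above. The clause grammar is the post's; the evaluation rules are assumptions about quipu semantics, not checked against the quipu source: a `prefix # DN` clause matches requesters whose own DN lies under DN, an `attributes` clause that names the attribute replaces the `default` clause for it, and among the clauses that apply the highest permission wins. It also assumes the `<Sales or Support>` placeholder holds each OU's own name and that the `cn=Admin` login is a member of the `cn=Admin` group. The entries are constructed from the DIT with only the attributes the post shows.

```python
"""Simplified model of the ACL from the post (added example, assumed semantics)."""

PERM_LEVEL = {"none": 0, "compare": 1, "read": 2, "write": 3}

# The ACL as the post writes it; the placeholder is filled in per OU below
# (assumption: each OU's leaves name their own OU in the prefix clause).
ACL_TEMPLATE = r"""acl= self # write # entry &\
     self # write # child &\
     self # write # default &\
     others # read # entry &\
     others # read # child &\
     others # read # default &\
     others # none # attributes # homePhone &\
     others # compare # attributes # userPassword &\
     group # c=US@o=Acme@cn=Admin # write # entry &\
     group # c=US@o=Acme@cn=Admin # write # attributes # userPassword &\
     group # c=US@o=Acme@cn=Admin # write # attributes # homePhone &\
     prefix # c=US@o=Acme@ou=<Sales or Support> # read # attributes # homePhone"""


def parse_acl(text):
    """Split 'acl= who # perm # what [# attr ...] &\\ ...' into clause dicts."""
    body = text.strip()
    if body.startswith("acl="):
        body = body[len("acl="):]
    clauses = []
    for raw in body.replace("\\", " ").split("&"):   # '&\' is the continuation form
        fields = [f.strip() for f in raw.split("#") if f.strip()]
        if not fields:
            continue
        who = fields[0].lower()
        subject = fields.pop(1).lower() if who in ("group", "prefix") else None
        clauses.append(dict(who=who, subject=subject, perm=fields[1].lower(),
                            what=fields[2].lower(), attrs=[a.lower() for a in fields[3:]]))
    return clauses


def norm(dn):
    return dn.strip().lower()


def under(dn, base):
    """True if dn equals base or lies below it ('@'-separated quipu DNs)."""
    return norm(dn) == norm(base) or norm(dn).startswith(norm(base) + "@")


def applies(clause, user_dn, user_groups, entry_dn):
    who = clause["who"]
    if who == "self":
        return norm(user_dn) == norm(entry_dn)
    if who == "others":
        return True
    if who == "group":
        return clause["subject"] in {norm(g) for g in user_groups}
    if who == "prefix":                      # assumption: prefix tests the requester's DN
        return under(user_dn, clause["subject"])
    return False


def effective_perm(clauses, user_dn, user_groups, entry_dn, attribute):
    """Permission the requester gets on one attribute of one entry (assumed rules)."""
    attr = attribute.lower()
    applicable = [c for c in clauses if applies(c, user_dn, user_groups, entry_dn)]
    specific = [c for c in applicable if c["what"] == "attributes" and attr in c["attrs"]]
    pool = specific or [c for c in applicable if c["what"] == "default"]
    return max((c["perm"] for c in pool), key=PERM_LEVEL.get, default="none")


def can_read(clauses, user_dn, user_groups, entry_dn, attribute):
    perm = effective_perm(clauses, user_dn, user_groups, entry_dn, attribute)
    return PERM_LEVEL[perm] >= PERM_LEVEL["read"]


def ou_of(dn):
    return next((rdn[3:] for rdn in dn.split("@") if rdn.lower().startswith("ou=")), "")


def acl_for(entry_dn):
    return parse_acl(ACL_TEMPLATE.replace("<Sales or Support>", ou_of(entry_dn)))


# Constructed sample entries, carrying only the attributes shown in the post.
AL, JOE = "c=US@o=Acme@ou=Sales@cn=Al Smith", "c=US@o=Acme@ou=Sales@cn=Joe Doe"
TOM, JANE = "c=US@o=Acme@ou=Support@cn=Tom Jones", "c=US@o=Acme@ou=Support@cn=Jane Todd"
ENTRIES = {
    AL: {"userPassword": "smith", "homePhone": "+1 821 555-4321"},
    TOM: {"userPassword": "jones", "homePhone": "+1 321 555-1234"},
    JOE: {}, JANE: {},
}
ADMIN = "c=US@o=Acme@cn=Admin"
ADMIN_GROUPS = [ADMIN]   # assumption: the Admin login is a member of the Admin group


def visible_attrs(user_dn, user_groups, base_dn, entries=ENTRIES):
    """Model of a subtree search from base_dn: the attributes of each entry under
    the base that the requester may read.  The base only selects entries; it is
    not an input to the per-entry ACL decision."""
    return {dn: sorted(a for a in attrs if can_read(acl_for(dn), user_dn, user_groups, dn, a))
            for dn, attrs in entries.items() if under(dn, base_dn)}


if __name__ == "__main__":
    for base in ("c=US@o=Acme", "c=US@o=Acme@ou=Sales"):
        print(base, visible_attrs(ADMIN, ADMIN_GROUPS, base))
    print("Joe on Al's homePhone:", effective_perm(acl_for(AL), JOE, [], AL, "homePhone"))
    print("Tom on Al's homePhone:", effective_perm(acl_for(AL), TOM, [], AL, "homePhone"))
```

Under these assumptions the Admin group gets `write` (hence read) on `homePhone` whichever base the search starts from, a same-OU user gets `read` via the prefix clause, and a user from the other OU gets `none`, which is the policy the post describes. The dsap.log lines above, by contrast, record each check as "access denied for user :" with nothing after the colon and against DNs such as `c=US@o=Acme@@cn=Al Smith`; whatever the cause, that is the identity and DN form to compare against when deciding whether the ACL or the continued search is at fault.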