[389-users] ACL doesn't work

Grzegorz Dwornicki gd1100 at gmail.com
Thu Sep 27 19:41:09 UTC 2012


Look closer: you first bind as directory manager but later you bind as test.
That second bind doesn't make any sense to me. Please attach the ldapsearch log
and audit logs. This may give someone, including myself, some clues about the
problem.

Greg.
On 27 Sep 2012 21:35, "Satish Patel" <satish.txt at gmail.com> wrote:

> Maybe I am binding the DN using cn=directory manager and because of that it
> doesn't understand about the test or test4 user, and because of that it ignores the ACL.
>
> On Tue, Sep 25, 2012 at 7:31 PM, Grzegorz Dwornicki <gd1100 at gmail.com> wrote:
>
>> I have to admit I thought that the access log for the webapp would show an anomaly,
>> but I was wrong. If ldapsearch does not bind, please show us the logs of these.
>> Maybe comparing the logs will tell us something...
>>
>> Greg.
>> On 25 Sep 2012 20:17, "Satish Patel" <satish.txt at gmail.com> wrote:
>>
>>> Ah! I was testing multiple users. test and test4 both have the ACL and have the
>>> same problem.
>>>
>>> On Tue, Sep 25, 2012 at 2:16 PM, Patrick Morris <patrick.morris at hp.com> wrote:
>>>
>>>> On 9/25/2012 11:07 AM, Satish Patel wrote:
>>>>
>>>> This is what I got in the access logs.
>>>>
>>>>
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
>>>>> [25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
>>>>> [25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
>>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
>>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
>>>>> [25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
>>>>>
>>>>
>>>> On Tue, Sep 25, 2012 at 1:46 PM, Grzegorz Dwornicki <gd1100 at gmail.com> wrote:
>>>>
>>>>> Can you provide logs from FDS when you are trying to log in via the
>>>>> application?
>>>>>
>>>>> Greg.
>>>>> On 25 Sep 2012 19:27, "Satish Patel" <satish.txt at gmail.com> wrote:
>>>>>
>>>>>> Hello ALL,
>>>>>>
>>>>>> I have a web-based application and users authenticate to the web application
>>>>>> using Directory Service (FDS). I want to restrict some users from being allowed to
>>>>>> log in, so I have implemented a host-based deny ACL. But somehow it doesn't work.
>>>>>> Maybe I am missing something. The following is the ACL I have:
>>>>>>
>>>>>> (targetattr = "*") (version 3.0;acl "Host ACL";deny (all)(userdn = "ldap:///uid=test,ou=People,dc=example,dc=com") and (ip="10.101.100.236");)
>>>>>>
>>>>>> But the interesting thing is, it works with ldapsearch but not with the web
>>>>>> application?
>>>>>>
>>>>>
>>>> Your ACL specifies "uid=test," but that bind was done with "test4".
>>>>
>>>> --
>>>> 389 users mailing list
>>>> 389-users at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
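As an added example, not code from the thread or from the 389 DS project, the following Python script reads 389 DS access-log records like the ones Satish posted, pairs each BIND with the RESULT that shares its conn/op numbers, and checks the bound identity and client IP of every connection against the subject clause of the posted ACI, (userdn = "ldap:///...") and (ip = "..."). It assumes the log has one line per record (the list archive wrapped the long lines, so the sample below re-joins them), that the root DN is cn=Directory Manager as in the log, and that the root DN is exempt from ACI evaluation. Run on the thread's own excerpt it shows why neither connection is governed by the ACI: conn=497 is bound as the root DN, and conn=498 is bound as uid=test4 rather than the uid=test the ACI names.

```python
"""Correlate 389 DS access-log BIND/RESULT records per connection and test
each authenticated identity against the subject clause of a deny ACI.
Added example for the thread above; not part of 389 DS."""
import re
from collections import OrderedDict

# Constructed sample: the thread's access-log excerpt, re-joined to one line
# per record (the list archive had wrapped the long lines).
SAMPLE_LOG = """\
[25/Sep/2012:14:04:36 -0400] conn=497 fd=75 slot=75 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=497 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=test4)(objectClass=person))" attrs="1.1"
[25/Sep/2012:14:04:36 -0400] conn=497 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Sep/2012:14:04:36 -0400] conn=498 fd=76 slot=76 connection from 10.101.100.236 to 10.10.52.10
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 UNBIND
[25/Sep/2012:14:04:36 -0400] conn=497 op=2 fd=75 closed - U1
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 BIND dn="uid=test4,ou=People,dc=example,dc=com" method=128 version=3
[25/Sep/2012:14:04:36 -0400] conn=498 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=test4,ou=people,dc=example,dc=com"
[25/Sep/2012:14:04:36 -0400] conn=498 op=1 UNBIND
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to \S+')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d filter="([^"]*)"')

# Assumption: the root DN is cn=Directory Manager, as in the log. The root DN
# bypasses ACI evaluation, so no ACI can constrain operations it performs.
ROOT_DN = "cn=directory manager"


def normalize_dn(dn):
    """Lower-case and trim RDN components so "cn=Directory Manager" and
    "cn=directory manager" compare equal (the log prints both forms)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def _new_conn(ip):
    return {"ip": ip, "bind_dn": None, "bind_ok": None, "searches": []}


def parse_access_log(text):
    """Return {conn_id: {"ip", "bind_dn", "bind_ok", "searches"}} in order
    of first appearance. A BIND's outcome comes from the RESULT record that
    carries the same conn/op pair, so interleaved connections stay separate."""
    conns = OrderedDict()
    pending_binds = {}  # (conn, op) -> normalized DN awaiting its RESULT
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns[m.group(1)] = _new_conn(m.group(2))
            continue
        m = BIND_RE.search(line)
        if m:
            pending_binds[(m.group(1), m.group(2))] = normalize_dn(m.group(3)) or "anonymous"
            continue
        m = SRCH_RE.search(line)
        if m:
            conns.setdefault(m.group(1), _new_conn("?"))["searches"].append((m.group(3), m.group(4)))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending_binds:
            conn = conns.setdefault(m.group(1), _new_conn("?"))
            conn["bind_dn"] = pending_binds.pop((m.group(1), m.group(2)))
            conn["bind_ok"] = m.group(3) == "0"
    return conns


def aci_subject_matches(conn, aci_userdn, aci_ip):
    """Evaluate the subject half of the posted ACI,
    (userdn = "ldap:///<dn>") and (ip = "<addr>"), against one connection.
    Returns (applies, reason)."""
    if conn["bind_dn"] is None or not conn["bind_ok"]:
        return False, "no successful bind on this connection"
    if conn["bind_dn"] == ROOT_DN:
        return False, "bound as the root DN, which is not subject to ACIs"
    want_dn = normalize_dn(aci_userdn.replace("ldap:///", "", 1))
    if conn["bind_dn"] != want_dn:
        return False, "bind DN %s is not the ACI's userdn %s" % (conn["bind_dn"], want_dn)
    if conn["ip"] != aci_ip:
        return False, "client IP %s does not match the ACI's ip %s" % (conn["ip"], aci_ip)
    return True, "userdn and ip both match; deny (all) governs this connection's operations"


def audit(log_text, aci_userdn, aci_ip):
    """Return one (conn_id, client_ip, bind_dn, applies, reason) row per connection."""
    rows = []
    for cid, conn in parse_access_log(log_text).items():
        applies, reason = aci_subject_matches(conn, aci_userdn, aci_ip)
        rows.append((cid, conn["ip"], conn["bind_dn"], applies, reason))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, "ldap:///uid=test,ou=People,dc=example,dc=com", "10.101.100.236"):
        print("conn=%s ip=%s bind=%s aci_applies=%s (%s)" % row)
```

Running it prints one row per connection: the application's user lookup on conn=497 is exempt because it is bound as the root DN, and the password check on conn=498 is bound as uid=test4, so neither row reports the ACI as applying. Passing uid=test4 as the userdn argument makes conn=498 match, which is the check worth making from the access log before concluding that an ACI is being ignored.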