
List:       forgerock-opendj
Subject:    [Opendj] pagedResultsControl & Insufficient Access
From:       mark.craig () gmail ! com (Mark Craig)
Date:       2011-08-31 6:16:59
Message-ID: CACFdy_9_OWpmWubWCArvj92op4nNXGMyM8BSqqAgo=m9FZpNpg () mail ! gmail ! com

Hello,

This means the Solaris LDAP clients are sending the simple paged results
control, which OpenDJ supports, as mentioned in
http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide/appendix-controls.html

From http://tools.ietf.org/html/rfc2696, "This control extension allows a
client to control the rate at which an LDAP server returns the results of an
LDAP search operation. This control may be useful when the LDAP client
has limited resources and may not be able to process the entire result set
from a given LDAP query, or when the LDAP client is connected over a
low-bandwidth connection."

With dsconfig I see the following global-aci including the paged results
control is set by default in OpenDJ:

$ ./dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
    get-access-control-handler-prop
Property   : Value(s)
-----------:-------------------------------------------------------------------
enabled    : true
global-aci : (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 ||
...
           : (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2
           : || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 ||
           : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 ||
           : 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version
           : 3.0; acl "Authenticated users control access"; allow(read)
           : userdn="ldap:///all";)
...

ldap:///all in that ACI only matches authenticated clients. So if the
Solaris LDAP client is requesting paged results as anonymous and you want to
let that through, you could add an ACI such as:

(targetcontrol="1.2.840.113556.1.4.319")(version 3.0; acl "Anonymous users
can request simple paged results"; allow(read) userdn="ldap:///anyone";)

For more about access control, see
http://opendj.forgerock.org/doc/admin-guide/OpenDJ-Admin-Guide/chap-privileges-acis.html

Regards,
Mark

On Tue, Aug 30, 2011 at 11:53 PM, Jason J. W. Williams <
jasonjwwilliams at gmail.com> wrote:

> Hello,
>
> I've noticed the following message in the OpenDJ access logs when our
> Solaris LDAP clients are accessing:
>
> "The request control with Object Identifier (OID)
> "1.2.840.113556.1.4.319" cannot be used due to insufficient access
> rights"
>
> It doesn't seem to prevent the Solaris clients from getting user and
> group information, and it doesn't come up with the Linux clients. What
> does this error really mean and how can I change my configuration to
> avoid it? Thank you in advance.
>
> -J
> _______________________________________________
> OpenDJ mailing list
> OpenDJ at forgerock.org
> https://lists.forgerock.org/mailman/listinfo/opendj
>



-- 
*Mark Craig*
mark.craig at gmail.com
http://marginnotes2.wordpress.com
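The two halves of the exchange above, as an added example that is not part of the list post or of OpenDJ's own code: the BER value a client puts in the control with OID 1.2.840.113556.1.4.319 (RFC 2696: SEQUENCE { size INTEGER, cookie OCTET STRING }), and a deliberately simplified model of how a targetcontrol ACI decides whether an anonymous or authenticated bind may use that control. The ACI model is an assumption for illustration: it understands only userdn="ldap:///all" and "ldap:///anyone", allow/deny, and the read right, whereas real OpenDJ evaluation is richer. The default ACI string is the one printed by dsconfig in the post; the anonymous ACI is the one proposed in the reply, written with the three slashes the ldap:/// URL form takes.

```python
"""Simple paged results (RFC 2696) vs. OpenDJ targetcontrol ACIs.

Added example, not code from the list post or from OpenDJ. The ACI
evaluation below is a simplified model (assumption), not OpenDJ's.
"""
from __future__ import annotations

import re

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


# --- RFC 2696 control value: SEQUENCE { size INTEGER, cookie OCTET STRING } ---

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form from 128 up."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_uint(value: int) -> bytes:
    """BER INTEGER for a non-negative value: minimal two's-complement bytes,
    with a leading 0x00 whenever the top bit would otherwise read as a sign."""
    if value < 0:
        raise ValueError("page size must be non-negative")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _ber_len(len(body)) + body


def encode_paged_results_value(size: int, cookie: bytes = b"") -> bytes:
    """Build the control value. An empty cookie asks for the first page; the
    server returns an opaque cookie to send back for the next page, and an
    empty cookie in its response means the result set is exhausted."""
    inner = _ber_uint(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one BER tag/length/value; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_paged_results_value(value: bytes) -> tuple[int, bytes]:
    """Parse a control value (e.g. from a server response) into (size, cookie)."""
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    tag, size_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02 or not size_bytes:
        raise ValueError("expected INTEGER size")
    tag, cookie, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


# --- Simplified targetcontrol ACI evaluation (assumption, not OpenDJ's code) ---

_ACI_RE = re.compile(
    r'\(targetcontrol="(?P<controls>[^"]*)"\)\s*\(version 3\.0;\s*acl "[^"]*";\s*'
    r'(?P<effect>allow|deny)\((?P<rights>[^)]*)\)\s*userdn="ldap:///(?P<who>all|anyone)";\)'
)

# The default global-aci printed by dsconfig in the post (targetcontrol entry).
DEFAULT_CONTROL_ACI = (
    '(targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 '
    '|| 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || '
    '2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || '
    '1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; '
    'acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)'
)

# The ACI proposed in the reply for anonymous clients.
ANONYMOUS_PAGED_ACI = (
    '(targetcontrol="1.2.840.113556.1.4.319")(version 3.0; acl "Anonymous users '
    'can request simple paged results"; allow(read) userdn="ldap:///anyone";)'
)


def control_permitted(oid: str, authenticated: bool, acis: list[str]) -> bool:
    """Controls are deny-by-default: some ACI must grant read on the OID to the
    bind identity. "all" matches only authenticated binds, "anyone" also
    matches anonymous binds; an explicit deny wins over any allow."""
    allowed = False
    for aci in acis:
        m = _ACI_RE.search(aci)
        if m is None:
            raise ValueError(f"unsupported ACI syntax in this model: {aci!r}")
        controls = [c.strip() for c in m["controls"].split("||")]
        rights = [r.strip() for r in m["rights"].split(",")]
        if oid not in controls and "*" not in controls:
            continue
        if m["who"] == "all" and not authenticated:
            continue
        if "read" not in rights:
            continue
        if m["effect"] == "deny":
            return False
        allowed = True
    return allowed
```

With only the default ACI, `control_permitted(PAGED_RESULTS_OID, authenticated=False, ...)` is False, which is the situation behind the "insufficient access rights" message for an anonymous Solaris client; adding `ANONYMOUS_PAGED_ACI` to the list flips it to True. The encoder shows what that client sends for a first page of 100 entries: `30 05 02 01 64 04 00`.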
