ACL syntax of by <who> (ITS#1246)
Full_Name: Jim Campbell
Version: 2.0.11
OS: Solaris
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (147.188.40.2)
It is not immediately obvious from the blurb and the man page what the syntax is for
the ACL to match a userid when doing a SASL bind.
Attempting to change a password using Solaris 8 Native client shows:
do_sasl_bind: dn (uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK) mech CRAM-MD5
conn=4 op=0 BIND dn="UID=JC,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK" method=163
==> sasl_bind: dn="uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" mech=CRAM-MD5 datalen=0
with the request dump:
0000: 02 01 02 60 81 94 02 01 03 04 30 75 69 64 3d 6a ...`......0uid=j
0010: 63 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 4e c,ou=People,dc=N
0020: 50 2c 64 63 3d 50 48 2c 64 63 3d 42 48 41 4d 2c P,dc=PH,dc=BHAM,
0030: 64 63 3d 41 43 2c 64 63 3d 55 4b a3 5d 04 08 43 dc=AC,dc=UK.]..C
0040: 52 41 4d 2d 4d 44 35 04 51 75 69 64 3d 6a 63 2c RAM-MD5.Quid=jc,
0050: 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 4e 50 2c ou=People,dc=NP,
0060: 64 63 3d 50 48 2c 64 63 3d 42 48 41 4d 2c 64 63 dc=PH,dc=BHAM,dc
0070: 3d 41 43 2c 64 63 3d 55 4b 20 61 65 34 37 66 63 =AC,dc=UK ae47fc
the sasl dump looks like:
do_sasl_bind: dn (uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK) mech CRAM-MD5
conn=4 op=1 BIND dn="UID=JC,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK" method=163
==> sasl_bind: dn="uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" mech=<continuing> datalen=81
SASL Authorize [conn=4]: authcid="uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" authzid="uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK"
SASL Authorize [conn=4]: "uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" as "u:uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK"
slap_sasl_bind: username="u:uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" realm="npsmx" ssf=0
<== slap_sasl_bind: authzdn: "uid=uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK + realm=npsmx"
and the acl access dump:
=> access_allowed: write access to "uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK attr: userPassword
=> acl_mask: access to entry "uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK", attr "userPassword" requested
=> acl_mask: to value by "UID=UID=JC,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX", (=n)
so it looks like the slapd.conf requires
NOT what I have, which is:
access to attr=userPassword
by dn="cn=admin,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" write
by dn="cn=proxyagent,ou=profile,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" read
by self write
by anonymous auth
by * none
which can't match "self",
BUT something like:
access to attr=userPassword
by uid="uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK+realm=npsmx"
can I do
by uid=self+realm *
cheers
Jim
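To make the mismatch in the report concrete, here is an added example that is not part of the original post or of OpenLDAP itself. It pulls the target entry DN and the authorization DN out of the `acl_mask` debug lines quoted above (copied inline as constructed sample input), normalises both, and reports whether a `by self` clause would match. The model of `self` used here is an assumption for illustration: the clause matches only when the authorization DN and the entry DN are the same DN after a simplified normalisation (lower-case, whitespace around separators removed), which is not slapd's real DN normaliser but is enough to show why `uid=uid=jc,...+realm=npsmx` cannot equal `uid=jc,...`.

```python
"""Diagnose why a 'by self' ACL clause does not match after a SASL bind.

Added illustration, not OpenLDAP code. The comparison rule is a simplified
model of 'self' (normalised string equality of entry DN and authz DN).
"""
import re

# Constructed sample: acl_mask lines copied from the debug output in the report.
SAMPLE_LOG = """\
=> access_allowed: write access to "uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" "userPassword" requested
=> acl_get: [1] check attr userPassword
=> acl_mask: access to entry "uid=jc,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK", attr "userPassword" requested
=> acl_mask: to value by "UID=UID=JC,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX", (=n)
"""

# The entry being accessed and the identity the ACL is evaluated against.
ENTRY_RE = re.compile(r'=> acl_mask: access to entry "([^"]*)"')
BY_RE = re.compile(r'=> acl_mask: to value by "([^"]*)"')


def normalize_dn(dn):
    """Simplified DN normalisation: lower-case every RDN, strip stray spaces.

    Only the first '=' of each RDN is treated as the type/value separator, so
    an RDN like 'uid=uid=jc' keeps the inner 'uid=jc' as its value.
    """
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        rdns.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def extract_dns(log_text):
    """Return (entry_dn, authz_dn) from acl_mask debug lines, or None for a missing one."""
    entry_dn = authz_dn = None
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entry_dn = m.group(1)
        m = BY_RE.search(line)
        if m:
            authz_dn = m.group(1)
    return entry_dn, authz_dn


def self_matches(entry_dn, authz_dn):
    """Model of 'by self': the bound identity must be the entry being accessed."""
    return normalize_dn(entry_dn) == normalize_dn(authz_dn)


def diagnose(log_text):
    """Summarise what the ACL evaluator saw and whether 'by self' could apply."""
    entry_dn, authz_dn = extract_dns(log_text)
    if entry_dn is None or authz_dn is None:
        return None
    return {
        "entry": normalize_dn(entry_dn),
        "authz": normalize_dn(authz_dn),
        "self_matches": self_matches(entry_dn, authz_dn),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print("entry DN :", result["entry"])
    print("authz DN :", result["authz"])
    print("by self  :", "matches" if result["self_matches"] else "does not match")
```

Run against the quoted log the script reports that `by self` does not match, because the authorization DN slapd derived from the SASL username (`uid=uid=jc,...+realm=npsmx`) is a different string from the entry DN even after case folding; the same comparison returns a match for the plain `op=0` bind DN, which differs from the entry DN only in case.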