
Re: ACL problems: (was: objectIdentifierMatch)



At 10:04 AM 2002-09-26, Quanah Gibson-Mount wrote:


>--On Wednesday, September 25, 2002 8:03 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
>
>>Changed the subject as this has nothing to do with the
>>objectIdentifierMatch issue previously reported.
>>
>>As far as debugging your problem, I suggest you examine
>>logs to determine what's going here.  Enabling ACL logging
>>would likely be particularly informative.
>>
>>The only curious thing I see in your post is your comment:
>>>I am a member of both ldapadmin, and supervisor.  Still,
>>>with this setup, I cannot bind as either of them
>>
>>This implies you are not authenticating as yourself but as
>>  cn=supervisor,cn=applications,dc=stanford,dc=edu
>>or
>>  cn=ldapadmin,cn=applications,dc=stanford,dc=edu
>>
>>Or maybe you are authenticating as yourself and assuming
>>one of these identities.
>
>Well, that is what <should> happen, but isn't happening. ;)
>
>I think the problem lies within the fact that we are using SASL GSSAPI.
>
>I've now exposed the sasl-regexp attributes to * read, and I now get the correct authcDN of suRegID=<my suRegID>.  I've also tried exposing the member attribute to * read, but that does not solve the problem either.
>
>do_bind: SASL/GSSAPI bind: dn="suRegID=85e49978f61311d2a3662436000baa77,cn=People,dc=stanford,dc=edu"
>
>I've also allowed access to * by users search
>
>My suRegID is a group member of Supervisor and of LdapAdmin.

Neither of these groups includes the above DN.


># supervisor, Applications, stanford.edu
>dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
>objectClass: groupOfNames
>cn: supervisor
>member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
>member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
>
># ldapAdmin, Applications, stanford.edu
>dn: cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu
>objectClass: groupOfNames
>cn: ldapAdmin
>member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
>member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
>member: suRegID=118217f4e76411d184232436000baa77,cn=People,dc=stanford,dc=edu
>
>What I see in the logs when the ldapsearch goes through is that it is reporting that I'm not a member:
>
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 248973 local4.debug] => bdb_group: gr dn: "cn=supervisor,cn=applications,dc=stanford,dc=edu"
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 231450 local4.debug] => bdb_group: op dn: "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 529798 local4.debug] => bdb_group: oc: "groupOfNames" at: "member"
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 461965 local4.debug] => bdb_group: tr dn: "dc=stanford,dc=edu"
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 749508 local4.debug] bdb_dn2entry_rw("cn=supervisor,cn=applications,dc=stanford,dc=edu")
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 157115 local4.debug] => bdb_dn2id( "cn=supervisor,cn=applications,dc=stanford,dc=edu" )
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 697587 local4.debug] <= bdb_dn2id: got id=0x00000005
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 548982 local4.debug] entry_decode: "cn=supervisor,cn=Applications,dc=stanford,dc=edu"
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 184541 local4.debug] <= entry_decode(cn=supervisor,cn=Applications,dc=stanford,dc=edu)
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 257784 local4.debug] => bdb_group: found group: "cn=supervisor,cn=applications,dc=stanford,dc=edu"
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 721865 local4.debug] <= bdb_group: found objectClass groupOfNames and member
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 114958 local4.debug] >>> dnNormalize: <suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu>
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 631365 local4.debug] <= bdb_group: "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu" not in "cn=supervisor,cn=applications,dc=stanford,dc=edu": member
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 416987 local4.debug] ====> bdb_cache_return_entry_r( 5 ): created (0)
>Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 340953 local4.debug] bdb_group: rc=1
>
>--
>Quanah Gibson-Mount
>Senior Systems Administrator
>ITSS/TSS/Computing Systems
>Stanford University
>GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
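The membership test that slapd walks through in the quoted bdb_group lines (fetch the group entry, check objectClass and attribute, dnNormalize the bound DN, compare it with each member value) reproduced as an added example. This is not code from the thread or from OpenLDAP; it is a Python approximation written for this page. The LDIF is the two group entries quoted above, and the two DNs under test are the one in the do_bind line and the one in the bdb_group "op dn" line. It assumes every attribute in these DNs uses caseIgnore matching, so normalization is just case folding and whitespace trimming; escaped separators inside DN values are not handled.

```python
"""Approximate slapd's ACL group check for a groupOfNames/member group.

Added example for this thread, not OpenLDAP code. Assumption: all RDN
attribute types involved (suRegID, cn, dc) match case-insensitively, so
dnNormalize reduces to lower-casing and trimming, which is what the quoted
">>> dnNormalize: <...cn=people...>" line shows for the cn component.
"""

# Constructed from the two group entries quoted in the message.
GROUPS_LDIF = """
# supervisor, Applications, stanford.edu
dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: supervisor
member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu

# ldapAdmin, Applications, stanford.edu
dn: cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=118217f4e76411d184232436000baa77,cn=People,dc=stanford,dc=edu
"""

SUPERVISOR_GROUP = "cn=supervisor,cn=applications,dc=stanford,dc=edu"
LDAPADMIN_GROUP = "cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"

# DN reported by the do_bind line in the message.
BIND_DN_FROM_DO_BIND = "suRegID=85e49978f61311d2a3662436000baa77,cn=People,dc=stanford,dc=edu"
# DN reported by the "bdb_group: op dn" line in the message.
OP_DN_FROM_BDB_GROUP = "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"


def normalize_dn(dn: str) -> str:
    """Case-fold and trim each RDN (assumes caseIgnore attributes, no escaped commas)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(parts)


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: {normalized dn: {lowercase attr: [values]}}; no base64, no folding."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None            # blank line ends the entry
            continue
        if line.startswith("#"):
            continue                  # LDIF comment
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = {}
            entries[normalize_dn(value)] = current
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    return entries


ENTRIES = parse_ldif(GROUPS_LDIF)


def is_group_member(entries: dict, group_dn: str, op_dn: str,
                    oc: str = "groupOfNames", attr: str = "member") -> bool:
    """Mirror the bdb_group steps: find group, check objectClass/attr, compare normalized DNs."""
    group = entries.get(normalize_dn(group_dn))
    if group is None:
        return False                  # group entry not found
    if oc.lower() not in (v.lower() for v in group.get("objectclass", [])):
        return False                  # group lacks the required objectClass
    target = normalize_dn(op_dn)
    return any(normalize_dn(v) == target for v in group.get(attr.lower(), []))


def first_mismatch(dn_a: str, dn_b: str) -> int:
    """Index of the first differing character after normalization, or -1 if equal."""
    a, b = normalize_dn(dn_a), normalize_dn(dn_b)
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    for label, dn in (("do_bind DN", BIND_DN_FROM_DO_BIND),
                      ("bdb_group op dn", OP_DN_FROM_BDB_GROUP)):
        for group in (SUPERVISOR_GROUP, LDAPADMIN_GROUP):
            print(f"{label}: member of {group}? {is_group_member(ENTRIES, group, dn)}")
    print("first differing character between the two DNs:",
          first_mismatch(BIND_DN_FROM_DO_BIND, OP_DN_FROM_BDB_GROUP))
```

Run as-is, it shows that the DN from the do_bind line is not in either group (the suRegID differs from the listed member values at one character, which `first_mismatch` locates), while the DN from the bdb_group "op dn" line does compare equal to a member value after case folding. The example only reproduces the normalized string comparison; where slapd still reports a DN "not in" a group that compares equal here, the comparison the example makes is not the one that failed, and the next thing to check is the member values as actually stored in the group entry (search the group as a DN that can read member, and compare the raw values to the op dn in the log).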