[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL problems: (was: objectIdentifierMatch)

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: ACL problems: (was: objectIdentifierMatch)
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 26 Sep 2002 19:29:03 -0700
Cc: Howard Chu <hyc@symas.com>, openldap-bugs@OpenLDAP.org
Content-disposition: inline
In-reply-to: <5.1.0.14.0.20020926183732.04653968@127.0.0.1>
References: <5.1.0.14.0.20020925194003.041b2a28@127.0.0.1> <NMEFLNHODBAOPDKNNJALGECDDOAA.hyc@symas.com> <NMEFLNHODBAOPDKNNJALGECDDOAA.hyc@symas.com> <5.1.0.14.0.20020925194003.041b2a28@127.0.0.1> <5.1.0.14.0.20020926183732.04653968@127.0.0.1>

--On Thursday, September 26, 2002 6:39 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

do_bind: SASL/GSSAPI bind:
dn="suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=ed
u"
I've also allowed access to * by users search
My suRegID is a group member of Supervisor and of LdapAdmin.
Neither of these groups includes the above DN.


Kurt,

Typo on my part. I had typed the above suRegID bit in by hand. So, anyhow, it is indeed a member of the groups, and the problem remains. Here is my entry from the directory:

# 85e49978f61311d2ae662436000baa77, People, stanford.edu
dn: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: suPerson
objectClass: suKerberosService
objectClass: krb5Principal
cn: quanah gibson mount
sn: gibson mount
givenName: Quanah
displayName: Quanah Gibson-Mount
suDisplaynameLF: Gibson-Mount, Quanah
krbName: quanah@IR.STANFORD.EDU
suKrb5name: quanah@stanford.edu
krb5PrincipalName: quanah/root@stanford.edu


--Quanah

# supervisor, Applications, stanford.edu
dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: supervisor
member:
suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member:
suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu

# ldapAdmin, Applications, stanford.edu
dn: cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member:
suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member:
suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member:
suRegID=118217f4e76411d184232436000baa77,cn=People,dc=stanford,dc=edu

What I see in the logs is that when the ldapsearch goes through, is that
it is reporting that I'm not a member:

Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 248973
local4.debug] => bdb_group: gr dn:
"cn=supervisor,cn=applications,dc=stanford,dc=edu" Sep 26 09:56:50
ldap2.Stanford.EDU slapd[16583]: [ID 231450 local4.debug] => bdb_group:
op dn:
"suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 529798
local4.debug] => bdb_group: oc: "groupOfNames" at: "member" Sep 26
09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 461965 local4.debug] =>
bdb_group: tr dn: "dc=stanford,dc=edu" Sep 26 09:56:50
ldap2.Stanford.EDU slapd[16583]: [ID 749508 local4.debug]
bdb_dn2entry_rw("cn=supervisor,cn=applications,dc=stanford,dc=edu") Sep
26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 157115 local4.debug] =>
bdb_dn2id( "cn=supervisor,cn=applications,dc=stanford,dc=edu" ) Sep 26
09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 697587 local4.debug] <=
bdb_dn2id: got id=0x00000005 Sep 26 09:56:50 ldap2.Stanford.EDU
slapd[16583]: [ID 548982 local4.debug] entry_decode:
"cn=supervisor,cn=Applications,dc=stanford,dc=edu" Sep 26 09:56:50
ldap2.Stanford.EDU slapd[16583]: [ID 184541 local4.debug] <=
entry_decode(cn=supervisor,cn=Applications,dc=stanford,dc=edu) Sep 26
09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 257784 local4.debug] =>
bdb_group: found group:
"cn=supervisor,cn=applications,dc=stanford,dc=edu" Sep 26 09:56:50
ldap2.Stanford.EDU slapd[16583]: [ID 721865 local4.debug] <= bdb_group:
found objectClass groupOfNames and member Sep 26 09:56:50
ldap2.Stanford.EDU slapd[16583]: [ID 114958 local4.debug]

dnNormalize:

<suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu>
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 631365
local4.debug] <= bdb_group:
"suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
not in "cn=supervisor,cn=applications,dc=stanford,dc=edu": member Sep 26
09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 416987 local4.debug] ====>
bdb_cache_return_entry_r( 5 ): created (0) Sep 26 09:56:50
ldap2.Stanford.EDU slapd[16583]: [ID 340953 local4.debug] bdb_group: rc=1

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- ACL problems: (was: objectIdentifierMatch)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- RE: objectIdentifierMatch (ITS#2095)
  - From: "Howard Chu" <hyc@symas.com>
- Re: ACL problems: (was: objectIdentifierMatch)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: ACL problems: (was: objectIdentifierMatch)
Next by Date: Re: ACL problems: (was: objectIdentifierMatch)
Index(es):
- Chronological
- Thread