[Date Prev][Date Next] [Chronological] [Thread] [Top]

Search subschemaSubentry with GSSAPI bind



I'm seeing a very strange problem where I can't search the subschemaSubentry using GSSAPI. If I use simple binds it does work. More specifically I can search all attributes of cn=Subschema *except* the attributeTypes schema. I raised my loglevel to 2472 and compared the results from a search that succeeds (objectClasses) and one that fails (attributeTypes) and the logs are identical and the server thinks it succeeded. Below are the results from searching each attribute using GSSAPI. If I do:

ldapsearch -x -ZZ -H ldap://ldap2.example.com -s base -b "cn=Subschema" +

It gives me everything.

Below everything is my slapd.conf file.

Any help would be greatly appreciated.


------- ldapSyntaxes attribute -------

[leggett@:~]$ ldapsearch -ZZ -H ldap://ldap2.example.com -s base -b "cn=Subschema" ldapSyntaxes
SASL/GSSAPI authentication started
SASL username: leggett/admin@CI.EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=Subschema> with scope base
# filter: (objectclass=*)
# requesting: ldapSyntaxes
#


# Subschema
dn: cn=Subschema
ldapSyntaxes: ( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' )
[...]
# search result
search: 6
result: 0 Success

# numResponses: 2
# numEntries: 1


------- matchingRules attribute -------

[leggett@:~]$ ldapsearch -ZZ -H ldap://ldap2.example.com -s base -b "cn=Subschema" matchingRules
SASL/GSSAPI authentication started
SASL username: leggett/admin@CI.EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=Subschema> with scope base
# filter: (objectclass=*)
# requesting: matchingRules
#


# Subschema
dn: cn=Subschema
matchingRules: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' SYNTAX 1.3.6.
[...]
# search result
search: 6
result: 0 Success


# numResponses: 2
# numEntries: 1


------- matchingRuleUse attribute -------

[leggett@:~]$ ldapsearch -ZZ -H ldap://ldap2.example.com -s base -b "cn=Subschema" matchingRuleUse
SASL/GSSAPI authentication started
SASL username: leggett/admin@CI.EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=Subschema> with scope base
# filter: (objectclass=*)
# requesting: matchingRuleUse
#


# Subschema
dn: cn=Subschema
matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( s
[...]
# search result
search: 6
result: 0 Success


# numResponses: 2
# numEntries: 1


------- objectClasses attribute -------

[leggett@:~]$ ldapsearch -ZZ -H ldap://ldap2.example.com -s base -b "cn=Subschema" objectClasses
SASL/GSSAPI authentication started
SASL username: leggett/admin@CI.EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=Subschema> with scope base
# filter: (objectclass=*)
# requesting: objectClasses
#


# Subschema
dn: cn=Subschema
objectClasses: ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaAccountPolicy' DESC 'Samba
[...]
# search result
search: 6
result: 0 Success


# numResponses: 2
# numEntries: 1


------- attributeTypes attribute -------

[leggett@:~]$ ldapsearch -ZZ -H ldap://ldap2.example.com -s base -b "cn=Subschema" attributeTypes
SASL/GSSAPI authentication started
SASL username: leggett/admin@CI.EXAMPLE.COM
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=Subschema> with scope base
# filter: (objectclass=*)
# requesting: attributeTypes
#


ldap_result: Can't contact LDAP server (-1)


------- slapd.conf -------

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/autofs.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/samba.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
#loglevel       2472
loglevel        256

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
#security ssf=1 tls=128 update_sasl=56 update_tls=128
security ssf=1 tls=128 update_tls=128
#disallow bind_simple
allow bind_v2 bind_anon_dn
#allow bind_anon_dn bind_v2

TLSCipherSuite          HIGH
TLSCACertificatePath    /usr/share/ssl/certs
TLSCertificateFile      /usr/share/ssl/ldap/slapd-cert.pem
TLSCertificateKeyFile   /usr/share/ssl/ldap/slapd-key.pem
TLSVerifyClient         allow

sasl-secprops           noplain,noanonymous,noactive,minssf=56

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

# Map SASL authentication DNs to LDAP DNs
# This leaves "username/admin" principals untouched
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth "uid= $1,ou=people,o=ci,dc=example,dc=com"
# This should be a ^ plus, not a star, but slapd won't accept it


# Allow anonymous users to get information to authenitcate
access to dn.base=""
        by * read

# Allow authenticated users access to the subchemaSubentry
access to dn.base="cn=Subschema"
        by * read

# Samba accounts passwords
access to attrs=sambaLMPassword,sambaNTPassword
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by dn.exact="uid=samba_server,ou=people,o=ci,dc=example,dc=com" write
by self write
by anonymous auth
by * none


# Passwords should not be in entered by anyone
#access to attrs=userPassword
# by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
# by dn.exact="uid=samba_server,ou=people,o=ci,dc=example,dc=com" write
# by self write
# by anonymous auth
# by * none


# Users can change their shell, anyone else can see it
#access to attrs=loginShell
#       by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
#       by self write
#       by * read

# Only the user can see their employeeNumber
#access to attrs=employeeNumber
#       by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
#       by self read
#       by * none

# Allow everyone to get user information
access to dn.children="ou=people,o=ci,dc=example,dc=com"
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

# Allow everyone to get group information
access to dn.children="ou=group,o=ci,dc=example,dc=com"
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

# Allow everyone to get netgroup information
access to dn.children="ou=netgroups,o=ci,dc=example,dc=com"
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

# Allow everyone to get mail alias information
access to dn.children="ou=aliases,o=ci,dc=example,dc=com"
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

# Allow everyone to get service information
access to dn.children="ou=services,o=ci,dc=example,dc=com"
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

# Allow everyone to get host information
access to dn.children="ou=hosts,o=ci,dc=example,dc=com"
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read

# Default read access for everything else
access to *
by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
by dn.exact="uid=samba_server,ou=people,o=ci,dc=example,dc=com" write
by anonymous none
by * read


# Limit number of search results to prevent trolling of directory
# by spammers, etc.
#sizelimit 10
# Alternatively, specify a large enough size limit to ensure we can dump
# the entire directory
sizelimit 5000

# Limit the number of threads
# The default is 16 and that has been reported on the openldap mailing
# list to be too many for a machine with < 1 GB of RAM
threads 8

# Disconnect idle connections after 4 hours.  Otherwise connections
# from nss_ldap keep piling up and we eventually exceed our open file
# handle limit.  Increasing that limit above 1024 is difficult on Linux
# because slapd uses select(2) and the FD_SETSIZE is hard-coded at 1024.
# Presumably slapd will eventually be converted to use poll(2) instead
# of select, which doesn't have that limit.  But until then this is our
# workaround.
idletimeout 14400

# Turn off logging.  We can always turn it back on when we need to see
# what's going on.
# 256 is the default.  256 logs connections, operations and results,
# it would be nice to log only operations but there isn't a level just
# for operations.
#loglevel 0

#######################################################################
# ldbm database definitions
#######################################################################

database        bdb
suffix          "o=ci,dc=example,dc=com"
#rootdn         "cn=Manager,o=ci,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw         {SSHA}secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
mode            0600
# Indices to maintain
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index sambaSID,sambaPrimaryGroupSID     eq,pres
index sambaDomainName                   eq,pres
index ipHostNumber                      eq,pres

# Increase the size of slapd's entry cache.  Note that this is a
# seperate cache from BDB's cache, who's size is configured in DB_CONFIG
cachesize 10000

# BDB tuning
# It would be preferable to do all BDB tuning in BDB's configuration
# file, but there are some settings that aren't supported there.
# BDB's config file is var/openldap-data/DB_CONFIG
# Docs:  http://www.openldap.org/faq/data/cache/893.html
#
# Turn on checkpointing, which is off by default.  This reduces the
# amount of time it takes db_recover to run on a restart.
checkpoint 256 15

# Replication log
replogfile      /var/lib/ldap/slapd.replog
replica         host=ldap2.example.com:389
                suffix="o=ci,dc=example,dc=com"
                bindmethod=sasl
                saslmech=gssapi
                authcId=host/ldap1.example.com@CI.EXAMPLE.COM
                tls=yes