Help! bind funny?
I need to deploy my system but an error stops me...
The system is:
-Linux: Redhat 6.1-2.2.14
-openldap: 1.2.10
My slapd.conf is:
-----------------------------------------------------------------------
include /usr/local/etc/openldap/slapd.at.conf
include /usr/local/etc/openldap/slapd.oc.conf
schemacheck off
#referral ldap://root.openldap.org/
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "o=pruebas"
rootdn "cn=root, o=pruebas"
rootpw <rootpw>
directory /usr/local/ldapBD/pruebas
defaultaccess none
access to dn=".*"
by dn="^$$" none
by dn=".*,O=RACF" read
by * none
###############################################################
# V.1 RACF backend
# Database that implements the ability to bind via
# RACF authentication.
# NOTES:
# - the DN format for the bind is:
# CN=<USER>,....
# - missing parameters are not handled; all of them
# are mandatory.
# - The server can be given either as a name or as an IP
# - It makes no sense to define a root, since it is not used
###############################################################
database racf
suffix "o=racf"
servidor srvtrj.villasis.monte
puerto 9302
transaccion PLOGON
---------------------------------------------------------------
The last database (racf) is my own backend for the bind command; this
backend does user authentication in an external system (where all
users and passwords are defined)...
The ACL for the ldbm database ("pruebas") stops all actions for anonymous
users and gives read access to connections bound against the "racf" database.
I populated the pruebas database with a lot of entries.
Well, if I bind to the racf database with an invalid user or password, the
backend returns an error and no action is allowed (this works fine in my
tests).
If I bind with a valid user and password and search the pruebas database, I
get abnormal execution....
I execute:
ldapsearch -w mypassword -D "CN=S5540, O=RACF" -b "o=pruebas" objectclass=*
Some searches are right and return entries from the pruebas database, but
others are wrong...
The log (slapd -d 128):
----------------------------------------------------------------
ACL: access to dn=.*
by dn=^$$
by dn=.*,O=RACF
by dn=.*
slapd starting
=> access_allowed: entry (o=pruebas) attr (objectclass)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (o=pruebas) attr (objectclass)
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
=> access_allowed: entry (o=pruebas) attr (objectclass)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (o=pruebas) attr (objectclass)
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
=> access_allowed: entry (o=pruebas) attr (objectclass)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (o=pruebas) attr (objectclass)
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
=> access_allowed: entry (o=pruebas) attr (objectclass)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "o=pruebas"
=> acl_access_allowed: search access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: exit (o=pruebas) attr (objectclass)
=> access_allowed: entry (o=pruebas) attr (entry)
=> acl_get: entry (o=pruebas) attr (entry)
<= acl_get: [1] backend acl o=pruebas attr: entry
=> acl_access_allowed: read access to entry "o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: exit (o=pruebas) attr (entry)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: read access to entry "o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> acl_get: entry (o=pruebas) attr (o)
<= acl_get: [1] backend acl o=pruebas attr: o
=> acl_access_allowed: read access to entry "o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> acl_get: entry (o=pruebas) attr (description)
<= acl_get: [1] backend acl o=pruebas attr: description
=> acl_access_allowed: read access to entry "o=pruebas"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: search access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (entry)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (entry)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: entry
=> acl_access_allowed: read access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (entry)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: read access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (cn)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: cn
=> acl_access_allowed: read access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
---------------------------------------------------------------------------------
The difference is:
=> acl_access_allowed: search access to value "any" by ""
And
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
But it is the same execution...
Any idea?
Thanks
P.S.: Sorry for my English
--
Juan Gonzalo de Silva Medina
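To see why the two log fragments differ, here is a small Python simulation of the first-matching-clause ACL evaluation slapd applies to the `access to dn=".*"` rule from the slapd.conf above. It is an added example, not code from the post or from OpenLDAP; it assumes, as slapd 1.2 does, that DN regexes are matched case-insensitively and that a granted level implies every lower level (read implies search).

```python
import re

# Access levels in slapd ACL semantics: a grant at one level implies all
# lower levels, so "read" is enough for a "search" request.
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}

# The "by" clauses of the post's ACL, in order. In slapd.conf "^$$" is the
# config-file spelling of the regex "^$", which only matches an empty
# (anonymous) bind DN. Case-insensitive matching is an assumption here.
ACL = [
    (re.compile(r"^$", re.IGNORECASE), "none"),         # by dn="^$$" none
    (re.compile(r".*,O=RACF", re.IGNORECASE), "read"),  # by dn=".*,O=RACF" read
    (None, "none"),                                      # by * none
]


def first_matching_clause(bind_dn):
    """Return (clause_number, level) of the first 'by' clause matching bind_dn.

    slapd stops at the first match: an empty bind DN hits clause #1 and is
    denied before clause #2 is ever considered, which is exactly the
    'matched by clause #1 access denied' line in the log.
    """
    for number, (who, level) in enumerate(ACL, start=1):
        if who is None or who.search(bind_dn):
            return number, level
    return len(ACL), "none"


def access_allowed(bind_dn, requested):
    """Simulate access_allowed(): True if the level granted by the first
    matching clause is at least the requested level."""
    _, granted = first_matching_clause(bind_dn)
    return LEVELS[granted] >= LEVELS[requested]


def explain(bind_dn, requested):
    """One-line verdict in the style of the slapd -d 128 log."""
    number, _ = first_matching_clause(bind_dn)
    verdict = "granted" if access_allowed(bind_dn, requested) else "denied"
    return 'access to value "any" by "%s": matched by clause #%d access %s' % (
        bind_dn, number, verdict)


if __name__ == "__main__":
    # Constructed sessions: the two bind DNs seen in the log plus a DN from
    # the pruebas tree, which matches neither "^$" nor ".*,O=RACF".
    for dn in ("", "CN=S5540,O=RACF", "cn=Gonzalo,o=pruebas"):
        for level in ("search", "read", "write"):
            print(level.ljust(6), explain(dn, level))
```

Fed the same bind DN, the ACL always yields the same verdict; the only input that differs between the denied and granted runs in the log is whether the search's connection carries the bound DN or an empty one.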