
incorrect access_allowed: requests upon login (ACL issue)?



Dear Sirs,

I am using LDAP for user authentication (akin to NIS+).  I run 2.0.7 on
Linux 2.2.17.

When I try to login to my system (configured for LDAP authentication),
it denies me login with the following message: "Insufficient credentials
to access authentication data".  Below is debugging output from 'slapd
-d 128' and portions of my slapd.conf file. 

My understanding of the login process is that somewhere in the login
process (presumably near the beginning), an anonymous bind is performed
to the userPassword attribute.  This never happens in my debugging
output.  It's always wanting search or read access.  If I allow
anonymous read access to these attributes (uidNumber, gidNumber,
homeDirectory, etc.) the login proceeds normally.  Is there another way
to provide user-level login to my systems without allowing anonymous
read on my users' attributes?  I must have something misconfigured
somewhere.

Would someone be able to comment on the issue and my setup?  Any input
is appreciated.  

Thanks!
Elliot Metsger


When I turn on debugging using 'slapd -d 128', the output indicates that
the ldap client is asking for read access to many of my user attributes:

>> At this point I've telnetted to the system, and I've just entered my username, but not my password

=> access_allowed: search access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "objectClass" requested
=> access_allowed: search access granted by search (=scx)

=> access_allowed: search access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "uid" requested
=> access_allowed: search access granted by search (=scx)

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "entry" requested
=> access_allowed: read access granted by read (=rscx)

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "loginShell" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute loginShell not allowed

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "gidNumber" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute gidNumber not allowed

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "objectClass" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute objectClass not allowed

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "uid" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute uid not allowed

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "gecos" requested
=> access_allowed: read access granted by read (=rscx)

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "gecos" requested
=> access_allowed: read access granted by read (=rscx)

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "uidNumber" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute uidNumber not allowed

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "cn" requested
=> access_allowed: read access granted by read (=rscx)

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "cn" requested
=> access_allowed: read access granted by read (=rscx)

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "homeDirectory" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute homeDirectory not allowed

=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "userPassword" requested
=> access_allowed: read access denied by auth (=x)
acl: access to attribute userPassword not allowed

>> After entering my password (output not shown), it tries to get more of the same information anonymously, like my gecos, mailhost, etc.  Because it's binding anonymously, it can't read the attributes and my login is denied.

Furthermore, from my slapd.log file (connection logging), it does this
anonymously (it only binds _once_ as my DN; the rest are anonymous):
>> Here I connect via telnet

Dec 29 11:16:56 sys05 slapd[17775]: daemon: conn=5 fd=12 connection from IP=128.220.205.76:1180 (IP=0.0.0.0:389) accepted.
Dec 29 11:16:56 sys05 slapd[17777]: conn=5 op=0 BIND dn="" method=128
Dec 29 11:16:56 sys05 slapd[17777]: conn=5 op=0 RESULT tag=97 err=0 text=
Dec 29 11:16:56 sys05 slapd[17778]: conn=5 op=1 SRCH base="ou=MSEL-LCS, o=Johns Hopkins University, c=US" scope=2 filter="(&(objectClass=posixAccount)(uid=root))"
Dec 29 11:16:56 sys05 slapd[17778]: conn=5 op=1 SEARCH RESULT tag=101 err=0 text=
Dec 29 11:16:56 sys05 slapd[17775]: conn=-1 fd=12 closed


>> Here I enter my username at the login: prompt
 
Dec 29 11:17:06 sys05 slapd[17775]: daemon: conn=6 fd=12 connection from IP=128.220.205.76:1181 (IP=0.0.0.0:389) accepted.
Dec 29 11:17:06 sys05 slapd[17777]: conn=6 op=0 BIND dn="" method=128
Dec 29 11:17:06 sys05 slapd[17777]: conn=6 op=0 RESULT tag=97 err=0 text=
Dec 29 11:17:06 sys05 slapd[17778]: conn=6 op=1 SRCH base="ou=MSEL-LCS, o=Johns Hopkins University, c=US" scope=2 filter="(&(objectClass=posixAccount)(uid=elliot))"
Dec 29 11:17:07 sys05 slapd[17778]: conn=6 op=1 SEARCH RESULT tag=101 err=0 text=


>> Here I enter my password
 
Dec 29 11:17:49 sys05 slapd[17775]: daemon: conn=7 fd=18 connection from IP=128.220.205.76:1182 (IP=0.0.0.0:389) accepted.
Dec 29 11:17:49 sys05 slapd[17775]: conn=-1 fd=12 closed
Dec 29 11:17:49 sys05 slapd[17777]: conn=7 op=0 BIND dn="" method=128
Dec 29 11:17:49 sys05 slapd[17777]: conn=7 op=0 RESULT tag=97 err=0 text=
Dec 29 11:17:49 sys05 slapd[17778]: conn=7 op=1 SRCH base="ou=MSEL-LCS, o=Johns Hopkins University, c=US" scope=2 filter="(&(objectClass=posixaccount)(uid=elliot))"
Dec 29 11:17:50 sys05 slapd[17777]: conn=7 op=2 BIND dn="UID=ELLIOT,OU=PEOPLE,OU=MSEL-LCS,O=JOHNS HOPKINS UNIVERSITY,C=US" method=128
Dec 29 11:17:50 sys05 slapd[17777]: conn=7 op=2 RESULT tag=97 err=0 text=
Dec 29 11:17:50 sys05 slapd[17777]: conn=7 op=3 BIND dn="" method=128
Dec 29 11:17:50 sys05 slapd[17777]: conn=7 op=3 RESULT tag=97 err=0 text=
Dec 29 11:17:50 sys05 slapd[17775]: daemon: conn=8 fd=12 connection from IP=128.220.205.76:1183 (IP=0.0.0.0:389) accepted.
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=0 BIND dn="" method=128
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=0 RESULT tag=97 err=0 text=
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=1 SRCH base="ou=MSEL-LCS, o=Johns Hopkins University, c=US" scope=2 filter="(&(objectClass=posixAccount)(uid=elliot))"
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=1 SEARCH RESULT tag=101 err=0 text=
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=2 SRCH base="ou=MSEL-LCS, o=Johns Hopkins University, c=US" scope=2 filter="(&(objectClass=posixAccount)(uid=elliot))"
Dec 29 11:17:50 sys05 slapd[17778]: conn=7 op=1 SEARCH RESULT tag=101 err=0 text=
Dec 29 11:17:51 sys05 slapd[17792]: conn=7 op=4 UNBIND
Dec 29 11:17:51 sys05 slapd[17792]: conn=-1 fd=18 closed
Dec 29 11:17:51 sys05 slapd[17777]: conn=8 op=2 SEARCH RESULT tag=101 err=0 text=
Dec 29 11:17:51 sys05 slapd[17777]: conn=-1 fd=12 closed

>> Then I get the "Insufficient credentials to access authentication data" message and I am logged off.



The relevant portions of my slapd.conf file follow:

#######################################################################
# Access Controls
#######################################################################
defaultaccess none

access to attr=userPassword
        by anonymous auth
        by self write
        by * none

access to attr=uid,uidNumber,gidNumber,loginShell,homeDirectory
        by anonymous search
        by users read
        by self read
        by * none

access to attr=mail,gecos,cn,phoneNumber,roomNumber,faxNumber,objectclass
        by anonymous read
        by users read
        by self read
        by * none

access to attr=entry
        by anonymous read
        by users read
        by self read
        by * read

access to dn=".*,ou=Roaming,ou=Services,ou=MSEL-LCS,o=Johns Hopkins University,c=US"
        by dnattr=owner write
        by users search
        by * none

access to dn="ou=People,ou=MSEL-LCS,o=Johns Hopkins University,c=US"
        by anonymous auth
        by self read
        by users read
        by * none

access to dn="ou=MSEL-LCS,o=Johns Hopkins University,c=US"
        by domain=.*\.jhu\.edu read
        by domain=.*\.jhmi\.edu read
        by * none
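Added example, not part of Elliot's post and not OpenLDAP's own code: a small Python model of how slapd evaluates `access to attr=... by <who> <level>` clauses, replayed over the ACLs and a subset of the `access_allowed` requests quoted above (both reconstructed from the post; the `cn=nss,...` bind DN is a hypothetical non-anonymous, non-self requester). slapd privilege levels form a ladder, none < auth < compare < search < read < write, where a grant at one level implies the lower ones but never the higher ones; that is why the `=scx` clause that grants anonymous search on uid/uidNumber/gidNumber/loginShell/homeDirectory is also the clause that refuses anonymous read of them. The same requests made by any bound DN are satisfied by the existing `by users read` lines, while userPassword stays unreadable.

```python
import re

# Added example (not from the original post or OpenLDAP): a small model of how slapd
# evaluates `access to attr=... by <who> <level>` clauses, replayed over the ACLs and
# `slapd -d 128` lines quoted in the post. Strings below are reconstructed from the post.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # low to high; each implies the lower ones
CODES = {"auth": "x", "compare": "c", "search": "s", "read": "r", "write": "w"}

SLAPD_CONF = """
defaultaccess none
access to attr=userPassword
        by anonymous auth
        by self write
        by * none
access to attr=uid,uidNumber,gidNumber,loginShell,homeDirectory
        by anonymous search
        by users read
        by self read
        by * none
access to attr=mail,gecos,cn,phoneNumber,roomNumber,faxNumber,objectclass
        by anonymous read
        by users read
        by self read
        by * none
access to attr=entry
        by anonymous read
        by users read
        by self read
        by * read
"""

DN = "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US"
# The (access, attribute) requests from the post's debug output, in the order they appear.
DEBUG = "\n".join(
    f'=> access_allowed: {want} access to "{DN}" "{attr}" requested'
    for want, attr in [("search", "objectClass"), ("search", "uid"), ("read", "entry"),
                       ("read", "loginShell"), ("read", "gidNumber"), ("read", "uid"),
                       ("read", "gecos"), ("read", "uidNumber"), ("read", "cn"),
                       ("read", "homeDirectory"), ("read", "userPassword")])
REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]+)" "(\w+)" requested')


def level_mask(level):
    """Render a granted level as `slapd -d 128` prints it: search -> '=scx', read -> '=rscx'."""
    return "=" + "".join(CODES[l] for l in reversed(LEVELS[1:LEVELS.index(level) + 1]))


def parse_acls(conf):
    """[(attrs, [(who, level), ...]), ...] for the attr= clauses, in file order (dn= clauses skipped)."""
    acls, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("access to attr="):
            cur = ({a.strip().lower() for a in line[len("access to attr="):].split(",")}, [])
            acls.append(cur)
        elif line.startswith("access to"):
            cur = None
        elif line.startswith("by ") and cur is not None:
            cur[1].append(tuple(line.split()[1:3]))
    return acls


def who_matches(who, binddn, target_dn):
    """The <who> selectors used in the post; binddn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":
        return binddn is not None
    if who == "self":
        return binddn is not None and binddn.lower() == target_dn.lower()
    return False        # dn=/dnattr=/domain= selectors are not modelled


def access_allowed(acls, binddn, target_dn, attr, wanted, default="none"):
    """slapd semantics: the first clause whose target matches decides; inside it the first
    matching `by` decides; a matching clause with no matching `by` denies. -> (granted, level)"""
    for attrs, bys in acls:
        if attr.lower() not in attrs:
            continue
        for who, level in bys:
            if who_matches(who, binddn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted), level
        return False, "none"
    return LEVELS.index(default) >= LEVELS.index(wanted), default


def replay(acls, debug, binddn=None):
    """Evaluate each request found in the debug text: {(wanted, attr): (granted, level)}."""
    return {(w, a): access_allowed(acls, binddn, dn, a, w)
            for w, dn, a in REQ.findall(debug)}


def denied_reads(acls, debug, binddn=None):
    """Attributes the client asked to read and was refused, in request order."""
    return [a for (w, a), (ok, _) in replay(acls, debug, binddn).items() if w == "read" and not ok]


if __name__ == "__main__":
    acls = parse_acls(SLAPD_CONF)
    proxy = "cn=nss,ou=MSEL-LCS,o=Johns Hopkins University,c=US"   # hypothetical non-self bind DN
    for label, binddn in [("anonymous bind (as in the post)", None), ("bound as " + proxy, proxy)]:
        print(label)
        for (w, a), (ok, lvl) in replay(acls, DEBUG, binddn).items():
            mask = f" ({level_mask(lvl)})" if lvl != "none" else ""
            print(f"  {w:6} {a:14} {'granted' if ok else 'denied '} by {lvl}{mask}")
```

Run as-is, the anonymous pass reproduces every grant and denial in the posted output except the first one: the pasted third clause would give anonymous `read` on objectClass, whereas the log shows `search access granted by search (=scx)`, so it is worth confirming that the running slapd.conf is the one pasted (the third clause arrives split across two lines in the mail). The anonymous lookups on conn=6 and conn=8 (`BIND dn=""` followed by the posixAccount search) are the NSS side of the login, not the password check, which is the single bind as the user's DN on conn=7. nss_ldap and pam_ldap can be pointed at a dedicated bind DN instead of binding anonymously (`binddn` and `bindpw` in /etc/ldap.conf), and the posted `by users read` entries already serve such a DN without opening anonymous read; the trade-off is that /etc/ldap.conf must be readable by every local process that resolves users, so that DN should hold nothing beyond the read access shown here.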