incorrect access_allowed: requests upon login (ACL issue)?
Dear Sirs,
I am using LDAP for user authentication (akin to NIS+). I run 2.0.7 on
Linux 2.2.17.
When I try to login to my system (configured for LDAP authentication),
it denies me login with the following message: "Insufficient credentials
to access authentication data". Below is debugging output from 'slapd
-d 128' and portions of my slapd.conf file.
My understanding of the login process is that somewhere in the login
process (presumably near the beginning), an anonymous bind is performed
to the userPassword attribute. This never happens in my debugging
output. It's always wanting search or read access. If I allow
anonymous read access to these attributes (uidNumber, gidNumber,
homeDirectory, etc.) the login proceeds normally. Is there another way
to provide user level login to my systems without allowing anonymous
read on my users' attributes? I must have something misconfigured
somewhere.
Would someone be able to comment on the issue and my setup? Any input
is appreciated.
Thanks!
Elliot Metsger
When I turn on debugging using 'slapd -d 128', the output indicates that
the ldap client is asking for read access to many of my user attributes:
>> At this point I've telnetted to the system, and I've just entered my username, but not my password
=> access_allowed: search access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "objectClass" requested
=> access_allowed: search access granted by search (=scx)
=> access_allowed: search access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "uid" requested
=> access_allowed: search access granted by search (=scx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "entry" requested
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "loginShell" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute loginShell not allowed
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "gidNumber" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute gidNumber not allowed
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "objectClass" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute objectClass not allowed
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "uid" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute uid not allowed
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "gecos" requested
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "gecos" requested
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "uidNumber" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute uidNumber not allowed
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "cn" requested
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "cn" requested
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "homeDirectory" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute homeDirectory not allowed
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS,
o=Johns Hopkins University, c=US" "userPassword" requested
=> access_allowed: read access denied by auth (=x)
acl: access to attribute userPassword not allowed
>> After entering my password (output not shown), it tries to get more of the same information anonymously, like my gecos, mailhost, etc. Because it's binding anonymously, it can't read the attributes and my login is denied.
Furthermore, from my slapd.log file (connection logging), it does this
anonymously (it only binds _once_ as my DN, the rest are anonymous):
>> Here I connect via telnet
Dec 29 11:16:56 sys05 slapd[17775]: daemon: conn=5 fd=12 connection from
IP=128.220.205.76:1180 (IP=0.0.0.0:389) accepted.
Dec 29 11:16:56 sys05 slapd[17777]: conn=5 op=0 BIND dn="" method=128
Dec 29 11:16:56 sys05 slapd[17777]: conn=5 op=0 RESULT tag=97 err=0
text=
Dec 29 11:16:56 sys05 slapd[17778]: conn=5 op=1 SRCH base="ou=MSEL-LCS,
o=Johns Hopkins University, c=US" scope=2
filter="(&(objectClass=posixAccount)(uid=root))"
Dec 29 11:16:56 sys05 slapd[17778]: conn=5 op=1 SEARCH RESULT tag=101
err=0 text=
Dec 29 11:16:56 sys05 slapd[17775]: conn=-1 fd=12 closed
>> Here I enter my username at the login: prompt
Dec 29 11:17:06 sys05 slapd[17775]: daemon: conn=6 fd=12 connection from
IP=128.220.205.76:1181 (IP=0.0.0.0:389) accepted.
Dec 29 11:17:06 sys05 slapd[17777]: conn=6 op=0 BIND dn="" method=128
Dec 29 11:17:06 sys05 slapd[17777]: conn=6 op=0 RESULT tag=97 err=0
text=
Dec 29 11:17:06 sys05 slapd[17778]: conn=6 op=1 SRCH base="ou=MSEL-LCS,
o=Johns Hopkins University, c=US" scope=2
filter="(&(objectClass=posixAccount)(uid=elliot))"
Dec 29 11:17:07 sys05 slapd[17778]: conn=6 op=1 SEARCH RESULT tag=101
err=0 text=
>> Here I enter my password
Dec 29 11:17:49 sys05 slapd[17775]: daemon: conn=7 fd=18 connection from
IP=128.220.205.76:1182 (IP=0.0.0.0:389) accepted.
Dec 29 11:17:49 sys05 slapd[17775]: conn=-1 fd=12 closed
Dec 29 11:17:49 sys05 slapd[17777]: conn=7 op=0 BIND dn="" method=128
Dec 29 11:17:49 sys05 slapd[17777]: conn=7 op=0 RESULT tag=97 err=0
text=
Dec 29 11:17:49 sys05 slapd[17778]: conn=7 op=1 SRCH base="ou=MSEL-LCS,
o=Johns Hopkins University, c=US" scope=2
filter="(&(objectClass=posixaccount)(uid=elliot))"
Dec 29 11:17:50 sys05 slapd[17777]: conn=7 op=2 BIND
dn="UID=ELLIOT,OU=PEOPLE,OU=MSEL-LCS,O=JOHNS HOPKINS UNIVERSITY,C=US"
method=128
Dec 29 11:17:50 sys05 slapd[17777]: conn=7 op=2 RESULT tag=97 err=0
text=
Dec 29 11:17:50 sys05 slapd[17777]: conn=7 op=3 BIND dn="" method=128
Dec 29 11:17:50 sys05 slapd[17777]: conn=7 op=3 RESULT tag=97 err=0
text=
Dec 29 11:17:50 sys05 slapd[17775]: daemon: conn=8 fd=12 connection from
IP=128.220.205.76:1183 (IP=0.0.0.0:389) accepted.
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=0 BIND dn="" method=128
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=0 RESULT tag=97 err=0
text=
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=1 SRCH base="ou=MSEL-LCS,
o=Johns Hopkins University, c=US" scope=2
filter="(&(objectClass=posixAccount)(uid=elliot))"
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=1 SEARCH RESULT tag=101
err=0 text=
Dec 29 11:17:50 sys05 slapd[17777]: conn=8 op=2 SRCH base="ou=MSEL-LCS,
o=Johns Hopkins University, c=US" scope=2
filter="(&(objectClass=posixAccount)(uid=elliot))"
Dec 29 11:17:50 sys05 slapd[17778]: conn=7 op=1 SEARCH RESULT tag=101
err=0 text=
Dec 29 11:17:51 sys05 slapd[17792]: conn=7 op=4 UNBIND
Dec 29 11:17:51 sys05 slapd[17792]: conn=-1 fd=18 closed
Dec 29 11:17:51 sys05 slapd[17777]: conn=8 op=2 SEARCH RESULT tag=101
err=0 text=
Dec 29 11:17:51 sys05 slapd[17777]: conn=-1 fd=12 closed
>> Then I get the "Insufficient credentials to access authentication data" message and I am logged off.
The relevant portions of my slapd.conf file follow:
#######################################################################
# Access Controls
#######################################################################
defaultaccess none
access to attr=userPassword
        by anonymous auth
        by self write
        by * none
access to attr=uid,uidNumber,gidNumber,loginShell,homeDirectory
        by anonymous search
        by users read
        by self read
        by * none
access to attr=mail,gecos,cn,phoneNumber,roomNumber,faxNumber,objectclass
        by anonymous read
        by users read
        by self read
        by * none
access to attr=entry
        by anonymous read
        by users read
        by self read
        by * read
access to dn=".*,ou=Roaming,ou=Services,ou=MSEL-LCS,o=Johns Hopkins University,c=US"
        by dnattr=owner write
        by users search
        by * none
access to dn="ou=People,ou=MSEL-LCS,o=Johns Hopkins University,c=US"
        by anonymous auth
        by self read
        by users read
        by * none
access to dn="ou=MSEL-LCS,o=Johns Hopkins University,c=US"
        by domain=.*\.jhu\.edu read
        by domain=.*\.jhmi\.edu read
        by * none
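As an added example (my own script, not part of the original post or of OpenLDAP), the following pairs each access_allowed "requested" line from the 'slapd -d 128' output with the decision that follows it and lists the attributes where the level the client asked for exceeds what the matching ACL clause grants; the sample lines are constructed from the debug output quoted above with the wrapped DNs rejoined.

```python
import re

# Constructed sample, modelled on the 'slapd -d 128' output quoted in the
# post, with each wrapped DN joined back onto a single line.
SAMPLE = """\
=> access_allowed: search access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "uid" requested
=> access_allowed: search access granted by search (=scx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "entry" requested
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "loginShell" requested
=> access_allowed: read access denied by search (=scx)
acl: access to attribute loginShell not allowed
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "gecos" requested
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to "uid=elliot, ou=People, ou=MSEL-LCS, o=Johns Hopkins University, c=US" "userPassword" requested
=> access_allowed: read access denied by auth (=x)
acl: access to attribute userPassword not allowed
"""

# '<level> access to "<dn>" "<attr>" requested'
REQ = re.compile(r'^=> access_allowed: (\w+) access to "[^"]*" "([^"]*)" requested$')
# '<level> access granted|denied by <clause level> (=<privs>)'
RES = re.compile(r'^=> access_allowed: \w+ access (granted|denied) by (\w+) \(=\w+\)$')


def parse_access_log(text):
    """Return (attribute, requested_level, result, level_the_acl_granted) tuples.
    'acl: access to attribute ... not allowed' lines add nothing and are skipped."""
    decisions, pending = [], None
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            pending = (m.group(2), m.group(1))  # (attribute, level requested)
            continue
        m = RES.match(line)
        if m and pending is not None:
            decisions.append(pending + (m.group(1), m.group(2)))
            pending = None
    return decisions

def denied_attributes(text):
    """Map each denied attribute to (level requested, level the matching ACL grants)."""
    return {attr: (req, got) for attr, req, res, got in parse_access_log(text)
            if res == "denied"}

if __name__ == "__main__":
    # Shows the gap: the client asks for read, the ACL gives anonymous only search.
    for attr, (req, got) in denied_attributes(SAMPLE).items():
        print("%-14s requested %-6s ACL grants only %s" % (attr, req, got))
```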