RE: ldap_add: Insufficient access

No luck so far... I'm still convinced it's a by <who> write problem in the
ACL. Improper passwords and users return what I'd expect them to - errors
to that effect - so I'm sure the auth is actually happening.

I just updated OpenLDAP to 2.0.21 (RH 7.2 updates) and the problem persists.
OpenLDAP, on the whole, seems more stable as a result, though.

Does anyone have an example SASL ACL they could share with me? Or does
everyone else just use the "simple" auth?

- Scott

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Scott Russell
Sent: Thursday, January 24, 2002 12:11 PM
To: openldap-software@OpenLDAP.org
Subject: ldap_add: Insufficient access

I'm about 90% finished installing OpenLDAP, with SASL (but not Kerberos) on
Linux.

The error I'm getting is:

    [root]# ldapadd -f /tmp/ldifstart
    SASL/DIGEST-MD5 authentication started
    Please enter your password:
    SASL username: user
    SASL realm: realm
    SASL SSF: 128
    SASL installing layers
    adding new entry "dc=people,dc=aaa,dc=com"
    ldap_add: Insufficient access

    ldif_record() = 50

I strongly suspect that my ACLs are set up improperly. I've tried the
following permutations (and several others), but have had no success yet.

    access to *
        by dn="uid=user@realm" write
        by * read

    access to *
        by dn="uid=user + realm=realm" write
        by * read

    access to *
        by dn="u: user" write
        by * read

Running slapd with -d 255, I see the following:

    do_sasl_bind: dn (uid=user@realm) mech DIGEST-MD5
    ==> sasl_bind: dn="uid=user@realm" mech=<continuing> datalen=0
    SASL Authorize [conn=0]: authcid="user" authzid="user"
    SASL Authorize [conn=0]: "user" as "u:user"
    slap_sasl_bind: username="u:user" realm="realm" ssf=128
    <== slap_sasl_bind: authzdn: "uid=user + realm=realm"

The following also appears, which I think is unrelated and does not worry me
at the moment:

    ber_get_next
    ldap_read: want=1 error=Resource temporarily unavailable
    ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
    daemon: select: listen=6 active_threads=0 tvp=NULL

Please advise - I'm so close, I can smell it.

- Scott