[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
OpenLDAP 2.0.11 SASL/ACL Problem
Hi everybody,
we are trying to setup OpenLDAP with SASL DIGEST-MD5 authentication several
hours now. SASL works well with the testsuite of cyrus-sasl.
Also Slurpd binds via SASL to the slave LDAP-server which is to be updated,
so replication from master to slave works fine. The problem occurs if a user
wants to bind to a server using SASL.
SASL authentication for the user seems to be working.
athene:~ # ldapmodify -H ldap://athene -U foller -f mod.ldif
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: foller
SASL realm: athene
SASL SSF: 112
SASL installing layers
modifying entry "uid=foller,dc=fh-stralsund,dc=de"
ldap_modify: Insufficient access
ldif_record() = 50
but modifying of an entry fails. This might be a problem with ACL's.
We have added the following lines on top of our ACL file, included by
slapd.conf.
access to dn="uid=(.*),dc=fh-stralsund,dc=de"
by dn="UID=$1\+REALM=ATHENE" write
by self write
by * none
The LDIF file looks like follows.
dn: uid=foller,dc=fh-stralsund,dc=de
changetype: modify
replace: l
l: Stralsund
The whole log is attached, but the relevant lines should be.
Apr 10 11:38:27 athene slapd[13596]: => access_allowed: write access to
"uid=foller,dc=fh-stralsund,dc=de" "l" requested
Apr 10 11:38:27 athene slapd[13596]: => dnpat: [1]
uid=(.*),dc=fh-stralsund,dc=de nsub: 1
Apr 10 11:38:27 athene slapd[13596]: => acl_get: [1] matched
Apr 10 11:38:27 athene slapd[13596]: => acl_get: [1] check attr l
Apr 10 11:38:27 athene slapd[13596]: <= acl_get: [1] acl
uid=foller,dc=fh-stralsund,dc=de attr: l
Apr 10 11:38:27 athene slapd[13596]: => acl_mask: access to entry
"uid=foller,dc=fh-stralsund,dc=de", attr "l" requested
Apr 10 11:38:27 athene slapd[13596]: => acl_mask: to value by
"UID=FOLLER+REALM=ATHENE", (=n)
Apr 10 11:38:27 athene slapd[13596]: <= check a_dn_pat: UID=$1+REALM=ATHENE
Apr 10 11:38:27 athene slapd[13596]: => string_expand: pattern:
UID=$1+REALM=ATHENE
Apr 10 11:38:27 athene slapd[13596]: => string_expand: expanded:
UID=FOLLER+REALM=ATHENE
Apr 10 11:38:27 athene slapd[13596]: => regex_matches: string:
UID=FOLLER+REALM=ATHENE
Apr 10 11:38:27 athene slapd[13596]: => regex_matches: rc: 1 no matches
Apr 10 11:38:27 athene slapd[13596]: <= check a_dn_pat: self
Apr 10 11:38:27 athene slapd[13596]: <= check a_dn_pat: *
Apr 10 11:38:27 athene slapd[13596]: <= acl_mask: [3] applying none (=n)
(stop)
Apr 10 11:38:27 athene slapd[13596]: <= acl_mask: [3] mask: none (=n)
Apr 10 11:38:27 athene slapd[13596]: => access_allowed: write access denied
by none (=n)
The question is why do the expanded string and regex string dont match.
Any suggestion will be quite helpfull.
Thanks in advance.
Marcus Linke & Fred Ollermann
University of Applied Sciences Stralsund
Germany
---
The whole log:
Apr 10 11:38:27 athene slapd[13596]: do_bind
Apr 10 11:38:27 athene slapd[13596]: do_sasl_bind: dn () mech DIGEST-MD5
Apr 10 11:38:27 athene slapd[13596]: conn=0 op=3 BIND dn="" method=163
Apr 10 11:38:27 athene slapd[13596]: SASL Authorize [conn=0]: "foller" as
"u:foller"
Apr 10 11:38:27 athene slapd[13596]: slap_sasl_bind: username="u:foller"
realm="athene" ssf=112
Apr 10 11:38:27 athene slapd[13596]: <== slap_sasl_bind: authzdn: "uid=foller
+ realm=athene"
Apr 10 11:38:27 athene slapd[13596]: send_ldap_sasl: err=0 len=-1
Apr 10 11:38:27 athene slapd[13596]: send_ldap_response: msgid=4 tag=97 err=0
Apr 10 11:38:27 athene slapd[13596]: <== slap_sasl_bind: rc=0
Apr 10 11:38:27 athene slapd[13581]: connection_get(12): got connid=0
Apr 10 11:38:27 athene slapd[13581]: connection_read(12): checking for input
on id=0
Apr 10 11:38:27 athene slapd[13581]: ber_get_next on fd 12 failed errno=11
(Resource temporarily unavailable)
Apr 10 11:38:27 athene slapd[13596]: do_modify
Apr 10 11:38:27 athene slapd[13596]: conn=0 op=4 MOD
dn="uid=foller,dc=fh-stralsund,dc=de"
Apr 10 11:38:27 athene slapd[13596]: dn2entry_r: dn:
"UID=FOLLER,DC=FH-STRALSUND,DC=DE"
Apr 10 11:38:27 athene slapd[13596]: => dn2id(
"UID=FOLLER,DC=FH-STRALSUND,DC=DE" )
Apr 10 11:38:27 athene slapd[13596]: => ldbm_cache_open( "dn2id.dbb", 7, 600
)
Apr 10 11:38:27 athene slapd[13596]: <= ldbm_cache_open (opened 0)
Apr 10 11:38:27 athene slapd[13596]: <= dn2id 50
Apr 10 11:38:27 athene slapd[13596]: => id2entry_r( 50 )
Apr 10 11:38:27 athene slapd[13596]: => ldbm_cache_open( "id2entry.dbb", 7,
600 )
Apr 10 11:38:27 athene slapd[13596]: <= ldbm_cache_open (opened 1)
Apr 10 11:38:27 athene slapd[13596]: => str2entry
Apr 10 11:38:27 athene slapd[13596]: <=
str2entry(uid=foller,dc=fh-stralsund,dc=de) -> -1 (0x80e1930)
Apr 10 11:38:27 athene slapd[13596]: <= id2entry_r( 50 ) 0x80e1930 (disk)
Apr 10 11:38:27 athene slapd[13596]: ====> cache_return_entry_r( 50 ):
created (0)
Apr 10 11:38:27 athene slapd[13596]: dn2entry_w: dn:
"UID=FOLLER,DC=FH-STRALSUND,DC=DE"
Apr 10 11:38:27 athene slapd[13596]: => dn2id(
"UID=FOLLER,DC=FH-STRALSUND,DC=DE" )
Apr 10 11:38:27 athene slapd[13596]: ====>
cache_find_entry_dn2id("UID=FOLLER,DC=FH-STRALSUND,DC=DE"): 50 (1 tries)
Apr 10 11:38:27 athene slapd[13596]: <= dn2id 50 (in cache)
Apr 10 11:38:27 athene slapd[13596]: => id2entry_w( 50 )
Apr 10 11:38:27 athene slapd[13596]: ====> cache_find_entry_id( 50 )
"uid=foller,dc=fh-stralsund,dc=de" (found) (1 tries)
Apr 10 11:38:27 athene slapd[13596]: <= id2entry_w( 50 ) 0x80e1930 (cache)
Apr 10 11:38:27 athene slapd[13596]: ldbm_modify_internal:
Apr 10 11:38:27 athene slapd[13596]: => access_allowed: write access to
"uid=foller,dc=fh-stralsund,dc=de" "l" requested
Apr 10 11:38:27 athene slapd[13596]: => dnpat: [1]
uid=(.*),dc=fh-stralsund,dc=de nsub: 1
Apr 10 11:38:27 athene slapd[13596]: => acl_get: [1] matched
Apr 10 11:38:27 athene slapd[13596]: => acl_get: [1] check attr l
Apr 10 11:38:27 athene slapd[13596]: <= acl_get: [1] acl
uid=foller,dc=fh-stralsund,dc=de attr: l
Apr 10 11:38:27 athene slapd[13596]: => acl_mask: access to entry
"uid=foller,dc=fh-stralsund,dc=de", attr "l" requested
Apr 10 11:38:27 athene slapd[13596]: => acl_mask: to value by
"UID=FOLLER+REALM=ATHENE", (=n)
Apr 10 11:38:27 athene slapd[13596]: <= check a_dn_pat: UID=$1+REALM=ATHENE
Apr 10 11:38:27 athene slapd[13596]: => string_expand: pattern:
UID=$1+REALM=ATHENE
Apr 10 11:38:27 athene slapd[13596]: => string_expand: expanded:
UID=FOLLER+REALM=ATHENE
Apr 10 11:38:27 athene slapd[13596]: => regex_matches: string:
UID=FOLLER+REALM=ATHENE
Apr 10 11:38:27 athene slapd[13596]: => regex_matches: rc: 1 no matches
Apr 10 11:38:27 athene slapd[13596]: <= check a_dn_pat: self
Apr 10 11:38:27 athene slapd[13596]: <= check a_dn_pat: *
Apr 10 11:38:27 athene slapd[13596]: <= acl_mask: [3] applying none (=n)
(stop)
Apr 10 11:38:27 athene slapd[13596]: <= acl_mask: [3] mask: none (=n)
Apr 10 11:38:27 athene slapd[13596]: => access_allowed: write access denied
by none (=n)
Apr 10 11:38:27 athene slapd[13596]: send_ldap_result: conn=0 op=4 p=3
Apr 10 11:38:27 athene slapd[13596]: send_ldap_response: msgid=5 tag=103
err=50
Apr 10 11:38:27 athene slapd[13596]: conn=0 op=4 RESULT tag=103 err=50 text=
Apr 10 11:38:27 athene slapd[13581]: connection_get(12): got connid=0
Apr 10 11:38:27 athene slapd[13581]: connection_read(12): checking for input
on id=0
Apr 10 11:38:27 athene slapd[13581]: ber_get_next on fd 12 failed errno=0
(Success)
Apr 10 11:38:27 athene slapd[13581]: connection_read(12): input error=-2
id=0, closing.
Apr 10 11:38:27 athene slapd[13581]: connection_closing: readying conn=0
sd=12 for close
Apr 10 11:38:27 athene slapd[13581]: connection_close: deferring conn=0 sd=12
Apr 10 11:38:27 athene slapd[13596]: ====> cache_return_entry_w( 50 ):
returned (0)
Apr 10 11:38:27 athene slapd[13596]: connection_resched: attempting closing
conn=0 sd=12
Apr 10 11:38:27 athene slapd[13596]: connection_close: deferring conn=0 sd=12
Apr 10 11:38:27 athene slapd[13597]: do_unbind
Apr 10 11:38:27 athene slapd[13597]: conn=0 op=5 UNBIND
Apr 10 11:38:27 athene slapd[13597]: connection_resched: attempting closing
conn=0 sd=12
Apr 10 11:38:27 athene slapd[13597]: connection_close: conn=0 sd=12
Apr 10 11:38:27 athene slapd[13597]: conn=-1 fd=12 closed