Re: GSSAPI Binds openldap 2.1.12
Ok, let me explain a little more,
cn=staff,dc=csic,dc=umd,dc=edu
is the rootdn, so it should be able to see anything, anywhere.
uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
is say a user, I want to be able to bind so that they could change certain
attributes on their dn.
so, my access rights right now are these:
access to attr=uid,uidNumber,gidNumber,homeDirectory,mailLocalAddress
    by dn="cn=staff,dc=csic,dc=umd,dc=edu"
    by users read
access to attr=loginShell,gecos,cn,mailroutingaddress,mailHost
    by dn="cn=staff,dc=csic,dc=umd,dc=edu"
    by self write
    by users read
You would have to be authenticated just to read the attributes, and some you would
be able to write to.
I would obviously like to do this with GSSAPI, so I don't need to put any passwords,
etc in the ldap database.
On Wed, Jan 22, 2003 at 09:55:15PM -0800, Howard Chu wrote:
> You need to fix your ACLs. In the GSSAPI case, the log shows you bound as
> uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
> while in the simple bind you used
> cn=staff,dc=csic,dc=umd,dc=edu
>
> Clearly these are not the same, and your ACL only references the second DN
> above.
>
> Also, your ACL doesn't specify any rights for the cn=staff DN. Was that just
> a cut/paste error?
>
> Finally, you probably want an "access to *" clause after the other, to assign
> privileges to everything else.
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Derek T. Yarnell
>
> > I am having an issue with getting my gssapi/sasl binds working. I was wondering
> > if someone could give me a little insight,
> >
> > ldapsearch -Y GSSAPI -b 'dc=csic,dc=umd,dc=edu' '(uid=derek)'
> >
> > Here is the server output,
> >
> > Jan 22 14:43:36 queasy slapd[10595]: conn=0 fd=13 ACCEPT from
> > IP=127.0.0.1:56125 (IP=0.0.0.0:389)
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=0 BIND dn=""
> > method=163
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=1 BIND dn=""
> > method=163
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND dn=""
> > method=163
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND authcid="derek"
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 AUTHZ
> > dn="uid=derek,ou=staff,dc=csic,dc=umd,dc=edu" mech=GSSAPI ssf=56
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SRCH
> > base="ou=staff,dc=csic,dc=umd,dc=edu" scope=2 filter="(uid=derek)"
> > Jan 22 14:43:36 queasy slapd[10604]: <=
> > bdb_equality_candidates: index_param failed (18)
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SEARCH
> > RESULT tag=101 err=0 nentries=0 text=
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=4 UNBIND
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 fd=13 closed
> >
> > ----------------------------------------------------------
> > derek@queasy:~> /csic/openldap/bin/ldapsearch -Y GSSAPI -b
> > 'ou=staff,dc=csic,dc=umd,dc=edu' '(uid=derek)'
> > SASL/GSSAPI authentication started
> > SASL SSF: 56
> > SASL installing layers
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=staff,dc=csic,dc=umd,dc=edu> with scope sub
> > # filter: (uid=derek)
> > # requesting: ALL
> > #
> >
> > # search result
> > search: 4
> > result: 0 Success
> >
> > # numResponses: 1
> > ----------------------------------------------------------
> >
> > But it doesn't return anything, whereas a normal bind will return
> > something,
> >
> > ----------------------------------------------------------
> > derek@queasy:~> /csic/openldap/bin/ldapsearch -x -D
> > 'cn=staff,dc=csic,dc=umd,dc=edu' -b 'dc=csic,dc=umd,dc=edu'
> > -W '(uid=derek)'
> > Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=csic,dc=umd,dc=edu> with scope sub
> > # filter: (uid=derek)
> > # requesting: ALL
> > #
> >
> > # derek, staff, csic.umd.edu
> > dn: uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
> > objectClass: csicAccount
> > objectClass: account
> > cn: Derek Yarnell
> > uid: derek
> > uidNumber: 2174
> > gidNumber: 10
> > homeDirectory: /afs/csic/staff/derek
> > loginShell: /bin/tcsh
> > mailHost: cs.umd.edu
> > mailRoutingAddress: derek@cs.umd.edu
> > mailLocalAddress: derek@cs.umd.edu
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> > ----------------------------------------------------------
> >
> > here is my sasl-regex,
> >
> >
> > sasl-regexp uid=(.*),cn=gssapi,cn=auth
> >     uid=$1,ou=staff,dc=csic,dc=umd,dc=edu
> >
> >
> > and the only other access control I have,
> >
> > access to attr=loginShell,gecos,cn,mailroutingaddress
> >     by dn="cn=staff,dc=csic,dc=umd,dc=edu"
> >     by self write
> >     by users read
> >
> > thanks for any help.
> >
> >
> > --
> > ---
> > Derek T. Yarnell
> > University of Maryland
> > Computer Science Department Unix Staff
> > derek@cs.umd.edu
> >
>
--
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu
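Added example, not code from this thread or from OpenLDAP: a small Python model of how slapd walks its access directives (first matching "access to" clause, then its first matching "by" clause), used to replay the two situations in the thread. It assumes a deliberately reduced grammar (only "access to *" and "access to attr[s]=...", only the who-forms *, anonymous, users, self and dn="..." with no spaces inside the DN), treats a target that no clause covers as no access, lets the rootdn bypass ACLs as slapd.conf(5) documents, and requires "search" on every filter attribute plus "read" on the "entry" pseudo-attribute for a search to return an entry. The second user uid=alice is constructed for contrast. The posted ACL, with no access level on the cn=staff line, is rejected by the parser; with levels added but still no "access to *" clause, a GSSAPI bind as uid=derek cannot get the entry back (the nentries=0 from the log), while the rootdn simple bind still can; with the trailing "access to *" both work, and uid=derek can write loginShell on its own entry but only read it on alice's.

```python
"""Toy model of slapd ACL evaluation (added example; assumptions listed in the lead-in)."""
import re
from dataclasses import dataclass
from typing import Optional

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str
    level: str


@dataclass
class Access:
    attrs: Optional[set]   # None means "access to *"
    by: list


def norm_dn(dn):
    """Lower-case a DN and drop whitespace after commas so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_acl(text):
    """Parse slapd.conf-style access directives; a "by" clause without a level is rejected."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            target = line[len("access to "):].strip()
            if target == "*":
                attrs = None
            else:
                m = re.fullmatch(r"attrs?=([\w,]+)", target)
                if not m:
                    raise ValueError(f"unsupported target: {target!r}")
                attrs = {a.lower() for a in m.group(1).split(",")}
            clauses.append(Access(attrs, []))
        elif line.startswith("by ") and clauses:
            parts = line.split()
            if len(parts) != 3 or parts[2] not in LEVELS:
                raise ValueError(f"by clause needs an explicit access level: {line!r}")
            clauses[-1].by.append(By(parts[1], parts[2]))
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return clauses


def who_matches(who, bound_dn, entry_dn):
    """Does the <who> selector apply to this bind DN acting on this entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn == ""
    if who == "users":
        return bound_dn != ""
    if who == "self":
        return bound_dn != "" and norm_dn(bound_dn) == norm_dn(entry_dn)
    m = re.fullmatch(r'dn="(.*)"', who)
    if m:
        return bound_dn != "" and norm_dn(bound_dn) == norm_dn(m.group(1))
    raise ValueError(f"unsupported <who>: {who!r}")


def level_for(clauses, bound_dn, entry_dn, attr, rootdn=None):
    """Access level bound_dn gets on one attribute of entry_dn."""
    if rootdn and bound_dn and norm_dn(bound_dn) == norm_dn(rootdn):
        return "write"                      # rootdn is not subject to ACLs
    for clause in clauses:
        if clause.attrs is None or attr.lower() in clause.attrs:
            for by in clause.by:
                if who_matches(by.who, bound_dn, entry_dn):
                    return by.level
            return "none"                   # implicit trailing "by * none"
    return "none"                           # model assumption: no matching clause, no access


def has(level, needed):
    """Levels are ordered: "read" implies "search", "write" implies "read", and so on."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def search_returns_entry(clauses, bound_dn, entry_dn, filter_attrs, rootdn=None):
    """Could a search filtered on filter_attrs return entry_dn to this bind DN?"""
    lv = lambda a: level_for(clauses, bound_dn, entry_dn, a, rootdn)
    return all(has(lv(a), "search") for a in filter_attrs) and has(lv("entry"), "read")


ROOTDN = "cn=staff,dc=csic,dc=umd,dc=edu"
DEREK = "uid=derek,ou=staff,dc=csic,dc=umd,dc=edu"
ALICE = "uid=alice,ou=staff,dc=csic,dc=umd,dc=edu"   # constructed second user

# ACL as posted in the thread: the cn=staff "by" clause carries no access level.
THREAD_ACL = """
access to attr=uid,uidNumber,gidNumber,homeDirectory,mailLocalAddress
    by dn="cn=staff,dc=csic,dc=umd,dc=edu"
    by users read
"""

# Same intent with explicit levels, but still without an "access to *" clause.
NO_STAR_ACL = """
access to attrs=uid,uidNumber,gidNumber,homeDirectory,mailLocalAddress
    by dn="cn=staff,dc=csic,dc=umd,dc=edu" write
    by users read
access to attrs=loginShell,gecos,cn,mailRoutingAddress,mailHost
    by dn="cn=staff,dc=csic,dc=umd,dc=edu" write
    by self write
    by users read
"""

# Howard's suggestion: a trailing "access to *" covers the entry itself and every other attribute.
FIXED_ACL = NO_STAR_ACL + """
access to *
    by dn="cn=staff,dc=csic,dc=umd,dc=edu" write
    by users read
"""


def thread_acl_problem():
    """Return the parser's complaint about the posted ACL, or None if it parses."""
    try:
        parse_acl(THREAD_ACL)
    except ValueError as e:
        return str(e)
    return None


def levels(acl_text, bound_dn, entry_dn, attrs):
    """Map each attribute to the level bound_dn gets on entry_dn under acl_text."""
    clauses = parse_acl(acl_text)
    return {a: level_for(clauses, bound_dn, entry_dn, a, ROOTDN) for a in attrs}


if __name__ == "__main__":
    print("posted ACL:", thread_acl_problem())
    for name, acl in (("without access to *", NO_STAR_ACL), ("with access to *", FIXED_ACL)):
        cl = parse_acl(acl)
        print(name, "| GSSAPI bind as derek, filter (uid=derek):",
              search_returns_entry(cl, DEREK, DEREK, ["uid"], ROOTDN),
              "| simple bind as rootdn:", search_returns_entry(cl, ROOTDN, DEREK, ["uid"], ROOTDN))
    print("derek on own entry:", levels(FIXED_ACL, DEREK, DEREK, ["uid", "loginShell"]))
    print("alice on derek's entry:", levels(FIXED_ACL, ALICE, DEREK, ["uid", "loginShell"]))
```

The model is only as faithful as the assumptions above; the point it makes is the one Howard raises: the rootdn sees everything regardless of ACLs, so testing with a simple bind as cn=staff says nothing about what a mapped GSSAPI identity can see, and without a catch-all clause the entry itself is not readable even when the attributes in the filter are.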