
Re: GSSAPI Binds openldap 2.1.12



Derek,

I think you missed a bit of what Howard was saying... We are using GSSAPI quite extensively here @ Stanford with Openldap.

--On Thursday, January 23, 2003 11:56 AM -0500 "Derek T. Yarnell" <derek@cs.umd.edu> wrote:

> Ok, let me explain a little more,
>
> cn=staff,dc=csic,dc=umd,dc=edu
>
> is the rootdn, so it should be able to see anything, anywhere.
>
> uid=derek,ou=staff,dc=csic,dc=umd,dc=edu

Is this a typo? ou=staff != cn=staff that I know of.


> is say a user, I want to be able to bind so that they could change certain attributes on their dn.
>
> so, my access rights right now is this,
>
> access to attr=uid,uidNumber,gidNumber,homeDirectory,mailLocalAddress
>         by dn="cn=staff,dc=csic,dc=umd,dc=edu"

I'm not sure the above is a valid statement. You are not specifying what type of access (read, write, etc). On top of that, you are saying that only the EXPLICIT dn "cn=staff,dc=csic,dc=umd,dc=edu" has this unknown access. If you want for your UID piece to have that access, you need to do dn.children (which will then allow the subtree access).


>         by users read
> access to attr=loginShell,gecos,cn,mailroutingaddress,mailHost
>         by dn="cn=staff,dc=csic,dc=umd,dc=edu"

Same comment here.

On Howard's comment about access to *, you pretty much have to have that clause. By default, what you have right now, only the things listed does anyone have any type of access to. This means that nothing else has any types of access.

Here is our slapd.acl file for our replicas:

# $Id: slapd.acl,v 1.9 2003/01/03 17:13:37 quanah Exp $
# ACL include file for slapd
#
# this is for testing

access to dn.base=""
       by * read

access to *
by dn.base="cn=replicator,cn=Applications,dc=stanford,dc=edu" write
by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" read
by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
by * break


access to attr=krb5PrincipalName,member
       by * search

access to attr=entry
by dn="cn=StanfordMailRouter,cn=Applications,dc=stanford,dc=edu" read


access to dn.children="cn=Accounts,dc=stanford,dc=edu" attr=suSeasSunetID,suMailDrop
by dn="cn=StanfordMailRouter,cn=Applications,dc=stanford,dc=edu" read



Note the dn.children line.

--Quanah

>         by self write
>         by users read
>
> You would have to be authenticated to just read the attributes and some
> you would be able to write to.
>
> I would obviously like to do this with GSSAPI, so I don't need to put any
> passwords, etc in the ldap database.
>
> On Wed, Jan 22, 2003 at 09:55:15PM -0800, Howard Chu wrote:
> You need to fix your ACLs. In the GSSAPI case, the log shows you bound as
>   uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
> while in the simple bind you used
>   cn=staff,dc=csic,dc=umd,dc=edu
>
> Clearly these are not the same, and your ACL only references the second
> DN above.
>
> Also, your ACL doesn't specify any rights for the cn=staff DN. Was that
> just a cut/paste error?
>
> Finally, you probably want an "access to *" clause after the other, to
> assign privileges to everything else.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Derek T.
> Yarnell

> I am having a issue with getting my gssapi/sasl binds
> working. I was wondering
> if someone could give me a little insight,
>
> ldapsearch -Y GSSAPI -b 'dc=csic,dc=umd,dc=edu' '(uid=derek)'
>
> Here is the server output,
>
> Jan 22 14:43:36 queasy slapd[10595]: conn=0 fd=13 ACCEPT from
> IP=127.0.0.1:56125 (IP=0.0.0.0:389)
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=0 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=1 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND authcid="derek"
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 AUTHZ
> dn="uid=derek,ou=staff,dc=csic,dc=umd,dc=edu" mech=GSSAPI ssf=56
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SRCH
> base="ou=staff,dc=csic,dc=umd,dc=edu" scope=2 filter="(uid=derek)"
> Jan 22 14:43:36 queasy slapd[10604]: <=
> bdb_equality_candidates: index_param failed (18)
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SEARCH
> RESULT tag=101 err=0 nentries=0 text=
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=4 UNBIND
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 fd=13 closed
>
> ----------------------------------------------------------
> derek@queasy:~> /csic/openldap/bin/ldapsearch -Y GSSAPI -b
> 'ou=staff,dc=csic,dc=umd,dc=edu' '(uid=derek)'
> SASL/GSSAPI authentication started
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <ou=staff,dc=csic,dc=umd,dc=edu> with scope sub
> # filter: (uid=derek)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
> ----------------------------------------------------------
>
> But it doesn't return anything, but a normal bind will return
> something,
>
> ----------------------------------------------------------
> derek@queasy:~> /csic/openldap/bin/ldapsearch -x -D
> 'cn=staff,dc=csic,dc=umd,dc=edu' -b 'dc=csic,dc=umd,dc=edu'
> -W '(uid=derek)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=csic,dc=umd,dc=edu> with scope sub
> # filter: (uid=derek)
> # requesting: ALL
> #
>
> # derek, staff, csic.umd.edu
> dn: uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
> objectClass: csicAccount
> objectClass: account
> cn: Derek Yarnell
> uid: derek
> uidNumber: 2174
> gidNumber: 10
> homeDirectory: /afs/csic/staff/derek
> loginShell: /bin/tcsh
> mailHost: cs.umd.edu
> mailRoutingAddress: derek@cs.umd.edu
> mailLocalAddress: derek@cs.umd.edu
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ----------------------------------------------------------
>
> here is my sasl-regex,
>
>
> sasl-regexp     uid=(.*),cn=gssapi,cn=auth
>                 uid=$1,ou=staff,dc=csic,dc=umd,dc=edu
>
>
> and the only other access control i have,
>
> access to attr=loginShell,gecos,cn,mailroutingaddress
>         by dn="cn=staff,dc=csic,dc=umd,dc=edu"
>         by self write
>         by users read
>
> thanks for any help.
>
>
> --
> ---
> Derek T. Yarnell
> University of Maryland
> Computer Science Department Unix Staff
> derek@cs.umd.edu
>





--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
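Putting Quanah's and Howard's points together, this is what Derek's ACL fragment looks like once every "by" clause carries an access level, the user's own entry is matched with "self", and a closing "access to *" directive covers everything else. It is a constructed slapd.conf example added here, not a configuration posted in the thread; the attribute lists and DNs are Derek's, the access levels chosen for each clause are an assumption.

```conf
# Constructed example (not from the thread): Derek's ACLs with the fixes
# discussed above. slapd applies no ACLs to the rootdn, so the cn=staff
# clauses only document intent; the levels given to it are assumed.
# Within a directive the first "by" clause matching the bound DN decides
# (unless it ends in a control such as "break"), and an attribute that
# matches no "access to" directive at all is not accessible to anyone.

# Readable by any authenticated user, changeable only by staff.
access to attr=uid,uidNumber,gidNumber,homeDirectory,mailLocalAddress
        by dn.base="cn=staff,dc=csic,dc=umd,dc=edu" write
        by users read
        by * none

# Attributes a user may change on their own entry: "self" is the DN the
# sasl-regexp mapped the GSSAPI authcid to, uid=derek,ou=staff,... here.
access to attr=loginShell,gecos,cn,mailRoutingAddress,mailHost
        by dn.base="cn=staff,dc=csic,dc=umd,dc=edu" write
        by self write
        by users read
        by * none

# Everything else, including the "entry" pseudo-attribute that a bound
# DN needs read access to before any entry is returned to it.
# To grant a whole subtree rather than one exact DN, use a clause such as
#   by dn.children="ou=staff,dc=csic,dc=umd,dc=edu" read
access to *
        by dn.base="cn=staff,dc=csic,dc=umd,dc=edu" write
        by users read
        by * none
```

With these directives in place the GSSAPI bind, which lands as uid=derek,ou=staff,... after the sasl-regexp mapping, gets read on the entry and its attributes instead of the empty result shown in the log.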