
Anonymously binding despite '-U ....' to ldapsearch



I don't seem to be able to view 'secret' information in my
new system. Object 'cn=admin' should have a userPassword entry,
but I can't see it (except from 'slapcat')...

----- s n i p -----
[majorskan.pts/2]$ ldapsearch -U turbo -LLL cn=admin  userPassword
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn: cn=admin,dc=bayour,dc=com
----- s n i p -----

Running slapd with '-d -1' shows:
----- s n i p -----
majorskan:~# egrep 'BIND dn|_sasl_bind' /tmp/slapd-1.out
do_sasl_bind: dn () mech GSSAPI
conn=0 op=1 BIND dn="" method=163
<== slap_sasl_bind: rc=14
do_sasl_bind: dn () mech GSSAPI
conn=0 op=2 BIND dn="" method=163
<== slap_sasl_bind: rc=14
do_sasl_bind: dn () mech GSSAPI
conn=0 op=3 BIND dn="" method=163
<== slap_sasl_bind: rc=0
----- s n i p -----

Where's the DN!? I bind anonymously, why? I know that 2.1 of OpenLDAP
is quite different, but I've looked through the mail archive, but can't
seem to find anything special...


Software:
OpenLDAP	v2.1.12
Cyrus SASL	v2.1.12
Berkeley DB	v4.1.25

Supported SASL Mechanisms:
----- s n i p -----
[majorskan.pts/2]$ ldapsearch -h localhost -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
----- s n i p -----

ACLs:
----- s n i p -----
access to attribute=userPassword
        by dn="cn=admin,dc=bayour,dc=com" write
        by dn="uid=turbo\\+realm=BAYOUR.COM" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=bayour,dc=com" write
        by dn="uid=turbo\\+realm=BAYOUR.COM" write
        by * read
----- s n i p -----

Kerberos ticket:
----- s n i p -----
[majorskan.pts/2]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: turbo@BAYOUR.COM

Valid starting     Expires            Service principal
02/26/03 16:24:58  02/27/03 02:24:56  krbtgt/BAYOUR.COM@BAYOUR.COM
02/26/03 16:25:00  02/27/03 02:24:56  ldap/majorskan.bayour.com@BAYOUR.COM


Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
----- s n i p -----
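
An added example, not part of the original message: a small Python decoder for the slapd bind trace quoted above, pairing each BIND request with its result. It uses the standard LDAP protocol values (method 163 is the SASL bind choice, result 14 is saslBindInProgress); RFC 4511 allows the name field of a bind request to be empty when SASL is used, so the example does not treat `dn=""` on those lines as the authenticated identity. The function and field names are this example's own.

```python
import re

# LDAP protocol constants (bind method tag and result codes).
AUTH_METHODS = {128: "simple", 163: "sasl"}  # 0x80, 0xa3
RESULT_CODES = {0: "success", 14: "saslBindInProgress", 49: "invalidCredentials"}
MECH_RE = re.compile(r"do_sasl_bind: dn \((.*?)\) mech (\S+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="(.*?)" method=(\d+)')
RC_RE = re.compile(r"<== slap_sasl_bind: rc=(\d+)")

# Trace lines copied from the egrep output in the message above.
TRACE = """\
do_sasl_bind: dn () mech GSSAPI
conn=0 op=1 BIND dn="" method=163
<== slap_sasl_bind: rc=14
do_sasl_bind: dn () mech GSSAPI
conn=0 op=2 BIND dn="" method=163
<== slap_sasl_bind: rc=14
do_sasl_bind: dn () mech GSSAPI
conn=0 op=3 BIND dn="" method=163
<== slap_sasl_bind: rc=0
""".splitlines()

def parse_bind_steps(lines):
    """Return one dict per bind round trip: request fields plus its result."""
    steps, mech, pending = [], None, None
    for line in lines:
        if m := MECH_RE.search(line):
            mech = m.group(2)
        elif m := BIND_RE.search(line):
            pending = {"conn": int(m[1]), "op": int(m[2]), "request_dn": m[3],
                       "method": AUTH_METHODS.get(int(m[4]), m[4]), "mech": mech}
        elif (m := RC_RE.search(line)) and pending:
            steps.append({**pending, "result": RESULT_CODES.get(int(m[1]), "rc=" + m[1])})
            pending = None
    return steps

def summarize(steps):
    """Per connection: mechanism, number of round trips, and final outcome."""
    summary = {}
    for s in steps:
        entry = summary.setdefault(s["conn"], {"mech": s["mech"], "round_trips": 0})
        entry["round_trips"] += 1
        entry["final"] = s["result"]
        # Only a simple bind carries the identity in the request's dn field.
        entry["request_dn_is_identity"] = s["method"] == "simple"
    return summary

if __name__ == "__main__":
    print(summarize(parse_bind_steps(TRACE)))
```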