Re: Anonymously binding despite '-U ....' to ldapsearch
I suggest you use ldapwhoami(1) to determine what your
authorization identity actually is. Note that some
of the identity mapping stuff was changed. Namely,
multi-valued RDNs are no longer used.
Kurt
At 08:23 AM 2/26/2003, Turbo Fredriksson wrote:
>I don't seem to be able to view 'secret' information in my
>new system. Object 'cn=admin' should have a userPassword entry,
>but I can't see it (except from 'slapcat')...
>
>----- s n i p -----
>[majorskan.pts/2]$ ldapsearch -U turbo -LLL cn=admin userPassword
>SASL/GSSAPI authentication started
>SASL username: turbo@BAYOUR.COM
>SASL SSF: 56
>SASL installing layers
>dn: cn=admin,dc=bayour,dc=com
>----- s n i p -----
>
>Running slapd with '-d -1' shows:
>----- s n i p -----
>majorskan:~# egrep 'BIND dn|_sasl_bind' /tmp/slapd-1.out
>do_sasl_bind: dn () mech GSSAPI
>conn=0 op=1 BIND dn="" method=163
><== slap_sasl_bind: rc=14
>do_sasl_bind: dn () mech GSSAPI
>conn=0 op=2 BIND dn="" method=163
><== slap_sasl_bind: rc=14
>do_sasl_bind: dn () mech GSSAPI
>conn=0 op=3 BIND dn="" method=163
><== slap_sasl_bind: rc=0
>----- s n i p -----
>
>Where's the DN!? I bind anonymously, why? I know that 2.1 of OpenLDAP
>is quite different, but I've looked through the mail archive, but can't
>seem to find anything special...
>
>
>Software:
>OpenLDAP v2.1.12
>Cyrus SASL v2.1.12
>Berkeley DB v4.1.25
>
>Supported SASL Mechanisms:
>----- s n i p -----
>[majorskan.pts/2]$ ldapsearch -h localhost -x -b "" -s base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: NTLM
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: DIGEST-MD5
>supportedSASLMechanisms: CRAM-MD5
>----- s n i p -----
>
>ACLs:
>----- s n i p -----
>access to attribute=userPassword
> by dn="cn=admin,dc=bayour,dc=com" write
> by dn="uid=turbo\\+realm=BAYOUR.COM" write
> by anonymous auth
> by self write
> by * none
>
>access to *
> by dn="cn=admin,dc=bayour,dc=com" write
> by dn="uid=turbo\\+realm=BAYOUR.COM" write
> by * read
>----- s n i p -----
>
>Kerberos ticket:
>----- s n i p -----
>[majorskan.pts/2]$ klist
>Ticket cache: FILE:/tmp/krb5cc_1000
>Default principal: turbo@BAYOUR.COM
>
>Valid starting Expires Service principal
>02/26/03 16:24:58 02/27/03 02:24:56 krbtgt/BAYOUR.COM@BAYOUR.COM
>02/26/03 16:25:00 02/27/03 02:24:56 ldap/majorskan.bayour.com@BAYOUR.COM
>
>
>Kerberos 4 ticket cache: /tmp/tkt1000
>klist: You have no tickets cached
>----- s n i p -----
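An added illustration of the identity-mapping change Kurt refers to (example code written for this page, not OpenLDAP's own): it builds the 2.1-style SASL authentication DN from the `SASL username` shown in the post, checks it against the old multi-valued-RDN `by dn=` clauses of the quoted ACL, and applies a `sasl-regexp`-style rewrite. The `ou=people` container and the treatment of a trailing `@REALM` as the SASL realm are assumptions for the example.

```python
import re

# OpenLDAP 2.1 derives the SASL authentication identity as a DN of the form
#   uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth   (cn=<realm> dropped if none)
# instead of the earlier multi-valued RDN  uid=<user>+realm=<realm>
# that the quoted ACL still references.  Constructed model, not slapd code.

def sasl_auth_dn(sasl_username: str, mech: str) -> str:
    """Map 'turbo@BAYOUR.COM' + 'GSSAPI' to the 2.1-style authentication DN.
    Assumption: a trailing @REALM in the SASL username is the SASL realm."""
    user, _, realm = sasl_username.partition("@")
    rdns = [f"uid={user}"]
    if realm:
        rdns.append(f"cn={realm}")
    rdns += [f"cn={mech}", "cn=auth"]
    return ",".join(rdns)

def normalize_dn(dn: str) -> str:
    """Comparison form: trim spaces around RDNs and fold case."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def acl_dn_matches(acl_dn_clause: str, identity_dn: str) -> bool:
    """Exact 'by dn=...' comparison after normalization.  Backslashes that
    escape '+' in the slapd.conf clause (uid=turbo\\+realm=...) are removed
    first so the clause is compared as the DN it denotes."""
    clause = re.sub(r"\\+(?=\+)", "", acl_dn_clause)
    return normalize_dn(clause) == normalize_dn(identity_dn)

def apply_sasl_regexp(auth_dn: str, pattern: str, replacement: str) -> str:
    """Rewrite auth_dn the way a 'sasl-regexp <pattern> <replacement>' line
    would, expanding $1..$n back-references.  If the pattern does not match,
    the authentication DN is returned unchanged, as slapd would then use it."""
    m = re.fullmatch(pattern, normalize_dn(auth_dn), re.IGNORECASE)
    if not m:
        return auth_dn
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)

if __name__ == "__main__":
    auth = sasl_auth_dn("turbo@BAYOUR.COM", "GSSAPI")
    print("2.1 authentication DN :", auth)
    print("old ACL clause matches:", acl_dn_matches("uid=turbo\\\\+realm=BAYOUR.COM", auth))
    mapped = apply_sasl_regexp(auth, r"uid=([^,]+),cn=bayour\.com,cn=gssapi,cn=auth",
                               "uid=$1,ou=people,dc=bayour,dc=com")   # ou=people assumed
    print("after sasl-regexp      :", mapped)
```

Running `ldapwhoami` against the server, as the reply suggests, is the authoritative way to see which of these DNs slapd actually assigned.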