[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Anonymously binding despite '-U ....' to ldapsearch

I suggest you use ldapwhoami(1) to determine what your
authorization identity actually is.  Note that some of
of the identity mapping stuff was changed.  Namely,
multi-valued RDNs are no longer used.

Kurt

At 08:23 AM 2/26/2003, Turbo Fredriksson wrote:
>I don't seem to be able to view 'secret' information in my
>new system. Object 'cn=admin' should have a userPassword entry,
>but I can't see it (exept from 'slapcat')...
>
>----- s n i p -----
>[majorskan.pts/2]$ ldapsearch -U turbo -LLL cn=admin  userPassword
>SASL/GSSAPI authentication started
>SASL username: turbo@BAYOUR.COM
>SASL SSF: 56
>SASL installing layers
>dn: cn=admin,dc=bayour,dc=com
>----- s n i p -----
>
>Running slapd with '-d -1' shows:
>----- s n i p -----
>majorskan:~# egrep 'BIND dn|_sasl_bind' /tmp/slapd-1.out
>do_sasl_bind: dn () mech GSSAPI
>conn=0 op=1 BIND dn="" method=163
><== slap_sasl_bind: rc=14
>do_sasl_bind: dn () mech GSSAPI
>conn=0 op=2 BIND dn="" method=163
><== slap_sasl_bind: rc=14
>do_sasl_bind: dn () mech GSSAPI
>conn=0 op=3 BIND dn="" method=163
><== slap_sasl_bind: rc=0
>----- s n i p -----
>
>Where's the DN!? I bind anonymously, why? I know that 2.1 of OpenLDAP
>is quite different, but I've looked through the mailarchive, but can't
>seem to find anything special...
>
>
>Softwares:
>OpenLDAP        v2.1.12
>Cyrus SASL      v2.1.12
>Berkeley DB     v4.1.25
>
>Supported SASL Mechanisms:
>----- s n i p -----
>[majorskan.pts/2]$ ldapsearch -h localhost -x -b "" -s base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: NTLM
>supportedSASLMechanisms: GSSAPI
>supportedSASLMechanisms: DIGEST-MD5
>supportedSASLMechanisms: CRAM-MD5
>----- s n i p -----
>
>ACLs:
>----- s n i p -----
>access to attribute=userPassword
>        by dn="cn=admin,dc=bayour,dc=com" write
>        by dn="uid=turbo\\+realm=BAYOUR.COM" write
>        by anonymous auth
>        by self write
>        by * none
>
>access to *
>        by dn="cn=admin,dc=bayour,dc=com" write
>        by dn="uid=turbo\\+realm=BAYOUR.COM" write
>        by * read
>----- s n i p -----
>
>Kerberos ticket:
>----- s n i p -----
>[majorskan.pts/2]$ klist
>Ticket cache: FILE:/tmp/krb5cc_1000
>Default principal: turbo@BAYOUR.COM
>
>Valid starting     Expires            Service principal
>02/26/03 16:24:58  02/27/03 02:24:56  krbtgt/BAYOUR.COM@BAYOUR.COM
>02/26/03 16:25:00  02/27/03 02:24:56  ldap/majorskan.bayour.com@BAYOUR.COM
>
>
>Kerberos 4 ticket cache: /tmp/tkt1000
>klist: You have no tickets cached
>----- s n i p -----