
ACLs = string matching



Hi there;

I've been trying to get GQ to work with OpenLDAP, but the permission stuff has
been driving me crazy. The log errors simply make no sense:


Apr 14 10:52:26 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net
Apr 14 10:52:26 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net
Apr 14 10:52:26 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net
Apr 14 10:52:26 uranus slapd[30503]: => regex_matches: string:
Apr 14 10:52:26 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 10:52:26 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 10:52:26 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop)
Apr 14 10:52:26 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 10:52:26 uranus slapd[30503]: => access_allowed: search access granted by read (=rscx)


Gee: it sure seems like a match to me!

The slapd.conf entries are as basic as I understand they can be:

access to attr=userPassword
       by self write
       by dn="cn=Manager,dc=equoria,dc=net" write
       by anonymous auth
       by * none

access to *
       by self write
       by dn="cn=Manager,dc=equoria,dc=net" write
       by * read

suffix          "dc=equoria,dc=net"
suffix          "o=Land of Garg,c=US"
rootdn          "cn=Manager,dc=equoria,dc=net"
rootpw        {SSHA}[snip]

But, the only result I get from a write request via GQ is insufficient access...

Clues, hints, kicks in the right direction, all appreciated.

Bob



Full log listing of an attempt to connect follows:

Apr 14 11:06:47 uranus slapd[30493]: connection_get(10)
Apr 14 11:06:47 uranus slapd[30493]: connection_get(10): got connid=4
Apr 14 11:06:47 uranus slapd[30493]: connection_read(10): checking for input on id=4
Apr 14 11:06:47 uranus slapd[30493]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
Apr 14 11:06:47 uranus slapd[30502]: do_bind
Apr 14 11:06:47 uranus slapd[30502]: do_bind: version=3 dn="cn=Manager,dc=equoria,dc=net" method=128
Apr 14 11:06:47 uranus slapd[30502]: send_ldap_result: conn=4 op=0 p=3
Apr 14 11:06:47 uranus slapd[30502]: send_ldap_result: 0::
Apr 14 11:06:47 uranus slapd[30502]: send_ldap_response: msgid=1 tag=97 err=0
Apr 14 11:06:47 uranus slapd[30502]: do_bind: v3 anonymous bind
Apr 14 11:06:47 uranus slapd[30493]: connection_get(10)
Apr 14 11:06:47 uranus slapd[30493]: connection_get(10): got connid=4
Apr 14 11:06:47 uranus slapd[30493]: connection_read(10): checking for input on id=4
Apr 14 11:06:47 uranus slapd[30493]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
Apr 14 11:06:47 uranus slapd[30503]: do_search
Apr 14 11:06:47 uranus slapd[30503]: SRCH "" 0 0
Apr 14 11:06:47 uranus slapd[30503]: 0 0 0
Apr 14 11:06:47 uranus slapd[30503]: filter: (objectClass=*)
Apr 14 11:06:47 uranus slapd[30503]: attrs:
Apr 14 11:06:47 uranus slapd[30503]: namingcontexts
Apr 14 11:06:47 uranus slapd[30503]:
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: search access to "" "objectClass" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr objectClass
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr objectClass
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: objectClass
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "objectClass" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: search access granted by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => send_search_entry: ""
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to "" "entry" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr entry
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr entry
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: entry
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "entry" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to "" "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr namingContexts
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to "" "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr namingContexts
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to value by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to "" "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr namingContexts
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to value by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: <= send_search_entry
Apr 14 11:06:47 uranus slapd[30503]: send_ldap_result: conn=4 op=1 p=3
Apr 14 11:06:47 uranus slapd[30503]: send_ldap_result: 0::
Apr 14 11:06:47 uranus slapd[30503]: send_ldap_response: msgid=2 tag=101 err=0
Apr 14 11:06:52 uranus slapd[30493]: connection_get(10)
Apr 14 11:06:52 uranus slapd[30493]: connection_get(10): got connid=4
Apr 14 11:06:52 uranus slapd[30493]: connection_read(10): checking for input on id=4
Apr 14 11:06:52 uranus slapd[30493]: ber_get_next on fd 10 failed errno=0 (Success)
Apr 14 11:06:52 uranus slapd[30493]: connection_read(10): input error=-2 id=4, closing.
Apr 14 11:06:52 uranus slapd[30493]: connection_closing: readying conn=4 sd=10 for close
Apr 14 11:06:52 uranus slapd[30493]: connection_close: deferring conn=4 sd=10
Apr 14 11:06:52 uranus slapd[30604]: do_unbind
Apr 14 11:06:52 uranus slapd[30604]: connection_resched: attempting closing conn=4 sd=10
Apr 14 11:06:52 uranus slapd[30604]: connection_close: conn=4 sd=10
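
Added example, not part of the original post: a small Python reader for the slapd trace format shown above. It reports the DN named in the bind request, whether slapd logged the bind as anonymous, the DN quoted after `by` in each `acl_mask` line, and which `by` clause was applied. The sample lines are copied from the log in the post with the syslog wraps joined; the function names are illustrative.

```python
import re

# Constructed sample: lines copied from the slapd trace in the post above,
# with wrapped syslog lines joined.
SAMPLE = '''\
Apr 14 11:06:47 uranus slapd[30502]: do_bind: version=3 dn="cn=Manager,dc=equoria,dc=net" method=128
Apr 14 11:06:47 uranus slapd[30502]: do_bind: v3 anonymous bind
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "objectClass" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop)
'''

BIND_REQ = re.compile(r'do_bind: version=\d+ dn="([^"]*)" method=(\d+)')
ANON = re.compile(r'do_bind: v\d+ anonymous bind')
SUBJECT = re.compile(r'=> acl_mask: to .* by "([^"]*)", ')
PATTERN = re.compile(r'<= check a_dn_pat: (.*)$')
APPLIED = re.compile(r'<= acl_mask: \[(\d+)\] applying (\S+)')

def summarize(log_text):
    """Collect the bind identity and every ACL decision found in the trace."""
    out = {"requested_dn": None, "anonymous": False, "decisions": []}
    subject, tried = None, []
    for line in log_text.splitlines():
        if m := BIND_REQ.search(line):
            out["requested_dn"] = m.group(1)
        elif ANON.search(line):
            out["anonymous"] = True
        elif m := SUBJECT.search(line):
            subject, tried = m.group(1), []  # a new ACL evaluation starts here
        elif m := PATTERN.search(line):
            tried.append(m.group(1).strip())  # each "by" pattern slapd tested
        elif m := APPLIED.search(line):
            out["decisions"].append({"subject": subject, "tried": tried,
                                     "clause": int(m.group(1)), "level": m.group(2)})
    return out

def mismatches(summary):
    """Decisions whose subject DN differs from the bind request's DN
    (exact string compare, a simplification of real DN matching)."""
    return [d for d in summary["decisions"] if d["subject"] != summary["requested_dn"]]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    print(len(mismatches(s)), "ACL decision(s) evaluated for a different DN")
```
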