[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACLs = string matching

To: openldap-software@OpenLDAP.org
Subject: ACLs = string matching
From: Bob Van Cleef <vancleef@garg.com>
Date: Mon, 14 Apr 2003 11:10:38 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Hi there;

I've been trying to get GQ to work with OpenLDAP, but the premission stuff has been driving me crazy. The log errors simply make no sense:

Apr 14 10:52:26 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net Apr 14 10:52:26 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net Apr 14 10:52:26 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net Apr 14 10:52:26 uranus slapd[30503]: => regex_matches: string: Apr 14 10:52:26 uranus slapd[30503]: => regex_matches: rc: 1 no matches Apr 14 10:52:26 uranus slapd[30503]: <= check a_dn_pat: * Apr 14 10:52:26 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop) Apr 14 10:52:26 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx) Apr 14 10:52:26 uranus slapd[30503]: => access_allowed: search access granted by read (=rscx)

Gee: it sure seems like a to match to me!

The slapd.conf entries are as basic as I understand they can be:

access to attr=userPassword
       by self write
       by dn="cn=Manager,dc=equoria,dc=net" write
       by anonymous auth
       by * none

access to *
       by self write
       by dn="cn=Manager,dc=equoria,dc=net" write
       by * read

suffix          "dc=equoria,dc=net"
suffix          "o=Land of Garg,c=US"
rootdn          "cn=Manager,dc=equoria,dc=net"
rootpw        {SSHA}[snip]

But, the only result I get from a write request via GQ is insufficient access...

Clues, hints, kicks in the right direction, all appreciated.

Bob

Full log listing of an attempt to connect follows:

Apr 14 11:06:47 uranus slapd[30493]: connection_get(10) Apr 14 11:06:47 uranus slapd[30493]: connection_get(10): got connid=4 Apr 14 11:06:47 uranus slapd[30493]: connection_read(10): checking for input on id=4 Apr 14 11:06:47 uranus slapd[30493]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable) Apr 14 11:06:47 uranus slapd[30502]: do_bind Apr 14 11:06:47 uranus slapd[30502]: do_bind: version=3 dn="cn=Manager,dc=equoria,dc=net" method=128 Apr 14 11:06:47 uranus slapd[30502]: send_ldap_result: conn=4 op=0 p=3 Apr 14 11:06:47 uranus slapd[30502]: send_ldap_result: 0:: Apr 14 11:06:47 uranus slapd[30502]: send_ldap_response: msgid=1 tag=97 err=0 Apr 14 11:06:47 uranus slapd[30502]: do_bind: v3 anonymous bind Apr 14 11:06:47 uranus slapd[30493]: connection_get(10) Apr 14 11:06:47 uranus slapd[30493]: connection_get(10): got connid=4 Apr 14 11:06:47 uranus slapd[30493]: connection_read(10): checking for input on id=4 Apr 14 11:06:47 uranus slapd[30493]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable) Apr 14 11:06:47 uranus slapd[30503]: do_search Apr 14 11:06:47 uranus slapd[30503]: SRCH "" 0 0 Apr 14 11:06:47 uranus slapd[30503]: 0 0 0 Apr 14 11:06:47 uranus slapd[30503]: filter: (objectClass=*) Apr 14 11:06:47 uranus slapd[30503]: attrs: Apr 14 11:06:47 uranus slapd[30503]: namingcontexts Apr 14 11:06:47 uranus slapd[30503]: Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: search access to "" " objectClass" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr objectClass Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr objectClass Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: objectClass Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "objectClass" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n) Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string: Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: * Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop) Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: search access granted by read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => send_search_entry: "" Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to "" "entry" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr entry Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr entry Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: entry Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "entry" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n) Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string: Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: * Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop) Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted by read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to "" "namingContexts" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr namingContexts Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr namingContexts Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: namingContexts Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "namingContexts" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n) Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string: Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: * Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop) Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted by read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to "" "namingContexts" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr namingContexts Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr namingContexts Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: namingContexts Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "namingContexts" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to value by "", (=n) Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string: Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: * Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop) Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted by read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to "" "namingContexts" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr namingContexts Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr namingContexts Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: namingContexts Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "", attr "namingContexts" requested Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to value by "", (=n) Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded: cn=Manager,dc=equoria,dc=net Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string: Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: * Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read (=rscx) (stop) Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted by read (=rscx) Apr 14 11:06:47 uranus slapd[30503]: <= send_search_entry Apr 14 11:06:47 uranus slapd[30503]: send_ldap_result: conn=4 op=1 p=3 Apr 14 11:06:47 uranus slapd[30503]: send_ldap_result: 0:: Apr 14 11:06:47 uranus slapd[30503]: send_ldap_response: msgid=2 tag=101 err=0 Apr 14 11:06:52 uranus slapd[30493]: connection_get(10) Apr 14 11:06:52 uranus slapd[30493]: connection_get(10): got connid=4 Apr 14 11:06:52 uranus slapd[30493]: connection_read(10): checking for input on id=4 Apr 14 11:06:52 uranus slapd[30493]: ber_get_next on fd 10 failed errno=0 (Success) Apr 14 11:06:52 uranus slapd[30493]: connection_read(10): input error=-2 id=4, closing. Apr 14 11:06:52 uranus slapd[30493]: connection_closing: readying conn=4 sd=10 for close Apr 14 11:06:52 uranus slapd[30493]: connection_close: deferring conn=4 sd=10 Apr 14 11:06:52 uranus slapd[30604]: do_unbind Apr 14 11:06:52 uranus slapd[30604]: connection_resched: attempting closing conn=4 sd=10 Apr 14 11:06:52 uranus slapd[30604]: connection_close: conn=4 sd=10

Follow-Ups:
- Re: ACLs = string matching
  - From: Tony Earnshaw <tonni@billy.demon.nl>
- Re: ACLs = string matching
  - From: Tony Earnshaw <tonni@billy.demon.nl>

Prev by Date: Re: LDAP Partial Replication
Next by Date: Storing the search results in a file
Index(es):
- Chronological
- Thread