ACLs = string matching
Hi there;
I've been trying to get GQ to work with OpenLDAP, but the permission stuff has
been driving me crazy. The log errors simply make no sense:
Apr 14 10:52:26 uranus slapd[30503]: <= check a_dn_pat:
cn=Manager,dc=equoria,dc=net
Apr 14 10:52:26 uranus slapd[30503]: => string_expand: pattern:
cn=Manager,dc=equoria,dc=net
Apr 14 10:52:26 uranus slapd[30503]: => string_expand: expanded:
cn=Manager,dc=equoria,dc=net
Apr 14 10:52:26 uranus slapd[30503]: => regex_matches: string:
Apr 14 10:52:26 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 10:52:26 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 10:52:26 uranus slapd[30503]: <= acl_mask: [3] applying read
(=rscx) (stop)
Apr 14 10:52:26 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 10:52:26 uranus slapd[30503]: => access_allowed: search access
granted
by read (=rscx)
Gee: it sure seems like a match to me!
The slapd.conf entries are as basic as I understand they can be:
access to attr=userPassword
        by self write
        by dn="cn=Manager,dc=equoria,dc=net" write
        by anonymous auth
        by * none
access to *
        by self write
        by dn="cn=Manager,dc=equoria,dc=net" write
        by * read
suffix "dc=equoria,dc=net"
suffix "o=Land of Garg,c=US"
rootdn "cn=Manager,dc=equoria,dc=net"
rootpw {SSHA}[snip]
But, the only result I get from a write request via GQ is insufficient
access...
Clues, hints, kicks in the right direction, all appreciated.
Bob
Full log listing of an attempt to connect follows:
Apr 14 11:06:47 uranus slapd[30493]: connection_get(10)
Apr 14 11:06:47 uranus slapd[30493]: connection_get(10): got connid=4
Apr 14 11:06:47 uranus slapd[30493]: connection_read(10): checking for
input on id=4
Apr 14 11:06:47 uranus slapd[30493]: ber_get_next on fd 10 failed errno=11
(Resource temporarily unavailable)
Apr 14 11:06:47 uranus slapd[30502]: do_bind
Apr 14 11:06:47 uranus slapd[30502]: do_bind: version=3
dn="cn=Manager,dc=equoria,dc=net" method=128
Apr 14 11:06:47 uranus slapd[30502]: send_ldap_result: conn=4 op=0 p=3
Apr 14 11:06:47 uranus slapd[30502]: send_ldap_result: 0::
Apr 14 11:06:47 uranus slapd[30502]: send_ldap_response: msgid=1 tag=97
err=0
Apr 14 11:06:47 uranus slapd[30502]: do_bind: v3 anonymous bind
Apr 14 11:06:47 uranus slapd[30493]: connection_get(10)
Apr 14 11:06:47 uranus slapd[30493]: connection_get(10): got connid=4
Apr 14 11:06:47 uranus slapd[30493]: connection_read(10): checking for
input on id=4
Apr 14 11:06:47 uranus slapd[30493]: ber_get_next on fd 10 failed errno=11
(Resource temporarily unavailable)
Apr 14 11:06:47 uranus slapd[30503]: do_search
Apr 14 11:06:47 uranus slapd[30503]: SRCH "" 0 0
Apr 14 11:06:47 uranus slapd[30503]: 0 0 0
Apr 14 11:06:47 uranus slapd[30503]: filter: (objectClass=*)
Apr 14 11:06:47 uranus slapd[30503]: attrs:
Apr 14 11:06:47 uranus slapd[30503]: namingcontexts
Apr 14 11:06:47 uranus slapd[30503]:
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: search access to
"" "
objectClass" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr objectClass
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr objectClass
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: objectClass
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "",
attr "objectClass" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read
(=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: search access
granted
by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => send_search_entry: ""
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to
"" "entry" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr entry
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr entry
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr: entry
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "",
attr "entry" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read
(=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access
granted by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to
"" "namingContexts"
requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr:
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "",
attr "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read
(=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access
granted by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to
"" "namingContexts"
requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr:
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "",
attr "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to value by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read
(=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access
granted by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access to
"" "namingContexts"
requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [1] check attr
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_get: [2] check attr
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: <= acl_get: [2] acl attr:
namingContexts
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "",
attr "namingContexts" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to value by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: self
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: pattern:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => string_expand: expanded:
cn=Manager,dc=equoria,dc=net
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= check a_dn_pat: *
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read
(=rscx) (stop)
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] mask: read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: => access_allowed: read access granted
by read (=rscx)
Apr 14 11:06:47 uranus slapd[30503]: <= send_search_entry
Apr 14 11:06:47 uranus slapd[30503]: send_ldap_result: conn=4 op=1 p=3
Apr 14 11:06:47 uranus slapd[30503]: send_ldap_result: 0::
Apr 14 11:06:47 uranus slapd[30503]: send_ldap_response: msgid=2 tag=101
err=0
Apr 14 11:06:52 uranus slapd[30493]: connection_get(10)
Apr 14 11:06:52 uranus slapd[30493]: connection_get(10): got connid=4
Apr 14 11:06:52 uranus slapd[30493]: connection_read(10): checking for
input on id=4
Apr 14 11:06:52 uranus slapd[30493]: ber_get_next on fd 10 failed
errno=0 (Success)
Apr 14 11:06:52 uranus slapd[30493]: connection_read(10): input error=-2
id=4, closing.
Apr 14 11:06:52 uranus slapd[30493]: connection_closing: readying conn=4
sd=10 for close
Apr 14 11:06:52 uranus slapd[30493]: connection_close: deferring conn=4
sd=10
Apr 14 11:06:52 uranus slapd[30604]: do_unbind
Apr 14 11:06:52 uranus slapd[30604]: connection_resched: attempting
closing conn=4 sd=10
Apr 14 11:06:52 uranus slapd[30604]: connection_close: conn=4 sd=10
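
An added example, not part of the original post: a small Python parser for slapd debug output like the listing above. It rejoins entries split by mail wrapping, then reports the DN sent in the bind, whether slapd logged an anonymous bind, and which subject string the ACL checks were run against. The sample is constructed from line shapes in the post, and the function names are hypothetical.

```python
import re

# Constructed sample, shaped like the post's log (mail wrapping included).
SAMPLE = """\
Apr 14 11:06:47 uranus slapd[30502]: do_bind: version=3
dn="cn=Manager,dc=equoria,dc=net" method=128
Apr 14 11:06:47 uranus slapd[30502]: do_bind: v3 anonymous bind
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: access to entry "",
attr "objectClass" requested
Apr 14 11:06:47 uranus slapd[30503]: => acl_mask: to all values by "", (=n)
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: string:
Apr 14 11:06:47 uranus slapd[30503]: => regex_matches: rc: 1 no matches
Apr 14 11:06:47 uranus slapd[30503]: <= acl_mask: [3] applying read
(=rscx) (stop)
"""

HEAD = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ slapd\[\d+\]: ?(.*)$")

def unwrap(text):
    """Rejoin entries the mail client wrapped; return the message bodies."""
    out = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            out.append(m.group(1).strip())
        elif out and line.strip():  # continuation of the previous entry
            out[-1] = (out[-1] + " " + line.strip()).strip()
    return out

def summarize(text):
    """Collect bind and ACL-evaluation facts from slapd debug messages."""
    s = {"bind_dn": None, "anonymous": False, "subjects": set(), "compared": [], "applied": []}
    for msg in unwrap(text):
        if m := re.match(r'do_bind: version=\d+ dn="([^"]*)"', msg):
            s["bind_dn"] = m.group(1)           # DN the client sent
        elif re.match(r"do_bind: v\d+ anonymous bind", msg):
            s["anonymous"] = True               # slapd's own verdict on the bind
        elif m := re.match(r'=> acl_mask: to .* by "([^"]*)"', msg):
            s["subjects"].add(m.group(1))       # identity the ACL is evaluated for
        elif m := re.match(r"=> regex_matches: string:\s*(.*)$", msg):
            s["compared"].append(m.group(1))    # string tested against the by-dn pattern
        elif m := re.match(r"<= acl_mask: \[(\d+)\] applying (\S+)", msg):
            s["applied"].append((int(m.group(1)), m.group(2)))
    return s

def evaluated_as_anonymous(s):
    """True when a DN was sent in the bind but every ACL check ran for ""."""
    return bool(s["bind_dn"]) and s["subjects"] == {""}
```

On the sample, the bind carries the Manager DN, yet every `acl_mask` check runs for the empty subject `""`, so the `by dn=` clause is compared against an empty string and clause `[3]` (`by * read`) is the one applied.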