
Problem with access to OpenLDAP



Hi,



I want to log in with a user, AdminContacts, and not the superuser. I
have defined an ACI for him:

        access to dn="ou=Contacts,dc=e-qual,dc=fr"
                by dn="cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" write

and here is the LDIF of AdminContacts:

        # LDIF Export for: cn=AdminContacts
        # Scope: base, 1 objects
        # Generated by DaveDAP on May 30, 2003 12:00 pm

        dn: cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr
        objectclass: person
        objectclass: top
        objectclass: inetOrgPerson
        objectclass: organizationalPerson
        userpassword: poiuyt
        sn: AdminContacts
        cn: AdminContacts
        uid: AdminContacts


Do you have an idea about the solution?
Is my ACI wrong? (I want AdminContacts to be able to write, delete... any
entry in the branch ou=Contacts,dc=e-qual,dc=fr.)


Philippe



conn=0 fd=12 ACCEPT from IP=192.168.1.53:1293 (IP=0.0.0.0:389)
connection_get(12)
conn=0 op=0 BIND dn="cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" method=128
==> bdb_bind: dn: cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr
=> access_allowed: auth access to "cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" "userPassword" requested
=> dnpat: [1] ou=Contacts,dc=e-qual,dc=fr nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr attr: userPassword
=> match[0]: 17 44 ou=contacts,dc=e-qual,dc=fr
=> acl_mask: access to entry "cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: auth access denied by =n
send_ldap_result: err=50 matched="" text=""
conn=0 op=0 RESULT tag=97 err=50 text=
connection_get(12)
do_add: invalid dn (cn=toto36 toto36,ou=,dc=e-qual,dc=fr)
send_ldap_result: err=34 matched="" text="invalid DN"
conn=0 op=1 RESULT tag=105 err=34 text=invalid DN
connection_get(12)
ber_dump: buf=0x08128b78 ptr=0x08128b78 end=0x08128b7d len=5
  0000:  02 01 03 42 00                                     ...B.
conn=0 op=2 UNBIND
conn=0 fd=12 closed
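The trace above shows why the bind fails: while the client is still binding it is anonymous (`by "", (=n)`), the only `by` clause names AdminContacts, and with no further `<who>` clause slapd returns `=n` (err=50). The following added example (not from the post or from OpenLDAP itself) is a simplified model of slapd's `by`-clause evaluation, first matching clause wins with the default `stop` control, run against the ACL as posted and against the same ACL with the standard `by anonymous auth` clause added; the exact-DN matching and the clause list are assumptions of the model.

```python
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def level_ok(granted, requested):
    """Each slapd access level implies all lower ones (write > read > ... > auth)."""
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(requested)

def who_matches(who, requester_dn):
    """<who> is '*', 'anonymous', 'users' or ('dn', exact DN); '' is the anonymous identity."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    _kind, pattern = who
    return requester_dn.lower() == pattern.lower()   # DNs compare case-insensitively

def access_allowed(acl, requester_dn, requested):
    """acl: list of (<who>, <access>) clauses in the order written in slapd.conf.
    The first <who> clause matching the requester decides (default 'stop' control);
    if none matches, access is denied: '<= acl_mask: no more <who> clauses' in the log."""
    for who, level in acl:
        if who_matches(who, requester_dn):
            return level_ok(level, requested)
    return False

ADMIN = "cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr"

# The directive from the post, as written:
#   access to dn="ou=Contacts,dc=e-qual,dc=fr"
#       by dn="cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" write
ORIGINAL_ACL = [(("dn", ADMIN), "write")]

# Corrected directive: the client is still anonymous while it binds, so it needs
# 'auth' access to userPassword; 'auth' does not let it read the attribute.
#   access to dn="ou=Contacts,dc=e-qual,dc=fr"
#       by dn="cn=AdminContacts,ou=Contacts,dc=e-qual,dc=fr" write
#       by anonymous auth
FIXED_ACL = ORIGINAL_ACL + [("anonymous", "auth")]

def simulate_bind(acl):
    """Simple bind: requester is "" and slapd asks for auth access to userPassword."""
    return access_allowed(acl, "", "auth")

def simulate_admin_write(acl):
    """After binding, AdminContacts asks for write access on an entry in the branch."""
    return access_allowed(acl, ADMIN, "write")

def simulate_anonymous_read(acl):
    """An unauthenticated client must still be unable to read entries."""
    return access_allowed(acl, "", "read")

if __name__ == "__main__":
    print("bind, original ACL:", simulate_bind(ORIGINAL_ACL))        # False (err=50 above)
    print("bind, fixed ACL:   ", simulate_bind(FIXED_ACL))           # True
    print("anon read, fixed:  ", simulate_anonymous_read(FIXED_ACL)) # False
```

The second failure in the log (err=34, invalid DN) is unrelated to the ACL: the DN `cn=toto36 toto36,ou=,dc=e-qual,dc=fr` sent by the client has an empty value in its `ou=` RDN, which slapd rejects before any access check.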