
RE: sasl UID mapping



On Sat, 17 Jan 2004, Howard Chu wrote:

> Pulling out my handy crystal ball, I see that your ACLs prevent
> this from succeeding.

Ok, so the sasl-regexp itself looks sane. With what DN does slapd 
bind to itself for sasl-regexp lookups? (I wouldn't have thought ACLs 
applied to slapd itself).

> But seriously, turn up debugging, then look at the sequence of
> events in the actual SASL name mapping. It will tell you what it's
> doing.

I tried, but I don't see anything to do with ACLs and sasl-regexp 
lookups, e.g.:

Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=3 BIND dn="cn=paul,cn=jakma.org,cn=GSSAPI,cn=auth" method=163
Jan 18 02:06:37 hibernia slapd[6194]: daemon: select: listen=6 active_threads=1 tvp=NULL
Jan 18 02:06:37 hibernia slapd[6197]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: Permission denied
Jan 18 02:06:37 hibernia slapd[6194]: daemon: select: listen=7 active_threads=1 tvp=NULL
Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=3 BIND authcid="paul@JAKMA.ORG"
Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=3 BIND dn="uid=paul,cn=jakma.org,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
Jan 18 02:06:37 hibernia slapd[6194]: daemon: activity on 1 descriptors
Jan 18 02:06:37 hibernia slapd[6194]: daemon: activity on:
Jan 18 02:06:37 hibernia slapd[6194]:  10r
Jan 18 02:06:37 hibernia slapd[6194]:
Jan 18 02:06:37 hibernia slapd[6194]:
Jan 18 02:06:37 hibernia slapd[6194]: daemon: read activity on 10
Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=4 MOD dn="cn=local,ou=auto.misc,ou=Automount,dc=jakma,dc=org"

<now we get ACL debug info, but related to the cn=local DN>

The /etc/sasldb2 entry is intriguing, but the mech is GSSAPI which 
shouldn't have any business opening that file really.

> We can't see what it's doing from out here, and asking people to
> guess blindly is not productive.

Not asking anyone to guess, just asking "I have xyz but can't foo", if 
the answer is "xyz is completely wrong" then that is constructive. :) 
If no conclusion can be drawn, I can always post further info.

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam@dishone.st
Fortune:
The Shuttle is now going five times the sound of speed.
		-- Dan Rather, first landing of Columbia
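
Added example, not part of the original message or of OpenLDAP: a small Python log check that pairs each SASL bind's authcid with the DN slapd finally logs, and flags binds whose DN is still under cn=auth, which is how a sasl-regexp that did not take effect shows up in the log excerpt in the message above. The function name and record fields are assumptions made for this illustration; the sample input is the message's own log lines with the e-mail wrapping undone.

```python
import re

# Log lines copied from the message above, with e-mail line wrapping undone.
SAMPLE_LOG = """\
Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=3 BIND dn="cn=paul,cn=jakma.org,cn=GSSAPI,cn=auth" method=163
Jan 18 02:06:37 hibernia slapd[6197]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: Permission denied
Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=3 BIND authcid="paul@JAKMA.ORG"
Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=3 BIND dn="uid=paul,cn=jakma.org,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=4 MOD dn="cn=local,ou=auto.misc,ou=Automount,dc=jakma,dc=org"
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND (authcid|dn)="([^"]*)"(?: mech=(\S+))?')
SASL_ERR_RE = re.compile(r'SASL \[conn=(\d+)\] Error: (.*\S)')

def trace_sasl_binds(log_text):
    """Return one record per completed SASL bind (hypothetical helper)."""
    binds, errors = {}, {}
    for line in log_text.splitlines():
        err = SASL_ERR_RE.search(line)
        if err:
            errors.setdefault(err.group(1), []).append(err.group(2))
            continue
        m = BIND_RE.search(line)
        if not m:
            continue
        conn, op, kind, value, mech = m.groups()
        rec = binds.setdefault((conn, op), {"authcid": None, "dn": None, "mech": None})
        if kind == "authcid":
            rec["authcid"] = value
        elif mech:  # in this log the result line has mech=..., the request line method=...
            rec["dn"], rec["mech"] = value, mech
    results = []
    for (conn, op), rec in binds.items():
        if rec["dn"] is None:
            continue
        results.append({
            "conn": conn, "op": op, **rec,
            # A DN still under cn=auth means no sasl-regexp rewrite took effect.
            "unmapped": rec["dn"].lower().endswith(",cn=auth"),
            "sasl_errors": errors.get(conn, []),
        })
    return results

if __name__ == "__main__":
    for r in trace_sasl_binds(SAMPLE_LOG):
        state = "UNMAPPED (still in cn=auth)" if r["unmapped"] else "mapped"
        print(f'conn={r["conn"]} op={r["op"]} {r["authcid"]} -> {r["dn"]} [{state}]')
        for e in r["sasl_errors"]:
            print("  SASL error on this connection:", e)
```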