Re: Slave/Replica server authentication/authorization question

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Wednesday, February 25, 2004 3:31 PM -0600 "Aaron M. Hirsch" 
<Aaron.Hirsch@atosorigin.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Here are my ACL's on my master server...
>
> access to attrs=userPassword,telephoneNumber,mobile,mail
> ~     by self write
> ~     by anonymous auth
> ~     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
> ~     by * none
>
> access to *
> ~     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
> ~     by * read
>
> However whenever I try to use these in the slave/replica, minus the
> group.base entries, I can no longer log into my Linux machines.  When
> I remove all ACL's from the slave/replica then logins work again.  So,
> I'm really drawing blanks!  I'm wondering if I need to add the replica
> user to the ACL's but am not sure that would help.
>
> Back to digging... :)

Well, that makes sense to me.  You are saying that the attribute 
userPassword is readable by nobody, so how can a server that is connecting 
check that attribute to verify login capability?  I think you'd need at 
least compare on userpassword for anonymous (but I'm not sure, since we use 
Kerberos instead of passwords in the directory).

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html