
ENC: ENC: RES: sasl proxy authorization and regexp





-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Fri 26/3/2004 15:10
To: Raissa Dantas Freire de Medeiros
Cc: openldap-software@OpenLDAP.org
Subject: Re: ENC: RES: sasl proxy authorization and regexp
 

> Hello!
>
> I am using the 2.2.5 version. The log is below.
>
> I modified my user Joao to the following:
>
> dn: uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br
> changetype: modify
> replace: saslAuthzTo
> saslAuthzTo: dn.regex:uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br
>
> I am trying to execute the command:
>
> ldapadd -f ./ucb3.ldif -U joao@ares.cesmic.ucb.br -X
> "dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" -Y DIGEST-MD5
>
> And the error is:
>
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: not
> authorized
>
> I have the ACL "access to * by
> dn.base="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write" in my
> slapd.conf.

This seems to be a poor ACL, because anonymous can't bind.
You should use

access to attrs=userPassword
  by * auth

(you may add write permission to someone, if needed,
e.g. by self or so) and then


access to *
  by dn.exact="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write


Ok, that was just one of my ACLs. I already have the ACLs you suggested. Anyway, no success with the regular expression.

Try this and let me know.  A detailed log of the server,
especially of the saslauthz phase, would help as well.
But I don't think you'll get there, without anonymous
auth permission.

Here is the log.


>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=359
SASL [conn=0] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=0]: authcid="joao@ares.cesmic.ucb.br"
slap_sasl_getdn: id=joao@ares.cesmic.ucb.br [len=23]
getdn: u:id converted to uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth,272)=0
<<< dnNormalize: <uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth"
SASL Canonicalize [conn=0]: authzid="dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br"
slap_sasl_getdn: id=dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br [len=49]
>>> dnNormalize: <uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br>
=> ldap_bv2dn(uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br,0)
<= ldap_bv2dn(uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br,272)=0
<<< dnNormalize: <uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br>
==>slap_sasl2dn: converting SASL name uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br to a DN
slap_sasl_regexp: converting SASL name uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authzDN="uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br"
SASL Authorize [conn=0]: authcid="joao@ares.cesmic.ucb.br" authzid="dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br"
==>slap_sasl_authorized: can uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth become uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br?
==>slap_sasl_check_authz: does uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br match saslAuthzTo rule in uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth?
<==slap_sasl_check_authz: saslAuthzTo check returning 32
<== slap_sasl_authorized: return 48
SASL Authorize [conn=0]:  authorization disallowed (48)
SASL [conn=0] Failure: not authorized
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
ber_flush: 62 bytes to sd 10
  0000:  30 3c 02 01 02 61 37 0a  01 32 04 00 04 30 53 41   0<...a7..2...0SA
  0010:  53 4c 28 2d 31 34 29 3a  20 61 75 74 68 6f 72 69   SL(-14): authori
  0020:  7a 61 74 69 6f 6e 20 66  61 69 6c 75 72 65 3a 20   zation failure:
  0030:  6e 6f 74 20 61 75 74 68  6f 72 69 7a 65 64         not authorized
ldap_write: want=62, written=62
  0000:  30 3c 02 01 02 61 37 0a  01 32 04 00 04 30 53 41   0<...a7..2...0SA
  0010:  53 4c 28 2d 31 34 29 3a  20 61 75 74 68 6f 72 69   SL(-14): authori
  0020:  7a 61 74 69 6f 6e 20 66  61 69 6c 75 72 65 3a 20   zation failure:
  0030:  6e 6f 74 20 61 75 74 68  6f 72 69 7a 65 64         not authorized
<== slap_sasl_bind: rc=50
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ldap_read: want=8, got=0
 
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
daemon: removing 10
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
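
Reading the log above: the authcid joao@ares.cesmic.ucb.br is canonicalized to uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth, slap_sasl2dn then reports "Converted SASL name to <nothing>" (no authz-regexp matched), so slap_sasl_check_authz looks for saslAuthzTo in that synthetic cn=auth DN, which has no entry, and returns 32 (noSuchObject). The entry that actually carries the saslAuthzTo value is uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br. The Python model below is an added example, not part of this thread and not OpenLDAP's code: it replays those two steps (SASL name to DN, then saslAuthzTo evaluation) on a constructed in-memory directory. The authz-regexp directive shown, the directory contents, and the matching semantics (case-insensitive, unanchored regex search against the normalized DN) are assumptions made for illustration.

```python
"""Model of the two steps behind the log's "not authorized" result.

Added illustration, not slapd's code: it mimics how a SASL authentication
identity is turned into a DN, optionally rewritten by an authz-regexp
directive, and how that entry's saslAuthzTo values are then checked against
the requested authorization DN.
"""
import re

# LDAP result codes that appear in the thread's log
SUCCESS = 0
NO_SUCH_OBJECT = 32          # slap_sasl_check_authz returned 32
INAPPROPRIATE_AUTH = 48      # slap_sasl_authorized returned 48


def normalize_dn(dn):
    """Lower-case and trim RDNs; a simplification of dnNormalize (assumption)."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def sasl_name_to_dn(authcid, mech):
    """'user@realm' becomes uid=user,cn=realm,cn=mech,cn=auth, as in the log."""
    if "@" in authcid:
        user, realm = authcid.split("@", 1)
        return normalize_dn("uid=%s,cn=%s,cn=%s,cn=auth" % (user, realm, mech))
    return normalize_dn("uid=%s,cn=%s,cn=auth" % (authcid, mech))


def apply_authz_regexp(sasl_dn, rules):
    """authz-regexp <match> <replace>: first match wins, $1.. are groups.

    Returns None when no rule matches ("Converted SASL name to <nothing>").
    """
    for pattern, replacement in rules:
        m = re.match(pattern, sasl_dn, re.IGNORECASE)
        if m:
            mapped = replacement
            for i, group in enumerate(m.groups(), start=1):
                mapped = mapped.replace("$%d" % i, group)
            return normalize_dn(mapped)
    return None


def rule_permits(rule, authz_dn):
    """Evaluate one saslAuthzTo value: dn.exact:<dn> or dn.regex:<regex>.

    Assumption: regex values are matched case-insensitively against the
    normalized DN as an unanchored search.
    """
    kind, _, value = rule.partition(":")
    if kind == "dn.exact":
        return normalize_dn(value) == authz_dn
    if kind == "dn.regex":
        return re.search(value, authz_dn, re.IGNORECASE) is not None
    return False


def check_proxy_authz(authcid, mech, authzid, directory, authz_regexps=()):
    """Return (allowed, rc); rc mirrors the saslAuthzTo check result code."""
    sasl_dn = sasl_name_to_dn(authcid, mech)
    # Without a matching authz-regexp the synthetic cn=auth DN is used as-is
    authc_dn = apply_authz_regexp(sasl_dn, authz_regexps) or sasl_dn
    if not authzid.startswith("dn:"):
        raise ValueError("only dn: authzids are modelled")
    authz_dn = normalize_dn(authzid[len("dn:"):])

    entry = directory.get(authc_dn)
    if entry is None:
        # No entry to read saslAuthzTo from: the check fails with noSuchObject
        return False, NO_SUCH_OBJECT
    for rule in entry.get("saslAuthzTo", []):
        if rule_permits(rule, authz_dn):
            return True, SUCCESS
    return False, INAPPROPRIATE_AUTH


# Constructed directory mirroring the thread: joao's entry carries the rule
# exactly as posted, fgoulart is the identity joao wants to assume.
DIRECTORY = {
    normalize_dn("uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br"): {
        "saslAuthzTo": ["dn.regex:uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br"],
    },
    normalize_dn("uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br"): {},
}

# Hypothetical authz-regexp directive (slapd.conf form would be
#   authz-regexp "uid=([^,]+),cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth"
#                "uid=$1,cn=Alunos,cn=CampusII,dc=ucb,dc=br"
# ) mapping the DIGEST-MD5 identity onto the real entry.
AUTHZ_REGEXPS = [
    (r"^uid=([^,]+),cn=ares\.cesmic\.ucb\.br,cn=digest-md5,cn=auth$",
     "uid=$1,cn=Alunos,cn=CampusII,dc=ucb,dc=br"),
]

AUTHZID = "dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br"


def without_mapping():
    return check_proxy_authz("joao@ares.cesmic.ucb.br", "DIGEST-MD5",
                             AUTHZID, DIRECTORY)


def with_mapping():
    return check_proxy_authz("joao@ares.cesmic.ucb.br", "DIGEST-MD5",
                             AUTHZID, DIRECTORY, AUTHZ_REGEXPS)


if __name__ == "__main__":
    print("no authz-regexp:", without_mapping())    # (False, 32)
    print("with authz-regexp:", with_mapping())     # (True, 0)
```

In the model, the regex posted in the thread is not what blocks the request: once the authentication identity resolves to the entry that holds saslAuthzTo, the unanchored uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br does permit the fgoulart DN. What fails without the mapping is the lookup of the entry itself. As a separate hygiene point, a value such as ^uid=[^,]+,cn=Alunos,ou=CampusI,dc=ucb,dc=br$ keeps the grant to direct children of that container, whereas .* in an unanchored pattern can span RDNs.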