
Openldap 2.1.29/PGP can't write when write is explicit



Hi all,

Thanks in advance...

When trying to write to ou=PGP Keys,dc=mycom,dc=com,
the client message returned is "strong authentication
required" (see the debug info at the bottom).

My ACE for ou=PGP Keys,dc=mycom,dc=com is

access to dn="ou=PGP Keys,dc=tivo,dc=com"
        by * write

As I understand it each ACE applies only to the
database entry for that section. If I understand this
correctly then some other config or security mechanism
is in place and I have no clue.

I've read through the openldap-software group archives, which
solved many of my problems and for which I'm grateful.
But at this point I'm not sure how to troubleshoot
this further. Can someone please lend a hand?

---------- install from rpm-------------

openldap-servers-2.1.29-1
openldap-2.1.29-1

cyrus-sasl-2.1.18-2
cyrus-sasl-gssapi-2.1.18-2
cyrus-sasl-devel-2.1.18-2
cyrus-sasl-md5-2.1.18-2

my ldap.conf

-----------------------snip---------------
BASE dc=mycom,dc=com

tls_checkpeer no
SIZELIMIT       500
TIMELIMIT       30
#DEREF          never
HOST 127.0.0.1

---------------------snap-------------

my slapd.conf

----------------snip--------------
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/pgp-keyserver.schema
include         /etc/openldap/schema/pgp-remte-prefs.schema
include         /etc/openldap/schema/pgp-recon.schema

sockbuf_max_incoming    524288

pidfile //var/run/slapd.pid

# Load dynamic backend modules:
 modulepath     /usr/sbin/openldap
 moduleload     back_ldap.la
# moduleload    back_ldbm.la
 moduleload     back_passwd.la
# moduleload    back_shell.la

# Key Reconstruction
database        bdb
suffix          ou=users,dc=mycom,dc=com
directory       /var/lib/ldap
index           objectClass     eq
index           pgpReconCertID  sub,eq

access to dn="pgpReconCertID=.*,cn=.*,ou=users,dc=mycom,dc=com"
        by dnattr=owner write
        by * none

access to dn="ou=users,dc=mycom,dc=com"
        by * read
        by self write
        by anonymous auth


# PGP Admin Prefs
database        bdb
suffix          "cn=pgpprefs,dc=mycom,dc=com"
directory       /var/lib/ldap
index           objectClass     eq
index           pgpElementType  sub,eq

access to dn="cn=pgpprefs,dc=mycom,dc=com"
        by * read


# PGP Key storage
database        bdb
suffix          "ou=PGP Keys,dc=mycom,dc=com"
directory       /var/lib/ldap
index           pgpUserID       sub,eq
index           pgpCertID,pgpKeyID,pgpKeyType,pgpKeyCreateTime          eq
index           pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime     eq
index           pgpDisabled,pgpRevoked          eq

access to dn="ou=PGP Keys,dc=mycom,dc=com"
        by * write


# Authenticate users from AD
database        ldap
suffix          "cn=users,dc=mycom,dc=com"
subordinate
uri ldap://xxx.xxx.xxx.xxx

access to dn="cn=.*,ou=users,dc=mycom,dc=com"
        by dnattr=owner write
        by * none

access to dn="ou=users,dc=mycom,dc=com"
        by * read
        by anonymous auth


# Main ldap root
database        bdb
suffix          "dc=mycom,dc=com"
rootdn          "cn=ldapadmin,dc=mycom,dc=com"
rootpw          {SSHA}myhash
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber,memberUid   eq
index           cn,mail,surname,givenname       eq,sub
index           sambaSID        eq
index           sambaPrimaryGroupSID    eq
index           sambaDomainName eq
index           default         eq,sub

# Access Control
access to attr=userPassword
        by self         write
        by anonymous    auth
        by *            compare
access to *
        by self         write
        by * read

---------------snap----------

--------------debug snip-----------
conn=0 op=0 ADD dn="pgpCertID=940B94DA412AD665,dc=mycom,dc=com"
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=8 matched="" text="modifications require authentication"
send_ldap_response: msgid=1 tag=105 err=8
ber_flush: 50 bytes to sd 16
  0000:  30 30 02 01 01 69 2b 0a  01 08 04 00 04 24 6d 6f   00...i+......$mo
  0010:  64 69 66 69 63 61 74 69  6f 6e 73 20 72 65 71 75   difications requ
  0020:  69 72 65 20 61 75 74 68  65 6e 74 69 63 61 74 69   ire authenticati
  0030:  6f 6e                                              on
ldap_write: want=50, written=50
  0000:  30 30 02 01 01 69 2b 0a  01 08 04 00 04 24 6d 6f   00...i+......$mo
  0010:  64 69 66 69 63 61 74 69  6f 6e 73 20 72 65 71 75   difications requ
  0020:  69 72 65 20 61 75 74 68  65 6e 74 69 63 61 74 69   ire authenticati
  0030:  6f 6e                                              on
conn=0 op=0 RESULT tag=105 err=8 text=modifications require authentication
daemon: activity on 1 descriptors
daemon: activity on: 16r
daemon: read activity on 16
connection_get(16)
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 02 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x0a0271a0 ptr=0x0a0271a0 end=0x0a0271a5 len=5
  0000:  02 01 02 42 00                                     ...B.
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 16 failed errno=0 (Success)
connection_read(16): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=16 for close
connection_close: deferring conn=0 sd=16
do_unbind
conn=0 op=1 UNBIND
connection_resched: attempting closing conn=0 sd=16
connection_close: conn=0 sd=16
=>ldap_back_conn_destroy: fetching conn 0
daemon: removing 16
conn=0 fd=16 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

--------------debug snap----------

-------------ethereal follow stream ----------

-------------------end ethereal -----------
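Two things can be checked directly against the post's own data: the ADD in the debug output targets pgpCertID=940B94DA412AD665,dc=mycom,dc=com, which sits under the dc=mycom,dc=com root database and not under ou=PGP Keys, and err=8 (strongerAuthRequired, "modifications require authentication") is slapd's frontend refusing an anonymous update before any access directive is evaluated, whereas an ACL denial would be err=50 (insufficientAccessRights). The script below is an added example, not code from the poster or from OpenLDAP; it routes a DN across the suffixes listed in the slapd.conf above and decodes the result code from the log lines. SUFFIXES, SAMPLE_LOG and the RESULT_CODES notes are mine.

```python
import re

# Result codes from RFC 4511; the notes are my own summary of slapd behaviour.
RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired: anonymous update refused by the frontend before any ACL",
    50: "insufficientAccessRights: denied by an access directive",
}
# Database suffixes copied from the slapd.conf in the post, in file order.
SUFFIXES = ["ou=users,dc=mycom,dc=com", "cn=pgpprefs,dc=mycom,dc=com",
            "ou=PGP Keys,dc=mycom,dc=com", "cn=users,dc=mycom,dc=com", "dc=mycom,dc=com"]
# Constructed sample: the ADD and RESULT lines from the post, unwrapped onto one line each.
SAMPLE_LOG = """conn=0 op=0 ADD dn="pgpCertID=940B94DA412AD665,dc=mycom,dc=com"
conn=0 op=0 RESULT tag=105 err=8 text=modifications require authentication"""
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|DEL|MODRDN) dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?err=(\d+) text=(.*)')

def normalize_dn(dn):
    """Lower-case each RDN and drop whitespace around commas; enough for suffix tests."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def select_backend(dn, suffixes=SUFFIXES):
    """Suffix slapd routes `dn` to: the longest one equal to the DN or ending it on
    an RDN boundary. None means no configured database holds the entry."""
    ndn = normalize_dn(dn)
    hits = [s for s in suffixes
            if ndn == normalize_dn(s) or ndn.endswith("," + normalize_dn(s))]
    return max(hits, key=lambda s: len(normalize_dn(s)), default=None)

def diagnose(log, suffixes=SUFFIXES):
    """Pair each write with its RESULT line; report the target database and what
    the error code means. Returns one dict per completed operation."""
    pending, report = {}, []
    for line in log.splitlines():
        m = OP_RE.match(line)
        if m:
            pending[(m[1], m[2])] = {"op": m[3], "dn": m[4]}
            continue
        m = RESULT_RE.match(line)
        if m and (m[1], m[2]) in pending:
            entry = pending.pop((m[1], m[2]))
            entry["backend"] = select_backend(entry["dn"], suffixes)
            entry["err"] = int(m[3])
            entry["meaning"] = RESULT_CODES.get(entry["err"], "other: " + m[4].strip())
            report.append(entry)
    return report

if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print(f'{r["op"]} {r["dn"]} -> database "{r["backend"]}": err={r["err"]} {r["meaning"]}')
```

Run against the post's log it reports the ADD landing in the dc=mycom,dc=com database with err=8, so the `by * write` rule on ou=PGP Keys never comes into play; binding as a real DN before writing (rather than opening anonymous updates) is the fix that keeps the ACLs meaningful.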

