Openldap 2.1.29/PGP can't write when write is explicit
Hi all,
Thanks in advance...
When trying to write to ou=PGP Keys,dc=mycom,dc=com,
the client message returned is "strong authentication
required"; see the debug info at the bottom.
My ACE for ou=PGP Keys,dc=mycom,dc=com is
access to dn="ou=PGP Keys,dc=tivo,dc=com"
by * write
As I understand it, each ACE applies only to the
database section it appears in. If that is correct,
then some other configuration or security mechanism
must be in place, and I have no clue what it is.
I've read through the openldap-software archives, which
have solved many of my problems and for which I'm grateful.
But at this point I'm not sure how to troubleshoot
this further. Can someone please lend a hand?
---------- install from rpm-------------
openldap-servers-2.1.29-1
openldap-2.1.29-1
cyrus-sasl-2.1.18-2
cyrus-sasl-gssapi-2.1.18-2
cyrus-sasl-devel-2.1.18-2
cyrus-sasl-md5-2.1.18-2
my ldap.conf
-----------------------snip---------------
BASE dc=mycom,dc=com
tls_checkpeer no
SIZELIMIT 500
TIMELIMIT 30
#DEREF never
HOST 127.0.0.1
---------------------snap-------------
my slapd.conf
----------------snip--------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include
/etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include
/etc/openldap/schema/pgp-keyserver.schema
include
/etc/openldap/schema/pgp-remte-prefs.schema
include /etc/openldap/schema/pgp-recon.schema
sockbuf_max_incoming 524288
pidfile //var/run/slapd.pid
# Load dynamic backend modules:
modulepath /usr/sbin/openldap
moduleload back_ldap.la
# moduleload back_ldbm.la
moduleload back_passwd.la
# moduleload back_shell.la
# Key Reconstruction
database bdb
suffix ou=users,dc=mycom,dc=com
directory /var/lib/ldap
index objectClass
eq
index pgpReconCertID
sub,eq
access to
dn="pgpReconCertID=.*,cn=.*,ou=users,dc=mycom,dc=com"
by dnattr=owner write
by * none
access to dn="ou=users,dc=mycom,dc=com"
by * read
by self write
by anonymous auth
# PGP Admin Prefs
database bdb
suffix "cn=pgpprefs,dc=mycom,dc=com"
directory /var/lib/ldap
index objectClass
eq
index pgpElementType
sub,eq
access to dn="cn=pgpprefs,dc=mycom,dc=com"
by * read
# PGP Key storage
database bdb
suffix "ou=PGP Keys,dc=mycom,dc=com"
directory /var/lib/ldap
index pgpUserID
sub,eq
index
pgpCertID,pgpKeyID,pgpKeyType,pgpKeyCreateTime
eq
index
pgpSignerID,pgpSubKeyID,pgpKeySize,pgpKeyExpireTime
eq
index pgpDisabled,pgpRevoked
eq
access to dn="ou=PGP Keys,dc=mycom,dc=com"
by * write
# Authenticate users from AD
database ldap
suffix "cn=users,dc=mycom,dc=com"
subordinate
uri ldap://xxx.xxx.xxx.xxx
access to dn="cn=.*,ou=users,dc=mycom,dc=com"
by dnattr=owner write
by * none
access to dn="ou=users,dc=mycom,dc=com"
by * read
by anonymous auth
# Main ldap root
database bdb
suffix "dc=mycom,dc=com"
rootdn "cn=ldapadmin,dc=mycom,dc=com"
rootpw {SSHA}myhash
directory /var/lib/ldap
index
objectClass,uid,uidNumber,gidNumber,memberUid
eq
index cn,mail,surname,givenname
eq,sub
index sambaSID
eq
index sambaPrimaryGroupSID
eq
index sambaDomainName
eq
index default
eq,sub
# Access Control
access to attr=userPassword
by self write
by anonymous auth
by * compare
Access to *
by self write
by * read
---------------snap----------
--------------debug snip-----------
conn=0 op=0 ADD
dn="pgpCertID=940B94DA412AD665,dc=mycom,dc=com"
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=8 matched="" text="modifications
require authentication"
send_ldap_response: msgid=1 tag=105 err=8
ber_flush: 50 bytes to sd 16
0000: 30 30 02 01 01 69 2b 0a 01 08 04 00 04 24 6d
6f 00...i+......$mo
0010: 64 69 66 69 63 61 74 69 6f 6e 73 20 72 65 71
75 difications requ
0020: 69 72 65 20 61 75 74 68 65 6e 74 69 63 61 74
69 ire authenticati
0030: 6f 6e
on
ldap_write: want=50, written=50
0000: 30 30 02 01 01 69 2b 0a 01 08 04 00 04 24 6d
6f 00...i+......$mo
0010: 64 69 66 69 63 61 74 69 6f 6e 73 20 72 65 71
75 difications requ
0020: 69 72 65 20 61 75 74 68 65 6e 74 69 63 61 74
69 ire authenticati
0030: 6f 6e
on
conn=0 op=0 RESULT tag=105 err=8 text=modifications
require authentication
daemon: activity on 1 descriptors
daemon: activity on: 16r
daemon: read activity on 16
connection_get(16)
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 02 42 00
0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x0a0271a0 ptr=0x0a0271a0 end=0x0a0271a5
len=5
0000: 02 01 02 42 00
...B.
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 16 failed errno=0 (Success)
connection_read(16): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=16 for close
connection_close: deferring conn=0 sd=16
do_unbind
conn=0 op=1 UNBIND
connection_resched: attempting closing conn=0 sd=16
connection_close: conn=0 sd=16
=>ldap_back_conn_destroy: fetching conn 0
daemon: removing 16
conn=0 fd=16 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
--------------debug snap----------
-------------ethereal follow stream ----------
0......h....*pgpcertid=940B94DA412AD665,
dc=mycom,dc=com0..Y0...objectclass1..
pgpkeyinfo0...pgpcertid1...940B94DA412AD6650.....pgpkey1.......-----BEGIN
PGP PUBLIC KEY BLOCK-----
Version: PGP SDK 3.0.3
"pub key"
-----END PGP PUBLIC KEY BLOCK-----
0...pgpdisabled1...00...pgpkeyid1
..412AD6650..
pgpkeytype1...DSS/DH0.....pgpuserid1u..Joe Smith
<jsmith@mycom.com>.JJoe Simth </O=CORPORATE/OU=FIRST
ADMINISTRATIVE
GROUP/CN=RECIPIENTS/CN=JSMITH>0%..pgpkeycreatetime1...20040715222220Z0%..pgpkeyexpiretime1...19700101000000Z0!..pgpsignerid1...940B94DA412AD6650..
pgprevoked1...00!..pgpsubkeyid1...5D72CCF055FC809F0..
pgpkeysize1...0204800...i+
.....$modifications require authentication0....B.
-------------------end ethereal -----------