
Re: slurpd question with GSSAPI



Sorry, I ran into another problem with ACLs now, but from the debugging I can't tell why:

bdb_dn2entry("cn=testgroup2,ou=groups,dc=csic,dc=umd,dc=edu")
=> bdb_dn2id( "cn=testgroup2,ou=groups,dc=csic,dc=umd,dc=edu" )
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
=> access_allowed: write access to "ou=groups,dc=csic,dc=umd,dc=edu" "children" requested
=> acl_get: [2] attr children
=> acl_mask: access to entry "ou=groups,dc=csic,dc=umd,dc=edu", attr "children" requested
=> acl_mask: to all values by "uid=host/torch.cs.umd.edu@csic.umd.edu, cn=cs.umd.edu,cn=gssapi,cn=auth", (=n)
<= check a_dn_pat: uid=host/torch.cs.umd.edu@cs.umd.edu,cn=cs.umd.edu, cn=gssapi,cn=auth
<= check a_dn_pat: uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd. edu,cn=gssapi,cn=auth
<= acl_mask: [2] applying +0 (stop)
<= acl_mask: [2] mask: =n
=> access_allowed: write access denied by =n
bdb_add: no write access to parent
send_ldap_result: conn=1 op=4 p=3
send_ldap_response: msgid=5 tag=105 err=50


It gives the right ID, but then seems not to match either of the write ACLs.

sasl-regexp     uid=(.*)@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
               ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*)@CS.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
               ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
               ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth
               ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1

sasl-realm      CS.UMD.EDU
sasl-host       ripper.cs.umd.edu

access to attrs=userPassword
       by * auth

access to *
by dn="uid=host/torch.cs.umd.edu@CS.UMD.EDU,cn=cs.umd.edu, cn=gssapi,cn=auth"
by dn="uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=cs.umd.edu, cn=gssapi,cn=auth"
by * read


******* the sasl match

do_sasl_bind: dn () mech GSSAPI
slap_sasl_getdn: u:id converted to uid=host/torch.cs.umd.edu@CSIC.UMD. EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
dnNormalize: <uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU, cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU, cn=GSSAPI,cn=auth,0)
ldap_err2string
<= ldap_bv2dn(uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU, cn=GSSAPI,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu, cn=gssapi,cn=auth)=0 Success
<<< dnNormalize: <uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu, cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=host/torch.cs.umd.edu@csic. umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=host/torch.cs.umd.edu@csic. umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///dc=csic,dc=umd, dc=edu??sub?uid=host/torch.cs.umd.edu
slap_parseURI: parsing ldap:///dc=csic,dc=umd,dc=edu??sub?uid=host/ torch.cs.umd.edu
ldap_url_parse_ext(ldap:///dc=csic,dc=umd,dc=edu??sub?uid=host/torch. cs.umd.edu)
put_filter: "uid=host/torch.cs.umd.edu"
put_filter: default
put_simple_filter: "uid=host/torch.cs.umd.edu"
ber_scanf fmt ({mm}) ber:



On 08/26/2004 01:52:40 PM, Quanah Gibson-Mount wrote:


--On Thursday, August 26, 2004 5:28 PM +0000 "Derek T. Yarnell" <derek@cs.umd.edu> wrote:

Thanks, Quanah, for all your help. So I changed the sasl-regex as you
said, and I think I have gotten the right db now, but I am getting an
error still. Is there a listing of what err=?? is somewhere?

Yes (I actually just answered this a few days ago for someone else, so it is still fresh in my mind) :P


$SRC/include/ldap.h

Dec10 = Hex 0a

Per the section of ldap.h handling these error codes:

#define LDAP_REFERRAL               0x0a /* LDAPv3 */

I bet your updateDN doesn't match the DN of slurpd's bind now that you modified the regexp?

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

--
Derek T. Yarnell
UNIX System Administrator
Computer Science Department
University of Maryland
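
An added example, not part of either poster's message: a small Python helper that condenses a slapd ACL trace like the one above into the requested access, the bound identity, the `by dn=` patterns that were checked, the resulting mask, and the decoded result code (err=50 is insufficientAccessRights in RFC 4511, err=10 is referral). The function names, the subset of result codes and the whitespace-squashing comparison are assumptions of this example, and the sample lines are constructed from the trace in the thread.

```python
import re

# Subset of LDAP result codes from RFC 4511 (the same values ldap.h defines).
RESULT_CODES = {0: "success", 10: "referral", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

# Constructed sample: lines shaped like the trace in the message above.
SAMPLE = '''\
=> access_allowed: write access to "ou=groups,dc=csic,dc=umd,dc=edu" "children" requested
=> acl_mask: to all values by "uid=host/torch.cs.umd.edu@csic.umd.edu, cn=cs.umd.edu,cn=gssapi,cn=auth", (=n)
<= check a_dn_pat: uid=host/torch.cs.umd.edu@cs.umd.edu,cn=cs.umd.edu, cn=gssapi,cn=auth
<= check a_dn_pat: uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd. edu,cn=gssapi,cn=auth
<= acl_mask: [2] mask: =n
=> access_allowed: write access denied by =n
send_ldap_response: msgid=5 tag=105 err=50
'''

def squash(dn):
    # Rough comparison key only: drop whitespace (mail wrapping) and fold case.
    return re.sub(r"\s+", "", dn).lower()

def summarize(trace):
    """Collect the ACL decision and result code from a slapd debug trace."""
    out = {"patterns": [], "matching": []}
    for line in trace.splitlines():
        if m := re.search(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested', line):
            out["level"], out["entry"], out["attr"] = m.groups()
        elif m := re.search(r'acl_mask: to all values by "([^"]*)"', line):
            out["who"] = m.group(1)
        elif m := re.search(r"check a_dn_pat: (.+)", line):
            out["patterns"].append(m.group(1).strip())
        elif m := re.search(r"acl_mask: \[(\d+)\] mask: (\S+)", line):
            out["acl_index"], out["mask"] = int(m.group(1)), m.group(2)
        elif m := re.search(r"access_allowed: \w+ access (granted|denied)", line):
            out["decision"] = m.group(1)
        elif m := re.search(r"send_ldap_response: .*\berr=(\d+)", line):
            code = int(m.group(1))
            out["err"] = (code, RESULT_CODES.get(code, "unknown"))
    # Patterns whose text equals the bound identity once whitespace is ignored.
    who = squash(out.get("who", ""))
    out["matching"] = [p for p in out["patterns"] if squash(p) == who]
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A pattern listed under `matching` together with a mask of `=n` means the identity text lined up with a `by` clause while the clause still granted no access, which is worth checking before touching the sasl-regexp rules again.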