
Re: slurpd question with GSSAPI



"Derek T. Yarnell" <derek@cs.umd.edu> writes:

> Sorry, I ran into another problem with ACLs now, but from the debugging
> I can't tell why,
>
> bdb_dn2entry("cn=testgroup2,ou=groups,dc=csic,dc=umd,dc=edu")
> => bdb_dn2id( "cn=testgroup2,ou=groups,dc=csic,dc=umd,dc=edu" )
> <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found  
> (-30990)
> => access_allowed: write access to "ou=groups,dc=csic,dc=umd,dc=edu"  
> "children" requested

Here, write access to "dn.children=ou=groups,dc=csic,dc=umd,dc=edu" is
requested.

> => acl_get: [2] attr children
> => acl_mask: access to entry "ou=groups,dc=csic,dc=umd,dc=edu", attr  
> "children" requested
> => acl_mask: to all values by "uid=host/torch.cs.umd.edu@csic.umd.edu, 
> cn=cs.umd.edu,cn=gssapi,cn=auth", (=n)
> <= check a_dn_pat: uid=host/torch.cs.umd.edu@cs.umd.edu,cn=cs.umd.edu, 
> cn=gssapi,cn=auth
> <= check a_dn_pat: uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd. 
> edu,cn=gssapi,cn=auth
> <= acl_mask: [2] applying +0 (stop)
> <= acl_mask: [2] mask: =n

Parsing of the ACLs accepted rule 2 as matching.

> => access_allowed: write access denied by =n
> bdb_add: no write access to parent

No write access to dn.base=ou=groups,dc=csic,dc=umd,dc=edu

> send_ldap_result: conn=1 op=4 p=3
> send_ldap_response: msgid=5 tag=105 err=50
>
> it gives the right id, but then seems to not match either of the write  
> acls.
[...]
>
> access to attrs=userPassword
>         by * auth
>
> access to *
>         by dn="uid=host/torch.cs.umd.edu@CS.UMD.EDU,cn=cs.umd.edu, 
> cn=gssapi,cn=auth"
>         by dn="uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=cs.umd.edu, 
> cn=gssapi,cn=auth"
>         by * read
[...]

rule 2 allows no write access.

-Dieter

-- 
Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521
http://www.avci.de
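
Added example, not part of the original thread and not OpenLDAP code: a small Python check that reads slapd.conf-style `access to` rules and reports every `by` clause that names no access level, which is what the trace shows as `(=n)` and `applying +0 (stop)` for rule 2. The parsing is a simplification of the slapd.access(5) grammar; the function names, the sample text (the two quoted rules with each DN on one line) and the `write` level in `FIXED` are assumptions made for this example.

```python
import re
import shlex

# Access field, simplified: [real][self]<level> or a privilege mask (=rscx, +w, +0).
LEVEL = re.compile(r"^(real)?(self)?(none|disclose|auth|compare|search|read|write|manage)$")
PRIV = re.compile(r"^[=+-][0dxcsrwazm]+$")

# Constructed sample: the two rules quoted in the thread, DNs on one line.
SAMPLE = '''\
access to attrs=userPassword
        by * auth

access to *
        by dn="uid=host/torch.cs.umd.edu@CS.UMD.EDU,cn=cs.umd.edu,cn=gssapi,cn=auth"
        by dn="uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=cs.umd.edu,cn=gssapi,cn=auth"
        by * read
'''
# Assumed intent (not stated in the thread): both host principals get write.
FIXED = SAMPLE.replace('cn=auth"\n', 'cn=auth" write\n')

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def by_clauses_without_access(conf_text):
    """Return (rule_number, who) for each `by` clause that names no access."""
    findings, rule = [], 0
    for line in logical_lines(conf_text):
        tokens = shlex.split(line)
        if tokens[0].lower() != "access":
            continue
        rule += 1
        clauses = []
        for tok in tokens[1:]:
            if tok == "by":
                clauses.append([])       # start a new by-clause
            elif clauses:
                clauses[-1].append(tok)  # who / access / control tokens
        findings += [(rule, " ".join(c)) for c in clauses
                     if not any(LEVEL.match(t) or PRIV.match(t) for t in c)]
    return findings
```

Run against `SAMPLE`, the check flags both `by dn=...` clauses of rule 2; run against `FIXED`, it returns an empty list.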