
Re: I have a problem w/userPasswords and binding





--On Friday, October 08, 2004 08:00:11 PM +0200 Pierangelo Masarati <ando@sys-net.it> wrote:
> ACL problem?  What about the access anonymous has to both entries
> userPassword?  You can check it by adding 128 to your log level.
>
Pierangelo,
I actually thought about that and fixed it.  But while it certainly did fix some aspect of the problem,
the bind still fails.  Below is a '-1' level log.   It certainly looks as if access to the password attribute
is successful.  Does anything stick out as far as you can see?

-- Rob


Oct  8 11:24:06 belgarian slapd[18951]: daemon: activity on 1 descriptors
Oct  8 11:24:06 belgarian slapd[18951]: daemon: new connection on 9
Oct  8 11:24:06 belgarian slapd[18951]: conn=15 fd=9 ACCEPT from IP=10.170.132.5:44915 (IP=0.0.0.0:389)
Oct  8 11:24:06 belgarian slapd[18951]: daemon: added 9r
Oct  8 11:24:06 belgarian slapd[18951]: daemon: activity on:
Oct  8 11:24:06 belgarian slapd[18951]:  
Oct  8 11:24:06 belgarian slapd[18951]: daemon: select: listen=6 active_threads=0 tvp=NULL
Oct  8 11:24:06 belgarian slapd[18951]: daemon: activity on 1 descriptors
Oct  8 11:24:06 belgarian slapd[18951]: daemon: activity on:
Oct  8 11:24:06 belgarian slapd[18951]:  9r
Oct  8 11:24:06 belgarian slapd[18951]:  
Oct  8 11:24:06 belgarian slapd[18951]: daemon: read activity on 9
Oct  8 11:24:06 belgarian slapd[18951]: connection_get(9)
Oct  8 11:24:06 belgarian slapd[18951]: connection_get(9): got connid=15
Oct  8 11:24:06 belgarian slapd[18951]: connection_read(9): checking for input on id=15
Oct  8 11:24:06 belgarian slapd[18951]: ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
Oct  8 11:24:06 belgarian slapd[18951]: do_bind
Oct  8 11:24:06 belgarian slapd[18951]: >>> dnPrettyNormal: <cn=postfix,ou=special users,o=linfield.edu>
Oct  8 11:24:06 belgarian slapd[18951]: <<< dnPrettyNormal: <cn=postfix,ou=special users,o=linfield.edu>, <cn=postfix,ou=special users,o=linfield.edu>
Oct  8 11:24:06 belgarian slapd[18951]: do_bind: version=3 dn="cn=postfix,ou=special users,o=linfield.edu" method=128
Oct  8 11:24:06 belgarian slapd[18951]: conn=15 op=0 BIND dn="cn=postfix,ou=special users,o=linfield.edu" method=128
Oct  8 11:24:06 belgarian slapd[18951]: ==> bdb_bind: dn: cn=postfix,ou=special users,o=linfield.edu
Oct  8 11:24:06 belgarian slapd[18951]: bdb_dn2entry("cn=postfix,ou=special users,o=linfield.edu")
Oct  8 11:24:06 belgarian slapd[18951]: => access_allowed: auth access to "cn=Postfix,ou=Special Users,o=linfield.edu" "userPassword" requested
Oct  8 11:24:06 belgarian slapd[18951]: => dn: [1] ou=people,o=linfield.edu
Oct  8 11:24:06 belgarian slapd[18951]: => dn: [2] ou=people,o=linfield.edu
Oct  8 11:24:06 belgarian slapd[18951]: => dn: [3] ou=special users,o=linfield.edu
Oct  8 11:24:06 belgarian slapd[18951]: => acl_get: [3] matched
Oct  8 11:24:06 belgarian slapd[18951]: => acl_get: [3] attr userPassword
Oct  8 11:24:06 belgarian slapd[18951]: => acl_mask: access to entry "cn=Postfix,ou=Special Users,o=linfield.edu", attr "userPassword" requested
Oct  8 11:24:06 belgarian slapd[18951]: => acl_mask: to all values by "", (=n)  
Oct  8 11:24:06 belgarian slapd[18951]: <= check a_dn_pat: anonymous
Oct  8 11:24:06 belgarian slapd[18951]: <= acl_mask: [1] applying auth(=x) (stop)
Oct  8 11:24:06 belgarian slapd[18951]: <= acl_mask: [1] mask: auth(=x)
Oct  8 11:24:06 belgarian slapd[18951]: => access_allowed: auth access granted by auth(=x)
Oct  8 11:24:06 belgarian slapd[18951]: send_ldap_result: conn=15 op=0 p=3
Oct  8 11:24:06 belgarian slapd[18951]: send_ldap_result: err=49 matched="" text=""
Oct  8 11:24:06 belgarian slapd[18951]: send_ldap_response: msgid=1 tag=97 err=49
Oct  8 11:24:06 belgarian slapd[18951]: conn=15 op=0 RESULT tag=97 err=49 text=
Oct  8 11:24:06 belgarian slapd[18951]: daemon: select: listen=6 active_threads=0 tvp=NULL
Oct  8 11:24:06 belgarian slapd[18951]: daemon: activity on 1 descriptors
Oct  8 11:24:06 belgarian slapd[18951]: daemon: activity on:
Oct  8 11:24:06 belgarian slapd[18951]:  9r
Oct  8 11:24:06 belgarian slapd[18951]:  
Oct  8 11:24:06 belgarian slapd[18951]: daemon: read activity on 9
Oct  8 11:24:06 belgarian slapd[18951]: connection_get(9)
Oct  8 11:24:06 belgarian slapd[18951]: connection_get(9): got connid=15
Oct  8 11:24:06 belgarian slapd[18951]: connection_read(9): checking for input on id=15
Oct  8 11:24:06 belgarian slapd[18951]: ber_get_next on fd 9 failed errno=0 (Success)
Oct  8 11:24:06 belgarian slapd[18951]: connection_read(9): input error=-2 id=15, closing.
Oct  8 11:24:06 belgarian slapd[18951]: connection_closing: readying conn=15 sd=9 for close
Oct  8 11:24:06 belgarian slapd[18951]: connection_close: conn=15 sd=9
Oct  8 11:24:06 belgarian slapd[18951]: daemon: removing 9
Oct  8 11:24:06 belgarian slapd[18951]: conn=15 fd=9 closed
Oct  8 11:24:06 belgarian slapd[18951]: daemon: select: listen=6 active_threads=0 tvp=NULL
Oct  8 11:24:06 belgarian slapd[18951]: daemon: activity on 1 descriptors
Oct  8 11:24:06 belgarian slapd[18951]: daemon: select: listen=6 active_threads=0 tvp=NULL

> p.
>
> >
> > --On Friday, October 08, 2004 09:19:31 AM +0200 Pierangelo Masarati
> > <ando@sys-net.it> wrote:
> >>
> >> Rob,
> >>
> >> "Invalid credentials" is a catchall for almost any error during bind, to
> >> avoid disclosing sensitive info (e.g. the user does not exist, or other
> >> details about the account) to malicious clients.  I suggest you look at
> >> server logs at a reasonable level (at worst, -d -1; -d 256 (STATS) or -d
> >> 384 (STATS+ACL) should be a good starting point) to find out more about
> >> the real reason of your failure.
> >>
> >> You don't say what versions of server and client you're using, so further
> >> advice is not possible.
> >>
> >> p.
> >>
> >> --
> >> Pierangelo Masarati
> >> mailto:pierangelo.masarati@sys-net.it
> >>
> >>
> >>
> >>     SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:
> > +390382476497
> >>
> >>
> >
> > Pierangelo,
> >  Also, here is the entry for the DN that can't successfully bind (yes,
> > I did replace the password with a string of Xs -- other than that, this is
> > the unmodified output from ldapsearch):
> >
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <o=linfield.edu> with scope sub
> > # filter: cn=postfix
> > # requesting: ALL
> > #
> >
> > # Postfix, Special Users, linfield.edu
> > dn: cn=Postfix,ou=Special Users,o=linfield.edu
> > objectClass: top
> > objectClass: linfieldSpecialUser
> > cn: Postfix
> > ou: Special Users
> > userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> >
> >
> > Thanks,
> > Rob
> >
> > --
> > Rob Tanner
> > UNIX Services Manager
> > Linfield College, McMinnville OR
> >
>
>
>
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it
>
>
>
>     SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
>
>




--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
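As an added example (not code from this thread or from OpenLDAP), here is a small Python triage script for the kind of `-d -1` log Rob posted. It pairs each BIND with the ACL decisions slapd printed for it and with the final RESULT, so an ACL denial (what Pierangelo's loglevel-128 suggestion exposes) can be told apart from a failure in the password check itself. The sample input is a trimmed copy of the log above, constructed for this example; the result-code and bind-method numbers are the standard LDAP / OpenLDAP values (err=49 is invalidCredentials, method=128 is a simple bind), and the loglevel bit names are slapd's.

```python
"""Triage simple-bind failures from slapd debug output (added example)."""
import re

# Standard LDAP result codes (RFC 4511) and OpenLDAP bind method values
# (LDAP_AUTH_SIMPLE = 0x80 = 128, LDAP_AUTH_SASL = 0xa3 = 163).
LDAP_RESULT = {
    0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform",
}
BIND_METHOD = {128: "simple", 163: "SASL"}

# slapd loglevel bits; 384 = 256 (stats) + 128 (ACL), as suggested in the thread.
LOGLEVEL_BITS = {
    1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER", 32: "filter",
    64: "config", 128: "ACL", 256: "stats", 512: "stats2", 1024: "shell",
    2048: "parse",
}

# Constructed sample input: a trimmed copy of the -d -1 log posted in this
# thread, keeping only the lines the parser looks at.
SAMPLE_LOG = """\
Oct  8 11:24:06 belgarian slapd[18951]: conn=15 fd=9 ACCEPT from IP=10.170.132.5:44915 (IP=0.0.0.0:389)
Oct  8 11:24:06 belgarian slapd[18951]: conn=15 op=0 BIND dn="cn=postfix,ou=special users,o=linfield.edu" method=128
Oct  8 11:24:06 belgarian slapd[18951]: => access_allowed: auth access to "cn=Postfix,ou=Special Users,o=linfield.edu" "userPassword" requested
Oct  8 11:24:06 belgarian slapd[18951]: <= check a_dn_pat: anonymous
Oct  8 11:24:06 belgarian slapd[18951]: <= acl_mask: [1] applying auth(=x) (stop)
Oct  8 11:24:06 belgarian slapd[18951]: => access_allowed: auth access granted by auth(=x)
Oct  8 11:24:06 belgarian slapd[18951]: conn=15 op=0 RESULT tag=97 err=49 text=
Oct  8 11:24:06 belgarian slapd[18951]: conn=15 fd=9 closed
"""

RE_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RE_RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')
RE_ACL_REQ = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RE_ACL_WHO = re.compile(r'check a_dn_pat: (\S+)')
RE_ACL_DECISION = re.compile(r'access_allowed: (\w+) access (granted|denied) by (\S+)')


def decode_loglevel(level):
    """Names of the loglevel bits set in `level`, lowest bit first."""
    return [name for bit, name in sorted(LOGLEVEL_BITS.items()) if level & bit]


def triage_binds(log_text):
    """Map (conn, op) -> bind record with its ACL decisions and final result."""
    ops, current = {}, None
    for line in log_text.splitlines():
        if m := RE_BIND.search(line):
            current = (int(m.group(1)), int(m.group(2)))
            ops[current] = {"dn": m.group(3),
                            "method": BIND_METHOD.get(int(m.group(4)), m.group(4)),
                            "acl": [], "err": None, "result": None}
            continue
        if m := RE_RESULT.search(line):
            key = (int(m.group(1)), int(m.group(2)))
            if key in ops:
                err = int(m.group(3))
                ops[key]["err"] = err
                ops[key]["result"] = LDAP_RESULT.get(err, f"code {err}")
            if key == current:
                current = None
            continue
        # ACL trace lines carry no conn=/op= tag, so they are attributed to
        # the bind currently in flight in this sequential read of the log.
        if current is None:
            continue
        acl = ops[current]["acl"]
        if m := RE_ACL_REQ.search(line):
            acl.append({"access": m.group(1), "entry": m.group(2), "attr": m.group(3),
                        "who": None, "decision": None, "by": None})
        elif (m := RE_ACL_WHO.search(line)) and acl:
            acl[-1]["who"] = m.group(1)
        elif (m := RE_ACL_DECISION.search(line)) and acl:
            acl[-1]["decision"], acl[-1]["by"] = m.group(2), m.group(3)
    return ops


def classify(op):
    """Which stage of the simple bind rejected it."""
    if op["err"] == 0:
        return "ok"
    if any(a["decision"] == "denied" for a in op["acl"]):
        return "acl-denied"          # fix the 'by ... auth' clause on userPassword
    if not op["acl"]:
        return "no-acl-trace"        # rerun with loglevel 128 (ACL) or 384
    pw = [a for a in op["acl"] if a["attr"] == "userPassword" and a["access"] == "auth"]
    if op["err"] == 49 and pw and all(a["decision"] == "granted" for a in pw):
        return "credential-check"    # ACL passed; err=49 came from verifying the password
    return "other"


def report(log_text):
    """One verdict line per bind, e.g. for the sample: credential-check."""
    return [f"conn={c} op={o} {r['method']} bind as {r['dn']!r}: {r['result']} -> {classify(r)}"
            for (c, o), r in triage_binds(log_text).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run as-is it prints one verdict per bind. For this log the ACL trace shows anonymous granted auth(=x) on userPassword and the operation still ends in err=49, which places the rejection after the ACL check, in slapd's comparison of the supplied password with the stored userPassword value. Had the ACL been the problem, the same parser would have seen "access denied by ..." and reported acl-denied; with stats-only logging (256) there is no ACL trace at all and it says so rather than guessing.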