
slapd.access dn.regex sasl



Hi all,

I have a problem with slapd.access and dn.regex and sasl.

Firstly, sasl seems to need auth access to uid, userPassword, and
objectClass by * to authenticate and work. Is there any way of defining
this (i.e., so that not everyone has auth access)?

Secondly when I have this in my slapd.access file:
access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
        by self write
        by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by * auth

Authentication works.

When I have:
access to dn.regex="^.+$"
with exactly the same attrs and by clauses as above, it fails. I'm trying
to build a regex, but it fails even at the most open. Can someone please
explain what's going on?

Here are the logs.

When it fails:
------------------------------------
access_allowed: auth access to "uid=dennis,ou=Utiba,ou=People,dc=utiba"
"uid" requested
May  6 11:28:41 blackops slapd[30775]: => dn: [1]
May  6 11:28:41 blackops slapd[30775]: => dn: [2] cn=subschema
May  6 11:28:41 blackops slapd[30775]: => dnpat: [3] ^.+$ nsub: 0
May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] matched
May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] attr uid
May  6 11:28:41 blackops slapd[30775]: => acl_mask: access to entry
"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
May  6 11:28:41 blackops slapd[30775]: => acl_mask: to value by "", (=n)
May  6 11:28:41 blackops slapd[30775]: <= acl_mask: no more <who>
clauses, returning =n (stop)
May  6 11:28:41 blackops slapd[30775]: => access_allowed: auth access
denied by =n
May  6 11:28:41 blackops slapd[30775]: <= test_filter 50
May  6 11:28:41 blackops slapd[30775]: bdb_search: 4605 does not match
filter
May  6 11:28:41 blackops slapd[30775]: send_ldap_result: conn=1 op=0 p=3
May  6 11:28:41 blackops slapd[30775]: send_ldap_result: err=0
matched="" text=""
May  6 11:28:41 blackops slapd[30775]: <==slap_sasl2dn: Converted SASL
name to <nothing>
May  6 11:28:41 blackops slapd[30775]: SASL Canonicalize [conn=1]:
slapAuthcDN="uid=dennis,cn=digest-md5,cn=auth"
May  6 11:28:41 blackops slapd[30775]: SASL Canonicalize [conn=1]:
authzid="dennis"
May  6 11:28:41 blackops slapd[30775]: SASL [conn=1] Failure: no secret
in database
---------------------------------

When it works:
---------------------------------
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
"uid=dennis,ou=Utiba,ou=People,dc=utiba" "uid" requested
May  6 11:34:56 blackops slapd[11754]: => dn: [1]
May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
May  6 11:34:56 blackops slapd[11754]: => dn: [3]
ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr uid
May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
May  6 11:34:56 blackops slapd[11754]: => acl_mask: to value by "", (=n)
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
<uid=root,ou=System,ou=People,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
<uid=root,ou=system,ou=people,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
auth(=x) (stop)
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
granted by auth(=x)
May  6 11:34:56 blackops slapd[11754]: <= test_filter 6
May  6 11:34:56 blackops slapd[11754]: send_ldap_result: conn=0 op=0 p=3
May  6 11:34:56 blackops slapd[11754]: send_ldap_result: err=0
matched="" text=""
May  6 11:34:56 blackops slapd[11754]: <==slap_sasl2dn: Converted SASL
name to uid=dennis,ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: getdn: dn:id converted to
uid=dennis,ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: SASL Canonicalize [conn=0]:
slapAuthcDN="uid=dennis,ou=utiba,ou=people,dc=utiba"
May  6 11:34:56 blackops slapd[11754]: => bdb_search
May  6 11:34:56 blackops slapd[11754]:
bdb_dn2entry("uid=dennis,ou=utiba,ou=people,dc=utiba")
May  6 11:34:56 blackops slapd[11754]: base_candidates: base:
"uid=dennis,ou=utiba,ou=people,dc=utiba" (0x000011fd)
May  6 11:34:56 blackops slapd[11754]: => test_filter
May  6 11:34:56 blackops slapd[11754]:     PRESENT
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
"uid=dennis,ou=Utiba,ou=People,dc=utiba" "objectClass" requested
May  6 11:34:56 blackops slapd[11754]: => dn: [1]
May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
May  6 11:34:56 blackops slapd[11754]: => dn: [3]
ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr objectClass
May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "objectClass" requested
May  6 11:34:56 blackops slapd[11754]: => acl_mask: to all values by "",
(=n)
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
<uid=root,ou=System,ou=People,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
<uid=root,ou=system,ou=people,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
auth(=x) (stop)
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
granted by auth(=x)
May  6 11:34:56 blackops slapd[11754]: <= test_filter 6
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
"uid=dennis,ou=Utiba,ou=People,dc=utiba" "userPassword" requested
May  6 11:34:56 blackops slapd[11754]: => dn: [1]
May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
May  6 11:34:56 blackops slapd[11754]: => dn: [3]
ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr userPassword
May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "userPassword" requested
May  6 11:34:56 blackops slapd[11754]: => acl_mask: to all values by "",
(=n)
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
<uid=root,ou=System,ou=People,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
<uid=root,ou=system,ou=people,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
auth(=x) (stop)
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
granted by auth(=x)
May  6 11:34:56 blackops slapd[11754]: slap_auxprop:
str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
May  6 11:34:56 blackops slapd[11754]: send_ldap_result: conn=0 op=0 p=3
May  6 11:34:56 blackops slapd[11754]: send_ldap_result: err=0
matched="" text=""
May  6 11:34:56 blackops slapd[11754]: SASL Canonicalize [conn=0]:
authzid="dennis"
May  6 11:34:56 blackops slapd[11754]: SASL proxy authorize [conn=0]:
authcid="dennis" authzid="dennis"
May  6 11:34:56 blackops slapd[11754]: conn=0 op=1 BIND authcid="dennis"
May  6 11:34:56 blackops slapd[11754]: SASL Authorize [conn=0]:  proxy
authorization allowed
May  6 11:34:56 blackops slapd[11754]: send_ldap_sasl: err=0 len=40
May  6 11:34:56 blackops slapd[11754]: send_ldap_response: msgid=2
tag=97 err=0
May  6 11:34:56 blackops slapd[11754]: <== slap_sasl_bind: rc=0
May  6 11:34:56 blackops slapd[11754]: conn=0 op=1 BIND
dn="uid=dennis,ou=utiba,ou=people,dc=utiba" mech=DIGEST-MD5 ssf=128
May  6 11:34:56 blackops slapd[11754]: do_bind: SASL/DIGEST-MD5 bind:
dn="uid=dennis,ou=utiba,ou=people,dc=utiba" ssf=128
------------------------------------

Regards,

Dennis

