
Re: slapd.access dn.regex sasl



I suspect you didn't read slapd.access(5) carefully enough, and you didn't understand the implications of some of the directives you're using. Your rules present many errors, some of which might just be harmless, depending on the context. I also suspect the ones you're reporting are not the only ACLs defined in your slapd.conf. Finally, you don't indicate what version of OpenLDAP you're using. It is always a good practice to indicate it; when dealing with ACLs it becomes almost mandatory before one can determine the reason for a given behavior. Since much of the information that is necessary to track your problem exactly is missing, I won't speculate on it; I'd rather wait for further information.

p.

Dennis Matotek wrote:

Hi all,

I have a problem with slapd.access and dn.regex and sasl.

Firstly, sasl seems to need auth access to uid, userPassword, and
objectClass by * to authenticate and work. Is there any way of defining
this (i.e., so everyone doesn't have auth access)?

Secondly when I have this in my slapd.access file:
access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
       by self write
       by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
       by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
       by group.expand="cn=Replicator,ou=Group,dc=utiba" write
       by * auth

Authentication works.

When I have:
access to dn.regex="^.+$"
with exactly the same attrs and by clauses as above it fails. I'm trying
to build a regex but it fails even at the most open. Can someone please
explain what's going on?

Here are the logs:

when it fails
------------------------------------
access_allowed: auth access to "uid=dennis,ou=Utiba,ou=People,dc=utiba"
"uid" requested
May  6 11:28:41 blackops slapd[30775]: => dn: [1]
May  6 11:28:41 blackops slapd[30775]: => dn: [2] cn=subschema
May  6 11:28:41 blackops slapd[30775]: => dnpat: [3] ^.+$ nsub: 0
May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] matched
May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] attr uid
May  6 11:28:41 blackops slapd[30775]: => acl_mask: access to entry
"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
May  6 11:28:41 blackops slapd[30775]: => acl_mask: to value by "", (=n)
May  6 11:28:41 blackops slapd[30775]: <= acl_mask: no more <who>
clauses, returning =n (stop)
May  6 11:28:41 blackops slapd[30775]: => access_allowed: auth access
denied by =n
May  6 11:28:41 blackops slapd[30775]: <= test_filter 50
May  6 11:28:41 blackops slapd[30775]: bdb_search: 4605 does not match
filter
May  6 11:28:41 blackops slapd[30775]: send_ldap_result: conn=1 op=0 p=3
May  6 11:28:41 blackops slapd[30775]: send_ldap_result: err=0
matched="" text=""
May  6 11:28:41 blackops slapd[30775]: <==slap_sasl2dn: Converted SASL
name to <nothing>
May  6 11:28:41 blackops slapd[30775]: SASL Canonicalize [conn=1]:
slapAuthcDN="uid=dennis,cn=digest-md5,cn=auth"
May  6 11:28:41 blackops slapd[30775]: SASL Canonicalize [conn=1]:
authzid="dennis"
May  6 11:28:41 blackops slapd[30775]: SASL [conn=1] Failure: no secret
in database
---------------------------------

when it works
---------------------------------
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
"uid=dennis,ou=Utiba,ou=People,dc=utiba" "uid" requested
May  6 11:34:56 blackops slapd[11754]: => dn: [1]
May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
May  6 11:34:56 blackops slapd[11754]: => dn: [3]
ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr uid
May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
May  6 11:34:56 blackops slapd[11754]: => acl_mask: to value by "", (=n)
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
<uid=root,ou=System,ou=People,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
<uid=root,ou=system,ou=people,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
auth(=x) (stop)
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
granted by auth(=x)
May  6 11:34:56 blackops slapd[11754]: <= test_filter 6
May  6 11:34:56 blackops slapd[11754]: send_ldap_result: conn=0 op=0 p=3
May  6 11:34:56 blackops slapd[11754]: send_ldap_result: err=0
matched="" text=""
May  6 11:34:56 blackops slapd[11754]: <==slap_sasl2dn: Converted SASL
name to uid=dennis,ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: getdn: dn:id converted to
uid=dennis,ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: SASL Canonicalize [conn=0]:
slapAuthcDN="uid=dennis,ou=utiba,ou=people,dc=utiba"
May  6 11:34:56 blackops slapd[11754]: => bdb_search
May  6 11:34:56 blackops slapd[11754]:
bdb_dn2entry("uid=dennis,ou=utiba,ou=people,dc=utiba")
May  6 11:34:56 blackops slapd[11754]: base_candidates: base:
"uid=dennis,ou=utiba,ou=people,dc=utiba" (0x000011fd)
May  6 11:34:56 blackops slapd[11754]: => test_filter
May  6 11:34:56 blackops slapd[11754]:     PRESENT
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
"uid=dennis,ou=Utiba,ou=People,dc=utiba" "objectClass" requested
May  6 11:34:56 blackops slapd[11754]: => dn: [1]
May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
May  6 11:34:56 blackops slapd[11754]: => dn: [3]
ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr objectClass
May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "objectClass" requested
May  6 11:34:56 blackops slapd[11754]: => acl_mask: to all values by "",
(=n)
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
<uid=root,ou=System,ou=People,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
<uid=root,ou=system,ou=people,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
auth(=x) (stop)
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
granted by auth(=x)
May  6 11:34:56 blackops slapd[11754]: <= test_filter 6
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
"uid=dennis,ou=Utiba,ou=People,dc=utiba" "userPassword" requested
May  6 11:34:56 blackops slapd[11754]: => dn: [1]
May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
May  6 11:34:56 blackops slapd[11754]: => dn: [3]
ou=utiba,ou=people,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr userPassword
May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "userPassword" requested
May  6 11:34:56 blackops slapd[11754]: => acl_mask: to all values by "",
(=n)
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
<uid=root,ou=System,ou=People,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
<uid=root,ou=system,ou=people,dc=utiba>
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
auth(=x) (stop)
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
granted by auth(=x)
May  6 11:34:56 blackops slapd[11754]: slap_auxprop:
str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
May  6 11:34:56 blackops slapd[11754]: send_ldap_result: conn=0 op=0 p=3
May  6 11:34:56 blackops slapd[11754]: send_ldap_result: err=0
matched="" text=""
May  6 11:34:56 blackops slapd[11754]: SASL Canonicalize [conn=0]:
authzid="dennis"
May  6 11:34:56 blackops slapd[11754]: SASL proxy authorize [conn=0]:
authcid="dennis" authzid="dennis"
May  6 11:34:56 blackops slapd[11754]: conn=0 op=1 BIND authcid="dennis"
May  6 11:34:56 blackops slapd[11754]: SASL Authorize [conn=0]:  proxy
authorization allowed
May  6 11:34:56 blackops slapd[11754]: send_ldap_sasl: err=0 len=40
May  6 11:34:56 blackops slapd[11754]: send_ldap_response: msgid=2
tag=97 err=0
May  6 11:34:56 blackops slapd[11754]: <== slap_sasl_bind: rc=0
May  6 11:34:56 blackops slapd[11754]: conn=0 op=1 BIND
dn="uid=dennis,ou=utiba,ou=people,dc=utiba" mech=DIGEST-MD5 ssf=128
May  6 11:34:56 blackops slapd[11754]: do_bind: SASL/DIGEST-MD5 bind:
dn="uid=dennis,ou=utiba,ou=people,dc=utiba" ssf=128
------------------------------------

Regards,

Dennis







SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
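The two traces Dennis posted are what slapd's ACL debug output looks like, and the telling difference is that the failing run never reaches a single `check a_dn_pat` line. As an added example (not from this thread or from OpenLDAP), here is a small Python digest that parses such a trace into the `<what>` clause that matched, the `<who>` patterns slapd actually tried, and the final decision; the sample traces are constructed excerpts condensed from the two logs above.

```python
import re
from dataclasses import dataclass, field
# Constructed excerpts, condensed from the two slapd ACL traces quoted in the thread.
FAIL_TRACE = """\
May  6 11:28:41 blackops slapd[30775]: => access_allowed: auth access to "uid=dennis,ou=Utiba,ou=People,dc=utiba" "uid" requested
May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] matched
May  6 11:28:41 blackops slapd[30775]: <= acl_mask: no more <who> clauses, returning =n (stop)
May  6 11:28:41 blackops slapd[30775]: => access_allowed: auth access denied by =n
"""
OK_TRACE = """\
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to "uid=dennis,ou=Utiba,ou=People,dc=utiba" "uid" requested
May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: uid=root,ou=System,ou=People,dc=utiba
May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying auth(=x) (stop)
May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access granted by auth(=x)
"""
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ slapd\[\d+\]: ")  # syslog prefix, if any
REQUEST = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
MATCHED = re.compile(r"=> acl_get: \[(\d+)\] matched")
WHO = re.compile(r"<= check a_dn_pat: (.*)$")
APPLIED = re.compile(r"<= acl_mask: \[(\d+)\] applying")
RESULT = re.compile(r"=> access_allowed: \w+ access (granted|denied) by (\S+)")

@dataclass
class AclDecision:            # one access check: what was asked and how slapd decided it
    access: str               # requested privilege (auth, read, write, ...)
    entry: str
    attr: str
    rule: int = 0             # index of the <what> clause that matched the entry
    who_checked: list = field(default_factory=list)  # <who> patterns slapd actually tried
    applied: int = 0          # index of the <who> clause that fired (0 = none)
    result: str = ""          # "granted" or "denied"
    mask: str = ""            # privilege mask the result came from, e.g. auth(=x) or =n

def parse_acl_trace(text):
    decisions, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if m := REQUEST.search(line):          # a new access check begins
            cur = AclDecision(m.group(1), m.group(2), m.group(3))
            decisions.append(cur)
        elif cur is None: continue             # noise before the first request
        elif m := MATCHED.search(line): cur.rule = int(m.group(1))
        elif m := WHO.search(line): cur.who_checked.append(m.group(1).strip())
        elif m := APPLIED.search(line): cur.applied = int(m.group(1))
        elif m := RESULT.search(line): cur.result, cur.mask = m.group(1), m.group(2)
    return decisions
```

Run over a full `loglevel acl` capture, the digest lists one decision per attribute requested, which makes it easy to see which `<what>` clause caught the entry and whether any `<who>` clause was evaluated at all before the default deny.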