[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slapd.access dn.regex sasl
Hi all,
Thanks Pierangelo, further information below.
openldap-2.2.23-5mdk on LE2005 (mandriva).
I have had another look at the slapd.access man page.
the slapd.access.conf is basically the original that comes with openldap
package.. and here is the changed access file. I gathered it was failing
in the first tests. I have added the uid=admin (which is the
saslauthzto id) - have understood that correctly in the control section
of the slapd.access man page?
access to dn.regex=".*$"
#access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
by self write
by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
by dn.exact,expand="uid=admin,ou=System,ou=People,dc=utiba" auth
by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
by group.expand="cn=Replicator,ou=Group,dc=utiba" write
by * auth
access to dn.regex="^([^,])?ou=Utiba,ou=People,([^dc=])$"
attrs=uid,uidNumber,gidNumber
by self write
by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
by users read
# ACL allowing samba domain controllers to add user accounts
access to dn.regex="^([^,]+,)?ou=People,dc=utiba$"
attrs=entry,children,posixAccount,sambaSamAccount
by dn.exact,expand="uid=root,ou=People,dc=utiba" write
by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
by group.expand="cn=Replicator,ou=Group,dc=utiba" write
by users read
by anonymous read
# allow users to modify their own "address book" entries:
access to dn.regex="([^,]+,)?ou=People,dc=uitba$"
attrs=inetOrgPerson,mail
by self write
by dn.exact,expand="uid=root,ou=People,dc=utiba" write
by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
by group.expand="cn=Replicator,ou=Group,dc=utiba" write
by users read
by anonymous read
# Allow samba domain controllers to create groups and group mappings
access to dn.regex="^([^,]+,)?ou=Group,dc=utiba$"
attrs=entry,children,posixGroup,sambaGroupMapping
by dn.exact,expand="uid=root,ou=People,dc=utiba" write
by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
by group.expand="cn=Replicator,ou=Group,dc=utiba" write
by users read
by anonymous read
# Allow samba domain controllers to create machine accounts
access to dn.regex="^([^,]+,)?ou=Hosts,ou=System,dc=utiba$"
attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
by dn.exact,expand="uid=root,ou=People,dc=utiba" write
by group.expand="cn=Domain Controllers,ou=Grodc=utiba" write
by group.expand="cn=Replicator,ou=Groudc=utiba" write
by users read
by anonymous read
# Allow samba to create idmap entries
access to dn.regex="^([^,]+,)?ou=Idmap,dc=utiba$"
attrs=entry,children,sambaIdmapEntry
by dn.exact,expand="uid=root,ou=People,dc=utiba" write
by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
by group.expand="cn=Replicator,ou=Group,dc=utiba" write
by users read
by anonymous read
# Allow users in the domain to add entries to the "global address book":
# For use with Evolution, the attrs list could be modified to be:
# attrs=children,entry,inetOrgPerson,evolutionperson,calEntry
# if evolutionperson.schema and calendar.schema are available
access to dn.regex="^([^,]+,)?ou=Contacts,ou=People,dc=utiba$"
attrs=children,entry,inetOrgPerson
by dn.sub,expand="ou=People,dc=utiba" write
by group.expand="cn=Replicator,ou=Group,dc=utiba" write
by users read
On Fri, 2005-05-06 at 08:29 +0200, Pierangelo Masarati wrote:
> I suspect you didn't read slapd.access(5) carefully enough, and you
> didn't undestand the implications of some of the directives you're
> using. Your rules present many errors, some of which might just be
> harmless, depending on the context. I also suspect the ones you're
> reporting are not the only ACLs defined in your slapd.conf. Finally,
> you don't indicate what version of OpenLDAP you're using. It is always
> a good practice to indicate it; when dealing with ACLs it becomes almost
> mandatory before one can determine the reason for a given behavior.
> Since many information that are necessary to exactly track your problem
> are missing, I won't speculate on it, I'll rather wait for further
> information.
>
> p.
>
> Dennis Matotek wrote:
>
> >Hi all,
> >
> >I have a problem with slapd.access and dn.regex and sasl.
> >
> >Firstly sasl seems to need auth access to uid, userPassword, and
> >objectClass by * to authenticate and work. Is there anyway of defining
> >this (ie, so everyone doesn't have auth access)?
> >
> >Secondly when I have this in my slapd.access file:
> >access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
> >attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
> > by self write
> > by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
> > by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
> > by group.expand="cn=Replicator,ou=Group,dc=utiba" write
> > by * auth
> >
> >Authentication works.
> >
> >When I have:
> >access to dn.regex="^.+$"
> >with exactly the same attrs and by clauses as above it fails. I'm trying
> >to build a regex but it fails even at the most open. Can someone please
> >explain what's going on?
> >
> >here's the logs..
> >
> >when it fails
> >------------------------------------
> >access_allowed: auth access to "uid=dennis,ou=Utiba,ou=People,dc=utiba"
> >"uid" requested
> >May 6 11:28:41 blackops slapd[30775]: => dn: [1]
> >May 6 11:28:41 blackops slapd[30775]: => dn: [2] cn=subschema
> >May 6 11:28:41 blackops slapd[30775]: => dnpat: [3] ^.+$ nsub: 0
> >May 6 11:28:41 blackops slapd[30775]: => acl_get: [3] matched
> >May 6 11:28:41 blackops slapd[30775]: => acl_get: [3] attr uid
> >May 6 11:28:41 blackops slapd[30775]: => acl_mask: access to entry
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
> >May 6 11:28:41 blackops slapd[30775]: => acl_mask: to value by "", (=n)
> >May 6 11:28:41 blackops slapd[30775]: <= acl_mask: no more <who>
> >clauses, returning =n (stop)
> >May 6 11:28:41 blackops slapd[30775]: => access_allowed: auth access
> >denied by =n
> >May 6 11:28:41 blackops slapd[30775]: <= test_filter 50
> >May 6 11:28:41 blackops slapd[30775]: bdb_search: 4605 does not match
> >filter
> >May 6 11:28:41 blackops slapd[30775]: send_ldap_result: conn=1 op=0 p=3
> >May 6 11:28:41 blackops slapd[30775]: send_ldap_result: err=0
> >matched="" text=""
> >May 6 11:28:41 blackops slapd[30775]: <==slap_sasl2dn: Converted SASL
> >name to <nothing>
> >May 6 11:28:41 blackops slapd[30775]: SASL Canonicalize [conn=1]:
> >slapAuthcDN="uid=dennis,cn=digest-md5,cn=auth"
> >May 6 11:28:41 blackops slapd[30775]: SASL Canonicalize [conn=1]:
> >authzid="dennis"
> >May 6 11:28:41 blackops slapd[30775]: SASL [conn=1] Failure: no secret
> >in database
> >---------------------------------
> >
> >when it works
> >---------------------------------
> >May 6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba" "uid" requested
> >May 6 11:34:56 blackops slapd[11754]: => dn: [1]
> >May 6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
> >May 6 11:34:56 blackops slapd[11754]: => dn: [3]
> >ou=utiba,ou=people,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
> >May 6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr uid
> >May 6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
> >May 6 11:34:56 blackops slapd[11754]: => acl_mask: to value by "", (=n)
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
> ><uid=root,ou=System,ou=People,dc=utiba>
> >May 6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
> ><uid=root,ou=system,ou=people,dc=utiba>
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
> >May 6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
> >auth(=x) (stop)
> >May 6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
> >May 6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
> >granted by auth(=x)
> >May 6 11:34:56 blackops slapd[11754]: <= test_filter 6
> >May 6 11:34:56 blackops slapd[11754]: send_ldap_result: conn=0 op=0 p=3
> >May 6 11:34:56 blackops slapd[11754]: send_ldap_result: err=0
> >matched="" text=""
> >May 6 11:34:56 blackops slapd[11754]: <==slap_sasl2dn: Converted SASL
> >name to uid=dennis,ou=utiba,ou=people,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: getdn: dn:id converted to
> >uid=dennis,ou=utiba,ou=people,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: SASL Canonicalize [conn=0]:
> >slapAuthcDN="uid=dennis,ou=utiba,ou=people,dc=utiba"
> >May 6 11:34:56 blackops slapd[11754]: => bdb_search
> >May 6 11:34:56 blackops slapd[11754]:
> >bdb_dn2entry("uid=dennis,ou=utiba,ou=people,dc=utiba")
> >May 6 11:34:56 blackops slapd[11754]: base_candidates: base:
> >"uid=dennis,ou=utiba,ou=people,dc=utiba" (0x000011fd)
> >May 6 11:34:56 blackops slapd[11754]: => test_filter
> >May 6 11:34:56 blackops slapd[11754]: PRESENT
> >May 6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba" "objectClass" requested
> >May 6 11:34:56 blackops slapd[11754]: => dn: [1]
> >May 6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
> >May 6 11:34:56 blackops slapd[11754]: => dn: [3]
> >ou=utiba,ou=people,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
> >May 6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr objectClass
> >May 6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "objectClass" requested
> >May 6 11:34:56 blackops slapd[11754]: => acl_mask: to all values by "",
> >(=n)
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
> ><uid=root,ou=System,ou=People,dc=utiba>
> >May 6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
> ><uid=root,ou=system,ou=people,dc=utiba>
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
> >May 6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
> >auth(=x) (stop)
> >May 6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
> >May 6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
> >granted by auth(=x)
> >May 6 11:34:56 blackops slapd[11754]: <= test_filter 6
> >May 6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba" "userPassword" requested
> >May 6 11:34:56 blackops slapd[11754]: => dn: [1]
> >May 6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
> >May 6 11:34:56 blackops slapd[11754]: => dn: [3]
> >ou=utiba,ou=people,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
> >May 6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr userPassword
> >May 6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "userPassword" requested
> >May 6 11:34:56 blackops slapd[11754]: => acl_mask: to all values by "",
> >(=n)
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
> >uid=root,ou=System,ou=People,dc=utiba
> >May 6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
> ><uid=root,ou=System,ou=People,dc=utiba>
> >May 6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
> ><uid=root,ou=system,ou=people,dc=utiba>
> >May 6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
> >May 6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
> >auth(=x) (stop)
> >May 6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
> >May 6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
> >granted by auth(=x)
> >May 6 11:34:56 blackops slapd[11754]: slap_auxprop:
> >str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
> >May 6 11:34:56 blackops slapd[11754]: send_ldap_result: conn=0 op=0 p=3
> >May 6 11:34:56 blackops slapd[11754]: send_ldap_result: err=0
> >matched="" text=""
> >May 6 11:34:56 blackops slapd[11754]: SASL Canonicalize [conn=0]:
> >authzid="dennis"
> >May 6 11:34:56 blackops slapd[11754]: SASL proxy authorize [conn=0]:
> >authcid="dennis" authzid="dennis"
> >May 6 11:34:56 blackops slapd[11754]: conn=0 op=1 BIND authcid="dennis"
> >May 6 11:34:56 blackops slapd[11754]: SASL Authorize [conn=0]: proxy
> >authorization allowed
> >May 6 11:34:56 blackops slapd[11754]: send_ldap_sasl: err=0 len=40
> >May 6 11:34:56 blackops slapd[11754]: send_ldap_response: msgid=2
> >tag=97 err=0
> >May 6 11:34:56 blackops slapd[11754]: <== slap_sasl_bind: rc=0
> >May 6 11:34:56 blackops slapd[11754]: conn=0 op=1 BIND
> >dn="uid=dennis,ou=utiba,ou=people,dc=utiba" mech=DIGEST-MD5 ssf=128
> >May 6 11:34:56 blackops slapd[11754]: do_bind: SASL/DIGEST-MD5 bind:
> >dn="uid=dennis,ou=utiba,ou=people,dc=utiba" ssf=128
> >------------------------------------
> >
> >Regards,
> >
> >Dennis
> >
> >
> >-----------------
> >Utiba Pty Ltd
> >This message has been scanned for viruses and
> >dangerous content by Utiba mail server and is
> >believed to be clean.
> >
> >
>
>
>
> SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
>
>
> -----------------
> Utiba Pty Ltd
> This message has been scanned for viruses and
> dangerous content by Utiba mail server and is
> believed to be clean.
>
-----------------
Utiba Pty Ltd
This message has been scanned for viruses and
dangerous content by Utiba mail server and is
believed to be clean.