
Re: Does "Users" in acl only goes for simple binds and not with sasl/gssapi?



-- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

> Your description here implies that slapd(8) is
> logging some sort of error due to a bad DN in
> slapd.conf(5).   But if that was so, you'd
> never get as far as:
> 
> >I get this:
> >
> >ldap_sasl_interactive_bind_s: No such object (32)
> 
> 

My config looks like this:

sasl-host   gaheris.camlann.pregi.net
sasl-realm CAMLANN.PREGI.NET
sasl-regexp
      uid=(.*),cn=camlann.pregi.net,cn=gssapi,cn=auth
      uid=$1,ou=staff,dc=preginet


My access list is simple:

access to * by users read

That is, to allow everyone who has authenticated.

And as you've said...

> As far as your question regarding "users",
> slapd-access(5)
> says:
>    The keyword users means access is granted to
>    authenticated clients.

so, when I'm using sasl/gssapi for authentication, it
goes without saying that I'm already authenticated,
right? How come when I do:

ldapsearch -b 'ou=staff,dc=preginet' mail

I got these:

ldap_sasl_interactive_bind_s: No such object (32)


My debug.log contains these lines:

     PRESENT
Jul  1 13:24:57 gaheris slapd[1267]: => access_allowed: search access to "" "objectClass" requested
Jul  1 13:24:57 gaheris slapd[1267]: => acl_get: [1] attr objectClass
Jul  1 13:24:57 gaheris slapd[1267]: => acl_mask: access to entry "", attr "objectClass" requested
Jul  1 13:24:57 gaheris slapd[1267]: => acl_mask: to all values by "", (=n)
Jul  1 13:24:57 gaheris slapd[1267]: <= check a_dn_pat: users
Jul  1 13:24:57 gaheris slapd[1267]: <= acl_mask: no more <who> clauses, returning =n (stop)
Jul  1 13:24:57 gaheris slapd[1267]: => access_allowed: search access denied by =n

What's with that "no more <who> clauses"??

If I were to change my access list above to:

access to * by * read

and do the same search again, I got these results:

SASL/GSSAPI authentication started
SASL username: matato@CAMLANN.PREGI.NET
SASL SSF: 56
SASL installing layers
dn: ou=staff,dc=preginet

dn: uid=matato,ou=staff,dc=preginet
mail: jayson@asti.dost.gov.ph

I can't see what makes this thing so difficult for
me. I almost thought configuration of the Kerberos server
was the hardest part, yet I ended up being too dumb
because of these access controls, that is... I still
haven't even played with regexps yet.


-Jay
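An added slapd.conf fragment, not from this thread or from the OpenLDAP project, placing the ACL as posted beside a version that also lets the anonymous pre-bind read of the root DSE (entry "") succeed. The reading of the debug log (search on "" by "" denied before the SASL bind completes) and the suffix dc=preginet are assumptions.

```text
# Added example (slapd.conf syntax), not the poster's own file.
#
# ACL as posted: read is granted only to authenticated identities, and that
# includes the root DSE (dn ""). Before the SASL bind, ldapsearch reads
# supportedSASLMechanisms from the root DSE anonymously, which is the search
# the debug log shows being refused:
#   access to entry "", attr "objectClass" requested
#   to all values by "", (=n)            <-- identity "" is anonymous
#   check a_dn_pat: users                <-- "users" does not match anonymous
#   no more <who> clauses, returning =n  <-- default deny
#
#   access to * by users read
#
# Corrected order (assumed fix): allow anyone to read the root DSE and the
# schema entry, keep everything else limited to authenticated clients. ACLs
# are evaluated in order and the first <what> that matches the entry wins,
# so the narrow clauses must come before "access to *".
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * by users read
```

With the first two clauses in place the anonymous mechanism discovery succeeds, the GSSAPI bind maps through the sasl-regexp to uid=$1,ou=staff,dc=preginet, and the "by users read" clause then applies to the actual search.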