
ACL Headaches



Hi All,

I am trying to set up openLDAP with Kerberos5 for authentication. I found and followed the _excellent_ howto by Turbo Fredriksson at http://www.bayour.com/LDAPv3-HOWTO.html and almost everything is working. I can browse, search, & modify the LDAP database using:
	rootdn "cn=ldapadmin,dc=qm"
	rootpw {KERBEROS} ldapadmin@QM

SASL is set up to use GSSAPI correctly, since the following password also works:

	rootpw {SASL} ldapadmin

I am however having a couple of problems. First I cannot successfully bind as a user other than the rootdn, and second I cannot bind with write access using any auth method other than simple. I am not sure what I am doing wrong, although I suspect that the issue is with my ACL. I would greatly appreciate any help that is offered.


###############
## Shell Stuff ###
###############

silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: ldapadmin@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
        additional info: no write access to parent


silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "cn=ldapadmin,dc=qm" -Y gssapi -a -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: ldapadmin@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
        additional info: no write access to parent


silasb@dm:/etc/ldap/ldifs$ kinit silasb
Password for silasb@QM:


silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: silasb@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
        additional info: no write access to parent


silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "uid=silasb,ou=people,dc=qm" -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: silasb@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
        additional info: no write access to parent



silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "uid=silasb,ou=people,dc=qm" -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "cn=ldapadmin,dc=qm" -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
adding new entry "uid=hoke, ou=people, dc=qm"

#################
## End Shell Stuff ##
#################

This would suggest that the Kerberos authentication is working correctly, but my openLDAP ACLs are screwed up. Quite possible, as I am new to openLDAP. Here is my slapd.access file:

################
## slapd.access ##
################

olcAccess: to dn=".*,dc=qm"
        by dn="cn=ldapadmin,dc=qm" write
        by dn="uid=ldapadmin" write
        by dn="uid=ldapadmin@QM" write
        by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
        by dn="uid=ldapadmin.+\+realm=QM" write
        by dn="uid=silasb" write
        by dn="uid=silasb@QM" write
        by dn="uid=silasb.+\+realm=QM" write
        by self write
        by users read
#       by * read


olcAccess: to dn.base=""
       by dn="cn=ldapadmin,dc=qm" write
       by dn="uid=ldapadmin" write
       by dn="uid=ldapadmin@QM" write
       by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
       by dn="uid=ldapadmin.+\+realm=QM" write
       by dn="uid=silasb" write
       by dn="uid=silasb@QM" write
       by dn="uid=silasb.+\+realm=QM" write
       by self write
       by * read


# The admin dn has full write access, everyone else
# can read everything.
olcAccess: to *
        by dn="cn=ldapadmin,dc=qm" write
        by dn="uid=ldapadmin" write
        by dn="uid=ldapadmin@QM" write
        by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
        by dn="uid=ldapadmin.+\+realm=QM" write
        by dn="uid=silasb" write
        by dn="uid=silasb@QM" write
        by dn="uid=silasb.+\+realm=QM" write
#       by self write
        by * read
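Added example (not part of the original post, and not slapd's own matcher): a small Python model of how slapd walks an ACL for an add operation, which shows why every `-Y gssapi` attempt above ends in "no write access to parent". Two facts drive it: under a SASL bind the `-D` option is ignored, and the identity slapd sees is the SASL authentication DN `uid=<user>,cn=<realm>,cn=<mech>,cn=auth` (for `silasb@QM` that is `uid=silasb,cn=qm,cn=gssapi,cn=auth`), not `uid=silasb@QM` or `uid=silasb+realm=QM`, so none of the posted `by dn=...` clauses for SASL users can ever match. The ACL styles (`dn.exact`, `dn.regex`, `dn.subtree`) are made explicit rather than relying on slapd's defaults, the `AUTHZ_REGEXPS` mapping stands in for an `olcAuthzRegexp` directive, and the `FIXED_ACL` is a constructed alternative that grants the mapped directory DN write access explicitly; the rootdn bypass that slapd applies to a simple bind as the rootdn is not modelled.

```python
import re

# Access levels in increasing order of privilege (subset of slapd's list).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def sasl_authc_dn(user: str, realm: str, mech: str = "gssapi") -> str:
    """DN slapd derives from a SASL identity before any authz-regexp mapping."""
    return f"uid={user},cn={realm},cn={mech},cn=auth".lower()


def norm(dn: str) -> str:
    """Case- and whitespace-insensitive comparison form of a DN."""
    return ",".join(part.strip() for part in dn.lower().split(",")) if dn else ""


def parent_dn(dn: str) -> str:
    """Parent of an entry; an add needs write on this entry ('no write access to parent')."""
    return norm(dn).split(",", 1)[1]


def map_authz(authc_dn: str, authz_regexps: list) -> str:
    """Apply (pattern, replacement) rewrites, like olcAuthzRegexp (assumed semantics)."""
    for pattern, replacement in authz_regexps:
        m = re.fullmatch(pattern, authc_dn, flags=re.I)
        if m:
            return norm(m.expand(replacement))
    return authc_dn


def who_matches(who: tuple, bind_dn: str, target_dn: str) -> bool:
    kind, value = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "users":
        return bind_dn != ""
    if kind == "self":
        return bind_dn == target_dn
    if kind == "dn.exact":
        return norm(value) == bind_dn
    if kind == "dn.regex":
        return re.fullmatch(value, bind_dn, flags=re.I) is not None
    raise ValueError(f"unknown <who> kind {kind}")


def what_matches(what: tuple, target_dn: str) -> bool:
    kind, value = what
    if kind == "*":
        return True
    if kind == "dn.base":
        return norm(value) == target_dn
    if kind == "dn.regex":
        return re.fullmatch(value, target_dn, flags=re.I) is not None
    if kind == "dn.subtree":
        base = norm(value)
        return target_dn == base or target_dn.endswith("," + base)
    raise ValueError(f"unknown <what> kind {kind}")


def granted_level(acls: list, bind_dn: str, target_dn: str) -> str:
    """First matching <what> clause decides; within it, first matching <by> wins."""
    bind_dn, target_dn = norm(bind_dn), norm(target_dn)
    for what, bys in acls:
        if not what_matches(what, target_dn):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # <what> matched but no <by> did: access denied
    return "none"


def can_add(acls: list, bind_dn: str, new_entry_dn: str) -> bool:
    level = granted_level(acls, bind_dn, parent_dn(new_entry_dn))
    return LEVELS.index(level) >= LEVELS.index("write")


# Constructed ACL shaped like the posted one, with styles made explicit. The
# SASL-oriented clauses name DN forms slapd never produces for a GSSAPI bind.
POSTED_ACL = [
    (("dn.regex", r".*,dc=qm"), [
        (("dn.exact", "cn=ldapadmin,dc=qm"), "write"),
        (("dn.exact", "uid=silasb@QM"), "write"),
        (("dn.regex", r"uid=silasb.+\+realm=QM"), "write"),
        (("self", None), "write"),
        (("users", None), "read"),
    ]),
    (("*", None), [(("dn.exact", "cn=ldapadmin,dc=qm"), "write"), (("*", None), "read")]),
]

# Constructed alternative: map the GSSAPI identity onto its directory entry
# (what an olcAuthzRegexp would do), then grant that DN write access explicitly.
AUTHZ_REGEXPS = [(r"uid=([^,]+),cn=qm,cn=gssapi,cn=auth", r"uid=\1,ou=people,dc=qm")]
FIXED_ACL = [
    (("dn.subtree", "dc=qm"), [
        (("dn.exact", "cn=ldapadmin,dc=qm"), "write"),
        (("dn.exact", "uid=silasb,ou=people,dc=qm"), "write"),
        (("self", None), "write"),
        (("users", None), "read"),
    ]),
]


def demo() -> dict:
    gssapi_silasb = sasl_authc_dn("silasb", "QM")  # what "-Y gssapi" binds as; -D is ignored
    entry = "uid=hoke,ou=people,dc=qm"
    return {
        "gssapi_dn": gssapi_silasb,
        "posted_acl_silasb": can_add(POSTED_ACL, gssapi_silasb, entry),
        "posted_acl_rootdn": can_add(POSTED_ACL, "cn=ldapadmin,dc=qm", entry),
        "fixed_acl_silasb": can_add(FIXED_ACL, map_authz(gssapi_silasb, AUTHZ_REGEXPS), entry),
        "fixed_acl_anonymous": can_add(FIXED_ACL, "", entry),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the GSSAPI bind for `silasb` falling through every `by dn=` clause of the posted ACL to `by users read`, which is exactly the read-only outcome slapd reports as error 50, while the same identity, once mapped to `uid=silasb,ou=people,dc=qm`, gets write on `ou=people,dc=qm` under the constructed ACL and an anonymous bind still gets nothing. The same mapping is what you would check on a live server with `ldapwhoami -Y gssapi`, which prints the authorization DN slapd actually uses.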