ACL Headaches
- To: <openldap-software@OpenLDAP.org>
- Subject: ACL Headaches
- From: "Bennett, Silas \(GE Infrastructure\)" <Silas.Bennett@ge.com>
- Date: Wed, 21 Sep 2005 15:51:28 -0400
Hi All,
I am trying to set up OpenLDAP with Kerberos5 for authentication. I found and followed the _excellent_ howto by Turbo Fredriksson at http://www.bayour.com/LDAPv3-HOWTO.html and almost everything is working. I can browse, search, & modify the LDAP database using:
rootdn "cn=ldapadmin,dc=qm"
rootpw {KERBEROS} ldapadmin@QM
SASL is set up to use GSSAPI correctly, since the following password also works:
rootpw {SASL} ldapadmin
I am however having a couple of problems. First, I cannot successfully bind as a user other than the rootdn, and second, I cannot bind with write access using any auth method other than simple. I am not sure what I am doing wrong, although I suspect that the issue is with my ACL. I would greatly appreciate any help that is offered.
###############
## Shell Stuff ###
###############
silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: ldapadmin@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
additional info: no write access to parent
silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "cn=ldapadmin,dc=qm" -Y gssapi -a -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: ldapadmin@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
additional info: no write access to parent
silasb@dm:/etc/ldap/ldifs$ kinit silasb
Password for silasb@QM:
silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: silasb@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
additional info: no write access to parent
silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "uid=silasb,ou=people,dc=qm" -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: silasb@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
additional info: no write access to parent
silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "uid=silasb,ou=people,dc=qm" -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "cn=ldapadmin,dc=qm" -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
adding new entry "uid=hoke, ou=people, dc=qm"
#################
## End Shell Stuff ##
#################
This would suggest that the Kerberos authentication is working correctly, but my OpenLDAP ACLs are screwed up. Quite possible as I am new to OpenLDAP. Here is my slapd.access file:
################
## slapd.access ##
################
olcAccess: to dn=".*,dc=qm"
  by dn="cn=ldapadmin,dc=qm" write
  by dn="uid=ldapadmin" write
  by dn="uid=ldapadmin@QM" write
  by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
  by dn="uid=ldapadmin.+\+realm=QM" write
  by dn="uid=silasb" write
  by dn="uid=silasb@QM" write
  by dn="uid=silasb.+\+realm=QM" write
  by self write
  by users read
  # by * read
olcAccess: to dn.base=""
  by dn="cn=ldapadmin,dc=qm" write
  by dn="uid=ldapadmin" write
  by dn="uid=ldapadmin@QM" write
  by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
  by dn="uid=ldapadmin.+\+realm=QM" write
  by dn="uid=silasb" write
  by dn="uid=silasb@QM" write
  by dn="uid=silasb.+\+realm=QM" write
  by self write
  by * read
# The admin dn has full write access, everyone else
# can read everything.
olcAccess: to *
  by dn="cn=ldapadmin,dc=qm" write
  by dn="uid=ldapadmin" write
  by dn="uid=ldapadmin@QM" write
  by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
  by dn="uid=ldapadmin.+\+realm=QM" write
  by dn="uid=silasb" write
  by dn="uid=silasb@QM" write
  by dn="uid=silasb.+\+realm=QM" write
  # by self write
  by * read
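A small lint for `by dn=` clauses of the kind shown in the ACL above, added here as an illustration and not part of the original message or of OpenLDAP. It assumes only the clause syntax of slapd.access(5) (`by dn[.<style>]="<pattern>" <access>`), does not decide which style slapd applies to an unstyled `dn=`, and flags what a reviewer would question: clauses with no explicit style, regex-style patterns without `^...$` anchors (an unanchored regex is a substring match and can grant access to more identities than intended), and regex syntax under an exact style (which can never match). The ACL text inside it is a constructed excerpt using the pattern shapes from the post.

```python
import re

# Constructed sample (not the poster's full file): one access rule carrying the
# pattern shapes that appear in the post, plus one explicitly styled clause.
SAMPLE_ACL = r'''
olcAccess: to dn=".*,dc=qm"
  by dn="cn=ldapadmin,dc=qm" write
  by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
  by dn="uid=ldapadmin.+\+realm=QM" write
  by dn="uid=silasb" write
  by dn.exact="uid=silasb,ou=people,dc=qm" write
  by self write
  by users read
'''

# by dn[.<style>]="<pattern>" <access>
BY_DN = re.compile(r'^\s*by\s+dn(?:\.(?P<style>[a-z]+))?="(?P<pat>[^"]*)"\s+(?P<access>\w+)')
# characters that only make sense inside a regular expression
META = re.compile(r'[.*+?()\[\]^$\\|]')

def lint_by_dn(acl_text):
    """Return [(pattern, style, access, [issue codes])] for every 'by dn' clause."""
    findings = []
    for line in acl_text.splitlines():
        m = BY_DN.match(line)
        if not m:
            continue
        style, pat, access = m.group("style"), m.group("pat"), m.group("access")
        issues = []
        if style is None:
            # slapd.access(5) provides dn.exact, dn.regex, ...; an unstyled dn=
            # leaves the reader guessing which match slapd will apply.
            issues.append("NO_STYLE")
        if style in (None, "regex") and not (pat.startswith("^") and pat.endswith("$")):
            # treated as a regex, an unanchored pattern is a substring match:
            # "uid=silasb" would also match uid=silasb2,... or any DN containing it
            issues.append("UNANCHORED")
        if style == "exact" and META.search(pat):
            # an exact comparison against a regex literal never matches a real DN
            issues.append("REGEX_IN_EXACT")
        findings.append((pat, style, access, issues))
    return findings

if __name__ == "__main__":
    for pat, style, access, issues in lint_by_dn(SAMPLE_ACL):
        shown = f'dn.{style}' if style else "dn"
        print(f'{access:5} {shown}="{pat}" -> {issues or "ok"}')
```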