[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Connection failures from OS X, appears to be TLS-related

To: "Aaron Richton" <richton@nbcs.rutgers.edu>
Subject: Re: Connection failures from OS X, appears to be TLS-related
From: "Ben Beuchler" <insyte@gmail.com>
Date: Mon, 22 May 2006 16:00:11 -0500
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=KWlG2nwsw/qY1yZy2kYu2Iba7ZcUobShqJACdWvn4SkaM4EvDtf8FLxcmChI7G4vpAlnRs7A0Noq92KOq9XNGyUnC3Y9r0cvpA5O7wGxikk48mNBdcSm0U80IUuvIwvjRx+fooPaZOAaToQXH9t3Drs9EBADKtebPqha+4PtR8g=
In-reply-to: <Pine.SOL.4.58.0605051939090.10297@toolbox.rutgers.edu>
References: <479b70ed0605050920y36c7c5bbn661085417f858b76@mail.gmail.com> <Pine.SOL.4.58.0605051939090.10297@toolbox.rutgers.edu>

falling through to a simple bind, server side. The trick is to make OS X
do a simple bind (if that's what you want), which you do by either not
supporting SASL or pretending to not support SASL. One idea would be to
disable SASL in autoconf. I currently ACL out supportedSASLMechanisms.


Care to share the ACL you're using?  I've tried both of these:

access to dn.base="" attrs=supportedSASLMechanisms
       by * none

access to attrs=supportedSASLMechanisms
        by * none

In both cases, anonymous binds are still able to read
supportedSASLMechanisms.  The ACL logs indicate that it's falling
through to the database default:

May 22 15:52:13 swozzle slapd[31751]: conn=0 fd=11 ACCEPT from
IP=150.253.90.107:63718 (IP=150.253.10.37:6666)
May 22 15:52:13 swozzle slapd[31751]: conn=0 fd=11 TLS established
tls_ssf=256 ssf=256
May 22 15:52:13 swozzle slapd[31751]: conn=0 op=0 BIND dn="" method=128
May 22 15:52:13 swozzle slapd[31751]: conn=0 op=0 RESULT tag=97 err=0 text=
May 22 15:52:13 swozzle slapd[31751]: conn=0 op=1 SRCH base="" scope=0
deref=0 filter="(objectClass=*)"
May 22 15:52:13 swozzle slapd[31751]: conn=0 op=1 SRCH
attr=supportedSASLMechanisms
May 22 15:52:13 swozzle slapd[31751]: => access_allowed: search access
to "" "objectClass" requested
May 22 15:52:13 swozzle slapd[31751]: => access_allowed: backend
default search access granted to "(anonymous)"
May 22 15:52:13 swozzle slapd[31751]: => access_allowed: read access
to "" "entry" requested
May 22 15:52:13 swozzle slapd[31751]: => access_allowed: backend
default read access granted to "(anonymous)"
May 22 15:52:13 swozzle slapd[31751]: => access_allowed: read access
to "" "supportedSASLMechanisms" requested
May 22 15:52:13 swozzle slapd[31751]: => access_allowed: backend
default read access granted to "(anonymous)"
May 22 15:52:13 swozzle slapd[31751]: conn=0 op=1 ENTRY dn=""
May 22 15:52:13 swozzle slapd[31751]: conn=0 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
May 22 15:52:13 swozzle slapd[31751]: conn=0 op=2 UNBIND
May 22 15:52:13 swozzle slapd[31751]: conn=0 fd=11 closed


Any thoughts?

Thanks!

Follow-Ups:
- Re: Connection failures from OS X, appears to be TLS-related
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

References:
- Connection failures from OS X, appears to be TLS-related
  - From: "Ben Beuchler" <insyte@gmail.com>
- Re: Connection failures from OS X, appears to be TLS-related
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

Prev by Date: openldap 2.2.23 packaged with Debian Sarge
Next by Date: TLS failures with OS X clients
Index(es):
- Chronological
- Thread