Re: Fwd: Trying to figure out access policies
At 10:35 AM 6/27/2006, Jason Lixfeld wrote:
>Ok, I think I'm making some headway, but I'm still a little confused.
>
>I didn't realize that by putting in an access entry to permit
>specific stuff, you have to put other entries in for everything else
>or else it's an implicit deny. That being said, I modified my
>slapd.conf as follows:
>
>access to attrs=userPassword
> by self write
> by anonymous auth
> by * none
The following by clause is not reached as the above "by *" applies.
Order matters.
> by dn.exact="cn=proxyuser,dc=example,dc=ca" read
>
>access to *
> by * read
>
>(also, I've tried variations on attrs and attr, as well as dn= and
>dn.exact=, all to no avail)
>
>and I'm running slapd -d acl.
>
>Now, when I run the ldapsearch call, I get closer; that is, I get the
>search DN returned to me, but I still don't get the password:
>
># ldapsearch -D "cn=proxyuser,dc=example,dc=ca" -b
>'ou=auth,dc=example,dc=ca' -x -W '(uid=jlixfeld.example.ca)'
>userPassword
>Enter LDAP Password:
># extended LDIF
>#
># LDAPv3
># base <ou=auth,dc=example,dc=ca> with scope subtree
># filter: (uid=jlixfeld.example.ca)
># requesting: userPassword
>#
>
># jlixfeld.example.ca, users, auth, example.ca
>dn: uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>#
>
>=> access_allowed: auth access to "cn=proxyuser,dc=example,dc=ca"
>"userPassword" requested
>=> acl_get: [1] attr userPassword
>access_allowed: no res from state (userPassword)
>=> acl_mask: access to entry "cn=proxyuser,dc=example,dc=ca", attr
>"userPassword" requested
>=> acl_mask: to value by "", (=0)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= acl_mask: [2] applying auth(=xd) (stop)
><= acl_mask: [2] mask: auth(=xd)
>=> access_allowed: auth access granted by auth(=xd)
>=> access_allowed: search access to
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "uid"
>requested
>=> acl_get: [2] attr uid
>=> acl_mask: access to entry
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr
>"uid" requested
>=> acl_mask: to value by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscxd) (stop)
><= acl_mask: [1] mask: read(=rscxd)
>=> access_allowed: search access granted by read(=rscxd)
>=> access_allowed: read access to
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "entry"
>requested
>=> acl_get: [2] attr entry
>=> acl_mask: access to entry
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr
>"entry" requested
>=> acl_mask: to all values by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscxd) (stop)
><= acl_mask: [1] mask: read(=rscxd)
>=> access_allowed: read access granted by read(=rscxd)
>=> access_allowed: read access to
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca"
>"userPassword" requested
>=> acl_get: [1] attr userPassword
>access_allowed: no res from state (userPassword)
>=> acl_mask: access to entry
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr
>"userPassword" requested
>=> acl_mask: to value by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= check a_dn_pat: *
><= acl_mask: [3] applying none(=0) (stop)
><= acl_mask: [3] mask: none(=0)
>=> access_allowed: read access denied by none(=0)
>send_search_entry: conn 9 access to attribute userPassword, value #0
>not allowed
>
>Correct me if I'm wrong but the "read access denied by none"
>indicates that the bind isn't happening as proxyuser?
>
>Also, what does "access_allowed: no res from state" mean? It's the
>only debug part that I can't quite decipher.
>
>Begin forwarded message:
>
>>From: Jason Lixfeld <jason+lists.openldap@lixfeld.ca>
>>Date: June 27, 2006 12:38:14 PM EDT (CA)
>>To: OpenLDAP software list <openldap-software@openldap.org>
>>Subject: Trying to figure out access policies
>>
>>I think I'm somewhat versed in the basics of OpenLDAP, but the
>>concept of access policies eludes me because they are far beyond my
>>current level of comprehension. That being said, I'm doing some
>>trial by fire to try to make sense of how they work and hopefully
>>will then be able to relate some of what I read in the manual to
>>what I've made happen in tests...
>>
>>I'm trying to get a proxyuser working so I don't have to do
>>everything as Manager.
>>
>>I put this entry into my slapd.conf as per some tutorials I read:
>>
>>access to attrs=userPassword
>> by dn="cn=Proxyuser,dc=example,dc=ca" read
>>
>>and likewise, these entries into my ldap.conf:
>>
>>binddn cn=Proxyuser,dc=example,dc=ca
>>bindpw ****
>>rootbinddn cn=Proxyuser,dc=example,dc=ca
>>
>>and finally, the Proxyuser password in /etc/ldap.secret.
>>
>>Being unsure if the lookups for ldap.conf and ldap.secret are in /etc
>>or /usr/local/etc (Using a FreeBSD system here), I symlinked each so
>>they are available in both locations.
>>
>>After that was all said and done, I restarted slapd and tried to do
>>a search using the proxyuser as the binddn:
>>
>># ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b
>>'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword
>>Enter LDAP Password:
>>ldap_bind: Invalid credentials (49)
>>
>># all.log
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from
>>IP=127.0.0.1:54632 (IP=0.0.0.0:389)
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND
>>dn="cn=Proxyuser,dc=example,dc=ca" method=128
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97
>>err=49 text=
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed
>>(connection lost)
>>
>>It would seem to me that it's not complaining about the password,
>>so I assume it's complaining about the access entry in slapd.conf.
>>I removed the access entry from slapd.conf and was able to perform
>>the same search as above without a problem.
>>
>>Anyone have any pointers on what I can look at as the source of
>>this problem?
>>
>>Also, I'm a little confused about the difference between binddn and
>>rootbinddn. If I understand correctly, rootbinddn is the DN used
>>to bind if the user executing the command is root, while binddn is
>>the DN used to bind if the user executing the command is any user
>>other than root. Is this correct? I ask because if I run
>>ldapsearch as root with no additional arguments and check the logs,
>>it seems to bind anonymously so I'm not sure if my understanding of
>>binddn vs. rootbinddn is correct:
>>
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from
>>IP=127.0.0.1:58244 (IP=0.0.0.0:389)
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0
>>text=
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base=""
>>scope=2 deref=0 filter="(objectClass=*)"
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT
>>tag=101 err=32 nentries=0 text=
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed
>>
>>Thanks in advance for any insight on either or both of these points...
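The ordering point raised in the inline reply above, shown as an added example that is not part of the thread and not OpenLDAP's own code: a small Python model of how slapd walks the "by" clauses of one "access to" directive (first matching clause wins, then it stops), run over the poster's ordering and over the corrected one. The ByClause/granted names and the simplified <who> matcher are assumptions of this model.

```python
# Added example (not from the thread): a minimal model of slapd's
# first-match walk over the "by" clauses of an "access to" directive.
# slapd applies the FIRST "by" clause whose <who> matches the bound DN
# and stops, so clause order decides the outcome.
from dataclasses import dataclass

# Access levels in slapd's ordering; each level implies the ones below it
# (the thread's debug output shows auth as "=xd" and read as "=rscxd").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class ByClause:
    who: str      # "self", "anonymous", "users", "*", or 'dn.exact="<dn>"'
    level: str    # one of LEVELS

def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    """Decide whether a <who> pattern matches the requester (bind_dn)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":  # bound DN is the entry being accessed
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith('dn.exact="') and who.endswith('"'):
        return bind_dn.lower() == who[len('dn.exact="'):-1].lower()
    raise ValueError(f"unsupported <who> pattern: {who}")

def granted(clauses, bind_dn, target_dn, wanted):
    """Return (allowed, index of the deciding clause). The first matching
    clause decides; if nothing matches the result is the implicit 'none'."""
    for i, c in enumerate(clauses):
        if who_matches(c.who, bind_dn, target_dn):
            return LEVELS.index(c.level) >= LEVELS.index(wanted), i
    return False, None

PROXY = "cn=proxyuser,dc=example,dc=ca"
USER = "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca"

# The thread's ordering: "by * none" sits before the proxyuser clause.
BROKEN = [ByClause("self", "write"), ByClause("anonymous", "auth"),
          ByClause("*", "none"), ByClause(f'dn.exact="{PROXY}"', "read")]
# Corrected ordering: specific identities first, the catch-all last.
FIXED = [ByClause("self", "write"), ByClause(f'dn.exact="{PROXY}"', "read"),
         ByClause("anonymous", "auth"), ByClause("*", "none")]

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN), ("fixed", FIXED)):
        ok, idx = granted(acl, PROXY, USER, "read")
        print(f"{name}: proxyuser read userPassword -> {ok} (decided by clause {idx})")
```

In the broken ordering the proxyuser request is decided by clause 2 ("by * none"), matching the "[3] applying none(=0)" line in the debug trace; the clause after it is never consulted.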