slurpd access control problems
Hello.
I guess this must be a FAQ, but I tried searching for a whole day and
didn't come up with any answer.
I've got two FreeBSD servers running openldap 2.3.32 in a master/slave
configuration. I'm using slurpd to keep them in sync: I tried this with
the rootdn as the slurp binddn and from a network perspective it works.
Now, I obviously don't want to use rootdn for this, so I created a new
user and I'm using simple authentication (on an SSL layer).
I get problems with access control, however, that prevent it from working.
What I did:
I created this user:
dn: uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx
cn: slurpd
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: slurpd
uidNumber: 1033
gidNumber: 389
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
loginShell: /sbin/nologin
homeDirectory: /nonexistent
On the slave I edited slapd.conf as follows:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/local/etc/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
TLSCertificateFile /usr/local/local/etc/openssl/openldap_newcert.pem
TLSCertificateKeyFile /usr/local/local/etc/openssl/openldap_newcertkey.pem
TLSCACertificateFile /usr/local/local/etc/openssl/netfence_ca.pem
database bdb
suffix "dc=xxxxxxxx,dc=xx"
rootdn "cn=root,dc=xxxxxxxx,dc=xx"
rootpw xxxxxxxx
directory /var/db/openldap-data
index objectClass eq
index uid pres,eq
index rid eq
index cn eq
updatedn "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
updateref "ldaps://master.xxxxxxxxx.xx"
The problem is I cannot access the slave database with
dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
What I get is:
slave# ldapsearch -w xxxxxxx -D 'uid=slurp,ou=users,dc=xxxxxxxx,dc=xx' -b 'dc=xxxxxxxxx,dc=xx' -d 255
ldap_create
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: -1
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x00517000 ptr=0x00517000 end=0x00517039 len=57
0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d
07...`2....$uid=
0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64
slurp,ou=users,d
0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX
c=xxxxxxxx,dc=xx
0030: 80 07 XX XX XX XX XX XX XX ..xxxxxxx
ber_scanf fmt ({i) ber:
ber_dump: buf=0x00517000 ptr=0x00517005 end=0x00517039 len=52
0000: 60 32 02 01 03 04 24 75 69 64 3d 73 6c 75 72 70
`2....$uid=slurp
0010: 2c 6f 75 3d 75 73 65 72 73 2c 64 63 3d XX XX XX
,ou=users,dc=xxx
0020: XX XX XX XX XX 2c 64 63 3d XX XX 80 07 XX XX XX
xxxxx,dc=xx..xxx
0030: XX XX XX XX xxxx
ber_flush: 57 bytes to sd 3
0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d
07...`2....$uid=
0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64
slurp,ou=users,d
0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX
c=xxxxxxxx,dc=xx
0030: 80 07 XX XX XX XX XX XX XX ..xxxxxxx
ldap_write: want=57, written=57
0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d
07...`2....$uid=
0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64
slurp,ou=users,d
0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX
c=xxxxxxx,dc=xx
0030: 80 07 XX XX XX XX XX XX XX ..xxxxxxx
ldap_result ld 0x515400 msgid 1
ldap_chkResponseList ld 0x515400 msgid 1 all 1
ldap_chkResponseList returns ld 0x515400 NULL
wait4msg ld 0x515400 msgid 1 (infinite timeout)
wait4msg continue ld 0x515400 msgid 1 all 1
** ld 0x515400 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 19 23:10:47 2007
** ld 0x515400 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x515400 Response Queue:
Empty
ldap_chkResponseList ld 0x515400 msgid 1 all 1
ldap_chkResponseList returns ld 0x515400 NULL
ldap_int_select
read1msg: ld 0x515400 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 31 04 00 04 00 .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x00514210 ptr=0x00514210 end=0x0051421c len=12
0000: 02 01 01 61 07 0a 01 31 04 00 04 00 ...a...1....
read1msg: ld 0x515400 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x00514210 ptr=0x00514213 end=0x0051421c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
read1msg: ld 0x515400 0 new referrals
read1msg: mark request completed, ld 0x515400 msgid 1
request done: ld 0x515400 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x00514210 ptr=0x00514213 end=0x0051421c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x00514210 ptr=0x0051421c end=0x0051421c len=0
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
Obviously the same command works if used with rootdn.
What am I doing wrong?
bye & Thanks
av.
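Added example, not part of the posting above and not OpenLDAP's own code. Two things decide whether a non-rootdn updatedn can bind to a slurpd replica, and both are checked here against the configuration quoted in the message: first, the DN that the ACL and the updatedn directive name must exist as an entry in the replica's data (the posted LDIF creates uid=slurpd, while the slapd.conf lines and the ldapsearch refer to uid=slurp); second, slapd checks `auth` access to userPassword for the *anonymous* identity when it processes a simple bind, because the connection has not been authenticated yet, so an ACL whose first `access to *` clause has no `by anonymous auth` (or equivalent) makes every simple bind fail with Invalid credentials (49), while rootdn still works because it bypasses ACLs altogether. The script below parses the LDIF and slapd.conf fragments as constructed strings, models the subset of slapd.access(5) semantics they use (first matching `access to` clause decides, first matching `by` clause wins, implicit `by * none` at the end), and reports what would stop the bind. The "fixed" ACL is my suggested form, not something from the posting; the DNs with `xxxxxxxx` keep the message's redaction verbatim.

```python
"""Checks for a slurpd replica whose non-rootdn updatedn gets 'Invalid
credentials (49)' while rootdn (which bypasses ACLs) works.  Added
illustration, not OpenLDAP code.  Models only the subset of slapd.access(5)
used here: <what> '*' or 'attrs=<list>'; <who> '*', 'anonymous', 'users'
or an exact dn="..."; the default 'stop' control."""
import re

# slapd privilege order: a clause granting level L satisfies requests <= L.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    """Case- and whitespace-insensitive comparison form of a DN."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)).lower()
                    for rdn in dn.split(","))

def ldif_dns(ldif):
    return {norm_dn(m.group(1)) for m in re.finditer(r"^dn:\s*(.+)$", ldif, re.M)}

def missing_dns(conf, ldif):
    """DNs named in 'by dn="..."' clauses or as updatedn with no LDIF entry."""
    refs = re.findall(r'\bdn="([^"]+)"', conf)
    refs += re.findall(r'^\s*updatedn\s+"([^"]+)"', conf, re.M)
    return {norm_dn(d) for d in refs} - ldif_dns(ldif)

def parse_acl(conf):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    unfolded = []
    for raw in conf.splitlines():
        if raw[:1].isspace() and unfolded:       # slapd.conf continuation line
            unfolded[-1] += " " + raw.strip()
        else:
            unfolded.append(raw.strip())
    rules = []
    for line in unfolded:
        if line.startswith("access to "):
            what, _, rest = line[len("access to "):].partition(" by ")
            bys = re.findall(r'(dn="[^"]+"|\*|anonymous|users)\s+(\w+)', rest)
            rules.append((what.strip(), bys))
    return rules

def acl_allows(rules, who, attr, level):
    """who is a DN, or None for anonymous.  The first 'access to' whose <what>
    matches decides; its first matching 'by' wins, then implicit 'by * none'."""
    for what, bys in rules:
        if what != "*" and not (what.startswith("attrs=") and attr is not None
                                and attr.lower() in what[6:].lower().split(",")):
            continue
        for w, lvl in bys:
            if (w == "*"
                    or (w == "anonymous" and who is None)
                    or (w == "users" and who is not None)
                    or (w.startswith('dn="') and who is not None
                        and norm_dn(w[4:-1]) == norm_dn(who))):
                return LEVELS.index(lvl) >= LEVELS.index(level)
        return False
    # Configs in this style end with a catch-all; do not guess slapd's default.
    raise ValueError("no 'access to' directive matches")

def bind_check(conf, ldif, bind_dn):
    """Reasons a simple bind as bind_dn, then a replication write, would fail
    under this config; an empty list means nothing was found."""
    problems = []
    if norm_dn(bind_dn) not in ldif_dns(ldif):
        problems.append("no entry %s in the replica data" % bind_dn)
    rules = parse_acl(conf)
    # slapd compares the password while the connection is still anonymous,
    # so it is the anonymous identity that needs 'auth' on userPassword.
    if not acl_allows(rules, None, "userPassword", "auth"):
        problems.append("ACL denies anonymous 'auth' access to userPassword")
    if not acl_allows(rules, bind_dn, "cn", "write"):
        problems.append("ACL denies %s write access" % bind_dn)
    return problems

# Constructed inputs, reduced from the posting (its redaction kept verbatim).
SLURP = "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
SLAVE_LDIF = "dn: uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx\nuid: slurpd\n"
SLAVE_CONF = """\
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
updatedn "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
"""
# Suggested form (mine, not from the posting): anonymous gets 'auth' on
# userPassword, catch-all last.  The posted second 'access to *' is dead code.
FIXED_CONF = """\
access to attrs=userPassword
    by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
    by anonymous auth
    by * none
access to *
    by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
    by * none
updatedn "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
"""

if __name__ == "__main__":
    for conf in (SLAVE_CONF, FIXED_CONF):
        print(missing_dns(conf, SLAVE_LDIF), bind_check(conf, SLAVE_LDIF, SLURP))
```

Run against the posted fragments, bind_check reports both the missing uid=slurp entry and the denied anonymous auth; against the suggested ACL only the missing entry remains, which is the part no ACL change can fix. The model deliberately leaves out `self`, regex and subtree DN styles, and `break`/`continue` controls; for a real slapd.conf the authoritative check is `slapacl` on the replica with `-D` set to the updatedn, the same identity ldapsearch binds as.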