
slurpd access control problems

Hello.
I guess this must be a FAQ, but I tried searching for a whole day and didn't come up with any answer.


I've got two FreeBSD servers running openldap 2.3.32 in a master/slave configuration. I'm using slurpd to keep them in sync: I tried this with the rootdn as the slurpd binddn and from a network perspective it works.
Now, I obviously don't want to use rootdn for this, so I created a new user and I'm using simple authentication (on an SSL layer).

I get problems with access control, however, that prevent it from working.

What I did:

I created this user:

dn: uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx
cn: slurpd
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: slurpd
uidNumber: 1033
gidNumber: 389
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
loginShell: /sbin/nologin
homeDirectory: /nonexistent

On the slave I edited slapd.conf as follows:

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/local/etc/samba.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none

TLSCertificateFile      /usr/local/local/etc/openssl/openldap_newcert.pem
TLSCertificateKeyFile   /usr/local/local/etc/openssl/openldap_newcertkey.pem
TLSCACertificateFile    /usr/local/local/etc/openssl/netfence_ca.pem


database        bdb
suffix          "dc=xxxxxxxx,dc=xx"
rootdn          "cn=root,dc=xxxxxxxx,dc=xx"
rootpw          xxxxxxxx
directory       /var/db/openldap-data
index           objectClass     eq
index           uid             pres,eq
index           rid             eq
index           cn              eq

updatedn        "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
updateref       "ldaps://master.xxxxxxxxx.xx"

The problem is I cannot access the slave database with dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".

What I get is:

slave# ldapsearch -w xxxxxxx -D 'uid=slurp,ou=users,dc=xxxxxxxx,dc=xx' -b 'dc=xxxxxxxxx,dc=xx' -d 255
ldap_create
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: -1
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x00517000 ptr=0x00517000 end=0x00517039 len=57
0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d 07...`2....$uid=
0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64 slurp,ou=users,d
0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX c=xxxxxxxx,dc=xx
0030: 80 07 XX XX XX XX XX XX XX ..xxxxxxx
ber_scanf fmt ({i) ber:
ber_dump: buf=0x00517000 ptr=0x00517005 end=0x00517039 len=52
0000: 60 32 02 01 03 04 24 75 69 64 3d 73 6c 75 72 70 `2....$uid=slurp
0010: 2c 6f 75 3d 75 73 65 72 73 2c 64 63 3d XX XX XX ,ou=users,dc=xxx
0020: XX XX XX XX XX 2c 64 63 3d XX XX 80 07 XX XX XX xxxxx,dc=xx..xxx
0030: XX XX XX XX xxxx
ber_flush: 57 bytes to sd 3
0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d 07...`2....$uid=
0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64 slurp,ou=users,d
0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX c=xxxxxxxx,dc=xx
0030: 80 07 XX XX XX XX XX XX XX ..xxxxxxx
ldap_write: want=57, written=57
0000: 30 37 02 01 01 60 32 02 01 03 04 24 75 69 64 3d 07...`2....$uid=
0010: 73 6c 75 72 70 2c 6f 75 3d 75 73 65 72 73 2c 64 slurp,ou=users,d
0020: 63 3d XX XX XX XX XX XX XX XX 2c 64 63 3d XX XX c=xxxxxxx,dc=xx
0030: 80 07 XX XX XX XX XX XX XX ..xxxxxxx
ldap_result ld 0x515400 msgid 1
ldap_chkResponseList ld 0x515400 msgid 1 all 1
ldap_chkResponseList returns ld 0x515400 NULL
wait4msg ld 0x515400 msgid 1 (infinite timeout)
wait4msg continue ld 0x515400 msgid 1 all 1
** ld 0x515400 Connections:
* host: localhost port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 19 23:10:47 2007


** ld 0x515400 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x515400 Response Queue:
   Empty
ldap_chkResponseList ld 0x515400 msgid 1 all 1
ldap_chkResponseList returns ld 0x515400 NULL
ldap_int_select
read1msg: ld 0x515400 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 31 04 00 04 00                                  .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x00514210 ptr=0x00514210 end=0x0051421c len=12
  0000:  02 01 01 61 07 0a 01 31  04 00 04 00               ...a...1....
read1msg: ld 0x515400 msgid 1 message type bind
ber_scanf fmt ({eaa) ber:
ber_dump: buf=0x00514210 ptr=0x00514213 end=0x0051421c len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
read1msg: ld 0x515400 0 new referrals
read1msg:  mark request completed, ld 0x515400 msgid 1
request done: ld 0x515400 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x00514210 ptr=0x00514213 end=0x0051421c len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x00514210 ptr=0x0051421c end=0x0051421c len=0

ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)

Obviously the same command works if used with rootdn.

What am I doing wrong?

bye & Thanks av.
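Two checks worth running against what is on this page, as an added example that is not part of the original post and not OpenLDAP's own code. The first decodes the 14-byte BindResponse that `ldap_read` returned in the trace (`30 0c 02 01 01 61 07 0a 01 31 04 00 04 00`) into its RFC 4511 result code; 49 is invalidCredentials, which slapd returns both when no entry exists for the bind DN and when the password cannot be verified, so the code alone does not say which. The second cross-references every DN named in `by dn=` ACL clauses and in `updatedn` against the `dn:` lines of the LDIF that was actually loaded; the LDIF on the page creates `uid=slurpd,...` while the ACL and `updatedn` name `uid=slurp,...`. The LDIF and slapd.conf excerpts are copied from the post with its masked `dc=xxxxxxxx,dc=xx` values kept verbatim; the `RESULT_NAMES` table, the helper names and the regexes are this example's own, and the DN normalisation is a loose comparison rather than full RFC 4514 matching.

```python
"""Decode the BindResponse from the ldapsearch -d 255 trace and cross-check the
DNs slapd.conf refers to against the DNs the LDIF defines.  Added example; the
LDIF/conf excerpts are copied from the post, the helpers are this example's own."""
import re

# The 14 bytes ldap_read returned in the trace above, as captured.
BIND_RESPONSE = bytes.fromhex("300c02010161070a013104000400")

# Subset of RFC 4511 LDAPResult resultCode values.
RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Decode LDAPMessage { messageID, BindResponse } and return its fields."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:  # [APPLICATION 1] = BindResponse
        raise ValueError("not a BindResponse")
    tag, code, pos = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("expected ENUMERATED resultCode")
    _, matched_dn, pos = read_tlv(op, pos)   # OCTET STRING matchedDN
    _, diagnostic, _ = read_tlv(op, pos)     # OCTET STRING diagnosticMessage
    result_code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "result_code": result_code,
        "result_name": RESULT_NAMES.get(result_code, "unknown"),
        "matched_dn": matched_dn.decode(),
        "diagnostic": diagnostic.decode(),
    }


# Entry and slapd.conf lines as posted (masked values kept); constructed excerpt.
SLURPD_LDIF = """\
dn: uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx
cn: slurpd
objectClass: account
uid: slurpd
"""

SLAPD_CONF = """\
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
rootdn "cn=root,dc=xxxxxxxx,dc=xx"
updatedn        "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
"""


def normalize_dn(dn):
    """Loose DN comparison: lowercase, strip whitespace around RDNs (not full RFC 4514)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ldif_dns(ldif):
    """DNs of entries in an LDIF text (plain 'dn:' lines only; base64 'dn::' is skipped)."""
    return {normalize_dn(m.group(1)) for m in re.finditer(r"^dn:\s+(\S.*)$", ldif, re.M)}


def conf_dns(conf):
    """DNs slapd.conf expects to exist: 'by dn=...' ACL subjects and updatedn.
    rootdn is deliberately excluded: it need not have an entry in the database."""
    found = set()
    for m in re.finditer(r'\bdn(?:\.\w+)?="([^"]+)"', conf):
        found.add(normalize_dn(m.group(1)))
    for m in re.finditer(r'^\s*updatedn\s+"([^"]+)"', conf, re.M):
        found.add(normalize_dn(m.group(1)))
    return found


def undefined_dns(ldif, conf):
    """DNs referenced by slapd.conf that no LDIF entry defines."""
    return sorted(conf_dns(conf) - ldif_dns(ldif))


if __name__ == "__main__":
    print(parse_bind_response(BIND_RESPONSE))
    print("referenced but undefined:", undefined_dns(SLURPD_LDIF, SLAPD_CONF))
```

One caveat on the ACL itself, independent of the DN spelling: a `by dn="..."` clause only applies once that DN has bound, and a simple bind runs on an anonymous connection that needs `auth` access to the entry's `userPassword` attribute to be checked; with `access to * by * none` as the only other rule, that access is not granted on this slave.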