
Re: slurpd access control problems



On Sun, Jan 21, 2007 at 07:59:40PM +0100, Andrea Venturoli wrote:
> Aaron Richton wrote:
> >>I get problems with access control, however, that prevent it from 
> >>working.
> >
> >Yes...given
> >>access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
> >>access to * by * none
> >
> >>The problem is I cannot access the slave database with 
> >>dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
> >because you have no access for anonymous to auth to uid=slurp.
> 
> Ok, but I can't seem to get out of this, even after reading the docs again!
> 
> Now I tried:
> 
> >access to * by dn="uid=slurp,ou=users,dc=biolchim,dc=in" write
> >access to * by * auth
> >#access to * by * none

That will not work either.  The way the ACL works is it starts at the top and
works down.  When the slave system tries to log in, it will try to authenticate
against the master server with your provided credentials.  It will try to
authenticate against the userPassword record.

When it evals it, it matches the first line (access to *), but you only have 1
by clause associated with it and that belongs to uid=slurp.  It will never eval
to the 2nd access line because it was satisfied with line 1.

Add before your first access

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none


> 
> but this won't improve my situation a bit.
> What should I write here?
> 
> 
> 
> >Debugging on the client isn't going to be too informative here. Try 
> >"slapd -d acl" perhaps.
> 
> Tried that too, but I get info on successful binds and nothing when I try 
> with user slurp.
> 
> 
>  bye & Thanks
> 	av.
> 

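
The first-match evaluation described in the reply above can be modelled in a few lines. This is an added example, not part of the original thread and not OpenLDAP code: it is a simplified model that only handles "*", "anonymous", "self" and exact-DN <who> values, a subset of access levels, and a constructed placeholder DN.

```python
# Simplified model of slapd.conf ACL evaluation (added example, not OpenLDAP code).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # subset, ascending

SLURP = "uid=slurp,ou=users,dc=example,dc=com"  # constructed placeholder DN


def who_matches(who, requester, target_dn):
    """requester is a bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target_dn
    return requester == who  # exact dn="..." match


def granted_level(acl, requester, target_dn, attr):
    """Return the level granted when the first matching <what> clause wins."""
    for what, by_clauses in acl:
        if what != "*" and attr not in what:
            continue  # this <what> does not cover the attribute, try the next
        for who, level in by_clauses:
            if who_matches(who, requester, target_dn):
                return level
        return "none"  # implicit "by * none": later <what> lines are not consulted
    return "none"  # implicit final "access to * by * none"


def can_bind(acl, target_dn):
    """A simple bind needs anonymous 'auth' access to the target's userPassword."""
    level = granted_level(acl, None, target_dn, "userPassword")
    return LEVELS.index(level) >= LEVELS.index("auth")


# Second attempt from the thread: the "by * auth" line is never reached.
BROKEN = [
    ("*", [(SLURP, "write")]),
    ("*", [("*", "auth")]),
]
# Same rules with the userPassword clause placed first, as the reply suggests.
FIXED = [
    (("userPassword",), [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
] + BROKEN

if __name__ == "__main__":
    print("broken ACL lets slurp bind:", can_bind(BROKEN, SLURP))
    print("fixed ACL lets slurp bind: ", can_bind(FIXED, SLURP))
```

In both lists the second "access to *" line stays unreachable, so once bound only uid=slurp gets anything beyond the userPassword rules.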