
Re: OpenLDAP and SASL



Dieter Kluenter wrote:
> Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
>
>> Dieter Kluenter wrote:
>>
>>> Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
>>>
>>> [...]
>>>
>>> There is nothing special to do. ldapsearch -Y DIGEST-MD5 -U foo -w
>>> secret -H ldap://myhost -b dc=example,dc=com ...
>>> All you have to do is to set the userPassword value as plaintext,
>>> otherwise the challenge cannot be created. If you want to parse the
>>> SASL authentication string to a DN, then you have to define an
>>> authz-regexp in slapd.conf(5) and the user has to have a uid
>>> attribute.
>>
>> [...]
>>
>> I still cannot authenticate using the password from the userPassword
>> attribute. I also attached 2 configuration files to this email. Is there
>> any missing configuration?
>
> Could you provide some logs?
>
>> [...]
>>
>> # slapd.conf - Configuration file for LDAP SLAPD
>> ##########
>> authz-regexp
>> 	uid=([^,]+).*,cn=auth
>> 	uid=$1,ou=Users,dc=example,dc=com
>> authz-regexp
>> 	email=([^,]+),cn=([^,]+).*,c=TH$
>> 	uid=$2,ou=Users,dc=example,dc=com
>> sasl-realm example.com
>> sasl-secprops none
>
> Is there any particular reason to define the second authz-regexp rule?
>
>> access to attrs=userPassword
>> 	by self write
>> 	by anonymous auth
>> 	by * none
>> access to dn.subtree="ou=System,dc=example,dc=com"
>> 	by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
>> 	by users read
>>
>> access to *
>> 	by self write
>> 	by users read
>> 	by * none
>>
>> [...]
>
> run slapd -d acl and post the relevant parts.
>
> -Dieter

  
Dear Dieter Kluenter,

1. I defined the second authz-regexp rule to map SASL EXTERNAL authentication from a certificate to an LDAP DN. It's just for testing.
2. I test SASL by executing the command "ldapsearch -U matt -Y DIGEST-MD5".
3. I also attached the output files from the "-d trace" option (debug_trace.log) and from "-d acl" (debug_acl.log).

Jittinan Suwanrueangsri

debug_trace.log:

@(#) $OpenLDAP: slapd 2.4.16 (Sep  3 2009 09:51:42) $
	root@ldap.example.com:/home/jittinans/openldap-2.4.16/servers/slapd
ldap_pvt_gethostbyname_a: host=ldap.example.com, r=0
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008)
hdb_db_init: Initializing HDB database
>>> dnPrettyNormal: <dc=example,dc=com>
<<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
>>> dnPrettyNormal: <cn=admin,dc=example,dc=com>
<<< dnPrettyNormal: <cn=admin,dc=example,dc=com>, <cn=admin,dc=example,dc=com>
>>> dnNormalize: <ou=System,dc=example,dc=com>
<<< dnNormalize: <ou=system,dc=example,dc=com>
>>> dnNormalize: <cn=Ldap Admins,ou=Groups,dc=example,dc=com>
<<< dnNormalize: <cn=ldap admins,ou=groups,dc=example,dc=com>
oc_check_allowed type "uniqueMember"
hdb_db_init: Initializing HDB database
>>> dnPrettyNormal: <dc=demo,dc=net>
<<< dnPrettyNormal: <dc=demo,dc=net>, <dc=demo,dc=net>
>>> dnPrettyNormal: <cn=admin,dc=demo,dc=net>
<<< dnPrettyNormal: <cn=admin,dc=demo,dc=net>, <cn=admin,dc=demo,dc=net>
>>> dnNormalize: <dc=demo,dc=net>
<<< dnNormalize: <dc=demo,dc=net>
>>> dnNormalize: <dc=demo,dc=net>
<<< dnNormalize: <dc=demo,dc=net>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
    1.2.840.113556.1.4.804 (integerBitOrMatch): matchingRuleUse: ( 1.2.840.113556.1.4.804 NAME 'integerBitOrMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption ) )
    1.2.840.113556.1.4.803 (integerBitAndMatch): matchingRuleUse: ( 1.2.840.113556.1.4.803 NAME 'integerBitAndMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption ) )
    1.3.6.1.4.1.1466.109.114.2 (caseIgnoreIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.2 NAME 'caseIgnoreIA5Match' APPLIES ( altServer $ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox ) )
    1.3.6.1.4.1.1466.109.114.1 (caseExactIA5Match): matchingRuleUse: ( 1.3.6.1.4.1.1466.109.114.1 NAME 'caseExactIA5Match' APPLIES ( altServer $ olcDbConfig $ c $ mail $ dc $ associatedDomain $ email $ aRecord $ mDRecord $ mXRecord $ nSRecord $ sOARecord $ cNAMERecord $ janetMailbox ) )
    2.5.13.39 (certificateListMatch):     2.5.13.38 (certificateListExactMatch): matchingRuleUse: ( 2.5.13.38 NAME 'certificateListExactMatch' APPLIES ( authorityRevocationList $ certificateRevocationList $ deltaRevocationList ) )
    2.5.13.35 (certificateMatch):     2.5.13.34 (certificateExactMatch): matchingRuleUse: ( 2.5.13.34 NAME 'certificateExactMatch' APPLIES ( userCertificate $ cACertificate ) )
    2.5.13.30 (objectIdentifierFirstComponentMatch): matchingRuleUse: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ ldapSyntaxes $ supportedApplicationContext ) )
    2.5.13.29 (integerFirstComponentMatch): matchingRuleUse: ( 2.5.13.29 NAME 'integerFirstComponentMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption ) )
    2.5.13.27 (generalizedTimeMatch): matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES ( createTimestamp $ modifyTimestamp $ pwdChangedTime $ pwdAccountLockedTime $ pwdFailureTime $ pwdGraceUseTime ) )
    2.5.13.24 (protocolInformationMatch): matchingRuleUse: ( 2.5.13.24 NAME 'protocolInformationMatch' APPLIES protocolInformation )
    2.5.13.23 (uniqueMemberMatch): matchingRuleUse: ( 2.5.13.23 NAME 'uniqueMemberMatch' APPLIES uniqueMember )
    2.5.13.22 (presentationAddressMatch): matchingRuleUse: ( 2.5.13.22 NAME 'presentationAddressMatch' APPLIES presentationAddress )
    2.5.13.20 (telephoneNumberMatch): matchingRuleUse: ( 2.5.13.20 NAME 'telephoneNumberMatch' APPLIES ( telephoneNumber $ homePhone $ mobile $ pager ) )
    2.5.13.17 (octetStringMatch): matchingRuleUse: ( 2.5.13.17 NAME 'octetStringMatch' APPLIES ( userPassword $ olcDbCryptKey $ pwdHistory ) )
    2.5.13.16 (bitStringMatch): matchingRuleUse: ( 2.5.13.16 NAME 'bitStringMatch' APPLIES x500UniqueIdentifier )
    2.5.13.14 (integerMatch): matchingRuleUse: ( 2.5.13.14 NAME 'integerMatch' APPLIES ( supportedLDAPVersion $ entryTtl $ uidNumber $ gidNumber $ olcConcurrency $ olcConnMaxPending $ olcConnMaxPendingAuth $ olcIdleTimeout $ olcIndexSubstrIfMinLen $ olcIndexSubstrIfMaxLen $ olcIndexSubstrAnyLen $ olcIndexSubstrAnyStep $ olcIndexIntLen $ olcLocalSSF $ olcMaxDerefDepth $ olcReplicationInterval $ olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ olcThreads $ olcToolThreads $ olcDbCacheFree $ olcDbCacheSize $ olcDbDNcacheSize $ olcDbIDLcacheSize $ olcDbSearchStack $ olcDbShmKey $ mailPreferenceOption ) )
    2.5.13.13 (booleanMatch): matchingRuleUse: ( 2.5.13.13 NAME 'booleanMatch' APPLIES ( hasSubordinates $ olcAddContentAcl $ olcGentleHUP $ olcHidden $ olcLastMod $ olcMirrorMode $ olcMonitoring $ olcReadOnly $ olcReverseLookup $ olcDbChecksum $ olcDbNoSync $ olcDbDirtyRead $ olcDbLinearIndex $ pwdReset $ olcPPolicyHashCleartext $ olcPPolicyUseLockout ) )
    2.5.13.11 (caseIgnoreListMatch): matchingRuleUse: ( 2.5.13.11 NAME 'caseIgnoreListMatch' APPLIES ( postalAddress $ registeredAddress $ homePostalAddress ) )
    2.5.13.8 (numericStringMatch): matchingRuleUse: ( 2.5.13.8 NAME 'numericStringMatch' APPLIES ( x121Address $ internationaliSDNNumber ) )
    2.5.13.7 (caseExactSubstringsMatch): matchingRuleUse: ( 2.5.13.7 NAME 'caseExactSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
    2.5.13.6 (caseExactOrderingMatch): matchingRuleUse: ( 2.5.13.6 NAME 'caseExactOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
    2.5.13.5 (caseExactMatch): matchingRuleUse: ( 2.5.13.5 NAME 'caseExactMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage ) )
    2.5.13.4 (caseIgnoreSubstringsMatch): matchingRuleUse: ( 2.5.13.4 NAME 'caseIgnoreSubstringsMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
    2.5.13.3 (caseIgnoreOrderingMatch): matchingRuleUse: ( 2.5.13.3 NAME 'caseIgnoreOrderingMatch' APPLIES ( serialNumber $ destinationIndicator $ dnQualifier ) )
    2.5.13.2 (caseIgnoreMatch): matchingRuleUse: ( 2.5.13.2 NAME 'caseIgnoreMatch' APPLIES ( supportedSASLMechanisms $ vendorName $ vendorVersion $ ref $ name $ cn $ uid $ labeledURI $ description $ olcConfigFile $ olcConfigDir $ olcAccess $ olcAllows $ olcArgsFile $ olcAttributeOptions $ olcAttributeTypes $ olcAuthIDRewrite $ olcAuthzPolicy $ olcAuthzRegexp $ olcBackend $ olcDatabase $ olcDisallows $ olcDitContentRules $ olcInclude $ olcLdapSyntaxes $ olcLimits $ olcLogFile $ olcLogLevel $ olcModuleLoad $ olcModulePath $ olcObjectClasses $ olcObjectIdentifier $ olcOverlay $ olcPasswordCryptSaltFormat $ olcPasswordHash $ olcPidFile $ olcPlugin $ olcPluginLogFile $ olcReferral $ olcReplica $ olcReplicaArgsFile $ olcReplicaPidFile $ olcReplogFile $ olcRequires $ olcRestrict $ olcRootDSE $ olcRootPW $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ olcSecurity $ olcServerID $ olcSizeLimit $ olcSortVals $ olcSubordinate $ olcSyncrepl $ olcTimeLimit $ olcTLSCACertificateFile $ olcTLSCACertificatePath $ olcTLSCertificateFile $ olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ olcTLSCRLFile $ olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSProtocolMin $ olcUpdateRef $ olcDbDirectory $ olcDbCheckpoint $ olcDbCryptFile $ olcDbPageSize $ olcDbIndex $ olcDbLockDetect $ olcDbMode $ knowledgeInformation $ sn $ serialNumber $ c $ l $ st $ street $ o $ ou $ title $ businessCategory $ postalCode $ postOfficeBox $ physicalDeliveryOfficeName $ destinationIndicator $ givenName $ initials $ generationQualifier $ dnQualifier $ houseIdentifier $ dmdName $ pseudonym $ textEncodedORAddress $ info $ drink $ roomNumber $ userClass $ host $ documentIdentifier $ documentTitle $ documentVersion $ documentLocation $ personalTitle $ co $ uniqueIdentifier $ organizationalStatus $ buildingName $ documentPublisher $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ preferredLanguage ) )
    1.2.36.79672281.1.13.3 (rdnMatch):     2.5.13.1 (distinguishedNameMatch): matchingRuleUse: ( 2.5.13.1 NAME 'distinguishedNameMatch' APPLIES ( creatorsName $ modifiersName $ subschemaSubentry $ entryDN $ namingContexts $ aliasedObjectName $ dynamicSubtrees $ distinguishedName $ seeAlso $ olcDefaultSearchBase $ olcRootDN $ olcSchemaDN $ olcSuffix $ olcUpdateDN $ olcRelay $ pwdPolicySubentry $ olcPPolicyDefault $ member $ owner $ roleOccupant $ manager $ documentAuthor $ secretary $ associatedName $ dITRedirect ) )
    2.5.13.0 (objectIdentifierMatch): matchingRuleUse: ( 2.5.13.0 NAME 'objectIdentifierMatch' APPLIES ( supportedControl $ supportedExtension $ supportedFeatures $ supportedApplicationContext ) )
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=module{0}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}hdb"
config_build_entry: "olcDatabase={2}hdb"
backend_startup_one: starting "dc=example,dc=com"
hdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap/example.com).
backend_startup_one: starting "dc=demo,dc=net"
hdb_db_open: database "dc=demo,dc=net": dbenv_open(/var/lib/ldap/demo.net).
slapd starting
slap_listener_activate(8): 
>>> slap_listener(ldap:///)
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 24 contents:
ber_get_next
conn=0 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=189
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 236 bytes to sd 16
<== slap_sasl_bind: rc=14
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 309 contents:
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=matt,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=matt,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=matt,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=matt,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=matt,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+).*,cn=auth' string='uid=matt,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=matt,ou=Users,dc=example,dc=com'}
slap_parseURI: parsing uid=matt,ou=Users,dc=example,dc=com
ldap_url_parse_ext(uid=matt,ou=Users,dc=example,dc=com)
>>> dnNormalize: <uid=matt,ou=Users,dc=example,dc=com>
<<< dnNormalize: <uid=matt,ou=users,dc=example,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=matt,ou=users,dc=example,dc=com
slap_sasl_getdn: dn:id converted to uid=matt,ou=users,dc=example,dc=com
=> hdb_search
bdb_dn2entry("uid=matt,ou=users,dc=example,dc=com")
=> hdb_dn2id("dc=example,dc=com")
<= hdb_dn2id: got id=0x1
=> hdb_dn2id("ou=users,dc=example,dc=com")
<= hdb_dn2id: got id=0x2
=> hdb_dn2id("uid=matt,ou=users,dc=example,dc=com")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
send_ldap_result: conn=0 op=1 p=3
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 62 bytes to sd 16
<== slap_sasl_bind: rc=49
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ber_get_next on fd 16 failed errno=0 (Success)
connection_close: conn=0 sd=16
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd shutdown: initiated
====> bdb_cache_release_all
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
debug_acl.log:

@(#) $OpenLDAP: slapd 2.4.16 (Sep  3 2009 09:51:42) $
	root@ldap.example.com:/home/jittinans/openldap-2.4.16/servers/slapd
Backend ACL: access to attrs=userPassword
	by self write
	by anonymous auth
	by * none

/usr/local/etc/openldap/slapd.conf: line 50: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="ou=system,dc=example,dc=com"
	by group/groupOfUniqueNames/uniqueMember.exact="cn=ldap admins,ou=groups,dc=example,dc=com" write
	by users read

Backend ACL: access to *
	by self write
	by users search
	by * none

/usr/local/etc/openldap/slapd.conf: line 57: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=userPassword
	by anonymous auth
	by self write

/usr/local/etc/openldap/slapd.conf: line 72: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="dc=demo,dc=net"
	by dn.subtree="dc=demo,dc=net" read

Backend ACL: access to *
	by * none

config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
slapd starting
=> access_allowed: auth access to "uid=matt,ou=Users,dc=example,dc=com" "entry" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [3] attr entry
=> slap_access_allowed: result not in cache (entry)
=> acl_mask: access to entry "uid=matt,ou=Users,dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: users
<= check a_dn_pat: *
<= acl_mask: [3] applying none(=0) (stop)
<= acl_mask: [3] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
=> access_allowed: no more rules
SASL [conn=0] Failure: no secret in database
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.
Attached LDIF:

#This is the root of the directory tree
dn: dc=example,dc=com
description: Example.com, your trusted non-existent corporation.
dc: example
o: Example.com
objectClass: top
objectClass: dcObject
objectClass: organization

#Subtree for users
dn: ou=Users,dc=example,dc=com
ou: Users
description: Example.com Users
objectClass: organizationalUnit

#Subtree of Groups
dn: ou=Groups,dc=example,dc=com
ou: Groups
description: Example.com Groups
objectClass: organizationalUnit

#Subtree of System account
dn: ou=System,dc=example,dc=com
ou: System
description: Special accounts used by software applications.
objectClass: organizationalUnit

#
#USERS
#

#Matt Butcher
dn: uid=matt,ou=Users,dc=example,dc=com
ou: Users
#Name info:
uid: matt
cn: Matt Butcher
sn: Butcher
givenName: Matt
givenName: Matthew
displayName: Matt Butcher
#Work info:
title: System Integrator
description: System Integration and IT for Example.com
employeeType: Employee
departmentNumber: 001
employeeNumber: 001-08-98
mail: mbutcher@example.com
mail: matt@example.com
roomNumber: 301
telephoneNumber: +1 555 555 4321
mobile: +1 555 555 6789
st: Illinois
l: Chicago
street: 1234 Cicero Ave.
#Home info:
homePhone: +1 555 555 9876
homePostalAddress: 1234 home street $ Chicago,IL $ 60699-1234
#Misc:
userPassword: secret
preferredLanguage: en-us:en-gb
#Object Classes:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

#Barbara Jensen:
dn: uid=barbara,ou=Users,dc=example,dc=com
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
givenName: Barbara
displayName: Barbara Jensen
mail: barbara@example.com
userPassword: 12345
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

#LDAP Admin Group:
dn: cn=Ldap Admins,ou=Groups,dc=example,dc=com
cn: Ldap Admins
ou: Groups
description: Users who are LDAP Administrators
uniqueMember: uid=barbara,dc=example,dc=com
uniqueMember: uid=matt,dc=example,dc=com
objectClass: groupOfUniqueNames

#Special Account for Authentication:
dn: uid=authenticate,ou=System,dc=example,dc=com
uid: authenticate
ou: System
description: Special account for authenticating users
userPassword: secret
objectClass: account
objectClass: simpleSecurityObject



Attached slapd.conf:

# slapd.conf - Configuration file for LDAP SLAPD
##########
# Basics #
##########
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel stats
modulepath /usr/local/libexec/openldap
moduleload back_hdb
moduleload ppolicy
###########
# SSL/TLS #
###########
#TLSCACertificateFile /CA/cacert.pem
TLSCACertificatePath /CA/
TLSCertificateFile /usr/local/etc/openldap/cert/ldap.example.com.cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/cert/ldap.example.com.key.pem
TLSVerifyClient try
###########
# SASL
###########
authz-regexp 
	uid=([^,]+).*,cn=auth
	uid=$1,ou=Users,dc=example,dc=com
authz-regexp
	email=([^,]+),cn=([^,]+).*,c=TH$
	uid=$2,ou=Users,dc=example,dc=com
sasl-realm example.com
sasl-secprops none
##########################
# Database Configuration #
##########################
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw secret
directory /var/lib/ldap/example.com
index objectClass eq
index cn sub,eq
########
# ACLs #
########
#access to attrs=uid
#	by anonymous read
#	by users read
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none
access to dn.subtree="ou=System,dc=example,dc=com"
	by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
	by users read

access to *
	by self write
	by users read
	by * none



database hdb
suffix "dc=demo,dc=net"
rootdn "cn=admin,dc=demo,dc=net"
rootpw secret
directory /var/lib/ldap/demo.net
index objectClass eq
index cn eq,sub,pres,approx
index uid eq,sub,pres

access to attrs=userPassword
	by anonymous auth
	by self write
access to dn.sub="dc=demo,dc=net" 
	by dn.sub="dc=demo,dc=net"  read
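The debug_acl.log attachment already names the cause. During DIGEST-MD5 step 2 slapd looks up matt's secret as an internal operation that is still anonymous (`acl_mask: to all values by ""`), and it first needs `auth` access to the entry pseudo-attribute of uid=matt,ou=Users,dc=example,dc=com. The `attrs=userPassword` rule does grant anonymous `auth`, but the entry itself falls through to the catch-all `access to *` rule, whose `by * none` clause is applied (`[3] applying none(=0) (stop)`), so the lookup is denied and SASL reports "no secret in database". The following is an added illustration, not the original poster's file or OpenLDAP project text: the posted catch-all rule beside a corrected one. All other clauses are copied unchanged from the attached slapd.conf; the only change is the added `by anonymous auth` line.

```conf
# As posted: anonymous gets nothing on the entry, so the SASL secret
# lookup (which runs as anonymous and asks for "auth" on the entry
# pseudo-attribute) is stopped by "by * none".
#access to *
#	by self write
#	by users read
#	by * none

# userPassword rule, unchanged from the posted file: anonymous may use
# the attribute for authentication only.
access to attrs=userPassword
	by self write
	by anonymous auth
	by * none

# ou=System rule, unchanged from the posted file.
access to dn.subtree="ou=System,dc=example,dc=com"
	by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
	by users read

# Corrected catch-all. "auth" is below "read" in slapd's access levels,
# so anonymous can still neither read nor search these entries; it can
# only authenticate against them, which is exactly what DIGEST-MD5 needs.
access to *
	by self write
	by users read
	by anonymous auth
	by * none
```

Two caveats a reader of the attachments should keep in mind. First, the `-d acl` run printed `by users search` for the catch-all rule while the posted slapd.conf says `by users read`, so the log came from a slightly different revision of the file; the denial path (`[3] applying none`) is the same either way. Second, the `Ldap Admins` group in the LDIF lists `uid=barbara,dc=example,dc=com` and `uid=matt,dc=example,dc=com` as uniqueMember values, but the user entries live under `ou=Users,dc=example,dc=com`, so the `group/groupOfUniqueNames/uniqueMember` clause on ou=System will never match either user until those values are corrected. That does not affect the bind failure, but it will surface as the next problem.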
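Reading `slapd -d acl` output by hand gets tedious once there is more than one bind in the log. The script below is an added example (not part of the thread and not OpenLDAP code) that parses the `access_allowed` / `acl_mask` / `slap_access_allowed` lines in the format shown in debug_acl.log, pairs each access request with the ACL clause that decided it, and flags the specific pattern behind "no secret in database": an anonymous requester denied `auth` on an entry or on userPassword. The embedded sample log is constructed for the example; it copies the denial sequence from the attachment and adds a granted userPassword check for contrast, with the `auth(=xd)` mask string written the way slapd prints it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes taken from the "slapd -d acl" output in the thread.
RE_REQUEST = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RE_BY = re.compile(r'^=> acl_mask: to (?:all values|value) by "([^"]*)"')
RE_APPLY = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(')
RE_RESULT = re.compile(r'^=> slap_access_allowed: (\w+) access (granted|denied) by (\w+)\(')


@dataclass
class AclCheck:
    access: str                       # level requested: auth, read, search, ...
    target_dn: str
    attr: str                         # "entry" is slapd's pseudo-attribute for the entry itself
    requester: Optional[str] = None   # bound DN; "" means anonymous
    rule_index: Optional[int] = None  # index of the ACL clause that decided
    applied: Optional[str] = None     # level that clause granted (none, auth, read, ...)
    result: Optional[str] = None      # "granted" or "denied"

    @property
    def anonymous(self) -> bool:
        return self.requester == ""


def parse_acl_debug(lines) -> List[AclCheck]:
    """Group the debug lines into one AclCheck per access_allowed request."""
    checks: List[AclCheck] = []
    current: Optional[AclCheck] = None
    for raw in lines:
        line = raw.rstrip("\n")
        m = RE_REQUEST.match(line)
        if m:
            current = AclCheck(access=m.group(1), target_dn=m.group(2), attr=m.group(3))
            checks.append(current)
            continue
        if current is None or current.result is not None:
            continue  # noise between requests, or a request already decided
        m = RE_BY.match(line)
        if m:
            current.requester = m.group(1)
            continue
        m = RE_APPLY.match(line)
        if m:
            current.rule_index = int(m.group(1))
            current.applied = m.group(2)
            continue
        m = RE_RESULT.match(line)
        if m:
            current.result = m.group(2)
    return checks


def sasl_lookup_denials(checks: List[AclCheck]) -> List[AclCheck]:
    """Checks that break a SASL (DIGEST-MD5/CRAM-MD5) secret lookup: the
    internal lookup runs as anonymous and needs 'auth' on the user's entry
    and on userPassword; anything that denies that is the culprit."""
    return [c for c in checks
            if c.result == "denied" and c.access == "auth" and c.anonymous
            and c.attr in ("entry", "userPassword")]


def explain(check: AclCheck) -> str:
    who = "anonymous" if check.anonymous else check.requester
    rule = (f"ACL clause [{check.rule_index}]" if check.rule_index is not None
            else "no matching clause")
    return (f"{check.access} access to {check.attr!r} of {check.target_dn} by {who}: "
            f"{check.result} ({rule} applied {check.applied})")


# Constructed sample: the denied 'entry' check is copied from the thread's
# debug_acl.log; the granted userPassword check is added for contrast.
SAMPLE_LOG = """\
=> access_allowed: auth access to "uid=matt,ou=Users,dc=example,dc=com" "userPassword" requested
=> acl_get: [1] attr userPassword
=> acl_mask: access to entry "uid=matt,ou=Users,dc=example,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [1] applying auth(=xd) (stop)
<= acl_mask: [1] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access to "uid=matt,ou=Users,dc=example,dc=com" "entry" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [3] attr entry
=> slap_access_allowed: result not in cache (entry)
=> acl_mask: access to entry "uid=matt,ou=Users,dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: users
<= check a_dn_pat: *
<= acl_mask: [3] applying none(=0) (stop)
<= acl_mask: [3] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
=> access_allowed: no more rules
SASL [conn=0] Failure: no secret in database
"""

if __name__ == "__main__":
    for check in sasl_lookup_denials(parse_acl_debug(SAMPLE_LOG.splitlines())):
        print("SASL secret lookup blocked:", explain(check))
```

Run it against a real capture with `slapd -d acl 2>&1 | tee acl.log` and feed `acl.log` to `parse_acl_debug`; the clause index it reports (`[3]` for the thread's log) counts `access to` directives of that backend from 1, which is the same index `-d acl` prints, so it points straight at the rule to fix.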