[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: OpenLDAP and SASL
Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
> Dieter Kluenter wrote:
>
>Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
> access to attrs=userPassword
> by self write
> by anonymous auth
> by * none
> access to dn.subtree="ou=System,dc=example,dc=com"
> by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
> by users read
>
> access to *
> by self write
> by users read
> by * none
This access rules will not allow anonymous auth access to basedn special
attribute entry,
> => hdb_dn2id("uid=matt,ou=users,dc=example,dc=com")
> <= hdb_dn2id: got id=0x5
> entry_decode: ""
> <= entry_decode()
> send_ldap_result: conn=0 op=1 p=3
> SASL [conn=0] Failure: no secret in database
> send_ldap_result: conn=0 op=1 p=3
> send_ldap_response: msgid=2 tag=97 err=49
> ber_flush2: 62 bytes to sd 16
> <== slap_sasl_bind: rc=49
[...]
sasl reports 'no secret in database, check your access rules!
[...]
Please run slapd in debugging mode acl, this will show you the applied
access rules. You should see something like this:
> acl_mask: access to entry "o=avci,c=de", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
[...]
> acl_mask: access to entry "cn=admanager,o=avci,c=de", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
[...]
=> access_allowed: auth access to "cn=admanager,o=avci,c=de" "userPassword" requested
=> acl_get: [1] attr userPassword
[...]
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E