
Re: Got error while enabling SASL



Thanks, Dan, it worked.

Now, hopefully, the last query from my side (sorry to bother you so much).
>> As I gave:
     access to dn.subtree="ou=System,o=xyz"
          by dn="uid=sasluser21,ou=System,o=xyz" read
          by anonymous auth

So, will giving the anonymous privilege cause any issue?
I read the following:
Next is by anonymous auth. This phrase grants an anonymous user (one who has not yet authenticated) permission to authenticate using a password. More accurately, it indicates that when a user submits a request for authentication, the directory server is allowed to perform an authentication operation (which amounts to comparing the submitted password with the value in the userPassword attribute for the corresponding user's entry).

What is its impact? Please shed some light on it.

Thanks and Regards,
Gaurav Gugnani

On Wed, Feb 8, 2012 at 10:25 PM, Dan White <dwhite@olp.net> wrote:
On 02/08/12 21:51 +0530, Gaurav Gugnani wrote:
Hello Dan,

Thanks for replying. But there is one question:
Q: *While doing ldapsearch, why is the dn showing uid\3Dsasluser21?*

Because you were passing '-U uid=sasluser21' to ldapsearch. '\3D' is the
hex escape value for '='.

I executed ldapwhoami and here are the findings:

ldapwhoami -Y digest-md5 -U sasluser21
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
      additional info: SASL(-13): user not found: no secret in database

*Logs:*

ldap-test0 slapd[25625]: do_bind: dn () SASL mech DIGEST-MD5
ldap-test0 slapd[25625]: SASL [conn=7496] Debug: DIGEST-MD5 server step 2
ldap-test0 slapd[25625]: slap_sasl_getdn: u:id converted to
uid=sasluser21,cn=DIGEST-MD5,cn=auth
ldap-test0 slapd[25625]: >>> dnNormalize:
<uid=sasluser21,cn=DIGEST-MD5,cn=auth>
ldap-test0 slapd[25625]: <<< dnNormalize:
<uid=sasluser21,cn=digest-md5,cn=auth>
ldap-test0 slapd[25625]: ==>slap_sasl2dn: converting SASL name
uid=sasluser21,cn=digest-md5,cn=auth to a DN
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1]
string='uid=sasluser21,cn=digest-md5,cn=auth'
ldap-test0 slapd[25625]: ==> rewrite_rule_apply
rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
string='uid=sasluser21,cn=digest-md5,cn=auth' [1 pass

ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1]
res={0,'uid=sasluser21,ou=System,o=xyz'}
ldap-test0 slapd[25625]: slap_parseURI: parsing
uid=sasluser21,ou=System,o=xyz
ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,ou=System,o=xyz>
ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,ou=system,o=xyz>
ldap-test0 slapd[25625]: <==slap_sasl2dn: Converted SASL name to
uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: slap_sasl_getdn: dn:id converted to
uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: => bdb_search
ldap-test0 slapd[25625]: bdb_dn2entry("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: => bdb_dn2id("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: <= bdb_dn2id: got id=0x68a
ldap-test0 slapd[25625]: entry_decode: "uid=sasluser21,ou=System,o=xyz"
ldap-test0 slapd[25625]: <= entry_decode(uid=sasluser21,ou=System,o=xyz)
ldap-test0 slapd[25625]: => access_allowed: auth access to
"uid=sasluser21,ou=System,o=xyz" "entry" requested
ldap-test0 slapd[25625]: => dn: [2] o=xyz
ldap-test0 slapd[25625]: => dn: [3] ou=subscribers,o=xyz
ldap-test0 slapd[25625]: => acl_get: [4] attr entry
ldap-test0 slapd[25625]: => acl_mask: access to entry
"uid=sasluser21,ou=System,o=xyz", attr "entry" requested
ldap-test0 slapd[25625]: => acl_mask: to all values by "", (=0)
ldap-test0 slapd[25625]: <= check a_dn_pat: self
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: <= acl_mask: no more <who> clauses, returning =0
(stop)
ldap-test0 slapd[25625]: => slap_access_allowed: auth access denied by =0
ldap-test0 slapd[25625]: => access_allowed: no more rules

Notice "auth access denied".

On Wed, Feb 8, 2012 at 9:32 PM, Dan White <dwhite@olp.net> wrote:
You might need a more permissive (by anonymous auth) ACL here, for
dn.base="ou=System,o=xyz" and "attrs=entry".

See slapd.access(5).

Read through the manpage for slapd.access, and fix your ACL config as
described above.

--
Dan White
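The ACL Gaurav asks about, written out as a complete slapd.conf fragment to show what "by anonymous auth" does and does not grant. This is an added example, not configuration from this thread or from the OpenLDAP documentation; o=xyz, ou=System and uid=sasluser21 are the thread's placeholder names, and the surrounding rules are assumed.

```conf
# Added example: slapd.conf ACL fragment (assumed layout; DNs are the
# thread's placeholders). OpenLDAP privilege levels form a ladder:
#   none < disclose < auth < compare < search < read < write
# "auth" is the lowest level that lets a bind succeed: slapd may compare
# a submitted password against userPassword, and (as the log above shows
# for attr "entry") may locate the entry behind a SASL identity, but an
# anonymous requester can neither search for nor read the entry itself.
#
# Order matters: the first "access to" clause whose <what> matches wins,
# so the attribute-specific rule must come before the subtree rule.

# Credentials: owner may change them, anonymous may only bind with them.
# Without this rule the subtree rule below would let sasluser21 *read*
# userPassword on every entry under ou=System (read covers all attrs).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The rule from the thread, with an explicit default. "by anonymous auth"
# on the entry is what the failing log line
#   access_allowed: auth access to "uid=sasluser21,ou=System,o=xyz" "entry"
# was asking for; it lets slap_sasl2dn map the SASL id to this entry
# without granting anonymous clients any search or read privilege.
access to dn.subtree="ou=System,o=xyz"
        by dn="uid=sasluser21,ou=System,o=xyz" read
        by anonymous auth
        by * none

# Everything else: authenticated users may read, anonymous gets nothing.
access to *
        by users read
        by * none
```

A quick check after reloading: an anonymous `ldapsearch -x -b "ou=System,o=xyz"` should return no entries, while `ldapwhoami -Y digest-md5 -U sasluser21` should now bind successfully.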