[Date Prev][Date Next] [Chronological] [Thread] [Top]

Access denied consumer replication (OpenLDAP+Kerberos)

To: openldap-technical@openldap.org
Subject: Access denied consumer replication (OpenLDAP+Kerberos)
From: Daniel Lopes de Carvalho <dlcarvalho@gmail.com>
Date: Thu, 4 Oct 2012 13:50:44 -0300
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=FDzo0KufdxmeFpC1czjAug++ggk40CAChTpCj0TL5rE=; b=KXf7eqEF5ljbzLAKf4/2glTm2HfwgbyK6WlsXMtdjson1Gxu4gjN7y6SlPxigP4tLc aUD0NFzdDd83V6PjdA/0FL0sQZzRNVSNLzpL8xbTGKb8mYqOFUwX38g2UKzyyg6PHGwf 1mgFZ52ppOUfy2+4w2qukm6Y+faPVGfJL8a3HPPbE0YE042k1h+qVhUzi7wQlmusPe9W a1ogw4RpHr2kb72f8y6iIEXvGmoKwfwZnU5xvcvLhP7ro0D7qGnwVVBNoXF3UjoS3eo6 OQuwKUncQmcne6S6u6DNfMHz5R/LdEFgJTFDFmoXHCffipsL3I8R6Z9yLLwR75mZONuU UBpg==

Hi

I try to configure two openldap/kerberos server (provider and
consumer), but I'm having some issues about replication. Under LDAP
log, I have many entries like this: "slap_access_allowed: search
access denied by none(=0)"

These messages are related to consumer access to the Kerberos database
on provider and the kerberos database can't be replicated to the
consumer. The others data are replicated normaly.

These are the ACL under privider:
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
read
  by anonymous auth by * none

olcAccess: {1}to
dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
  by dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
write
  by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
read
  by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
read by * none

olcAccess: {2}to attrs=loginShell
  by self write
  by users read
  by * none

olcAccess: {3}to dn.base=""
  by * read

olcAccess: {4}to *
  by users read
  by * none

And bellow the ldap log snnipet:

=> access_allowed: search access to
"cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
"objectClass" requested
Oct  4 12:00:29 dns01 slapd[1163]: => dn: [2]
ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct  4 12:00:29 dns01 slapd[1163]: => acl_get: [2] matched
Oct  4 12:00:29 dns01 slapd[1163]: => acl_get: [2] attr objectClass
Oct  4 12:00:29 dns01 slapd[1163]: => acl_mask: access to entry
"cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
attr "objectClass" requested
Oct  4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
"uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
(=0)
Oct  4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat:
cn=krbadm,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct  4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat:
cn=krbkdc,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct  4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat:
ou=consumers,ou=ldap,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct  4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: *
Oct  4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] applying none(=0) (stop)
Oct  4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] mask: none(=0)
Oct  4 12:00:29 dns01 slapd[1163]: => slap_access_allowed: search
access denied by none(=0)
Oct  4 12:00:29 dns01 slapd[1163]: => access_allowed: no more rules

Can anyone help me?

Regards

Daniel

Follow-Ups:
- Re: Access denied consumer replication (OpenLDAP+Kerberos)
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: Filter a ldap connection for a user comming from an IP source
Next by Date: Re: Problem converting slapd.conf to cn=config format
Index(es):
- Chronological
- Thread