Access denied consumer replication (OpenLDAP+Kerberos)
- To: openldap-technical@openldap.org
- Subject: Access denied consumer replication (OpenLDAP+Kerberos)
- From: Daniel Lopes de Carvalho <dlcarvalho@gmail.com>
- Date: Thu, 4 Oct 2012 13:50:44 -0300
Hi,
I am trying to configure two OpenLDAP/Kerberos servers (provider and
consumer), but I'm having some issues with replication. In the LDAP
log, I have many entries like this: "slap_access_allowed: search
access denied by none(=0)"
These messages are related to consumer access to the Kerberos database
on the provider, and the Kerberos database can't be replicated to the
consumer. The other data are replicated normally.
These are the ACLs on the provider:
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
  by dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" write
  by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read
  by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read
  by * none
olcAccess: {2}to attrs=loginShell
  by self write
  by users read
  by * none
olcAccess: {3}to dn.base=""
  by * read
olcAccess: {4}to *
  by users read
  by * none
And below is the LDAP log snippet:
=> access_allowed: search access to "cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" "objectClass" requested
Oct 4 12:00:29 dns01 slapd[1163]: => dn: [2] ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: => acl_get: [2] matched
Oct 4 12:00:29 dns01 slapd[1163]: => acl_get: [2] attr objectClass
Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: access to entry "cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br", attr "objectClass" requested
Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br", (=0)
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: cn=krbadm,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: cn=krbkdc,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: ou=consumers,ou=ldap,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: *
Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] applying none(=0) (stop)
Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] mask: none(=0)
Oct 4 12:00:29 dns01 slapd[1163]: => slap_access_allowed: search access denied by none(=0)
Oct 4 12:00:29 dns01 slapd[1163]: => access_allowed: no more rules
Can anyone help me?
Regards
Daniel
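
An added example, not part of the original post: a Python sketch that replays the `by` clauses of ACL {1} against the bound DN that appears in the log, using slapd's DN scope styles (base, one, children, subtree), to show which clause decides the result. The function names are hypothetical, the DN splitting is simplified, and the log sample is two lines from the post rejoined after mail wrapping.

```python
import re

# Constructed sample: two lines from the log in the post, rejoined after mail wrapping.
LOG = '''\
Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br", (=0)
Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] applying none(=0) (stop)
'''

BASE = "dc=unisim,dc=cepetro,dc=unicamp,dc=br"
# <who> clauses of olcAccess {1} from the post: (scope style, DN pattern, access level)
ACL_1 = [
    ("base", "cn=krbadm,ou=kerberos,ou=Services," + BASE, "write"),
    ("base", "cn=krbkdc,ou=kerberos,ou=Services," + BASE, "read"),
    ("one", "ou=consumers,ou=ldap,ou=Services," + BASE, "read"),
    ("any", "*", "none"),
]

def rdns(dn):
    # Assumption: split on unescaped commas and lowercase; not a full RFC 4514 parser.
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def who_matches(style, pattern, bound_dn):
    if style == "any":
        return True
    pat, dn = rdns(pattern), rdns(bound_dn)
    is_under = len(dn) > len(pat) and dn[-len(pat):] == pat
    if style == "base":        # plain dn= means the exact DN
        return dn == pat
    if style == "one":         # direct children of the pattern only
        return is_under and len(dn) == len(pat) + 1
    if style == "children":    # any descendant, not the pattern itself
        return is_under
    if style == "subtree":     # the pattern itself and any descendant
        return dn == pat or is_under
    raise ValueError(style)

def bound_dn_from_log(text):
    # The identity slapd evaluated is the quoted DN on the "acl_mask: to ... by" line.
    m = re.search(r'acl_mask: to (?:all values|value) by "([^"]*)"', text)
    return m.group(1) if m else None

def evaluate(acl, bound_dn):
    # The first matching <who> clause wins (the default control is "stop").
    for index, (style, pattern, level) in enumerate(acl, start=1):
        if who_matches(style, pattern, bound_dn):
            return index, level
    return None, "none"

if __name__ == "__main__":
    dn = bound_dn_from_log(LOG)
    print(dn, "->", evaluate(ACL_1, dn))
```

The clause index returned for the logged DN lines up with the `[4]` in the `acl_mask: [4] applying none(=0)` line, which numbers the `by` clauses of the matched rule.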