
Access denied consumer replication (OpenLDAP+Kerberos)



Hi

I am trying to configure two OpenLDAP/Kerberos servers (provider and
consumer), but I'm having some issues with replication. In the LDAP
log, I have many entries like this: "slap_access_allowed: search
access denied by none(=0)"

These messages are related to consumer access to the Kerberos database
on the provider, and the Kerberos database can't be replicated to the
consumer. The other data is replicated normally.

These are the ACLs on the provider:
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read
  by anonymous auth by * none

olcAccess: {1}to dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
  by dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" write
  by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read
  by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by * none

olcAccess: {2}to attrs=loginShell
  by self write
  by users read
  by * none

olcAccess: {3}to dn.base=""
  by * read

olcAccess: {4}to *
  by users read
  by * none

And below is the LDAP log snippet:

=> access_allowed: search access to "cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" "objectClass" requested
Oct  4 12:00:29 dns01 slapd[1163]: => dn: [2] ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct  4 12:00:29 dns01 slapd[1163]: => acl_get: [2] matched
Oct  4 12:00:29 dns01 slapd[1163]: => acl_get: [2] attr objectClass
Oct  4 12:00:29 dns01 slapd[1163]: => acl_mask: access to entry "cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br", attr "objectClass" requested
Oct  4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br", (=0)
Oct  4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: cn=krbadm,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct  4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: cn=krbkdc,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct  4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: ou=consumers,ou=ldap,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct  4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: *
Oct  4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] applying none(=0) (stop)
Oct  4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] mask: none(=0)
Oct  4 12:00:29 dns01 slapd[1163]: => slap_access_allowed: search access denied by none(=0)
Oct  4 12:00:29 dns01 slapd[1163]: => access_allowed: no more rules

Can anyone help me?

Regards

Daniel
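
Added example, not part of the original message: a small Python script that reads the acl_mask trace quoted above (syslog prefixes dropped, mail line-wraps rejoined) and tests the bound DN against each pattern slapd checked. The style list (exact, exact, one, any) is taken from the posted {1} ACL; the DN normalisation is simplified and this is an illustration, not slapd's own matching code.

```python
import re

# Trace lines from the post above, with mail line-wraps rejoined.
TRACE = """\
=> acl_mask: to all values by "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br", (=0)
<= check a_dn_pat: cn=krbadm,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
<= check a_dn_pat: cn=krbkdc,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
<= check a_dn_pat: ou=consumers,ou=ldap,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
<= check a_dn_pat: *
<= acl_mask: [4] applying none(=0) (stop)
"""

# <who> styles in the order the provider's {1} ACL lists its "by" clauses.
STYLES = ["exact", "exact", "one", "any"]

def norm(dn):
    # Simplified normalisation: lower-case and trim each RDN (no escaped commas).
    return [rdn.strip().lower() for rdn in dn.split(",")]

def dn_matches(style, pattern, dn):
    p, d = norm(pattern), norm(dn)
    if style == "any":       # "by *"
        return True
    if style == "exact":     # "by dn=..."
        return d == p
    if style == "one":       # "by dn.one=...": direct children only
        return d[1:] == p
    if style == "subtree":   # the entry itself or anything below it
        return d[-len(p):] == p
    raise ValueError(style)

def analyse(trace, styles):
    # Pull out the bound DN, the patterns slapd checked, and the clause it applied.
    who = re.search(r'acl_mask: to all values by "([^"]*)"', trace).group(1)
    pats = re.findall(r"check a_dn_pat: (\S+)", trace)
    idx, mask = re.search(r"acl_mask: \[(\d+)\] applying (\w+)", trace).groups()
    results = [(p, s, dn_matches(s, p, who)) for p, s in zip(pats, styles)]
    return {"who": who, "clause": int(idx), "mask": mask, "results": results}

if __name__ == "__main__":
    r = analyse(TRACE, STYLES)
    print("bound as:", r["who"])
    for pat, style, ok in r["results"]:
        print(f"  {style:7} {pat} -> {'match' if ok else 'no match'}")
    print(f"clause [{r['clause']}] applied: {r['mask']}")
```

In this trace the only pattern the bound DN satisfies is `*`, which agrees with clause [4] being the one slapd applied.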