[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access denied consumer replication (OpenLDAP+Kerberos)



--On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho <dlcarvalho@gmail.com> wrote:

Hi

I try to configure two openldap/kerberos server (provider and
consumer), but I'm having some issues about replication. Under LDAP
log, I have many entries like this: "slap_access_allowed: search
access denied by none(=0)"

These messages are related to consumer access to the Kerberos database
on provider and the kerberos database can't be replicated to the
consumer. The others data are replicated normaly.

These are the ACL under privider:
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by
dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
dc=br" read
  by anonymous auth by * none

olcAccess: {1}to
dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
  by
dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
br" write
  by
dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
br" read
  by
dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
dc=br" read by * none

olcAccess: {2}to attrs=loginShell
  by self write
  by users read
  by * none

olcAccess: {3}to dn.base=""
  by * read

olcAccess: {4}to *
  by users read
  by * none

This is the entity asking permission:

Oct  4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
"uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
(=0)

This does not match

by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"

It looks like you put the host entry in the users tree and not the consumer tree.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration