[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Access denied consumer replication (OpenLDAP+Kerberos)
Hi Quanah. Thanks for your reply!
I was following this link to configure the provider/consumer:
http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php.
Under item "2. Kerberos client install", at the end, I was guided to
create a principal starting with ldap/dns02... But... I created 3
principals: host/dns02... ldap/dns02.. and ldaps/dns02...
And under item "8. Provider modifications" I was instruted to map
uid=ldap/... to ou=consumers
# 1.2.1.
add: olcAuthzRegexp
olcAuthzRegexp: uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
cn=$1,ou=consumers,dc=example,dc=com
I deleted the principals host/dns02... and ldaps/dns02... and the
replication started to work.
Thanks very mch!
Daniel
--
Daniel Lopes de Carvalho
dlcarvalho@gmail.com
daniellopescarvalho (skype)
19 9357-5618 (claro)
19 8251-6023 (tim)
On Thu, Oct 4, 2012 at 2:57 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> --On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho
> <dlcarvalho@gmail.com> wrote:
>
>> Hi
>>
>> I try to configure two openldap/kerberos server (provider and
>> consumer), but I'm having some issues about replication. Under LDAP
>> log, I have many entries like this: "slap_access_allowed: search
>> access denied by none(=0)"
>>
>> These messages are related to consumer access to the Kerberos database
>> on provider and the kerberos database can't be replicated to the
>> consumer. The others data are replicated normaly.
>>
>> These are the ACL under privider:
>> olcAccess: {0}to attrs=userPassword,shadowLastChange
>> by
>> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
>> dc=br" read
>> by anonymous auth by * none
>>
>> olcAccess: {1}to
>> dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>> by
>> dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
>> br" write
>> by
>> dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
>> br" read
>> by
>> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
>> dc=br" read by * none
>>
>> olcAccess: {2}to attrs=loginShell
>> by self write
>> by users read
>> by * none
>>
>> olcAccess: {3}to dn.base=""
>> by * read
>>
>> olcAccess: {4}to *
>> by users read
>> by * none
>
>
> This is the entity asking permission:
>
>
> Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
> "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
> (=0)
>
> This does not match
>
> by
> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>
> It looks like you put the host entry in the users tree and not the consumer
> tree.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration