[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SyncRepl Chaining

To: espeake@oreillyauto.com
Subject: Re: SyncRepl Chaining
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Fri, 06 Sep 2013 09:56:40 -0700
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-filter: OpenDKIM Filter v2.8.4 edge02-zcs.vmware.com E27184D6
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zimbra.com; s=C2AA288C-EE47-11E2-9BB0-E820BDD9BDBF; t=1378486603; bh=BAxpb+ny2zZL5imrmyN4U3ujTiidg+no6ssWH8K6uJk=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding; b=Tqv/I+KNwYKnlvGiDFbLy5h9U4WsTo/r0YWEHWBFHhCOzdg9OywAiNjJAO1DcHQQ5 PGHRS6aJRibzriOYUgwBdGIfnOPKh3bWvYXxtDeW8/LH5gJctihcs9Kguj7ajC99LF ks1VHURdtVJcxZaZjjBhQoRGzlv6UHaIn8Biy18Y=
In-reply-to: <OFB198C1DA.D982C580-ON86257BDE.005C9E55-86257BDE.005CA25B@LocalDomain>
References: <OF6221F983.DA1F8092-ON86257BCC.004EF16C-86257BCC.00512A01@LocalDomain> <6CA876FB752413CB29E2EA6B@[192.168.1.22]> <OF025EAA37.81DCFA28-ON86257BDE.00508792-86257BDE.00513044@LocalDomain> <C0B20AD5CD5F41CE59386554@[192.168.1.22]> <OF5A07E42A.4C217BE1-ON86257BDE.0055CC85-86257BDE.0055F196@LocalDomain> <2B0E0E65085221BA0FB7BE66@[192.168.1.22]> <OF654A949D.245F7EA3-ON86257BDE.005A7A63-86257BDE.005B103D@LocalDomain> <0E60476DA07A935954D7321C@[192.168.1.22]> <OFB198C1DA.D982C580-ON86257BDE.005C9E55-86257BDE.005CA25B@LocalDomain>

--On Friday, September 06, 2013 11:52 AM -0500 espeake@oreillyauto.comwrote:




From:	Quanah Gibson-Mount <quanah@zimbra.com>
To:	espeake@oreillyauto.com
Cc:	openldap-technical@openldap.org
Date:	09/06/2013 11:45 AM
Subject:	Re: SyncRepl Chaining



--On Friday, September 06, 2013 11:35 AM -0500 espeake@oreillyauto.com
wrote:

Here is the olcAcces from the slapcat on the database.  Rule {0} should
what it is using but becaus eof it not authenticating rule {2} is being
applied instead.


Did you mean to paste your rules in here and forget? ;)

--Quanah

Yep.  had a hungry child calling me while I was trying to get this out.

olcAccess: {0}to *
    by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
    by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
    by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
    by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
    by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write

As you have no break clause, this is the only ACL that ever applies. Sincethere is no anonymous read access to userPassword, it is impossible toauthenticate as any user. Thus your inability to authenticate any user isentirely caused by your broken ACLs.


--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Follow-Ups:
- Re: SyncRepl Chaining
  - From: espeake@oreillyauto.com

References:
- SyncRepl Chaining
  - From: espeake@oreillyauto.com
- Re: SyncRepl Chaining
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: SyncRepl Chaining
  - From: espeake@oreillyauto.com
- Re: SyncRepl Chaining
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: SyncRepl Chaining
  - From: espeake@oreillyauto.com

Prev by Date: Re: 2.4.36: test050-syncrepl-multimaster failed for mdm
Next by Date: Re: Antw: Re: Log service time?
Index(es):
- Chronological
- Thread