
Re: Implementing PPolicy



On Wed, 22 Jan 2014 18:14:22 -0700,
Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:

> Just now getting back to this.  I ran the daemon in debug mode, then
> ran the passwd utility on a different server for my uid (got the same
> results as before and then terminated the daemon) and it output a lot
> on the ACLs.  I attached the full log file. Below is the tail end of
> the log:
> 
> ===================================================
> 52e068f8 <= acl_mask: [3] mask: read(=rscxd)
> 52e068f8 => slap_access_allowed: read access granted by read(=rscxd)
> 52e068f8 => access_allowed: read access granted by read(=rscxd)
> 52e068f8 => access_allowed: result not in cache (userPassword)
> 52e068f8 => access_allowed: read access to 
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword"
> requested 52e068f8 => acl_get: [1] attr userPassword
> 52e068f8 => acl_mask: access to entry 
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword" 
> requested
> 52e068f8 => acl_mask: to value by "", (=0)
> 52e068f8 <= check a_dn_pat: self
> 52e068f8 <= check a_dn_pat: anonymous
> 52e068f8 <= acl_mask: [2] applying auth(=xd) (stop)
> 52e068f8 <= acl_mask: [2] mask: auth(=xd)
> 52e068f8 => slap_access_allowed: read access denied by auth(=xd)
> 52e068f8 => access_allowed: no more rules
> 52e068f8 send_search_entry: conn 1000 access to attribute
> userPassword, value #0 not allowed
> 52e068fb => bdb_entry_get: found entry: 
> "uid=jschaeffer,ou=people,dc=harmonywave,dc=com"
> 52e068fb => bdb_entry_get: found entry: 
> "cn=default,ou=policies,dc=harmonywave,dc=com"
> 52e068fb => access_allowed: result not in cache (userPassword)
> 52e068fb => access_allowed: auth access to 
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword"
> requested 52e068fb => acl_get: [1] attr userPassword
> 52e068fb => acl_mask: access to entry 
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword" 
> requested
> 52e068fb => acl_mask: to value by "", (=0)
> 52e068fb <= check a_dn_pat: self
> 52e068fb <= check a_dn_pat: anonymous
> 52e068fb <= acl_mask: [2] applying auth(=xd) (stop)
> 52e068fb <= acl_mask: [2] mask: auth(=xd)
> 52e068fb => slap_access_allowed: auth access granted by auth(=xd)
[...]

There is an anonymous trying to read a userPassword (and probably
trying to modify it afterwards). According to your access rules only
auth permissions are granted to anonymous.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
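As an added example, not part of this thread or of the OpenLDAP project: a small Python parser for slapd ACL debug lines like those quoted above. It tags each `slap_access_allowed` decision with the identity the ACL engine was evaluating (the `to value by ""` line, where an empty DN is anonymous) and cross-checks the verdict against the privilege letters slapd prints, so `read` denied by `auth(=xd)` and `auth` granted by `auth(=xd)` both come out as expected. The level-to-letters table and the sample lines are mine; the sample is the thread's wrapped log lines rejoined.

```python
import re

# slapd access levels in increasing strength, with the privilege letters
# the ACL debug output prints for each, e.g. read(=rscxd) or auth(=xd).
LEVEL_PRIVS = {
    "none": "", "disclose": "d", "auth": "xd", "compare": "cxd",
    "search": "scxd", "read": "rscxd", "write": "wrscxd", "manage": "mwrscxd",
}

def level_satisfies(granted: str, requested: str) -> bool:
    """An operation is allowed when every letter the requested level
    needs is present in the mask granted by the matching ACL clause."""
    return set(LEVEL_PRIVS[requested]) <= set(LEVEL_PRIVS[granted])

# One decision per slap_access_allowed line: connection id, requested level,
# verdict, and the clause (level plus letters) that produced it.
DECISION = re.compile(
    r"^(?P<conn>[0-9a-f]+) => slap_access_allowed: (?P<requested>\w+) access "
    r"(?P<verdict>granted|denied) by (?P<granted>\w+)\(=(?P<letters>\w*)\)$")
# "to value by <dn>" names the identity being evaluated; "" means anonymous.
BY_DN = re.compile(r'^(?P<conn>[0-9a-f]+) => acl_mask: to value by "(?P<dn>[^"]*)"')

def parse_acl_log(lines):
    """Return one record per access decision, tagged with the identity
    the ACL engine was evaluating on that connection at the time."""
    identity, records = {}, []
    for line in lines:
        m = BY_DN.match(line)
        if m:
            identity[m["conn"]] = m["dn"] or "anonymous"
            continue
        m = DECISION.match(line)
        if m:
            # Does the printed verdict agree with the privilege letters?
            expected = level_satisfies(m["granted"], m["requested"])
            records.append({
                "conn": m["conn"], "by": identity.get(m["conn"], "unknown"),
                "requested": m["requested"], "verdict": m["verdict"],
                "rule": m["granted"],
                "consistent": expected == (m["verdict"] == "granted"),
            })
    return records

def denied(records):
    """Only the decisions that refused access; the ones worth reviewing."""
    return [r for r in records if r["verdict"] == "denied"]

# Constructed sample: the thread's wrapped log lines rejoined into single lines.
SAMPLE = """\
52e068f8 => slap_access_allowed: read access granted by read(=rscxd)
52e068f8 => acl_mask: to value by "", (=0)
52e068f8 => slap_access_allowed: read access denied by auth(=xd)
52e068fb => acl_mask: to value by "", (=0)
52e068fb => slap_access_allowed: auth access granted by auth(=xd)
""".splitlines()
```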