Re: Insufficient acces in some cases
- To: Clément OUDOT <clement.oudot@worteks.com>
- Subject: Re: Insufficient acces in some cases
- From: Ervin Hegedüs <airween@gmail.com>
- Date: Tue, 18 Sep 2018 22:23:22 +0200
- Cc: openldap-technical@openldap.org
- In-reply-to: <fd4e62f0-9f5d-b746-41a5-0cc35b840765@worteks.com>
- References: <20180918161109.GA28878@arxnet.hu> <fd4e62f0-9f5d-b746-41a5-0cc35b840765@worteks.com>
- User-agent: Mutt/1.5.24 (2015-08-30)
Hi,
thanks for the reply,
On Tue, Sep 18, 2018 at 09:40:00PM +0200, Clément OUDOT wrote:
> On 18/09/2018 at 18:11, Ervin Hegedüs wrote:
> > Hi, there is an interesting insufficient access problem...
> >
> > There are 3 (in the dev environment 2) multimaster LDAP nodes.
> >
> > There is a simple web frontend, written in PHP, where a user can
> > change their own password, or can get a link to set up a new password
> > if the old one has been lost.
> >
> > In some cases (for some users) the user can't change their own password
> > through PHP. When I change it from the webserver with ldapmodify and
> > a simple LDIF file, it works well.
> >
> > But when I try to modify the password through PHP, I get an
> > "Insufficient access" error, and these lines are in syslog:
> >
> >
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
...
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]:
> >
>
> I would say that the PHP application is sending some garbage to the
> directory. What application are you using for password change, is it LTB
> Self Service Password ?
No, that's a custom development, which will be extended with many
other features - no matter now.
But then I don't understand why this error comes only for a few users
(the total number of users is about 200 now; we know about 2-3
affected users).
Anyway, I also thought what you wrote, switched back to
native LDAP (instead of LDAPS), and made a capture on the LDAP side.
There isn't any garbage in the packets; all requests contain
absolutely normal lines... If you are interested, I can
send you a cap file - but that contains sensitive data, of
course.
I can just share some screenshots of the traffic; I hope it
shows that there is no other garbage:
https://www.dropbox.com/sh/x8ol6cfc39zj7cp/AADCo3CgcHPQnvOre4hjuULpa
Thanks again,
a.
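The one-character-per-line syslog entries quoted above are what slapd's ACL debug output looks like when syslog turns each Debug() call of the regex match into its own line, so a useful check before chasing "garbage" is to re-join them. The script below is an added example written for this page, not code from the thread: it groups such a trace into one record per access check, records which ACL clause and dn.regex pattern matched, and reassembles the characters so they can be compared with the DN slice at the `match[dnN]: start end` offsets (assumed to index into the DN the ACL was matched against); the sample log is constructed, with the domain changed.

```python
import re

# Constructed sample modelled on the syslog lines quoted above (domain changed):
# slapd emits the regex match one Debug() call per character, syslog makes each
# call its own line, and a blank line closes the run.
PREFIX = "Sep 18 17:48:13 dev-ldap-01 slapd[12125]: "
REQ_DN = "uid=comp1_user1,ou=Users,ou=COMP1,dc=example,dc=hu"
SAMPLE = [
    PREFIX + f'=> access_allowed: search access to "{REQ_DN}" "objectClass" requested',
    PREFIX + "=> dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=example,dc=hu nsub: 1",
    PREFIX + "=> acl_get: [3] matched",
    PREFIX + "=> match[dn0]: 25 50",
] + [PREFIX + ch for ch in REQ_DN[25:50]] + [PREFIX.rstrip()]

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ slapd\[\d+\]: ?(.*)$")
REQ_RE = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
DNPAT_RE = re.compile(r"=> dnpat: \[(\d+)\] (.*) nsub: \d+$")
ACL_RE = re.compile(r"=> acl_get: \[(\d+)\] matched$")
MATCH_RE = re.compile(r"=> match\[dn(\d+)\]: (-?\d+) (-?\d+)$")

def parse_acl_trace(lines):
    """One record per access check: requested DN/attr, the ACL clause and dn.regex
    pattern that matched, and each per-character match run re-joined into text;
    agrees_with_dn is False when that text is not the DN slice at the offsets."""
    records, cur, run = [], None, None
    for msg in (m.group(1) for m in map(LINE_RE.match, lines) if m):
        if run is not None:
            if len(msg) == 1:                      # one character of the match
                run["text"] += msg
                continue
            run["agrees_with_dn"] = run["text"].lower() == run["dn_slice"].lower()
            cur["matches"].append(run)             # blank line or next event ends it
            run = None
            if msg == "":
                continue
        if r := REQ_RE.match(msg):
            cur = {"access": r[1], "dn": r[2], "attr": r[3], "acl": None,
                   "pattern": None, "matches": []}
            records.append(cur)
        elif cur is None:
            continue
        elif r := DNPAT_RE.match(msg):             # last dnpat before "matched"
            cur["pattern"] = r[2]
        elif r := ACL_RE.match(msg):
            cur["acl"] = int(r[1])
        elif r := MATCH_RE.match(msg):             # rm_so / rm_eo of the group
            run = {"group": int(r[1]), "text": "",
                   "dn_slice": cur["dn"][int(r[2]):int(r[3])]}
    return records
```

Run it over the real syslog extract (`parse_acl_trace(open("slapd.log"))`); a record whose re-joined text agrees with the DN slice shows the characters are the normal ACL debug trace rather than anything the PHP client sent.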