Re: ACL problems: (was: objectIdentifierMatch)

--On Thursday, September 26, 2002 6:39 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

At 10:04 AM 2002-09-26, Quanah Gibson-Mount wrote:


--On Wednesday, September 25, 2002 8:03 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

Changed the subject as this has nothing to do with the
objectIdentifierMatch issue previously reported.

As far as debugging your problem, I suggest you examine
logs to determine what's going on here.  Enabling ACL logging
would likely be particularly informative.

The only curious thing I see in your post is your comment:
I am a member of both ldapadmin, and supervisor.  Still,
with this setup, I cannot bind as either of them

This implies you are not authenticating as yourself but as cn=supervisor,cn=applications,dc=stanford,dc=edu or cn=ldapadmin,cn=applications,dc=stanford,dc=edu

Or maybe you are authenticating as yourself and assuming
one of these identities.

Well, that is what <should> happen, but isn't happening. ;)

I think the problem lies within the fact that we are using SASL GSSAPI.

I've now exposed the sasl-regexp attributes to * read, and I now get the
correct authcDN of suRegID=<my suRegID>.  I've also tried exposing the
member attribute to * read, but that does not solve the problem either.

do_bind: SASL/GSSAPI bind: dn="suRegID=85e49978f61311d2a3662436000baa77,cn=People,dc=stanford,dc=edu"

I've also allowed access to * by users search

My suRegID is a group member of Supervisor and of LdapAdmin.

Neither of these groups includes the above DN.

In fact, if you had looked at the snippet from the logs, you'd see that I'd made a typo, and the DN from the logs exactly matches my DN present in supervisor and ldapadmin.


--Quanah

# supervisor, Applications, stanford.edu
dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: supervisor
member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu

# ldapAdmin, Applications, stanford.edu
dn: cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=118217f4e76411d184232436000baa77,cn=People,dc=stanford,dc=edu

What I see in the logs is that when the ldapsearch goes through, it is
reporting that I'm not a member:

Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 248973 local4.debug] => bdb_group: gr dn: "cn=supervisor,cn=applications,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 231450 local4.debug] => bdb_group: op dn: "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 529798 local4.debug] => bdb_group: oc: "groupOfNames" at: "member"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 461965 local4.debug] => bdb_group: tr dn: "dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 749508 local4.debug] bdb_dn2entry_rw("cn=supervisor,cn=applications,dc=stanford,dc=edu")
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 157115 local4.debug] => bdb_dn2id( "cn=supervisor,cn=applications,dc=stanford,dc=edu" )
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 697587 local4.debug] <= bdb_dn2id: got id=0x00000005
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 548982 local4.debug] entry_decode: "cn=supervisor,cn=Applications,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 184541 local4.debug] <= entry_decode(cn=supervisor,cn=Applications,dc=stanford,dc=edu)
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 257784 local4.debug] => bdb_group: found group: "cn=supervisor,cn=applications,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 721865 local4.debug] <= bdb_group: found objectClass groupOfNames and member
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 114958 local4.debug] dnNormalize: <suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu>
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 631365 local4.debug] <= bdb_group: "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu" not in "cn=supervisor,cn=applications,dc=stanford,dc=edu": member
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 416987 local4.debug] ====> bdb_cache_return_entry_r( 5 ): created (0)
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 340953 local4.debug] bdb_group: rc=1

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
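Added example, not code from this thread or from OpenLDAP: a small re-implementation of the decision that the bdb_group log lines above record (find the group entry, check its objectClass, compare the normalized bind DN against each normalized member value), run over the two groupOfNames entries posted in the thread. The DN normalization is an explicit approximation of slapd's dnNormalize (lower-case attribute types, case-fold values of case-insensitive attributes, strip whitespace around separators; not escape-aware), and treating suRegID as case-insensitive is an assumption about a site-specific attribute. The two bind DNs are the ones quoted above: the a366... value is the typo Quanah mentions, the ae66... value is the one in the bind log. The example shows that case differences such as cn=Applications versus cn=applications do not affect the match, while a single wrong hex digit does.

```python
"""Simplified bdb_group-style membership check over the thread's group LDIF.

Constructed illustration; the normalization rules are an approximation of
slapd's schema-driven dnNormalize, not its actual code.
"""
import re
from typing import Dict, List

# Constructed from the LDIF in the thread. Member values are written as LDIF
# continuation lines (leading space) to exercise the parser.
GROUP_LDIF = """\
dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: supervisor
member:
 suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member:
 suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu

dn: cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member:
 suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member:
 suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member:
 suRegID=118217f4e76411d184232436000baa77,cn=People,dc=stanford,dc=edu
"""

# Attribute types whose values are matched case-insensitively. Including
# suRegID here is an assumption (it is a Stanford-specific attribute).
CASE_IGNORE_TYPES = {"cn", "dc", "ou", "o", "suregid"}

# Bind DNs quoted in the thread: the typo'd one and the one from the log.
TYPO_DN = "suRegID=85e49978f61311d2a3662436000baa77,cn=People,dc=stanford,dc=edu"
LOGGED_DN = "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"


def normalize_dn(dn: str) -> str:
    """Approximate dnNormalize: lower-case attribute types, case-fold values
    of case-ignore attributes, and drop whitespace around '=' and ','."""
    rdns = []
    for rdn in dn.split(","):
        atype, _, value = rdn.partition("=")
        atype = atype.strip().lower()
        value = value.strip()
        if atype in CASE_IGNORE_TYPES:
            value = value.lower()
        rdns.append(f"{atype}={value}")
    return ",".join(rdns)


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader keyed by normalized DN; joins ' '-continuations."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # LDIF continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs: Dict[str, List[str]] = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries


def is_group_member(entries: Dict[str, Dict[str, List[str]]], group_dn: str,
                    op_dn: str, oc: str = "groupofnames",
                    at: str = "member") -> bool:
    """The decision bdb_group logs: locate the group, require objectClass
    <oc>, then compare the normalized bind DN with each normalized <at>."""
    group = entries.get(normalize_dn(group_dn))
    if group is None:
        return False                      # group entry not found
    if oc not in {v.lower() for v in group.get("objectclass", [])}:
        return False                      # group lacks the required objectClass
    target = normalize_dn(op_dn)
    return any(normalize_dn(m) == target for m in group.get(at, []))


GROUPS = parse_ldif(GROUP_LDIF)

if __name__ == "__main__":
    for who in (TYPO_DN, LOGGED_DN):
        for grp in ("cn=supervisor,cn=applications,dc=stanford,dc=edu",
                    "cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"):
            print(f"{who} in {grp}: {is_group_member(GROUPS, grp, who)}")
```

When an ACL `by group/groupOfNames/member="..."` clause unexpectedly denies access, compare what slapd logs as the "op dn" (the DN the ACL engine actually evaluates, after any sasl-regexp mapping) against the member values byte for byte; in this toy the logged DN is a member of both groups and only the typo'd DN is not, which is the comparison worth making against the real directory before looking elsewhere.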