
Re: (ITS#3996) syncrepl with subordinate back-meta keeps reconnecting.



> I don't know how relevant this is, but I tried a similar ldapsearch
> query from the DN of the syncrepl consumer.  Even though the ACLs
> decline access to the subtree in question, it seems slapd still
> chases down into the meta-backend, given the log below.
>
> Should the server's search continue into the meta-backends even though
> the ACLs deny access?  Obviously, the client never received any entries
> that it was forbidden to access.

back-meta, by design, doesn't honor ACLs, as documented in slapd-meta(5).
The same happens for most of the backends that do not actually store data.
The only backends that fully honor ACLs are back-bdb, hdb, ldbm and sql.
ACLs are only honored on the data that is returned, because the frontend
takes care of this.  So, among the others, "search" permissions are not
honored; only "read" permissions are.

p.

>
> KRB5CCNAME=/etc/krb5.tkt.ldap ldapsearch -Y gssapi -H
> ldaps://wassup.svl.ibm.com/ -l 0 -z 4096 -b ou=ecmbi,o=ibm '*' +
>
> # Deny access to replicate the SSO DIT
> access to dn.sub="ou=sso,ou=ecmbi,o=ibm"
>         by dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm"
> none
>         by * read
>
> database        meta
> readonly        on
> nretries        forever
> suffix          "ou=sso,ou=ecmbi,o=ibm"
> uri             "ldaps://bluepages.ibm.com/c=us,ou=sso,ou=ecmbi,o=ibm"
> suffixmassage   "c=us,ou=sso,ou=ecmbi,o=ibm" "c=us,ou=bluepages,o=ibm.com"
> uri             "ldaps://bluepages.ibm.com/c=cn,ou=sso,ou=ecmbi,o=ibm"
> suffixmassage   "c=cn,ou=sso,ou=ecmbi,o=ibm" "c=cn,ou=bluepages,o=ibm.com"
> uri             "ldap:///ou=sso,ou=ecmbi,o=ibm";
> suffixmassage   "ou=sso,ou=ecmbi,o=ibm" "ou=SSO Stub,ou=ecmbi,o=ibm"
>
> #uri             "ldap:///ou=sso,ou=ecmbi,o=ibm";
> #suffixmassage   "ou=sso,ou=ecmbi,o=ibm" "ou=Build
> Accounts,ou=ecmbi,o=ibm"
> subordinate
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database        bdb
> suffix          "ou=ecmbi,o=ibm"
>
> # an unusable rootdn for features that require it.
> rootdn          "cn=LDAP Directory Master,ou=DSE,ou=ecmbi,o=ibm"
>
> directory       /var/lib/ldap
>
> cachesize       1024
> checkpoint      1024 15
> # Indices to maintain for this database
> index entryUUID,entryCSN                eq
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
> index member,uniqueMember               eq
>
> ### Index for krb5
> index krb5PrincipalName                 eq
>
> index notesShortName                    eq
>
> # enable this server as a syncrepl master
> overlay         syncprov
> syncprov-checkpoint 100 10
> syncprov-sessionlog 100
>
> Sep 14 17:07:49 wassup slapd[17843]: @(#) $OpenLDAP: slapd 2.3.7 (Sep  2
> 2005 10:16:32) $
> pfnguyen@swapus.svl.ibm.com:/home/pfnguyen/openldap-2.3.7/servers/slapd
> Sep 14 17:07:49 wassup slapd[17844]: slapd starting
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 fd=15 ACCEPT from
> IP=9.30.47.49:57906 (IP=0.0.0.0:636)
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 fd=15 TLS established
> tls_ssf=256 ssf=256
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=0 BIND dn="" method=163
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=0 RESULT tag=97 err=14
> text=
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=1 BIND dn="" method=163
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=1 RESULT tag=97 err=14
> text=
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=2 BIND dn="" method=163
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=2 BIND
> authcid="ldap/swapus.svl.ibm.com" authzid="ldap/swapus.svl.ibm.com"
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=2 RESULT tag=97 err=0 text=
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=2 BIND dn="uid=ldap
> replication slave,ou=services,ou=ecmbi,o=ibm" mech=GSSAPI ssf=56
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=3 SRCH
> base="ou=ecmbi,o=ibm" scope=2 deref=0 filter="(objectClass=*)"
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=3 SRCH attr=* +
> Sep 14 17:07:58 wassup slapd[17844]: conn=0 op=3 meta_back_single_dobind:
> ldap_result=0 nretries=-1
> Sep 14 17:07:59 wassup last message repeated 9 times
> Sep 14 17:07:59 wassup slapd[17844]: conn=1 fd=20 ACCEPT from
> IP=127.0.0.1:55695 (IP=0.0.0.0:389)
> Sep 14 17:07:59 wassup slapd[17844]: conn=1 op=0 BIND dn="" method=128
> Sep 14 17:07:59 wassup slapd[17844]: conn=1 op=0 RESULT tag=97 err=0 text=
> Sep 14 17:07:59 wassup slapd[17844]: conn=1 op=1 SRCH base="ou=SSO
> Stub,ou=ecmbi,o=ibm" scope=2 deref=0 filter="(objectClass=*)"
> Sep 14 17:07:59 wassup slapd[17844]: conn=1 op=1 SRCH attr=* +
> Sep 14 17:07:59 wassup slapd[17844]: conn=1 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "EMPLOYEECOUNTRYCODE" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "IBMSERIALNUMBER" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "PRIMARYNODE" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "PRIMARYUSERID" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription "PDIF"
> inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "ISMANAGER" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "MANAGERCOUNTRYCODE" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "CALLUPNAME" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "MIDDLEINITIAL" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "NOTESEMAIL" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "NOTESMAILDOMAIN" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "NOTESMAILFILE" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "NOTESMAILSERVER" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "DIRECTORYALIAS" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription "DEPT"
> inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription "DIV"
> inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATETIELINE" inserted.
> Sep 14 17:07:59 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATETELEPHONENUMBER" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "PREFERREDFIRSTNAME" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATEPOSTALCODE" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "TIELINE" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATEADDRESS2" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATEADDRESS1" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "NOTESID" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "JOBRESPONSIBILITIES" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "MANAGERSERIALNUMBER" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "PREFERREDLASTNAME" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "DIVDEPT" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "SECRETARYCOUNTRYCODE" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "SECRETARYSERIALNUMBER" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "TIMESTAMPBPGUI" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "ENTRYTYPE" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "HRORGANIZATIONCODE" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "PASSWORDISEXPIRED" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "PASSWORDISRESET" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "PASSWORDISSTRUCKOUT" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "PASSWORDMODIFYTIMESTAMP" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription "FLOOR"
> inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription "IBMLOC"
> inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "WORKLOC" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "WORKLOCATION" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "WORKPLACEINDICATOR" inserted.
> Sep 14 17:08:00 wassup slapd[17844]: PROXIED attributeDescription
> "HRACTIVE" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRASSIGNEE" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRASSIGNMENT" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRCOMPANYCODE" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRCOUNTRYCODE" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRDEPARTMENT" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HREMPLOYEETYPE" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRFIRSTNAME" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRINITIAL" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRLASTNAME" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRMANAGERPSC" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRMANAGERSERIAL" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription "HRPSC"
> inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRSERIALNUMBER" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "HRMANAGERINDICATOR" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "TIMESTAMPFEED" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "COREDATAINTEGRITY" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATENODE" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATEUSERID" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "FACSIMILETIELINE" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "CONTRACTORRECORDEXPIRATION" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "DEPARTMENT" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription "SHIFT"
> inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "INTERNALMAILDROP" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "BACKUPCOUNTRYCODE" inserted.
> Sep 14 17:08:01 wassup slapd[17844]: PROXIED attributeDescription
> "BACKUPSERIALNUMBER" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "ADDITIONAL" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription "BACKUP"
> inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATELOCALITYNAME" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "ALTERNATEST" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "INFOTELEPHONENUMBER" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "CONTRACTORCOMPANY" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "PHONEMAILNUMBER" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "TERRITORY" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "PAGERSERVICEPROVIDER" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "PAGERID" inserted.
> Sep 14 17:08:02 wassup slapd[17844]: PROXIED attributeDescription
> "PAGERTYPE" inserted.
> Sep 14 17:08:04 wassup slapd[17844]: PROXIED attributeDescription
> "BLUEPAGESNOTESIDERROR" inserted.
> Sep 14 17:08:09 wassup slapd[17844]: PROXIED attributeDescription
> "ISODMMANAGER" inserted.
> Sep 14 17:08:09 wassup slapd[17844]: PROXIED attributeDescription
> "HRDIVISION" inserted.
> Sep 14 17:08:09 wassup slapd[17844]: PROXIED attributeDescription
> "HRFAMILYNAME" inserted.
> Sep 14 17:08:09 wassup slapd[17844]: PROXIED attributeDescription
> "HRMIDDLENAME" inserted.
> Sep 14 17:08:09 wassup slapd[17844]: PROXIED attributeDescription
> "HRPREFERREDNAME" inserted.
> Sep 14 17:08:14 wassup slapd[17844]: conn=0 op=3 SEARCH RESULT tag=101
> err=3 nentries=38 text=
> Sep 14 17:08:14 wassup slapd[17844]: conn=0 op=4 UNBIND
> Sep 14 17:08:14 wassup slapd[17844]: conn=0 fd=15 closed
> Sep 14 17:08:14 wassup slapd[17844]: conn=1 op=2 UNBIND
> Sep 14 17:08:14 wassup slapd[17844]: conn=1 fd=20 closed
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
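The point of the reply above is easy to miss in a real slapd.conf: an ACL can name a subtree that is actually served by a backend which never consults ACLs, so the "none" grant only filters returned entries at the frontend and the search still descends into the proxy. The following Python script is an added example, not code from this thread or from the OpenLDAP project. It parses the quoted slapd.conf fragments (constructed sample: the mail-wrapped "by ... none" clause rejoined onto one line), locates the most specific database suffix covering each dn-based ACL target, and flags targets whose serving backend is not in the set the reply names as fully honoring ACLs (bdb, hdb, ldbm, sql). It assumes ACL targets of the form `dn.<style>="..."`; `attrs=`, `filter=` and regex targets are ignored.

```python
"""Audit slapd.conf ACL targets against the backend that serves them (added example)."""
import shlex

# Backends the reply above lists as fully honoring ACLs.
ACL_HONORING_BACKENDS = {"bdb", "hdb", "ldbm", "sql"}

# Constructed sample, adapted from the config quoted in the thread.
SAMPLE_CONF = """\
# Deny access to replicate the SSO DIT
access to dn.sub="ou=sso,ou=ecmbi,o=ibm"
        by dn.base="uid=LDAP Replication Slave,ou=Services,ou=ecmbi,o=ibm" none
        by * read

database        meta
readonly        on
nretries        forever
suffix          "ou=sso,ou=ecmbi,o=ibm"
uri             "ldaps://bluepages.ibm.com/c=us,ou=sso,ou=ecmbi,o=ibm"
suffixmassage   "c=us,ou=sso,ou=ecmbi,o=ibm" "c=us,ou=bluepages,o=ibm.com"
uri             "ldap:///ou=sso,ou=ecmbi,o=ibm";
suffixmassage   "ou=sso,ou=ecmbi,o=ibm" "ou=SSO Stub,ou=ecmbi,o=ibm"
subordinate

database        bdb
suffix          "ou=ecmbi,o=ibm"
rootdn          "cn=LDAP Directory Master,ou=DSE,ou=ecmbi,o=ibm"
directory       /var/lib/ldap
overlay         syncprov
"""


def normalize_dn(dn):
    """Lowercase and strip whitespace around RDNs so suffix comparison is stable."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def dn_is_under(dn, suffix):
    """True when dn equals suffix or lies beneath it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def _logical_lines(text):
    """Drop comments/blank lines and join slapd.conf continuation lines (leading whitespace)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical


def _parse_access(tokens, scope):
    """access to <what> by <who> <level> [by <who> <level> ...]"""
    target, clauses, i = tokens[2], [], 3
    while i < len(tokens):
        if tokens[i].lower() == "by" and i + 2 < len(tokens):
            clauses.append((tokens[i + 1], tokens[i + 2]))
            i += 3
        else:
            i += 1
    return {"target": target, "clauses": clauses, "scope": scope}


def parse_conf(text):
    """Return (databases, acls); scope None marks a global ACL, else the database index."""
    databases, acls = [], []
    for line in _logical_lines(text):
        tokens = shlex.split(line)
        directive = tokens[0].lower()
        if directive == "database":
            databases.append({"type": tokens[1].lower(), "suffix": None, "subordinate": False})
        elif directive == "suffix" and databases:
            databases[-1]["suffix"] = tokens[1]
        elif directive == "subordinate" and databases:
            databases[-1]["subordinate"] = True
        elif directive == "access" and len(tokens) > 2 and tokens[1].lower() == "to":
            acls.append(_parse_access(tokens, len(databases) - 1 if databases else None))
    return databases, acls


def target_dn(target):
    """Return (style, dn) for a dn.<style>=<dn> target; (None, None) for anything else."""
    spec, _, dn = target.partition("=")
    if not spec.startswith("dn.") or not dn:
        return None, None
    return spec[3:], dn


def audit(databases, acls):
    """Flag dn-based ACLs whose most specific serving backend does not honor ACLs."""
    findings = []
    for acl in acls:
        style, dn = target_dn(acl["target"])
        if dn is None:
            continue
        candidates = [db for db in databases if db["suffix"] and dn_is_under(dn, db["suffix"])]
        if not candidates:
            continue
        # Longest matching suffix wins: that is the backend the search descends into.
        serving = max(candidates, key=lambda db: len(normalize_dn(db["suffix"])))
        if serving["type"] in ACL_HONORING_BACKENDS:
            continue
        findings.append({
            "target": dn, "style": style, "backend": serving["type"],
            "suffix": serving["suffix"], "subordinate": serving["subordinate"],
            "denied": [who for who, level in acl["clauses"] if level.lower() == "none"],
            "note": f"back-{serving['type']} does not honor ACLs; the frontend filters "
                    "returned entries (read) only, so the search still descends into it",
        })
    return findings


if __name__ == "__main__":
    dbs, rules = parse_conf(SAMPLE_CONF)
    for f in audit(dbs, rules):
        print(f"{f['target']} ({f['style']}) -> back-{f['backend']} "
              f"suffix={f['suffix']} subordinate={f['subordinate']}: {f['note']}")
        for who in f["denied"]:
            print(f"  'none' for {who} is not enforced inside the backend")
```

Run against the sample it reports the single rule on ou=sso,ou=ecmbi,o=ibm as served by back-meta (a subordinate of the bdb database), which is exactly the situation in the log: the replication slave's search on ou=ecmbi,o=ibm reaches meta_back_single_dobind even though the ACL grants it "none" on that subtree.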