
Help! bind funny?



I need to deploy my system but an error stops me...

The system is:

-Linux: Redhat 6.1-2.2.14
-openldap: 1.2.10

My slapd.conf is:

-----------------------------------------------------------------------

include         /usr/local/etc/openldap/slapd.at.conf
include         /usr/local/etc/openldap/slapd.oc.conf
 
schemacheck     off
#referral       ldap://root.openldap.org/
 
pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args
 
#######################################################################
# ldbm database definitions
#######################################################################
database        ldbm
suffix          "o=pruebas"
rootdn          "cn=root, o=pruebas"
rootpw          <rootpw>
directory       /usr/local/ldapBD/pruebas
defaultaccess none
access to dn=".*"
        by dn="^$$" none
        by dn=".*,O=RACF" read
        by * none
 
 
###############################################################
# V.1 RACF backend
# Database that implements the ability to bind through
# authentication in RACF.
# NOTES:
#       - the dn format for the bind is:
#               CN=<USER>,....
#       - missing parameters are not handled; all of them
#       are mandatory.
#       - The server can be given either as a name or as an IP
#       - It makes no sense to define a root, since it does not use
###############################################################
database racf
suffix          "o=racf"
servidor        srvtrj.villasis.monte
puerto          9302
transaccion     PLOGON

---------------------------------------------------------------

The last database (racf) is my own backend for the bind command; this
backend does user authentication in an external system (where all
users+passwords are defined)...

The ACL for database ldbm ("pruebas") stops all actions for anonymous
users and gives read access to connections bound at database "racf".

I populated the pruebas database with a lot of entries.

Well, if I bind to the racf database with an invalid user or password, the
backend returns an error and no action is allowed (this works fine in my
test).

If I bind with a correct user+password and search the database pruebas, I
get an abnormal execution....

I execute:

ldapsearch -w mypassword -D "CN=S5540, O=RACF" -b "o=pruebas"
objectclass=*

Some searches are right and return entries from database pruebas, but others
are wrong...

The log (slapd -d 128):

----------------------------------------------------------------
ACL: access to dn=.*
        by dn=^$$
        by dn=.*,O=RACF
        by dn=.*

slapd starting
=> access_allowed: entry (o=pruebas) attr (objectclass)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (o=pruebas) attr (objectclass)
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
=> access_allowed: entry (o=pruebas) attr (objectclass)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (o=pruebas) attr (objectclass)
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
=> access_allowed: entry (o=pruebas) attr (objectclass)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (o=pruebas) attr (objectclass)
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
=> access_allowed: entry (o=pruebas) attr (objectclass)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "o=pruebas"
=> acl_access_allowed: search access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: exit (o=pruebas) attr (objectclass)
=> access_allowed: entry (o=pruebas) attr (entry)
=> acl_get: entry (o=pruebas) attr (entry)
<= acl_get: [1] backend acl o=pruebas attr: entry
=> acl_access_allowed: read access to entry "o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: exit (o=pruebas) attr (entry)
=> acl_get: entry (o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl o=pruebas attr: objectclass
=> acl_access_allowed: read access to entry "o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> acl_get: entry (o=pruebas) attr (o)
<= acl_get: [1] backend acl o=pruebas attr: o
=> acl_access_allowed: read access to entry "o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> acl_get: entry (o=pruebas) attr (description)
<= acl_get: [1] backend acl o=pruebas attr: description
=> acl_access_allowed: read access to entry "o=pruebas"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: search access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (entry)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (entry)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: entry
=> acl_access_allowed: read access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (entry)
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
=> acl_access_allowed: read access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (cn)
<= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: cn
=> acl_access_allowed: read access to entry "cn=Gonzalo,o=pruebas"
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
  
---------------------------------------------------------------------------------

The difference is:

=> acl_access_allowed: search access to value "any" by ""

And

=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"

But it is the same execution...

Any idea?

Thanks

P.S.: Sorry for my english

--
Juan Gonzalo de Silva Medina
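Added here as an illustration and not part of the original mail: a small Python audit that replays the access directive from the slapd.conf above over a constructed copy of the ACL trace lines in the log, checks each logged clause and decision against first-match evaluation, and counts how often slapd evaluated a request with an empty (anonymous) bind DN, which is the symptom the post describes. The regex semantics used for the dn= patterns (unanchored, case-insensitive) are an assumption.

```python
import re

# Constructed excerpt of the "slapd -d 128" trace from the post (request/result pairs only).
LOG = """\
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
=> acl_access_allowed: search access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
=> acl_access_allowed: read access to value "any" by "CN=S5540,O=RACF"
<= acl_access_allowed: matched by clause #2 access granted
"""

# The post's 'access to dn=".*"' directive as ordered (regex, level) clauses; "by *" becomes ".*".
ACL = [(r"^$$", "none"), (r".*,O=RACF", "read"), (r".*", "none")]
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def acl_decide(bind_dn, wanted):
    """First-match evaluation of ACL for bind_dn: returns (clause number, granted).
    Assumption: slapd matches the dn= regex unanchored and case-insensitively."""
    for num, (pattern, level) in enumerate(ACL, start=1):
        if re.search(pattern, bind_dn, re.IGNORECASE):
            return num, LEVELS.index(level) >= LEVELS.index(wanted)
    return None, False

REQ = re.compile(r'^=> acl_access_allowed: (\w+) access to value "[^"]*" by "([^"]*)"$')
RES = re.compile(r'^<= acl_access_allowed: matched by clause #(\d+) access (denied|granted)$')

def audit(log):
    """Pair each request line with its result, check the logged clause and decision
    against acl_decide, and mark evaluations that ran with an empty bind DN."""
    findings, pending = [], None
    for line in log.splitlines():
        req = REQ.match(line)
        if req:
            pending = (req.group(1), req.group(2))
            continue
        res = RES.match(line)
        if res and pending:
            access, bind_dn = pending
            clause, granted = acl_decide(bind_dn, access)
            findings.append({
                "access": access,
                "bind_dn": bind_dn,
                "anonymous": bind_dn == "",
                "consistent": clause == int(res.group(1)) and granted == (res.group(2) == "granted"),
            })
            pending = None
    return findings

def anonymous_evaluations(findings):
    """Number of ACL evaluations slapd performed with no bind DN at all."""
    return sum(f["anonymous"] for f in findings)
```

A trace where every pair is consistent but the anonymous count is non-zero on a connection that did bind, as in the post, shows the ACL itself is behaving as written and the missing piece is the bind DN not being carried into those evaluations.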