
Re: Help! bind funny?



At 11:58 PM 5/14/00 +0200, Juan Gonzalo de Silva Medina wrote:
>this is the log for slapd -d 1 -d 4 -d 128 
>
>All executions are with equal parameters (except for password...)

>------------------------------------------------------------
>slapd 1.2.10-Release (Thu May 11 17:28:45 CEST 2000)
>
>gonzalo@localhost.localdomain:/usr/local/traer/curso/tmp/openldap-1.2.10/servers/slapd
>ACL: access to dn=.*
>	by dn=^$$
>	by dn=.*,O=RACF
>	by dn=.*
>
>slapd starting
>
>-----[this is with a invalid password]------------------------
>do_bind
>do_bind: version 2 dn (CN=S5540,O=RACF) method 128
>send_ldap_result 49::(03) CLAVE INVALIDA
>ber_get_next on fd 7 failed errno 0 (Success)
>*** got 0 of 0 so far
>
>-----[this is with a right password]--------------------------
>do_bind
>do_bind: version 2 dn (CN=S5540,O=RACF) method 128
>send_ldap_result 0::
>do_bind: bound "CN=S5540,O=RACF" to "CN=S5540,O=RACF"
>send_ldap_result 0::
>do_search

Two send_ldap_result is very bad.  Your backend shouldn't send
a success in this case.

>SRCH "O=PRUEBAS" 2 0    0 0 0
>    filter: (objectclass=*)
>    attrs:
>=> ldbm_back_search
>using base "O=PRUEBAS"
>subtree_candidates: base: "O=PRUEBAS" lookupbase
>dn2entry_r: dn: "O=PRUEBAS"
>=> dn2id( "O=PRUEBAS" )
>=> ldbm_cache_open( "/usr/local/ldapBD/pruebas/dn2id.dbb", 7, 600 )
>ldbm_cache_open (blksize 4096) (maxids 1022) (maxindirect 4)
><= ldbm_cache_open (opened 0)
><= dn2id 1
>=> id2entry_r( 1 )
>=> ldbm_cache_open( "/usr/local/ldapBD/pruebas/id2entry.dbb", 7, 600 )
>ldbm_cache_open (blksize 4096) (maxids 1022) (maxindirect 4)
><= ldbm_cache_open (opened 1)
>=> str2entry
><= str2entry 0x809a7c8
>entry_rdwr_rlock: ID: 1
><= id2entry_r( 1 ) (disk)
>====> cache_return_entry_r
>entry_rdwr_runlock: ID: 1
>=> filter_candidates
>=> list_candidates 0xa1
>=> filter_candidates
>=> ava_candidates 0xa3
>=> index_read( "objectclass" "=" "REFERRAL" )
>=> ldbm_cache_open( "/usr/local/ldapBD/pruebas/objectclass.dbb", 7, 600
>)
>ldbm_cache_open (blksize 4096) (maxids 1022) (maxindirect 4)
><= ldbm_cache_open (opened 2)
><= index_read 0 candidates
><= ava_candidates 0
><= filter_candidates 0
>=> filter_candidates
>=> presence_candidates
>=> index_read( "objectclass" "?" "*" )
><= index_read 3 candidates (allids - not indexed)
><= presence_candidates 3
><= filter_candidates 3
><= list_candidates 3
><= filter_candidates 3
>=> id2entry_r( 1 )
>====> cache_find_entry_dn2id: found id: 1 rw: 0
>entry_rdwr_rtrylock: ID: 1
><= id2entry_r 0x809a7c8 (cache)
>
>=> access_allowed: entry (o=pruebas) attr (objectclass)
>
>=> acl_get: entry (o=pruebas) attr (objectclass)
>=> acl_get: edn O=PRUEBAS
>=> dnpat: [1] .* nsub: 0
>=> acl_get:[1]  backend ACL match
>=> acl_get: [1] check attr objectclass
><= acl_get: [1] backend acl o=pruebas attr: objectclass
>
>=> acl_access_allowed: search access to entry "o=pruebas"
>
>=> acl_access_allowed: search access to value "any" by ""

You are anonymous here.  Should be by "CN=S5540,O=RACF".

><= check a_dnpat: ^$$
>=> string_expand: pattern:  ^$$
>=> string_expand: expanded: ^$
>=> regex_matches: string:   
>=> regex_matches: rc: 0 matches
><= acl_access_allowed: matched by clause #1 access denied
>
>=> access_allowed: exit (o=pruebas) attr (objectclass)
>====> cache_return_entry_r
>entry_rdwr_runlock: ID: 1
>=> id2entry_r( 2 )
>=> ldbm_cache_open( "/usr/local/ldapBD/pruebas/id2entry.dbb", 7, 600 )
><= ldbm_cache_open (cache 1)
>=> str2entry
><= str2entry 0x80a3be8
>entry_rdwr_rlock: ID: 2
><= id2entry_r( 2 ) (disk)
>
>=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
>
>=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
>=> acl_get: edn CN=GONZALO,O=PRUEBAS
>=> dnpat: [1] .* nsub: 0
>=> acl_get:[1]  backend ACL match
>=> acl_get: [1] check attr objectclass
><= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
>
>=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
>
>=> acl_access_allowed: search access to value "any" by ""
><= check a_dnpat: ^$$
>=> string_expand: pattern:  ^$$
>=> string_expand: expanded: ^$
>=> regex_matches: string:   
>=> regex_matches: rc: 0 matches
><= acl_access_allowed: matched by clause #1 access denied
>
>=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
>====> cache_return_entry_r
>entry_rdwr_runlock: ID: 2
>send_ldap_result 0::
>ber_get_next on fd 7 failed errno 0 (Success)
>*** got 0 of 0 so far
>do_unbind
>----------[other with right password]--------------------
>do_bind
>do_bind: version 2 dn (CN=S5540,O=RACF) method 128
>send_ldap_result 0::
>do_bind: bound "CN=S5540,O=RACF" to "CN=S5540,O=RACF"
>send_ldap_result 0::

Again, two send_ldap_result.

>do_search
>SRCH "O=PRUEBAS" 2 0    0 0 0
>    filter: (objectclass=*)
>    attrs:
>=> ldbm_back_search
>using base "O=PRUEBAS"
>subtree_candidates: base: "O=PRUEBAS" lookupbase
>dn2entry_r: dn: "O=PRUEBAS"
>=> dn2id( "O=PRUEBAS" )
>====> cache_find_entry_dn2id: found dn: O=PRUEBAS
><= dn2id 1 (in cache)
>=> id2entry_r( 1 )
>====> cache_find_entry_dn2id: found id: 1 rw: 0
>entry_rdwr_rtrylock: ID: 1
><= id2entry_r 0x809a7c8 (cache)
>====> cache_return_entry_r
>entry_rdwr_runlock: ID: 1
>=> filter_candidates
>=> list_candidates 0xa1
>=> filter_candidates
>=> ava_candidates 0xa3
>=> index_read( "objectclass" "=" "REFERRAL" )
>=> ldbm_cache_open( "/usr/local/ldapBD/pruebas/objectclass.dbb", 7, 600
>)
><= ldbm_cache_open (cache 2)
><= index_read 0 candidates
><= ava_candidates 0
><= filter_candidates 0
>=> filter_candidates
>=> presence_candidates
>=> index_read( "objectclass" "?" "*" )
><= index_read 3 candidates (allids - not indexed)
><= presence_candidates 3
><= filter_candidates 3
><= list_candidates 3
><= filter_candidates 3
>=> id2entry_r( 1 )
>====> cache_find_entry_dn2id: found id: 1 rw: 0
>entry_rdwr_rtrylock: ID: 1
><= id2entry_r 0x809a7c8 (cache)
>
>=> access_allowed: entry (o=pruebas) attr (objectclass)
>
>=> acl_get: entry (o=pruebas) attr (objectclass)
>=> acl_get: edn O=PRUEBAS
>=> dnpat: [1] .* nsub: 0
>=> acl_get:[1]  backend ACL match
>=> acl_get: [1] check attr objectclass
><= acl_get: [1] backend acl o=pruebas attr: objectclass
>
>=> acl_access_allowed: search access to entry "o=pruebas"
>
>=> acl_access_allowed: search access to value "any" by ""

and anonymous here as well.

><= check a_dnpat: ^$$
>=> string_expand: pattern:  ^$$
>=> string_expand: expanded: ^$
>=> regex_matches: string:   
>=> regex_matches: rc: 0 matches
><= acl_access_allowed: matched by clause #1 access denied
>
>=> access_allowed: exit (o=pruebas) attr (objectclass)
>====> cache_return_entry_r
>entry_rdwr_runlock: ID: 1
>=> id2entry_r( 2 )
>====> cache_find_entry_dn2id: found id: 2 rw: 0
>entry_rdwr_rtrylock: ID: 2
><= id2entry_r 0x80a3be8 (cache)
>
>=> access_allowed: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
>
>=> acl_get: entry (cn=Gonzalo,o=pruebas) attr (objectclass)
>=> acl_get: edn CN=GONZALO,O=PRUEBAS
>=> dnpat: [1] .* nsub: 0
>=> acl_get:[1]  backend ACL match
>=> acl_get: [1] check attr objectclass
><= acl_get: [1] backend acl cn=Gonzalo,o=pruebas attr: objectclass
>
>=> acl_access_allowed: search access to entry "cn=Gonzalo,o=pruebas"
>
>=> acl_access_allowed: search access to value "any" by ""
><= check a_dnpat: ^$$
>=> string_expand: pattern:  ^$$
>=> string_expand: expanded: ^$
>=> regex_matches: string:   
>=> regex_matches: rc: 0 matches
><= acl_access_allowed: matched by clause #1 access denied
>
>=> access_allowed: exit (cn=Gonzalo,o=pruebas) attr (objectclass)
>====> cache_return_entry_r
>entry_rdwr_runlock: ID: 2
>send_ldap_result 0::
>ber_get_next on fd 7 failed errno 0 (Success)
>*** got 0 of 0 so far
>do_unbind
>slapd shutting down - waiting for 0 threads to terminate
>slapd shutting down - waiting for backends to close down
>ldbm backend saving nextid
>ldbm backend syncing
>ldbm flushing db (/usr/local/ldapBD/pruebas/dn2id.dbb)
>ldbm flushing db (/usr/local/ldapBD/pruebas/id2entry.dbb)
>ldbm flushing db (/usr/local/ldapBD/pruebas/objectclass.dbb)
>ldbm backend done syncing
>ldbm backend saving nextid
>ldbm backend syncing
>ldbm backend done syncing
>slapd stopping
>----------------------------------------------------------

Note that both executions with the right password behave
as anonymous.  Something is likely amuck with your
backend bind routine.  In particular, you should look
at what you return as edn and make sure it's not getting
clobbered after the call.
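
The two symptoms pointed out in this reply (a bind that emits two results, and ACL checks evaluated `by ""` after a successful bind) can be checked for mechanically in a single-connection debug trace. The following is an added example, not part of the original message or of OpenLDAP; the sample log is a constructed excerpt modelled on the quoted output, and treating the second quoted DN on the `bound` line as the connection identity is an assumption.

```python
import re

# Constructed excerpt modelled on the slapd debug output quoted in the message.
SAMPLE_LOG = """\
do_bind
do_bind: version 2 dn (CN=S5540,O=RACF) method 128
send_ldap_result 49::(03) CLAVE INVALIDA
do_bind
do_bind: version 2 dn (CN=S5540,O=RACF) method 128
send_ldap_result 0::
do_bind: bound "CN=S5540,O=RACF" to "CN=S5540,O=RACF"
send_ldap_result 0::
do_search
=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: matched by clause #1 access denied
send_ldap_result 0::
do_unbind
"""

OP = re.compile(r"^(do_\w+)$")  # a bare do_xxx line starts a new operation
BOUND = re.compile(r'^do_bind: bound "([^"]*)" to "([^"]*)"')
RESULT = re.compile(r"^send_ldap_result (\d+):")
ACL_BY = re.compile(r'^=> acl_access_allowed: .* by "([^"]*)"$')


def audit(log_text):
    """Return (line_no, kind, detail) findings for one connection's trace."""
    findings, bound_dn, op, results, flagged = [], "", None, 0, False
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if m := OP.match(line):
            op, results, flagged = m.group(1), 0, False
            if op in ("do_bind", "do_unbind"):
                bound_dn = ""  # a new bind or an unbind drops the identity
        elif m := BOUND.match(line):
            bound_dn = m.group(2)  # assumption: second DN is the bound identity
        elif m := RESULT.match(line):
            results += 1
            if results == 2:  # more than one result sent for a single operation
                findings.append((no, "duplicate-result", op))
        elif (m := ACL_BY.match(line)) and bound_dn and not m.group(1) and not flagged:
            flagged = True  # report once per operation, not once per entry
            findings.append((no, "anonymous-after-bind", bound_dn))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```
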