
Binding problem



  We are testing OpenLDAP 2.0A3, which contains user information. We
restrict the access to some user attributes to the user itself. One of
these fields is "userPassword". When trying to access with user
authentication, the binding function is not able to access the user
password. According to the debug information, it seems that the call to
the access function from "do_bind" doesn't include the user DN but an
empty string.

  Has anybody found such a problem?

  Thanks.

-----

  The security section of the configuration file only contains:

access to dn=".*,o=org1,c=es" attr=userPassword
       by self              write
       by self              read
       by *                 none
access to dn=".*,o=org1,c=es"
       by self              write
       by *                 read

-----

  The items stored in the LDAP server are:

cn=usr1, o=org1, c=es
cn=usr1
sn=Usuario 1
objectclass=person
telephonenumber=7111
userpassword=1111

cn=usr2, o=org1, c=es
cn=usr2
sn=Usuario 2
objectclass=person
telephonenumber=7222
userpassword=2222

cn=usr3, o=org1, c=es
cn=usr3
sn=Usuario 3
objectclass=person
telephonenumber=7333
userpassword=3333

------

  The query which returns an "Insufficient access" error is:


ldapsearch -p 2001 -D "cn=usr1,o=org1,c=es" -w 1111 -b "o=org1,c=es" "objectclass=*"

------

  The traces obtained are:

do_bind
do_bind operation: dn=
do_bind operation: ndn=
ber_scanf fmt ({iat) ber:
ber_dump: buf 0x7e228, ptr 0x7e22b, end 0x7e24b
         ` 1e 02 01 03 04 13  c  n  =  u  s  r  1  ,  o
         =  o  r  g  1  ,  c  =  e  s 80 04  1  1  1  1
        (end)
bind: dn = (cn=usr1,o=org1,c=es)
ber_scanf fmt (o}) ber:
ber_dump: buf 0x7e228, ptr 0x7e245, end 0x7e24b
        80 04  1  1  1  1
do_bind: version=3 dn="cn=usr1,o=org1,c=es" method=128
conn=1 op=0 BIND dn="CN=USR1,O=ORG1,C=ES" method=128
====> cache_find_entry_dn2id("CN=USR1,O=ORG1,C=ES"): 14 (1 tries)
<= dn2id 14 (in cache)
=> id2entry_r( 14 )
entry_rdwr_rtrylock: ID: 14
====> cache_find_entry_id( 14 ) "cn=usr1, o=org1, c=es" (found) (1 tries)
<= id2entry_r( 14 ) 0x91758 (cache)

=> access_allowed: entry (cn=usr1, o=org1, c=es) attr (entry)

=> acl_get: entry (cn=usr1, o=org1, c=es) attr (entry)
=> acl_get: edn CN=USR1,O=ORG1,C=ES
=> dnpat: [1] .*,o=org1,c=es nsub: 0
=> acl_get:[1]  backend ACL match
=> acl_get: [1] check attr entry
=> dnpat: [2] .*,o=org1,c=es nsub: 0
=> acl_get:[2]  backend ACL match
=> acl_get: [2] check attr entry
<= acl_get: [2] backend acl cn=usr1, o=org1, c=es attr: entry

=> acl_access_allowed: auth access to entry "cn=usr1, o=org1, c=es"

=> acl_access_allowed: auth access to value "any" by ""
<= check a_dn_pat: self
<= check a_dn_pat: .*
<= acl_access_allowed: matched by clause #2 access granted

=> access_allowed: exit (cn=usr1, o=org1, c=es) attr (entry)

=> access_allowed: entry (cn=usr1, o=org1, c=es) attr (userpassword)

=> acl_get: entry (cn=usr1, o=org1, c=es) attr (userpassword)
=> acl_get: edn CN=USR1,O=ORG1,C=ES
=> dnpat: [1] .*,o=org1,c=es nsub: 0
=> acl_get:[1]  backend ACL match
=> acl_get: [1] check attr userpassword
<= acl_get: [1] backend acl cn=usr1, o=org1, c=es attr: userpassword

=> acl_access_allowed: auth access to entry "cn=usr1, o=org1, c=es"

=> acl_access_allowed: auth access to value "any" by ""
<= check a_dn_pat: self
<= check a_dn_pat: self
<= check a_dn_pat: .*
<= acl_access_allowed: matched by clause #3 access denied

=> access_allowed: exit (cn=usr1, o=org1, c=es) attr (userpassword)
send_ldap_result: conn=1 op=0 p=3
send_ldap_result: 50::
send_ldap_response: msgid=1 tag=97 err=50
conn=1 op=0 RESULT tag=97 err=50 text=


==> ldbm_back_bind: dn: CN=USR1,O=ORG1,C=ES
dn2entry_r: dn: "CN=USR1,O=ORG1,C=ES"
=> dn2id( "CN=USR1,O=ORG1,C=ES" )
====> cache_find_entry_dn2id("CN=USR1,O=ORG1,C=ES"): 14 (1 tries)


-- 
   "Happiness is not doing what we like,
    but liking what we do."

                              Johann W. Goethe
Pedro Gonzalez Franco
Telefonica I+D; Infraestructura de Voz sobre IP
pedrogf@tid.es
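A small simulation of the ACL evaluation visible in the traces above, added here as an illustration and not OpenLDAP's own code: it models the two access directives from the posted configuration in the order slapd walks them (first matching directive, then first matching "by" clause), and shows that when the identity handed to the access check is the empty string the "by self" clauses cannot match, so "by * none" denies the auth access that do_bind needs on userPassword, whereas the same check made with the bound user's DN is granted by the first clause. The names ACLS, acl_get and access_allowed, and the simplified matching rules, are assumptions of this model.

```python
import re

# Constructed model of the two ACLs in the post (slapd.conf, OpenLDAP 2.0 regex dn patterns).
# attrs=None means the directive applies to every attribute (including the pseudo-attribute "entry").
ACLS = [
    {"dn": r".*,o=org1,c=es", "attrs": {"userpassword"},
     "by": [("self", "write"), ("self", "read"), ("*", "none")]},
    {"dn": r".*,o=org1,c=es", "attrs": None,
     "by": [("self", "write"), ("*", "read")]},
]

# Access levels in increasing order; a granted level satisfies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def normalize(dn):
    """Lower-case and strip spaces around RDNs, like the ndn forms in the trace."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def acl_get(entry_dn, attr):
    """Return (1-based index, directive) of the first ACL matching the entry and attribute."""
    for idx, acl in enumerate(ACLS, 1):
        if re.fullmatch(acl["dn"], normalize(entry_dn)) and \
           (acl["attrs"] is None or attr.lower() in acl["attrs"]):
            return idx, acl
    return None, None


def access_allowed(entry_dn, attr, needed, bind_dn):
    """Evaluate 'by' clauses for the requesting identity; returns (granted, trace-like message)."""
    _, acl = acl_get(entry_dn, attr)
    if acl is None:
        return False, "no acl matched"
    for n, (who, level) in enumerate(acl["by"], 1):
        matched = False
        if who == "self":
            # "self" only matches when the requester is the entry itself; an empty DN never matches.
            matched = bind_dn != "" and normalize(bind_dn) == normalize(entry_dn)
        elif who == "*":
            matched = True
        if matched:
            granted = LEVELS.index(level) >= LEVELS.index(needed)
            return granted, "matched by clause #%d access %s" % (n, "granted" if granted else "denied")
    return False, "no clause matched"


def simulate_bind(bind_dn, checked_as):
    """do_bind needs auth access to userPassword of bind_dn; 'checked_as' is the identity the check sees."""
    ok, msg = access_allowed(bind_dn, "userpassword", "auth", checked_as)
    return (0 if ok else 50), msg  # 50 = insufficientAccessRights, as in the trace
```

With checked_as="" the result is err=50 and clause #3, exactly as in the posted trace; with the user's own DN the bind is allowed.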