
Re: cannot authenticate as user himself



Just as follow-up, I have done more investigation and discovered that
disregarding the fact that op->o_dn and ndn are cleared by bind.c,
op->o_dn and ndn are never set to user's dn until he authenticates. But
of course that is too late! I further wondered why this worked in 1.x
and not now and realized that in 1.x no acl checking was done on a bind.
Am I off base?

Yoel

Yoel Spotts wrote:
> 
> To all,
> 
> I have an issue which I think is a bug, but would first like to present
> it in "software" as the error might be my own:
> 
> I am using openldap-2.0.7.
> 
> I have the following line in my slapd.conf:
> 
> access  to dn=".*,ou=users,o=top"
>         by self write
> 
> I get an LDAP_INSUFFICIENT_ACCESS when I try to bind as a user (let's say
> "uid=yoel,ou=users,o=top"). (Yes, the password is correct). If I have
> write permission, I should have auth permission.
> 
> I have stepped through the process and have found the following:
> 
> in acl.c in function acl_mask on line 398 (in the code I have) is where
> the acl that I have set up is handled. On the next line, we make sure
> op->o_ndn and op->o_dn are not NULL or empty strings. When I stepped
> through using a debugger, these values were empty strings, even though
> the dn should be "uid=yoel,ou=users,o=top". When I investigated a bit
> further, I found that in /servers/slapd/bind.c toward the beginning of
> the function, op->o_dn and op->o_ndn are cleared and set to empty
> strings. I would imagine this is the reason the acl fails. Is it
> possible that those should be the connection dn's, i.e. we should be
> clearing conn->c_dn and conn->c_ndn?
> 
> If anyone can help, let me know if I made a mistake or if I should post
> this to the bugs list.
> 
> Thanks,
> 
> Yoel
> --
> Yoel Spotts                     yoel@vasco.com
> VASCO Data Security, Inc.       http://www.vasco.com

-- 
Yoel Spotts                     yoel@vasco.com
VASCO Data Security, Inc.       http://www.vasco.com
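A small model of the ACL evaluation Yoel steps through, added here as an illustration and not OpenLDAP's own acl.c: during a bind the requester DN is still empty, so the `by self write` clause from the post can never grant the `auth` level the bind needs, while a clause that matches the anonymous requester (`by anonymous auth`, as documented in slapd.conf(5)) does. The access-level order and clause names follow slapd.conf(5); the evaluator, its function names and the sample ACLs are constructed here.

```python
# Simplified model of slapd's "by <who> <level>" evaluation (not acl.c itself).
# Shows why "access to dn=... by self write" denies a simple bind: at bind
# time op->o_ndn is still "" (anonymous), and "self" needs a non-empty DN.
import re

# slapd access levels, lowest to highest; a granted level implies all lower ones.
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def level_rank(level):
    return ACCESS_LEVELS.index(level)


def acl_mask(acls, target_ndn, requester_ndn):
    """Return the level granted to requester_ndn on target_ndn.

    acls: list of (target_regex, [(who, level), ...]) in slapd.conf order.
    The first access directive whose target matches is used; within it the
    first matching 'who' clause wins; no matching clause means 'none'.
    """
    for target_re, clauses in acls:
        if not re.fullmatch(target_re, target_ndn):
            continue
        for who, level in clauses:
            if who == "*":
                return level
            if who == "anonymous" and requester_ndn == "":
                return level
            if who == "users" and requester_ndn != "":
                return level
            # 'self' only matches a non-empty DN that equals the target entry,
            # mirroring the non-NULL / non-empty check on op->o_ndn in acl_mask.
            if who == "self" and requester_ndn != "" and requester_ndn == target_ndn:
                return level
        return "none"  # target matched but no 'by' clause did: implicit "by * none"
    return "none"


def bind_permitted(acls, bind_ndn):
    """A simple bind needs 'auth' access to the entry being bound as, and the
    operation is still anonymous while the bind is being authorised."""
    return level_rank(acl_mask(acls, bind_ndn, "")) >= level_rank("auth")


# The directive from the original post, and the same target with an extra
# clause that the anonymous bind operation can actually match (constructed).
ACL_SELF_ONLY = [(r".*,ou=users,o=top", [("self", "write")])]
ACL_WITH_ANON_AUTH = [(r".*,ou=users,o=top", [("self", "write"), ("anonymous", "auth")])]
USER = "uid=yoel,ou=users,o=top"
```

After the bind succeeds and op->o_ndn holds the user's DN, the same `by self write` clause does match, which is why the problem only shows up on the bind itself.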