
RE: GSSAPI Binds openldap 2.1.12



You need to fix your ACLs. In the GSSAPI case, the log shows you bound as
  uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
while in the simple bind you used
  cn=staff,dc=csic,dc=umd,dc=edu

Clearly these are not the same, and your ACL only references the second DN
above.

Also, your ACL doesn't specify any rights for the cn=staff DN. Was that just
a cut/paste error?

Finally, you probably want an "access to *" clause after the other, to assign
privileges to everything else.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Derek T. Yarnell

> I am having an issue with getting my gssapi/sasl binds working.
> I was wondering if someone could give me a little insight,
>
> ldapsearch -Y GSSAPI -b 'dc=csic,dc=umd,dc=edu' '(uid=derek)'
>
> Here is the server output,
>
> Jan 22 14:43:36 queasy slapd[10595]: conn=0 fd=13 ACCEPT from
> IP=127.0.0.1:56125 (IP=0.0.0.0:389)
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=0 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=1 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND authcid="derek"
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 AUTHZ
> dn="uid=derek,ou=staff,dc=csic,dc=umd,dc=edu" mech=GSSAPI ssf=56
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SRCH
> base="ou=staff,dc=csic,dc=umd,dc=edu" scope=2 filter="(uid=derek)"
> Jan 22 14:43:36 queasy slapd[10604]: <=
> bdb_equality_candidates: index_param failed (18)
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SEARCH
> RESULT tag=101 err=0 nentries=0 text=
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=4 UNBIND
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 fd=13 closed
>
> ----------------------------------------------------------
> derek@queasy:~> /csic/openldap/bin/ldapsearch -Y GSSAPI -b
> 'ou=staff,dc=csic,dc=umd,dc=edu' '(uid=derek)'
> SASL/GSSAPI authentication started
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <ou=staff,dc=csic,dc=umd,dc=edu> with scope sub
> # filter: (uid=derek)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
> ----------------------------------------------------------
>
> But it doesn't return anything, whereas a normal bind will return
> something,
>
> ----------------------------------------------------------
> derek@queasy:~> /csic/openldap/bin/ldapsearch -x -D
> 'cn=staff,dc=csic,dc=umd,dc=edu' -b 'dc=csic,dc=umd,dc=edu'
> -W '(uid=derek)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=csic,dc=umd,dc=edu> with scope sub
> # filter: (uid=derek)
> # requesting: ALL
> #
>
> # derek, staff, csic.umd.edu
> dn: uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
> objectClass: csicAccount
> objectClass: account
> cn: Derek Yarnell
> uid: derek
> uidNumber: 2174
> gidNumber: 10
> homeDirectory: /afs/csic/staff/derek
> loginShell: /bin/tcsh
> mailHost: cs.umd.edu
> mailRoutingAddress: derek@cs.umd.edu
> mailLocalAddress: derek@cs.umd.edu
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ----------------------------------------------------------
>
> here is my sasl-regex,
>
>
> sasl-regexp     uid=(.*),cn=gssapi,cn=auth
>                 uid=$1,ou=staff,dc=csic,dc=umd,dc=edu
>
>
> and the only other access control I have,
>
> access to attr=loginShell,gecos,cn,mailroutingaddress
>         by dn="cn=staff,dc=csic,dc=umd,dc=edu"
>         by self write
>         by users read
>
> thanks for any help.
>
>
> --
> ---
> Derek T. Yarnell
> University of Maryland
> Computer Science Department Unix Staff
> derek@cs.umd.edu
>
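As an added illustration of the ACL point made in the reply above (this is not from either message in the thread): a slapd.conf fragment that shows the ACL as posted next to a rewritten one that grants the GSSAPI-mapped DN rights and ends with a catch-all clause. The DNs and the sasl-regexp are the ones in the thread; the `dn.exact` style, the `attrs=` spelling and the access levels chosen for cn=staff are assumptions about what the poster wants, not anything stated in the thread.

```conf
# Added example, not from the thread. The sasl-regexp is the one the
# poster already has: it maps the SASL/GSSAPI identity
# uid=derek,cn=gssapi,cn=auth onto the real directory entry, which is why
# the log shows AUTHZ dn="uid=derek,ou=staff,dc=csic,dc=umd,dc=edu".
sasl-regexp     uid=(.*),cn=gssapi,cn=auth
                uid=$1,ou=staff,dc=csic,dc=umd,dc=edu

# --- As posted. The "by dn=..." clause names no access level, and the
# --- GSSAPI bind DN (uid=derek,ou=staff,...) only matches "by users read".
# --- No directive covers the rest of the entry, so it falls through to
# --- slapd's implicit "access to * by * none" and the search returns
# --- zero entries.
# access to attr=loginShell,gecos,cn,mailroutingaddress
#         by dn="cn=staff,dc=csic,dc=umd,dc=edu"
#         by self write
#         by users read

# --- Rewritten. Assumed intent: cn=staff is an administrative DN that may
# --- write, any authenticated user (including uid=derek after the
# --- GSSAPI mapping) may read, and anonymous gets nothing.
# ACL evaluation is first-match: the most specific "access to" directive
# goes first, and within a directive the first matching "by" clause wins.
access to attrs=loginShell,gecos,cn,mailRoutingAddress
        by dn.exact="cn=staff,dc=csic,dc=umd,dc=edu" write
        by self write
        by users read
        by * none

# Catch-all for every other attribute, so that a GSSAPI-bound user can
# actually read the entries the search matches. Without this clause
# nothing outside the attribute list above is readable by anyone.
access to *
        by dn.exact="cn=staff,dc=csic,dc=umd,dc=edu" write
        by users read
        by * none
```

After restarting slapd, the two ldapsearch invocations from the post are the check: the GSSAPI search should now return the uid=derek entry just as the simple bind does. Note that `by self write` on cn and loginShell (kept from the posted ACL) lets every user change their own shell and common name; whether that is acceptable is a site policy decision, not something the thread settles.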