
Re: GSSAPI Binds openldap 2.1.12



Ok, let me explain a little more,

cn=staff,dc=csic,dc=umd,dc=edu

is the rootdn, so it should be able to see anything, anywhere. 

uid=derek,ou=staff,dc=csic,dc=umd,dc=edu

is, say, a user; I want to be able to bind so that they could change certain
attributes on their dn.

So, my access rights right now are these:

access to attr=uid,uidNumber,gidNumber,homeDirectory,mailLocalAddress
        by dn="cn=staff,dc=csic,dc=umd,dc=edu"
        by users read
access to attr=loginShell,gecos,cn,mailroutingaddress,mailHost
        by dn="cn=staff,dc=csic,dc=umd,dc=edu"
        by self write
        by users read

You would have to be authenticated to just read the attributes and some you would
be able to write to.

I would obviously like to do this with GSSAPI, so I don't need to put any passwords,
etc., in the LDAP database.

On Wed, Jan 22, 2003 at 09:55:15PM -0800, Howard Chu wrote:
> You need to fix your ACLs. In the GSSAPI case, the log shows you bound as
>   uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
> while in the simple bind you used
>   cn=staff,dc=csic,dc=umd,dc=edu
> 
> Clearly these are not the same, and your ACL only references the second DN
> above.
> 
> Also, your ACL doesn't specify any rights for the cn=staff DN. Was that just
> a cut/paste error?
> 
> Finally, you probably want an "access to *" clause after the other, to assign
> privileges to everything else.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Derek T. Yarnell
> 
> > I am having an issue with getting my gssapi/sasl binds
> > working. I was wondering
> > if someone could give me a little insight,
> >
> > ldapsearch -Y GSSAPI -b 'dc=csic,dc=umd,dc=edu' '(uid=derek)'
> >
> > Here is the server output,
> >
> > Jan 22 14:43:36 queasy slapd[10595]: conn=0 fd=13 ACCEPT from
> > IP=127.0.0.1:56125 (IP=0.0.0.0:389)
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=0 BIND dn=""
> > method=163
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=1 BIND dn=""
> > method=163
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND dn=""
> > method=163
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND authcid="derek"
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 AUTHZ
> > dn="uid=derek,ou=staff,dc=csic,dc=umd,dc=edu" mech=GSSAPI ssf=56
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SRCH
> > base="ou=staff,dc=csic,dc=umd,dc=edu" scope=2 filter="(uid=derek)"
> > Jan 22 14:43:36 queasy slapd[10604]: <=
> > bdb_equality_candidates: index_param failed (18)
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SEARCH
> > RESULT tag=101 err=0 nentries=0 text=
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=4 UNBIND
> > Jan 22 14:43:36 queasy slapd[10604]: conn=0 fd=13 closed
> >
> > ----------------------------------------------------------
> > derek@queasy:~> /csic/openldap/bin/ldapsearch -Y GSSAPI -b
> > 'ou=staff,dc=csic,dc=umd,dc=edu' '(uid=derek)'
> > SASL/GSSAPI authentication started
> > SASL SSF: 56
> > SASL installing layers
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=staff,dc=csic,dc=umd,dc=edu> with scope sub
> > # filter: (uid=derek)
> > # requesting: ALL
> > #
> >
> > # search result
> > search: 4
> > result: 0 Success
> >
> > # numResponses: 1
> > ----------------------------------------------------------
> >
> > But it doesn't return anything, while a normal bind will return
> > something,
> >
> > ----------------------------------------------------------
> > derek@queasy:~> /csic/openldap/bin/ldapsearch -x -D
> > 'cn=staff,dc=csic,dc=umd,dc=edu' -b 'dc=csic,dc=umd,dc=edu'
> > -W '(uid=derek)'
> > Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=csic,dc=umd,dc=edu> with scope sub
> > # filter: (uid=derek)
> > # requesting: ALL
> > #
> >
> > # derek, staff, csic.umd.edu
> > dn: uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
> > objectClass: csicAccount
> > objectClass: account
> > cn: Derek Yarnell
> > uid: derek
> > uidNumber: 2174
> > gidNumber: 10
> > homeDirectory: /afs/csic/staff/derek
> > loginShell: /bin/tcsh
> > mailHost: cs.umd.edu
> > mailRoutingAddress: derek@cs.umd.edu
> > mailLocalAddress: derek@cs.umd.edu
> >
> > # search result
> > search: 2
> > result: 0 Success
> >
> > # numResponses: 2
> > # numEntries: 1
> > ----------------------------------------------------------
> >
> > here is my sasl-regex,
> >
> >
> > sasl-regexp     uid=(.*),cn=gssapi,cn=auth
> >                 uid=$1,ou=staff,dc=csic,dc=umd,dc=edu
> >
> >
> > and the only other access control I have,
> >
> > access to attr=loginShell,gecos,cn,mailroutingaddress
> >         by dn="cn=staff,dc=csic,dc=umd,dc=edu"
> >         by self write
> >         by users read
> >
> > thanks for any help.
> >
> >
> > --
> > ---
> > Derek T. Yarnell
> > University of Maryland
> > Computer Science Department Unix Staff
> > derek@cs.umd.edu
> >
> 

-- 
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu
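As an added example (not part of the thread, and not OpenLDAP's own code), here is a small Python model of slapd's first-match ACL evaluation run over the ACL Derek first posted and the two bind identities Howard Chu points to. It assumes the slapd.access(5) rules (first matching "access to" clause, then first matching "by" clause, implicit deny when nothing matches, rootdn bypasses ACLs), treats `dn=` as an exact match, and models a `by` clause with no access level as granting nothing.

```python
# Added example, not from the thread: a simplified model of slapd's
# first-match ACL evaluation, run over the ACL and bind DNs quoted above.
ROOTDN = "cn=staff,dc=csic,dc=umd,dc=edu"          # rootdn from the post
DEREK = "uid=derek,ou=staff,dc=csic,dc=umd,dc=edu"  # DN the sasl-regexp maps to
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACL exactly as first posted: nothing covers the uid attribute.
POSTED_ACL = """
access to attr=loginShell,gecos,cn,mailroutingaddress
        by dn="cn=staff,dc=csic,dc=umd,dc=edu"
        by self write
        by users read
"""
# Same ACL plus the "access to *" clause Howard Chu suggested.
FIXED_ACL = POSTED_ACL + """
access to *
        by users read
"""

def parse_acl(text):
    """Turn 'access to ... by <who> [<level>]' clauses into
    [(attrs or None for '*', [(who, level), ...]), ...].
    Assumption: a 'by' clause with no level grants nothing ('none')."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:2] == ["access", "to"]:
            what = parts[2]
            attrs = None if what == "*" else what[len("attr="):].lower().split(",")
            rules.append((attrs, []))
        elif parts and parts[0] == "by":
            rules[-1][1].append((parts[1], parts[2] if len(parts) > 2 else "none"))
    return rules

def access(rules, bind_dn, entry_dn, attr):
    """Access level bind_dn has to attr on entry_dn under first-match rules."""
    if bind_dn == ROOTDN:                  # rootdn is never subject to ACLs
        return "write"
    for attrs, bys in rules:               # first matching "access to" wins
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in bys:             # first matching "by" wins
            if (who == "*" or (who == "users" and bind_dn)
                    or (who == "self" and bind_dn == entry_dn)
                    or who == 'dn="%s"' % bind_dn):  # dn= treated as exact
                return level
        return "none"
    return "none"                          # nothing matched: implicit deny

def filter_can_match(acl_text, bind_dn, attr):
    """slapd only lets a filter test an attribute the binder may search."""
    level = access(parse_acl(acl_text), bind_dn, DEREK, attr)
    return LEVELS.index(level) >= LEVELS.index("search")
```

With the posted ACL, `filter_can_match(POSTED_ACL, DEREK, "uid")` is False while the rootdn bind is unaffected, which matches the empty GSSAPI result versus the working simple bind; adding the `access to *` clause makes the GSSAPI search able to match `(uid=derek)`.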