
RE: SASL External : only bind with existing dn



Hello

I don't know how to write an ACL in order to only allow existing users to
bind to the directory with SASL EXTERNAL

I tried this :

access  to dn=".*,ou=people,dc=enatel,dc=local"
        by self write
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none

access  to *
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none

but it doesn't work

I still think I have a problem in my system, because of the error in my
log :
SASL [conn=5] Error: unable to open Berkeley db /etc/sasldb2: No such
file or directory

actually, since I make an internal search with sasl-regexp on the dn of
the certificate, a user should be rejected if he is not in the directory

any idea ?

thanks

Francois

> On Mon 10/03/2003 at 17:09, Chapman, Kyle wrote:
> > have you set any acls?
> > the default is read for all
> > 
> > -----Original Message-----
> > From: Francois Beretti [mailto:francois.beretti@enatel.com]
> > Sent: Monday, March 10, 2003 11:01 AM
> > To: Liste OpenLDAP Software
> > Subject: SASL External : only bind with existing dn
> > 
> > 
> > Hello all
> > 
> > I managed to get SASL External working,
> > with certificates DNs of same form as my directory DNs
> > (cn=francois,ou=people,dc=enatel,dc=local), without using
> > sasl-regexp
> > 
> > but now any user with a certificate with a dn of this form can bind to
> > the directory, even if no entry matching his dn exists
> > 
> > It is normal, as I read in the doc.
> > But is it a good thing ?
> > I have found in the doc that by putting this in slapd.conf I can solve
> > that, forcing slapd to find a matching entry in the database before
> > authorizing the connection :
> > 
> > sasl-regexp
> >  cn=(.*),ou=people,dc=enatel,dc=local
> >  ldap:///ou=people,dc=enatel,dc=local??sub?(cn=$1)
> > 
> > but it doesn't work
> > I can still get this, while I have _no_ entry in my directory (so I
> > have no user "francois") :
> > 
> > [francois@linux-integ ssl]$ ldapsearch -Y external -ZZ
> > SASL/EXTERNAL authentication started
> > SASL username: CN=francois,OU=people,DC=enatel,DC=local
> > SASL SSF: 0
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <> with scope sub
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> > # search result
> > search: 3
> > result: 32 No such object
> > # numResponses: 1
> > 
> > I also have an error in my log :
> > SASL [conn=5] Error: unable to open Berkeley db /etc/sasldb2: No such
> > file or directory
> > 
> > just before seeming to be authorized
> > What can I think of this ?
> > I used to think that sasl external doesn't need any secret
> > to be stored by sasl
> > on several posts on this list I have seen :
> > saslpasswd2 -c <username>
> > but never for sasl external
> > 
> > what must I do to solve this ?
> > it seems to be a little error but I don't know what to do...
> > 
> > thanks in advance
> > 
> > Francois
> > 
> > 
> > PS : Here is my log for the ldapsearch :
> > 
> > do_sasl_bind: dn () mech EXTERNAL
> > daemon: select: listen=6 active_threads=1 tvp=NULL
> > conn=5 op=1 BIND dn="" method=163
> > daemon: select: listen=7 active_threads=1 tvp=NULL
> > ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
> > SASL Canonicalize [conn=5]:
> > authcid="cn=francois,ou=people,dc=enatel,dc=local"
> > slap_sasl_getdn: id=cn=francois,ou=people,dc=enatel,dc=local
> > ==>slap_sasl2dn: converting SASL name
> > cn=francois,ou=people,dc=enatel,dc=local to a DN
> > slap_sasl_regexp: converting SASL name
> > cn=francois,ou=people,dc=enatel,dc=local
> > slap_sasl_regexp: converted SASL name to
> > ldap:///ou=people,dc=enatel,dc=local??sub?(cn=francois)
> > slap_parseURI: parsing
> > ldap:///ou=people,dc=enatel,dc=local??sub?(cn=francois)
> > str2filter "(cn=francois)"
> > begin get_filter
> > EQUALITY
> > end get_filter 0
> > >>> dnNormalize: <ou=people,dc=enatel,dc=local>
> > <<< dnNormalize: <ou=people,dc=enatel,dc=local>
> > slap_sasl2dn: performing internal search
> > (base=ou=people,dc=enatel,dc=local, scope=2)
> > => ldbm_back_search
> > dn2entry_r: dn: "ou=people,dc=enatel,dc=local"
> > => dn2id( "ou=people,dc=enatel,dc=local" )
> > => ldbm_cache_open( "dn2id.dbb", 73, 600 )
> > <= ldbm_cache_open (cache 0)
> > <= dn2id NOID
> > dn2entry_r: dn: "dc=enatel,dc=local"
> > => dn2id( "dc=enatel,dc=local" )
> > => ldbm_cache_open( "dn2id.dbb", 73, 600 )
> > <= ldbm_cache_open (cache 0)
> > <= dn2id NOID
> > send_ldap_result: conn=0 op=0 p=3
> > send_ldap_result: err=10 matched="" text=""
> > conn=0 op=0 RESULT tag=101 err=32 text=
> > <==slap_sasl2dn: Converted SASL name to <nothing>
> > SASL Canonicalize [conn=5]:
> > authcDN="cn=francois,ou=people,dc=enatel,dc=local"
> > SASL [conn=5] Error: unable to open Berkeley db /etc/sasldb2: No such
> > file or directory
> > SASL Authorize [conn=5]:
> > authcid="cn=francois,ou=people,dc=enatel,dc=local"
> > authzid="cn=francois,ou=people,dc=enatel,dc=local"
> > conn=5 op=1 BIND authcid="cn=francois,ou=people,dc=enatel,dc=local"
> > SASL Authorize [conn=5]:  authorization allowed
> > send_ldap_sasl: err=0 len=-1
> > send_ldap_response: msgid=2 tag=97 err=0
> > <== slap_sasl_bind: rc=0
> > conn=5 op=1 AUTHZ dn="cn=francois,ou=people,dc=enatel,dc=local"
> > mech=EXTERNAL ssf=0
> > do_bind: SASL/EXTERNAL bind:
> > dn="cn=francois,ou=people,dc=enatel,dc=local" ssf=0
> > daemon: activity on 1 descriptors
> > daemon: activity on:
> >  10r
> > 
> > daemon: read activity on 10
> > connection_get(10)
> > connection_get(10): got connid=5
> > connection_read(10): checking for input on id=5
> > ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> > do_search
> > daemon: select: listen=6 active_threads=1 tvp=NULL
> > >>> dnPrettyNormal: <dc=enatel,dc=local>
> > daemon: select: listen=7 active_threads=1 tvp=NULL
> > <<< dnPrettyNormal: <dc=enatel,dc=local>, <dc=enatel,dc=local>
> > daemon: activity on 1 descriptors
> > SRCH "dc=enatel,dc=local" 2 0
> > daemon: select: listen=6 active_threads=1 tvp=NULL
> >     0 0 0
> > daemon: select: listen=7 active_threads=1 tvp=NULL
> > begin get_filter
> > PRESENT
> > end get_filter 0
> >     filter: (objectClass=*)
> >     attrs:
> > 
> > conn=5 op=2 SRCH base="dc=enatel,dc=local" scope=2
> > filter="(objectClass=*)"
> > => ldbm_back_search
> > dn2entry_r: dn: "dc=enatel,dc=local"
> > => dn2id( "dc=enatel,dc=local" )
> > => ldbm_cache_open( "dn2id.dbb", 73, 600 )
> > <= ldbm_cache_open (cache 0)
> > <= dn2id NOID
> > send_ldap_result: conn=5 op=2 p=3
> > send_ldap_result: err=10 matched="" text=""
> > send_ldap_response: msgid=3 tag=101 err=32
> > conn=5 op=2 RESULT tag=101 err=32 text=
> > daemon: activity on 1 descriptors
> > daemon: activity on:
> >  10r
> > 
> > daemon: read activity on 10
> > connection_get(10)
> > connection_get(10): got connid=5
> > connection_read(10): checking for input on id=5
> > ber_get_next on fd 10 failed errno=0 (Success)
> > do_unbind
> > connection_read(10): input error=-2 id=5, closing.
> > conn=5 op=3 UNBIND
> > connection_closing: readying conn=5 sd=10 for close
> > connection_close: deferring conn=5 sd=10
> > connection_resched: attempting closing conn=5 sd=10
> > daemon: select: listen=6 active_threads=1 tvp=NULL
> > connection_close: conn=5 sd=10
> > daemon: select: listen=7 active_threads=1 tvp=NULL
> > daemon: removing 10
> > daemon: activity on 1 descriptors
> > conn=5 fd=10 closed
> > daemon: select: listen=6 active_threads=1 tvp=NULL
> > daemon: select: listen=7 active_threads=1 tvp=NULL
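An added check, not part of the thread: a small Python scan over slapd debug output that flags SASL/EXTERNAL binds where the sasl-regexp internal search returned `<nothing>` yet authorization was still allowed, which is exactly what the quoted log shows for conn=5. The sample log is excerpted from that log (lines rejoined), plus a constructed conn=6 where the search did resolve to an entry; the `Converted SASL name to <dn>` form on that constructed line is assumed.

```python
import re

# Constructed sample: conn=5 excerpted from the quoted slapd log (long lines
# rejoined), conn=6 constructed to show a mapping that succeeded.
SAMPLE_LOG = """\
SASL Canonicalize [conn=5]: authcid="cn=francois,ou=people,dc=enatel,dc=local"
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enatel,dc=local??sub?(cn=francois)
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Authorize [conn=5]:  authorization allowed
conn=5 op=1 AUTHZ dn="cn=francois,ou=people,dc=enatel,dc=local" mech=EXTERNAL ssf=0
SASL Canonicalize [conn=6]: authcid="cn=alice,ou=people,dc=enatel,dc=local"
<==slap_sasl2dn: Converted SASL name to <cn=alice,ou=people,dc=enatel,dc=local>
SASL Authorize [conn=6]:  authorization allowed
conn=6 op=1 AUTHZ dn="cn=alice,ou=people,dc=enatel,dc=local" mech=EXTERNAL ssf=0
"""

CANON_RE = re.compile(r'SASL Canonicalize \[conn=(\d+)\]')
MAPPED_RE = re.compile(r'slap_sasl2dn: Converted SASL name to <(.*)>')
AUTHZ_RE = re.compile(r'conn=(\d+) op=\d+ AUTHZ dn="([^"]*)" mech=EXTERNAL')


def find_unmapped_external_binds(log_text):
    """Return [(conn, dn)] for EXTERNAL binds that were authorized even though
    the sasl-regexp search found no matching entry.

    The slap_sasl2dn line carries no conn id, so it is attributed to the most
    recent 'SASL Canonicalize [conn=N]' line, which is how slapd orders them.
    """
    current = None
    unmapped = set()
    findings = []
    for line in log_text.splitlines():
        m = CANON_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = MAPPED_RE.search(line)
        if m and current is not None:
            if m.group(1) == "nothing":
                unmapped.add(current)        # search returned no entry
            else:
                unmapped.discard(current)    # search resolved to a real DN
            continue
        m = AUTHZ_RE.search(line)
        if m and m.group(1) in unmapped:
            findings.append((m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for conn, dn in find_unmapped_external_binds(SAMPLE_LOG):
        print(f"conn={conn}: EXTERNAL bind authorized with no directory entry for {dn}")
```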