Re: slurpd question with GSSAPI

--On Thursday, August 26, 2004 9:07 PM +0000 "Derek T. Yarnell" <derek@cs.umd.edu> wrote:

Sorry, I ran into another problem with ACLs now, but from the debugging I
can't tell why:

bdb_dn2entry("cn=testgroup2,ou=groups,dc=csic,dc=umd,dc=edu")
=> bdb_dn2id( "cn=testgroup2,ou=groups,dc=csic,dc=umd,dc=edu" )
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30990)
=> access_allowed: write access to "ou=groups,dc=csic,dc=umd,dc=edu" "children" requested
=> acl_get: [2] attr children
=> acl_mask: access to entry "ou=groups,dc=csic,dc=umd,dc=edu", attr "children" requested
=> acl_mask: to all values by "uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth", (=n)
<= check a_dn_pat: uid=host/torch.cs.umd.edu@cs.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth
<= check a_dn_pat: uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth
<= acl_mask: [2] applying +0 (stop)
<= acl_mask: [2] mask: =n
=> access_allowed: write access denied by =n
bdb_add: no write access to parent
send_ldap_result: conn=1 op=4 p=3
send_ldap_response: msgid=5 tag=105 err=50

It gives the right ID, but then seems not to match either of the write
ACLs.

sasl-regexp     uid=(.*)@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
                ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*)@CS.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
                ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
                ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth
                ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1

Just a note, but aren't all incoming connections going to match one of the first two sasl-regexps?

sasl-realm      CS.UMD.EDU
sasl-host       ripper.cs.umd.edu

access to attrs=userPassword
        by * auth

access to *
        by dn="uid=host/torch.cs.umd.edu@CS.UMD.EDU,cn=cs.umd.edu,cn=gssapi,cn=auth"
        by dn="uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=cs.umd.edu,cn=gssapi,cn=auth"
        by * read

In your initial email to me, I see a space at:

"cn=cs.umd.edu, cn=gssapi,cn=auth"
              ^
              ^

Is that just how the emailer wrote it, or does that space actually exist in your ACL?

I didn't see it say the DN was converted to "nothing", which is what I would expect if you are not really mapping these into DNs.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
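As an added illustration of the rule-ordering point raised in the reply above (this script is not part of the original thread and is not slapd code), the following Python applies the four sasl-regexp rules quoted in the message, in slapd.conf order, to sample authentication DNs and reports which rule fires first. It is a simplified model: it assumes the rules are tried top to bottom, matched case-insensitively and unanchored, that `$1` is replaced by the first capture group, and that the first match wins. The sample DNs are constructed for the example in the form the debug output shows; the third one, an identity without a realm in the principal, is hypothetical and only there to show when the third rule would be reached.

```python
import re

# sasl-regexp rules as quoted in the message, in slapd.conf order.
# Each entry is (pattern, replacement). Note that the '.' characters in
# "CS.UMD.EDU" are unescaped, so as regular expressions they match any
# single character, not only a literal dot.
SASL_REGEXP_RULES = [
    (r"uid=(.*)@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1"),
    (r"uid=(.*)@CS.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1"),
    (r"uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1"),
    (r"uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1"),
]


def map_authc_dn(authc_dn, rules=SASL_REGEXP_RULES):
    """Apply the rules in order and return (rule_index, result) for the
    first one that matches, or (None, None) if none does.

    Assumption (a simplified model, not slapd's own code): patterns are
    matched case-insensitively and unanchored, and $N in the replacement
    is substituted with the Nth capture group of the match.
    """
    for index, (pattern, replacement) in enumerate(rules):
        match = re.search(pattern, authc_dn, re.IGNORECASE)
        if match is None:
            continue
        result = replacement
        for n, group in enumerate(match.groups(), start=1):
            result = result.replace("$%d" % n, group)
        return index, result
    return None, None


def unreached_rules(sample_dns, rules=SASL_REGEXP_RULES):
    """Return the indexes of rules that none of the sample DNs reaches,
    i.e. rules shadowed by an earlier match for every sampled identity."""
    hit = {map_authc_dn(dn, rules)[0] for dn in sample_dns}
    return [i for i in range(len(rules)) if i not in hit]


# Constructed sample authentication DNs in the shape slapd prints in the
# debug output above: the Kerberos principal as uid, the SASL realm as cn.
SAMPLE_DNS = [
    "uid=host/torch.cs.umd.edu@csic.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth",
    "uid=host/torch.cs.umd.edu@cs.umd.edu,cn=cs.umd.edu,cn=gssapi,cn=auth",
    # Hypothetical identity with no realm in the principal, to show which
    # rule a realm-less authcid would fall through to.
    "uid=jdoe,cn=cs.umd.edu,cn=gssapi,cn=auth",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        index, result = map_authc_dn(dn)
        print("%s\n  -> rule %s: %s" % (dn, index, result))
    print("rules never reached by these samples:", unreached_rules(SAMPLE_DNS))
```

Running it against the constructed samples shows the two realm-qualified principals being consumed by the first two rules, as the reply suggests, and the fourth rule never being reached by any of them; swapping in real authentication DNs copied from a `-d` trace is the quickest way to see which sasl-regexp actually produced a given authorization DN.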