[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SyncRepl - no write access

To: openldap-software@OpenLDAP.org
Subject: Re: SyncRepl - no write access
From: Turbo Fredriksson <turbo@bayour.com>
Date: Fri, 07 Jan 2005 15:12:05 +0100
In-reply-to: <50E6DE2D054354F4FBBD898D@cadabra-dsl.stanford.edu> (Quanah Gibson-Mount's message of "Thu, 06 Jan 2005 11:23:36 -0800")
Organization: LDAP/Kerberos expert wannabe
References: <87wtuqh06e.fsf@pumba.bayour.com> <50E6DE2D054354F4FBBD898D@cadabra-dsl.stanford.edu>
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.2 (gnu/linux)

Quoting Quanah Gibson-Mount <quanah@stanford.edu>:

> updatedn="cn=Manager,dc=stanford,dc=edu"

What's this? Is this specified with 'root{dn,pw}' on
the provider? It exists (with 'userPassword: {xxx}')
in the DB? Can it be 'kerberized'?

I ask because no matter what I do, the consumer can't
update it's database (it tries to write as anonymous).


On the provider I kinit as 'ldap/provider' and then I start
the provider slapd, modify (as myself) an attribute in the
'o=Bortheiry,c=SE' object.

On the consumer I kinit as 'ldap/consumer-1'. After starting
the consumer slapd, I get the  following output (slapd w/ '-d 384'):

----- s n i p -----
=> access_allowed: write access to "o=Bortheiry,c=SE" "o" requested
=> dn: [2]
=> dn: [3]
=> dn: [4] cn=monitor
=> dn: [5] cn=subschema
=> acl_get: [6] attr o
=> acl_mask: access to entry "o=Bortheiry,c=SE", attr "o" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: cn=ldap/provider,ou=ldap,ou=system,o=bayour.com,c=se
<= aci_mask grant =rsc deny =n
<= acl_mask: [3] applying +rsc (stop)
<= acl_mask: [3] mask: =rsc
=> access_allowed: write access denied by =rsc
syncrepl_entry : be_modify failed (50)
acl: no-user-mod syncreplCookie: modify access granted
acl: no-user-mod structuralObjectClass: modify access granted
acl: no-user-mod entryUUID: modify access granted
acl: no-user-mod creatorsName: modify access granted
acl: no-user-mod createTimestamp: modify access granted
acl: no-user-mod entryCSN: modify access granted
acl: no-user-mod modifiersName: modify access granted
acl: no-user-mod modifyTimestamp: modify access granted
----- s n i p -----

But just a few lines below this (and a few lines above), a _search_ access
works just as expected:

----- s n i p -----
=> access_allowed: search access to "o=Sundqvist,c=SE" "objectClass" requested
=> dn: [2]
=> dn: [3]
=> dn: [4] cn=monitor
=> dn: [5] cn=subschema
=> acl_get: [6] attr objectClass
=> acl_mask: access to entry "o=Sundqvist,c=SE", attr "objectClass" requested
=> acl_mask: to all values by "cn=ldap/provider,ou=ldap,ou=system,o=bayour.com,c=se", (=n)
<= check a_dn_pat: cn=ldap/provider,ou=ldap,ou=system,o=bayour.com,c=se
<= check a_authz.sai_sasl_ssf: ACL 56 > OP 0
<= aci_mask grant =rsc deny =n
<= acl_mask: [3] applying +rsc (stop)
<= acl_mask: [3] mask: =rsc
=> access_allowed: search access granted by =rsc
----- s n i p -----


I've been playing all day with ACL's, but that's "just for show".
It isn't authenticated when it tries to do the update, but authenticated
when it _doesn't_ try to update. Here's my ACL's etc (selected parts) if
I've done something 'obvious' fault:

PROVIDER
----- s n i p -----
sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
            ldap:///c=SE??sub?(krb5PrincipalName=$1@BAYOUR.COM)
include     <a href="http://www.bayour.com/slapd.access.txt";>/etc/ldap/slapd.access</a>
access to * by group.base="cn=Replicators,ou=LDAP,ou=System,o=Bayour.COM,c=SE" sasl_ssf=56 read
            by aci write
sessionlog  1 40
----- s n i p -----

CONSUMER
----- s n i p -----
sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
            ldap:///c=SE??sub?krb5PrincipalName=$1@BAYOUR.COM
include     <a href="http://www.bayour.com/slapd.access.txt";>/etc/ldap/slapd.access</a>
access to * by group.base="cn=Replicators,ou=LDAP,ou=System,o=Bayour.COM,c=SE" sasl_ssf=56 write
            by dn.exact="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE" sasl_ssf=56 write
            by aci write
syncrepl    rid=1
            provider=ldaps://pumba.bayour.com
            type=refreshAndPersist
            searchbase="c=SE"
            filter="(objectClass=*)"
            scope=sub
            attrs="*"
            schemachecking=off
            updatedn="cn=ldap/provider,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
            binddn="cn=ldap/consumer-1,ou=LDAP,ou=System,o=Bayour.COM,c=SE"
            bindmethod=sasl
            saslmech=GSSAPI
            realm=BAYOUR.COM
            authcId=ldap/consumer-1
updateref   ldaps://pumba.bayour.com
----- s n i p -----

I've verified that the sasl-regexp works as expected.

Before trying to start any of the slapd's, I regenerate
the database from scratch to make sure I have a known
state to work with.

I'm loading the LDIF with 'slapadd -p -w -i 1' on the
provider and 'slapadd -r -w -i 1' on the consumer.

Follow-Ups:
- Re: SyncRepl - no write access
  - From: "Matthew J. Smith" <matt.smith@uconn.edu>
- Re: SyncRepl - no write access
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

References:
- SyncRepl - no write access
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: SyncRepl - no write access
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: back-meta hangs
Next by Date: Re: SyncRepl - no write access
Index(es):
- Chronological
- Thread