
Re: slapd.access dn.regex sasl



Hi all,

Thanks Pierangelo, further information below.

openldap-2.2.23-5mdk on LE2005 (mandriva).

I have had another look at the slapd.access man page.

The slapd.access.conf is basically the original that comes with the openldap
package, and here is the changed access file. I gathered it was failing
in the first tests.  I have added the uid=admin (which is the
saslauthzto id) - have I understood that correctly in the control section
of the slapd.access man page?

access to dn.regex=".*$"
#access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
        by self write
        by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
        by dn.exact,expand="uid=admin,ou=System,ou=People,dc=utiba" auth
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by * auth

access to dn.regex="^([^,])?ou=Utiba,ou=People,([^dc=])$"
        attrs=uid,uidNumber,gidNumber
        by self write
        by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
        by users read

# ACL allowing samba domain controllers to add user accounts
access to dn.regex="^([^,]+,)?ou=People,dc=utiba$"
        attrs=entry,children,posixAccount,sambaSamAccount
        by dn.exact,expand="uid=root,ou=People,dc=utiba" write
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by users read
        by anonymous read

# allow users to modify their own "address book" entries:
access to dn.regex="([^,]+,)?ou=People,dc=uitba$"
        attrs=inetOrgPerson,mail
        by self write
        by dn.exact,expand="uid=root,ou=People,dc=utiba" write
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by users read
        by anonymous read

# Allow samba domain controllers to create groups and group mappings
access to dn.regex="^([^,]+,)?ou=Group,dc=utiba$"
        attrs=entry,children,posixGroup,sambaGroupMapping
        by dn.exact,expand="uid=root,ou=People,dc=utiba" write
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by users read
        by anonymous read

# Allow samba domain controllers to create machine accounts
access to dn.regex="^([^,]+,)?ou=Hosts,ou=System,dc=utiba$"
        attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
        by dn.exact,expand="uid=root,ou=People,dc=utiba" write
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by users read
        by anonymous read

# Allow samba to create idmap entries
access to dn.regex="^([^,]+,)?ou=Idmap,dc=utiba$"
        attrs=entry,children,sambaIdmapEntry
        by dn.exact,expand="uid=root,ou=People,dc=utiba" write
        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by users read
        by anonymous read
# Allow users in the domain to add entries to the "global address book":
# For use with Evolution, the attrs list could be modified to be:
# attrs=children,entry,inetOrgPerson,evolutionperson,calEntry
# if evolutionperson.schema and calendar.schema are available
access to dn.regex="^([^,]+,)?ou=Contacts,ou=People,dc=utiba$"
       attrs=children,entry,inetOrgPerson
        by dn.sub,expand="ou=People,dc=utiba" write
        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
        by users read


On Fri, 2005-05-06 at 08:29 +0200, Pierangelo Masarati wrote:
> I suspect you didn't read slapd.access(5) carefully enough, and you 
> didn't understand the implications of some of the directives you're 
> using.  Your rules present many errors, some of which might just be 
> harmless, depending on the context.  I also suspect the ones you're 
> reporting are not the only ACLs defined in your slapd.conf.  Finally, 
> you don't indicate what version of OpenLDAP you're using.  It is always 
> a good practice to indicate it; when dealing with ACLs it becomes almost 
> mandatory before one can determine the reason for a given behavior.  
> Since much of the information necessary to exactly track your problem 
> is missing, I won't speculate on it; I'll rather wait for further 
> information.
> 
> p.
> 
> Dennis Matotek wrote:
> 
> >Hi all,
> >
> >I have a problem with slapd.access and dn.regex and sasl.
> >
> >Firstly sasl seems to need auth access to uid, userPassword, and
> >objectClass by * to authenticate and work. Is there any way of defining
> >this (ie, so everyone doesn't have auth access)?
> >
> >Secondly when I have this in my slapd.access file:
> >access to dn.subtree="ou=Utiba,ou=People,dc=utiba"
> >attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet,uid,objectClass
> >        by self write
> >        by dn.exact,expand="uid=root,ou=System,ou=People,dc=utiba" write
> >        by group.expand="cn=Domain Controllers,ou=Group,dc=utiba" write
> >        by group.expand="cn=Replicator,ou=Group,dc=utiba" write
> >        by * auth
> >
> >Authentication works.
> >
> >When I have:
> >access to dn.regex="^.+$"
> >with exactly the same attrs and by clauses as above it fails. I'm trying
> >to build a regex but it fails even at the most open. Can someone please
> >explain what's going on?
> >
> >here's the logs..
> >
> >when it fails
> >------------------------------------
> >access_allowed: auth access to "uid=dennis,ou=Utiba,ou=People,dc=utiba"
> >"uid" requested
> >May  6 11:28:41 blackops slapd[30775]: => dn: [1]
> >May  6 11:28:41 blackops slapd[30775]: => dn: [2] cn=subschema
> >May  6 11:28:41 blackops slapd[30775]: => dnpat: [3] ^.+$ nsub: 0
> >May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] matched
> >May  6 11:28:41 blackops slapd[30775]: => acl_get: [3] attr uid
> >May  6 11:28:41 blackops slapd[30775]: => acl_mask: access to entry
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
> >May  6 11:28:41 blackops slapd[30775]: => acl_mask: to value by "", (=n)
> >May  6 11:28:41 blackops slapd[30775]: <= acl_mask: no more <who>
> >clauses, returning =n (stop)
> >May  6 11:28:41 blackops slapd[30775]: => access_allowed: auth access
> >denied by =n
> >May  6 11:28:41 blackops slapd[30775]: <= test_filter 50
> >May  6 11:28:41 blackops slapd[30775]: bdb_search: 4605 does not match
> >filter
> >May  6 11:28:41 blackops slapd[30775]: send_ldap_result: conn=1 op=0 p=3
> >May  6 11:28:41 blackops slapd[30775]: send_ldap_result: err=0
> >matched="" text=""
> >May  6 11:28:41 blackops slapd[30775]: <==slap_sasl2dn: Converted SASL
> >name to <nothing>
> >May  6 11:28:41 blackops slapd[30775]: SASL Canonicalize [conn=1]:
> >slapAuthcDN="uid=dennis,cn=digest-md5,cn=auth"
> >May  6 11:28:41 blackops slapd[30775]: SASL Canonicalize [conn=1]:
> >authzid="dennis"
> >May  6 11:28:41 blackops slapd[30775]: SASL [conn=1] Failure: no secret
> >in database
> >---------------------------------
> >
> >when it works
> >---------------------------------
> >May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba" "uid" requested
> >May  6 11:34:56 blackops slapd[11754]: => dn: [1]
> >May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
> >May  6 11:34:56 blackops slapd[11754]: => dn: [3]
> >ou=utiba,ou=people,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
> >May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr uid
> >May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "uid" requested
> >May  6 11:34:56 blackops slapd[11754]: => acl_mask: to value by "", (=n)
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
> ><uid=root,ou=System,ou=People,dc=utiba>
> >May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
> ><uid=root,ou=system,ou=people,dc=utiba>
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
> >May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
> >auth(=x) (stop)
> >May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
> >May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
> >granted by auth(=x)
> >May  6 11:34:56 blackops slapd[11754]: <= test_filter 6
> >May  6 11:34:56 blackops slapd[11754]: send_ldap_result: conn=0 op=0 p=3
> >May  6 11:34:56 blackops slapd[11754]: send_ldap_result: err=0
> >matched="" text=""
> >May  6 11:34:56 blackops slapd[11754]: <==slap_sasl2dn: Converted SASL
> >name to uid=dennis,ou=utiba,ou=people,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: getdn: dn:id converted to
> >uid=dennis,ou=utiba,ou=people,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: SASL Canonicalize [conn=0]:
> >slapAuthcDN="uid=dennis,ou=utiba,ou=people,dc=utiba"
> >May  6 11:34:56 blackops slapd[11754]: => bdb_search
> >May  6 11:34:56 blackops slapd[11754]:
> >bdb_dn2entry("uid=dennis,ou=utiba,ou=people,dc=utiba")
> >May  6 11:34:56 blackops slapd[11754]: base_candidates: base:
> >"uid=dennis,ou=utiba,ou=people,dc=utiba" (0x000011fd)
> >May  6 11:34:56 blackops slapd[11754]: => test_filter
> >May  6 11:34:56 blackops slapd[11754]:     PRESENT
> >May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba" "objectClass" requested
> >May  6 11:34:56 blackops slapd[11754]: => dn: [1]
> >May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
> >May  6 11:34:56 blackops slapd[11754]: => dn: [3]
> >ou=utiba,ou=people,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
> >May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr objectClass
> >May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "objectClass" requested
> >May  6 11:34:56 blackops slapd[11754]: => acl_mask: to all values by "",
> >(=n)
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
> ><uid=root,ou=System,ou=People,dc=utiba>
> >May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
> ><uid=root,ou=system,ou=people,dc=utiba>
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
> >May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
> >auth(=x) (stop)
> >May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
> >May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
> >granted by auth(=x)
> >May  6 11:34:56 blackops slapd[11754]: <= test_filter 6
> >May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access to
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba" "userPassword" requested
> >May  6 11:34:56 blackops slapd[11754]: => dn: [1]
> >May  6 11:34:56 blackops slapd[11754]: => dn: [2] cn=subschema
> >May  6 11:34:56 blackops slapd[11754]: => dn: [3]
> >ou=utiba,ou=people,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] matched
> >May  6 11:34:56 blackops slapd[11754]: => acl_get: [3] attr userPassword
> >May  6 11:34:56 blackops slapd[11754]: => acl_mask: access to entry
> >"uid=dennis,ou=Utiba,ou=People,dc=utiba", attr "userPassword" requested
> >May  6 11:34:56 blackops slapd[11754]: => acl_mask: to all values by "",
> >(=n)
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: self
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => string_expand: pattern:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: => string_expand: expanded:
> >uid=root,ou=System,ou=People,dc=utiba
> >May  6 11:34:56 blackops slapd[11754]: >>> dnNormalize:
> ><uid=root,ou=System,ou=People,dc=utiba>
> >May  6 11:34:56 blackops slapd[11754]: <<< dnNormalize:
> ><uid=root,ou=system,ou=people,dc=utiba>
> >May  6 11:34:56 blackops slapd[11754]: <= check a_dn_pat: *
> >May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] applying
> >auth(=x) (stop)
> >May  6 11:34:56 blackops slapd[11754]: <= acl_mask: [5] mask: auth(=x)
> >May  6 11:34:56 blackops slapd[11754]: => access_allowed: auth access
> >granted by auth(=x)
> >May  6 11:34:56 blackops slapd[11754]: slap_auxprop:
> >str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
> >May  6 11:34:56 blackops slapd[11754]: send_ldap_result: conn=0 op=0 p=3
> >May  6 11:34:56 blackops slapd[11754]: send_ldap_result: err=0
> >matched="" text=""
> >May  6 11:34:56 blackops slapd[11754]: SASL Canonicalize [conn=0]:
> >authzid="dennis"
> >May  6 11:34:56 blackops slapd[11754]: SASL proxy authorize [conn=0]:
> >authcid="dennis" authzid="dennis"
> >May  6 11:34:56 blackops slapd[11754]: conn=0 op=1 BIND authcid="dennis"
> >May  6 11:34:56 blackops slapd[11754]: SASL Authorize [conn=0]:  proxy
> >authorization allowed
> >May  6 11:34:56 blackops slapd[11754]: send_ldap_sasl: err=0 len=40
> >May  6 11:34:56 blackops slapd[11754]: send_ldap_response: msgid=2
> >tag=97 err=0
> >May  6 11:34:56 blackops slapd[11754]: <== slap_sasl_bind: rc=0
> >May  6 11:34:56 blackops slapd[11754]: conn=0 op=1 BIND
> >dn="uid=dennis,ou=utiba,ou=people,dc=utiba" mech=DIGEST-MD5 ssf=128
> >May  6 11:34:56 blackops slapd[11754]: do_bind: SASL/DIGEST-MD5 bind:
> >dn="uid=dennis,ou=utiba,ou=people,dc=utiba" ssf=128
> >------------------------------------
> >
> >Regards,
> >
> >Dennis
> >
> >
> >-----------------
> >Utiba Pty Ltd 
> >This message has been scanned for viruses and
> >dangerous content by Utiba mail server and is 
> >believed to be clean.
> >  
> >
> 
> 
> 
>     SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

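The debug lines quoted above ("acl_get: [3] matched", "acl_mask: ... applying auth(=x) (stop)", "no more <who> clauses, returning =n") are slapd walking its access directives in order: the first `to` clause that selects the entry and attribute is chosen, then the first `by` clause that matches the requester decides the result, and a chosen directive with no matching `by` clause denies. The small model below, an added example written for this thread and not OpenLDAP's or the poster's code, reproduces that documented first-match evaluation so the regex patterns from the posted ACLs can be checked against a real DN before they go into slapd.conf. It assumes, as labelled in the comments, that lower-casing stands in for dnNormalize (the log shows normalized DNs in lower case), that `dn.regex` patterns are matched case-insensitively over the whole normalized DN, that access levels order none < auth < compare < search < read < write, and that `group.expand` clauses (which need a directory lookup) are not modelled. It says nothing about why the real server reported no <who> clauses on rule [3] in the failing run; it only shows what the patterns select. The DNs and the checks in `thread_examples` are constructed from the ACLs quoted in this thread.

```python
import re

# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Assumptions: lower-casing stands in for dnNormalize; dn.regex patterns are
# matched case-insensitively over the whole normalized DN; access levels are
# ordered none < auth < compare < search < read < write; group clauses are
# not modelled because they need a directory lookup.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def normalize(dn):
    """Stand-in for dnNormalize: lower-case and drop spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def what_matches(style, pattern, target_dn):
    """Does a 'to dn.<style>=<pattern>' clause select target_dn?"""
    t = normalize(target_dn)
    if style == "regex":
        return re.search(pattern, t, re.IGNORECASE) is not None
    p = normalize(pattern)
    if style == "exact":
        return t == p
    if style == "subtree":          # the entry itself or any descendant
        return t == p or t.endswith("," + p)
    if style == "children":         # descendants only
        return t.endswith("," + p)
    raise ValueError(style)


def who_matches(who, requester_dn, target_dn):
    """Does a '<who>' clause apply to requester_dn? '' means anonymous."""
    r = normalize(requester_dn)
    if who == "*":
        return True
    if who == "anonymous":
        return r == ""
    if who == "users":
        return r != ""
    if who == "self":
        return r != "" and r == normalize(target_dn)
    if who.startswith("dn.exact="):
        return r == normalize(who[len("dn.exact="):])
    raise ValueError(who)           # group.expand etc. are not modelled


def access_allowed(acls, requester_dn, target_dn, attr, requested):
    """Return (granted, trace) for the first-match evaluation slapd documents.

    acls: list of (style, pattern, attrs-or-None, [(who, level), ...]).
    """
    trace = []
    for idx, (style, pattern, attrs, by) in enumerate(acls, 1):
        if not what_matches(style, pattern, target_dn):
            continue
        if attrs is not None and attr not in attrs:
            continue                # 'to' selects the entry but not this attr
        trace.append(f"acl_get: [{idx}] matched, attr {attr}")
        for who, level in by:       # first matching <who> wins (control stop)
            if who_matches(who, requester_dn, target_dn):
                trace.append(f"acl_mask: [{idx}] applying {level} for {who!r}")
                return LEVELS.index(level) >= LEVELS.index(requested), trace
        trace.append(f"acl_mask: [{idx}] no more <who> clauses, returning none")
        return False, trace
    trace.append("no matching access directive")
    return False, trace


def thread_examples():
    """Checks built from the ACLs quoted in this thread (constructed input)."""
    dennis = "uid=dennis,ou=Utiba,ou=People,dc=utiba"
    root = "uid=root,ou=System,ou=People,dc=utiba"
    attrs = {"uid", "userPassword", "objectClass"}
    by = [("self", "write"), (f"dn.exact={root}", "write"), ("*", "auth")]
    acl_regex = [("regex", r"^.+$", attrs, by)]
    acl_subtree = [("subtree", "ou=Utiba,ou=People,dc=utiba", attrs, by)]
    return {
        # the anonymous SASL-to-DN lookup needs auth on uid; "* auth" grants it
        "regex_anon_auth": access_allowed(acl_regex, "", dennis, "uid", "auth")[0],
        "subtree_anon_auth": access_allowed(acl_subtree, "", dennis, "uid", "auth")[0],
        # auth does not imply read: anonymous cannot read userPassword
        "anon_read_pw": access_allowed(acl_subtree, "", dennis, "userPassword", "read")[0],
        "self_write_pw": access_allowed(acl_subtree, dennis, dennis, "userPassword", "write")[0],
        # the uid/uidNumber/gidNumber rule's pattern never selects a user entry
        "bad_regex": what_matches("regex", r"^([^,])?ou=Utiba,ou=People,([^dc=])$", dennis),
        "fixed_regex": what_matches("regex", r"^([^,]+,)?ou=Utiba,ou=People,dc=utiba$", dennis),
        # the "address book" rule ends in dc=uitba, so it selects no dc=utiba entry
        "typo_regex": what_matches("regex", r"([^,]+,)?ou=People,dc=uitba$", dennis),
    }


if __name__ == "__main__":
    for name, result in thread_examples().items():
        print(f"{name}: {result}")
    print("\n".join(access_allowed([("regex", r"^.+$", {"uid"}, [("*", "auth")])],
                                   "", "uid=dennis,ou=Utiba,ou=People,dc=utiba",
                                   "uid", "auth")[1]))
```

Running it prints the two regex findings that matter for the posted file: `bad_regex` is False because `[^,]` is a single non-comma character, so the pattern can never absorb the `uid=dennis,` RDN, and `typo_regex` is False because of the `dc=uitba` spelling. The `trace` list mirrors the order of the debug lines in the thread, which makes it easier to read a real `-d acl` log against the directive that produced it.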