[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL Headaches

To: <openldap-software@OpenLDAP.org>
Subject: ACL Headaches
From: "Bennett, Silas \(GE Infrastructure\)" <Silas.Bennett@ge.com>
Date: Wed, 21 Sep 2005 15:51:28 -0400
Content-class: urn:content-classes:message
Thread-index: AcW+5lg5u9M3QuCQT66fJzwM0Ts9yw==
Thread-topic: ACL Headaches

Hi All,

I am trying to set up openLDAP with Kerberos5 for authentication. I found and followed the _excellent_ howto by Turbo Fredriksson at http://www.bayour.com/LDAPv3-HOWTO.html and almost every thing is working. I can browse, search, & modify the LDAP database using:
	rootdn "cn=ldapadmin,dc=qm"
	rootpw {KERBEROS} ldapadmin@QM

SASL is set up to use GSSAPI correctly, since the following password also works:

	rootpw {SASL} ldapadmin

I am however having a couple of problems. First I cannot succsesfully bind as a user other than the rootdn, and second I cannot bind with write access using any auth method other than simple. I am not sure what I am doing wrong, although I suspect that the issue is with my ACL. I would greatly appreciate any help that is offered.


###############
## Shell Stuff ###
###############

silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: ldapadmin@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
        additional info: no write access to parent


silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "cn=ldapadmin,dc=qm" -Y gssapi -a -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: ldapadmin@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
        additional info: no write access to parent


silasb@dm:/etc/ldap/ldifs$ kinit silasb
Password for silasb@QM:


silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: silasb@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
        additional info: no write access to parent


silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "uid=silasb,ou=people,dc=qm" -a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: silasb@QM
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
        additional info: no write access to parent



silasb@dm:/etc/ldap/ldifs$ ldapmodify -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "uid=silasb,ou=people,dc=qm" -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


silasb@dm:/etc/ldap/ldifs$ ldapmodify -D "cn=ldapadmin,dc=qm" -a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
adding new entry "uid=hoke, ou=people, dc=qm"

#################
## End Shell Stuff ##
#################

This would suggest that the keberos authentication is working correctly, but my openLDAP ACL's are screwed up. Quite possible as I am a new to openLDAP. Here is my slapd.access file:

################
## slapd.access ##
################

olcAccess: to dn=".*,dc=qm"
        by dn="cn=ldapadmin,dc=qm" write
        by dn="uid=ldapadmin" write
        by dn="uid=ldapadmin@QM" write
        by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
        by dn="uid=ldapadmin.+\+realm=QM" write
        by dn="uid=silasb" write
        by dn="uid=silasb@QM" write
        by dn="uid=silasb.+\+realm=QM" write
        by self write
        by users read
#       by * read


olcAccess: to dn.base=""
       by dn="cn=ldapadmin,dc=qm" write
       by dn="uid=ldapadmin" write
       by dn="uid=ldapadmin@QM" write
       by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
       by dn="uid=ldapadmin.+\+realm=QM" write
       by dn="uid=silasb" write
       by dn="uid=silasb@QM" write
       by dn="uid=silasb.+\+realm=QM" write
       by self write
       by * read


# The admin dn has full write access, everyone else
# can read everything.
olcAccess: to *
        by dn="cn=ldapadmin,dc=qm" write
        by dn="uid=ldapadmin" write
        by dn="uid=ldapadmin@QM" write
        by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
        by dn="uid=ldapadmin.+\+realm=QM" write
        by dn="uid=silasb" write
        by dn="uid=silasb@QM" write
        by dn="uid=silasb.+\+realm=QM" write
#       by self write
        by * read

Follow-Ups:
- Re: ACL Headaches
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: ACL Headaches
  - From: Karsten Gorling <kgorling@physik.TU-Berlin.DE>
- Re: ACL Headaches
  - From: Karsten Gorling <kgorling@physik.tu-berlin.de>

Prev by Date: Re: OpenLDAP + RHEL4 - time to time database crash (BDB backend)
Next by Date: Re: OpenLDAP + RHEL4 - time to time database crash (BDB backend)
Index(es):
- Chronological
- Thread