Re: Fwd: Trying to figure out access policies



At 10:35 AM 6/27/2006, Jason Lixfeld wrote:
>Ok, I think I'm making some headway, but I'm still a little confused.
>
>I didn't realize that by putting in an access entry to permit  
>specific stuff, you have to put other entries in for everything else  
>or else it's an implicit deny.  That being said, I modified my  
>slapd.conf as follows:
>
>access to attrs=userPassword
>        by self         write
>        by anonymous    auth
>        by *            none

The following by clause is not reached as the above "by *" applies. 
Order matters. 

>        by dn.exact="cn=proxyuser,dc=example,dc=ca" read
>
>access to *
>        by * read
>
>(also, I've tried variations on attrs and attr, as well as dn= and  
>dn.exact=, all to no avail)
>
>and I'm running slapd -d acl.
>
>Now, when I run the ldapsearch call, I get closer; that is, I get the  
>search DN returned to me, but I still don't get the password:
>
># ldapsearch -D "cn=proxyuser,dc=example,dc=ca" -b  
>'ou=auth,dc=example,dc=ca' -x -W '(uid=jlixfeld.example.ca)'  
>userPassword
>Enter LDAP Password:
># extended LDIF
>#
># LDAPv3
># base <ou=auth,dc=example,dc=ca> with scope subtree
># filter: (uid=jlixfeld.example.ca)
># requesting: userPassword
>#
>
># jlixfeld.example.ca, users, auth, example.ca
>dn: uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>#
>
>=> access_allowed: auth access to "cn=proxyuser,dc=example,dc=ca"  
>"userPassword" requested
>=> acl_get: [1] attr userPassword
>access_allowed: no res from state (userPassword)
>=> acl_mask: access to entry "cn=proxyuser,dc=example,dc=ca", attr  
>"userPassword" requested
>=> acl_mask: to value by "", (=0)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= acl_mask: [2] applying auth(=xd) (stop)
><= acl_mask: [2] mask: auth(=xd)
>=> access_allowed: auth access granted by auth(=xd)
>=> access_allowed: search access to  
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "uid"  
>requested
>=> acl_get: [2] attr uid
>=> acl_mask: access to entry  
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr  
>"uid" requested
>=> acl_mask: to value by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscxd) (stop)
><= acl_mask: [1] mask: read(=rscxd)
>=> access_allowed: search access granted by read(=rscxd)
>=> access_allowed: read access to  
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "entry"  
>requested
>=> acl_get: [2] attr entry
>=> acl_mask: access to entry  
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr  
>"entry" requested
>=> acl_mask: to all values by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscxd) (stop)
><= acl_mask: [1] mask: read(=rscxd)
>=> access_allowed: read access granted by read(=rscxd)
>=> access_allowed: read access to  
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca"  
>"userPassword" requested
>=> acl_get: [1] attr userPassword
>access_allowed: no res from state (userPassword)
>=> acl_mask: access to entry  
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr  
>"userPassword" requested
>=> acl_mask: to value by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= check a_dn_pat: *
><= acl_mask: [3] applying none(=0) (stop)
><= acl_mask: [3] mask: none(=0)
>=> access_allowed: read access denied by none(=0)
>send_search_entry: conn 9 access to attribute userPassword, value #0  
>not allowed
>
>Correct me if I'm wrong but the "read access denied by none"  
>indicates that the bind isn't happening as proxyuser?
>
>Also, what does "access_allowed: no res from state" mean?  It's the  
>only debug part that I can't quite decipher.
>
>Begin forwarded message:
>
>>From: Jason Lixfeld <jason+lists.openldap@lixfeld.ca>
>>Date: June 27, 2006 12:38:14 PM EDT (CA)
>>To: OpenLDAP software list <openldap-software@openldap.org>
>>Subject: Trying to figure out access policies
>>
>>I think I'm somewhat versed in the basics of OpenLDAP, but the  
>>concept of access policies eludes me because they are far beyond my  
>>current level of comprehension.  That being said, I'm doing some  
>>trial by fire to try to make sense of how they work and hopefully  
>>will then be able to relate some of what I read in the manual to  
>>what I've made happen in tests...
>>
>>I'm trying to get a proxyuser working so I don't have to do  
>>everything as Manager.
>>
>>I put this entry into my slapd.conf as per some tutorials I read:
>>
>>access to attrs=userPassword
>>       by dn="cn=Proxyuser,dc=example,dc=ca" read
>>
>>and likewise, these entries into my ldap.conf:
>>
>>binddn cn=Proxyuser,dc=example,dc=ca
>>bindpw ****
>>rootbinddn cn=Proxyuser,dc=example,dc=ca
>>
>>and finally, the Proxyuser password in /etc/ldap.secret.
>>
>>Being unsure if the lookups for ldap.conf and ldap.secret are in /etc or  
>>/usr/local/etc (using a FreeBSD system here), I symlinked each so they are  
>>available in both locations.
>>
>>After that was all said and done, I restarted slapd and tried to do  
>>a search using the proxyuser as the binddn:
>>
>># ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b  
>>'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword
>>Enter LDAP Password:
>>ldap_bind: Invalid credentials (49)
>>
>># all.log
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from  
>>IP=127.0.0.1:54632 (IP=0.0.0.0:389)
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND  
>>dn="cn=Proxyuser,dc=example,dc=ca" method=128
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97  
>>err=49 text=
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed  
>>(connection lost)
>>
>>It would seem to me that it's not complaining about the password,  
>>so I assume it's complaining about the access entry in slapd.conf.   
>>I removed the access entry from slapd.conf and was able to perform  
>>the same search as above without a problem.
>>
>>Anyone have any pointers on what I can look at as the source of  
>>this problem?
>>
>>Also, I'm a little confused about the difference between binddn and  
>>rootbinddn.  If I understand correctly, rootbinddn is the DN used  
>>to bind if the user executing the command is root, while binddn is  
>>the DN used to bind if the user executing the command is any user  
>>other than root.  Is this correct?  I ask because if I run  
>>ldapsearch as root with no additional arguments and check the logs,  
>>it seems to bind anonymously so I'm not sure if my understanding of  
>>binddn vs. rootbinddn is correct:
>>
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from  
>>IP=127.0.0.1:58244 (IP=0.0.0.0:389)
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0  
>>text=
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base=""  
>>scope=2 deref=0 filter="(objectClass=*)"
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT  
>>tag=101 err=32 nentries=0 text=
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed
>>
>>Thanks in advance for any insight on either or both of these points...
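The ordering point made in the reply, as an added example that is not from the original thread or from OpenLDAP itself: a small Python model of slapd's first-match "by" clause evaluation, run over the userPassword ACL exactly as posted and over the same clauses with the proxyuser clause moved ahead of "by *". The supported who patterns, the privilege ordering and the simplification to a single "access to" directive with no break/continue controls are my assumptions about slapd.access(5) semantics, not code from slapd.

```python
# Added illustration, not OpenLDAP's own code: a simplified model of how slapd
# walks the "by" clauses of a matching "access to" directive. The first clause
# whose <who> pattern matches the bound DN decides (an implicit "stop"), which
# is why "by * none" shadows the later "by dn.exact=... read" in the post.

# slapd privilege levels in increasing order; a grant at one level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def who_matches(who, bind_dn, target_dn):
    """Does a <who> pattern match the requester? (subset of slapd's patterns, assumed)"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        return bind_dn.lower() == who[len("dn.exact="):].strip('"').lower()
    raise ValueError(f"unsupported who pattern: {who}")

def effective_level(clauses, bind_dn, target_dn):
    """Walk (who, level) clauses in order; the first match wins, otherwise 'none'."""
    for who, level in clauses:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"          # nothing matched: implicit deny

def allowed(clauses, bind_dn, target_dn, wanted):
    """True when the deciding clause grants at least the wanted level."""
    return LEVELS.index(effective_level(clauses, bind_dn, target_dn)) >= LEVELS.index(wanted)

PROXY = 'cn=proxyuser,dc=example,dc=ca'
USER = 'uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca'

# "access to attrs=userPassword" clauses exactly as posted: the catch-all comes first.
AS_POSTED = [("self", "write"), ("anonymous", "auth"), ("*", "none"),
             (f'dn.exact="{PROXY}"', "read")]
# Same clauses with the proxyuser clause moved ahead of "by *".
REORDERED = [("self", "write"), ("anonymous", "auth"),
             (f'dn.exact="{PROXY}"', "read"), ("*", "none")]

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(f"{name}: proxyuser reading userPassword ->",
              effective_level(acl, PROXY, USER))
```

Run as posted, the proxyuser falls through to "by * none", matching the "read access denied by none(=0)" line in the acl debug output; anonymous still stops at "by anonymous auth", matching the "auth(=xd)" line.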