
Re: OpenLDAP and SASL



Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:

> Dieter Kluenter wrote:
>
> Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:

>         access to attrs=userPassword
>                 by self write
>                 by anonymous auth
>                 by * none
>         access to dn.subtree="ou=System,dc=example,dc=com"
>                 by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
>                 by users read
>
>         access to *
>                 by self write
>                 by users read
>                 by * none

These access rules will not allow anonymous auth access to the basedn's
special attribute "entry",

> => hdb_dn2id("uid=matt,ou=users,dc=example,dc=com")
> <= hdb_dn2id: got id=0x5
> entry_decode: ""
> <= entry_decode()
> send_ldap_result: conn=0 op=1 p=3
> SASL [conn=0] Failure: no secret in database
> send_ldap_result: conn=0 op=1 p=3
> send_ldap_response: msgid=2 tag=97 err=49
> ber_flush2: 62 bytes to sd 16
> <== slap_sasl_bind: rc=49
[...]

SASL reports 'no secret in database'; check your access rules!
[...]

Please run slapd in debugging mode 'acl'; this will show you the applied
access rules. You should see something like this:

=> acl_mask: access to entry "o=avci,c=de", attr "entry" requested
=> acl_mask: to all values by "", (=0) 
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
[...]
=> acl_mask: access to entry "cn=admanager,o=avci,c=de", attr "objectClass" requested
=> acl_mask: to all values by "", (=0) 
<= check a_dn_pat: users
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
[...]
=> access_allowed: auth access to "cn=admanager,o=avci,c=de" "userPassword" requested
=> acl_get: [1] attr userPassword
[...]



-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
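The point of the reply is that the catch-all "access to *" clause ends in "by * none" with nothing for anonymous, so the internal lookup slapd performs during the SASL bind (which, as the acl debug output shows, is evaluated "by """, i.e. as anonymous) is denied auth access to the "entry" pseudo-attribute of uid=matt, and SASL never gets as far as the userPassword rule. The following script is an added example, not code from the thread or from OpenLDAP: it is a toy evaluator of slapd's documented ACL semantics (first matching "access to" clause, first matching "by" clause, implicit trailing "by * none"), fed the rules as posted and a corrected copy that adds "by anonymous auth" to the catch-all clause. The fix itself, the group-membership dict and the extra DNs used to exercise it (uid=bob, uid=alice, cn=backup) are my assumptions; only the "what" and "who" forms that occur in the posted rules are modelled.

```python
"""Toy slapd ACL evaluator (illustrative code, not slapd's own acl.c).
Modelled per slapd.access(5)/the Admin Guide: the first 'access to' clause whose
<what> matches is selected, the first matching 'by' clause in it decides the
level (default 'stop'), and the list ends with an implicit 'access to * by * none'."""
import shlex

# slapd access levels, weakest to strongest; a grant satisfies any request at
# the same or a lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The rules exactly as posted in the thread.
POSTED_ACL = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
        by users read
access to *
        by self write
        by users read
        by * none
"""

# Assumed fix: 'by anonymous auth' inserted into the catch-all clause (ahead of
# 'by * none'). The internal lookup during a SASL bind runs as anonymous and
# needs 'auth' on the entry itself; anonymous still gets no read access.
FIXED_ACL = POSTED_ACL.replace("        by users read\n        by * none",
                               "        by users read\n        by anonymous auth\n        by * none")

def norm(dn):
    """Case-fold a DN and strip blanks after commas (rough normalisation)."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_acl(text):
    """'access to <what>' / 'by <who> <level>' lines -> [(what, [(who, level), ...])]."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)   # copes with the quoted DNs
        if not tok:
            continue
        if tok[:2] == ["access", "to"]:
            rules.append((tok[2], []))
        elif tok[0] == "by" and rules:
            rules[-1][1].append((tok[1], tok[2]))
        else:
            raise ValueError("unsupported ACL line: " + line)
    return rules

def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[6:].split(",")]
    if what.startswith("dn.subtree="):
        base, dn = norm(what[11:]), norm(entry_dn)
        return dn == base or dn.endswith("," + base)
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bind_dn, entry_dn, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and norm(bind_dn) == norm(entry_dn)
    if who.startswith("group"):   # group/<objectClass>/<memberAttr>=<group DN>
        gdn = norm(who.split("=", 1)[1])
        members = {norm(m) for g, ms in groups.items() if norm(g) == gdn for m in ms}
        return norm(bind_dn) in members
    raise ValueError("unsupported <who>: " + who)

def granted(rules, bind_dn, entry_dn, attr, groups=None):
    """Level the first matching clause grants bind_dn ('' = anonymous) on
    (entry_dn, attr); groups maps group DN -> member DNs for 'by group/...'."""
    for what, bys in rules:
        if what_matches(what, entry_dn, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, entry_dn, groups or {}):
                    return level
            return "none"   # implicit trailing 'by * none'
    return "none"           # implicit trailing 'access to * by * none'

def allowed(rules, bind_dn, entry_dn, attr, requested, groups=None):
    return LEVELS.index(granted(rules, bind_dn, entry_dn, attr, groups)) >= LEVELS.index(requested)

if __name__ == "__main__":
    matt = "uid=matt,ou=users,dc=example,dc=com"
    for name, text in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        rules = parse_acl(text)
        print(name, "anonymous on entry:", granted(rules, "", matt, "entry"),
              "on userPassword:", granted(rules, "", matt, "userPassword"))
```

With the posted rules the evaluator returns "auth" for anonymous on userPassword but "none" on the entry itself, which is the state the "no secret in database" failure corresponds to; with the corrected catch-all it returns "auth" for both while anonymous read on the entry stays denied and authenticated users keep their read access. Note that the "ou=System" subtree is governed by its own earlier clause and, because evaluation stops at the first matching "access to", anonymous still cannot auth against entries there; apply the same "by anonymous auth" to that clause too if SASL identities live under it. The toy only decides what slapd -d acl would print as the applied mask; run the real slapd in acl debug mode to confirm on your own configuration.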