Re: ACL problem
Thank you for your reply.
You are right, the problem was the order of the ACLs.
Thank you for the support.
On Thu, Dec 24, 2009 at 2:56 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
> Il Neofita wrote:
>> Hi
>> I deleted everything and did everything from scratch, but I have the
>> same problem.
>> I am using RH 5.4.
>>
>
> Hello,
>
> I have no idea what the problem might be. Yet, I've noticed you don't
> have HASH type prefix to your passwords, and it should be there.
>
> userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
> XXX
> userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
>
> The next thing I can suggest is to strip all ACLs except the basic ones
> and build up, build up...
> I'd also move attrs=userPassword up in the tree, as ACL ends when the
> first match is found. Thus it's possible this ACL is never matched.
>
> Regards,
> Zdenek
>
>
>> I am posting my configuration
>> slapd.conf
>> include /etc/openldap/schema/core.schema
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> include /etc/openldap/schema/misc.schema
>> include /etc/openldap/schema/openldap.schema
>> include /etc/openldap/schema/redhat/autofs.schema
>> include /etc/openldap/schema/pykota.schema
>>
>> allow bind_v2
>> loglevel 128
>>
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>>
>> access to dn.subtree="ou=PyKota,dc=test,dc=xx"
>> by dn="cn=pykotaadmin,dc=test,dc=xx" write
>> access to dn.subtree="ou=people,dc=test,dc=xx"
>> by dn="cn=mmm,dc=test,dc=xx" manage
>> by dn="cn=pykotaadmin,dc=test,dc=xx" manage
>> by * read
>> access to dn.subtree="ou=Groups,dc=test,dc=xx"
>> by dn="cn=pykotaadmin,dc=test,dc=xx" write
>>
>> access to *
>> by self write
>> by users read
>> by * none
>>
>> access to attrs=userPassword
>> by self =w
>> by anonymous auth
>>
>> database bdb
>> suffix "dc=test,dc=xx"
>> rootdn "cn=admin,dc=test,dc=xx"
>> rootpw {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
>>
>> directory /var/lib/ldap
>>
>> index objectClass eq,pres
>> index ou,cn,mail,surname,givenname eq,pres,sub
>> index uidNumber,gidNumber,loginShell eq,pres
>> index uid,memberUid eq,pres,sub
>> index nisMapName,nisMapEntry eq,pres,sub
>> index pykotaUserName pres,eq,sub
>> index pykotaGroupName pres,eq,sub
>> index pykotaPrinterName pres,eq,sub
>> index pykotaBillingCode pres,eq,sub
>> index pykotaLastJobIdent eq
>>
>>
>> my ldif
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=test,dc=xx> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # test.xx
>> dn: dc=test,dc=xx
>> objectClass: dcObject
>> objectClass: organization
>> o: Directory Server
>> dc:: dGVzdCA=
>>
>> # admin, test.xx
>> dn: cn=admin,dc=test,dc=xx
>> objectClass: organizationalRole
>> objectClass: posixAccount
>> cn:: YWRtaW4g
>> gidNumber: 500
>> homeDirectory: /home/admin
>> uid: admin
>> uidNumber: 500
>>
>> # mmm, test.xx
>> dn: cn=mmm,dc=test,dc=xx
>> cn:: bW1tIA==
>> sn: mmm
>> objectClass: person
>> objectClass: top
>> userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
>>
>> # people, test.xx
>> dn: ou=people,dc=test,dc=xx
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: people
>> description: Fictional example organizational unit
>>
>> # bjensen, people, test.xx
>> dn: uid=bjensen,ou=people,dc=test,dc=xx
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> cn: Babs Jensen
>> sn: Jensen
>> givenName: Babs
>> uid: bjensen
>> ou: people
>> description: Fictional example person
>> telephoneNumber: 555-5557
>> userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 6
>> # numEntries: 5
>>
>>
>> And this is the log:
>> Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access to "cn=mmm,dc=test,dc=xx" "userPassword" requested
>> Dec 22 09:42:07 sim slapd[11187]: => dn: [1] ou=pykota,dc=test,dc=xx
>> Dec 22 09:42:07 sim slapd[11187]: => dn: [2] ou=people,dc=test,dc=xx
>> Dec 22 09:42:07 sim slapd[11187]: => dn: [3] ou=groups,dc=test,dc=xx
>> Dec 22 09:42:07 sim slapd[11187]: => acl_get: [4] attr userPassword
>> Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state (userPassword)
>> Dec 22 09:42:07 sim slapd[11187]: => acl_mask: access to entry "cn=mmm,dc=test,dc=xx", attr "userPassword" requested
>> Dec 22 09:42:07 sim slapd[11187]: => acl_mask: to value by "", (=0)
>> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: self
>> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: users
>> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: *
>> Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] applying none(=0) (stop)
>> Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] mask: none(=0)
>> Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access denied by none(=0)
>>
>>
>> Thank you
>>
>> On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
>>> Il Neofita wrote:
>>>> Hi
>>> Hello,
>>>
>>>> I am new and probably I am facing a very basic error
>>>>
>>>> I am trying to create an admin for a subset
>>>>
>>>> I create this ldif
>>>> dn: cn=mmmm,dc=test,dc=xx
>>>> cn: mmmm
>>>> sn: mmmm
>>>> objectClass: person
>>>> objectClass: top
>>>> userPassword: test
>>>>
>>> If you added it exactly like this-
>>> 1] delete dn: cn=mmmm,dc=test,dc=xx
>>> 2] use % slappasswd; to generate password HASH
>>> 3] add DN again
>>>
>>> --- SNIP ---
>>> slappasswd -s test
>>> {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
>>> --- SNIP ---
>>> --- SNIP ---
>>> dn: cn=mmmm,dc=test,dc=xx
>>> cn: mmmm
>>> sn: mmmm
>>> objectClass: person
>>> objectClass: top
>>> userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
>>> --- SNIP ---
>>>
>>> Just a morning loto :)
>>>
>>> Regards,
>>> Zdenek
>>>
>>>> then on slapd.conf
>>>>
>>>> ...
>>>> access to dn.subtree="ou=people,dc=test,dc=xx"
>>>> by dn="cn=mmmm,dc=test,dc=xx" write
>>>> by * read
>>>> ...
>>>>
>>>> Restarted ldap
>>>>
>>>> ldapsearch -x -D "cn=mmmm,dc=test,dc=xx" -W '(objectclass=*)'
>>>> ldap_bind: Invalid credentials (49)
>>>>
>>>> What am I doing wrong?
>>>
>>> --
>>> Zdenek Styblik
>>> Net/Linux admin
>>> OS TurnovFree.net
>>> email: stybla@turnovfree.net
>>> jabber: stybla@jabber.turnovfree.net
>>>
>
>
> --
> Zdenek Styblik
> Net/Linux admin
> OS TurnovFree.net
> email: stybla@turnovfree.net
> jabber: stybla@jabber.turnovfree.net
>
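The evaluation rule Zdenek points at is the whole story here: slapd consults only the first `access to` clause whose target matches the entry and attribute, and inside it only the first matching `by` clause (the default `stop` control). In the posted slapd.conf the `access to *` clause with `by * none` comes before `access to attrs=userPassword`, so an anonymous simple bind as cn=mmm is denied `auth` on userPassword before the password clause is ever reached, which is what the `[3] applying none(=0) (stop)` log line records. The small Python model below is an added illustration for this thread, not OpenLDAP code and not from anyone in the discussion; it supports only the `dn.subtree`, `attrs` and `who` forms that appear in the posted configuration, and the clause order named FIXED_ORDER (password clause moved to the top of the list) is my own rearrangement.

```python
"""
Toy model of slapd's access-list walk (added example, not OpenLDAP code).
  1. the first "access to" clause whose target matches is the only one consulted;
  2. inside it the first matching "by" clause decides (default "stop");
  3. every clause ends with an implicit "by * none", and the list with an
     implicit "access to * by * none".
"""
from dataclasses import dataclass, field
from typing import Optional

# Privilege letters behind slapd's cumulative access levels.
LEVEL_PRIVS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
    "search": "dxcs", "read": "dxcsr", "write": "dxcsrw", "manage": "dxcsrwm",
}
# The single privilege each requested operation needs.
NEEDS = {"disclose": "d", "auth": "x", "compare": "c", "search": "s",
         "read": "r", "write": "w", "manage": "m"}


def privileges(level: str) -> set:
    """'=w'-style levels grant exactly the listed letters, nothing implied."""
    if level.startswith("="):
        return set(level[1:])
    return set(LEVEL_PRIVS[level])


@dataclass
class By:
    who: str      # "*", "anonymous", "users", "self" or 'dn="<exact dn>"'
    level: str    # "none", "auth", "read", "write", "manage", "=w", ...


@dataclass
class Access:
    subtree: Optional[str] = None   # dn.subtree="..." target; None = any entry
    attrs: Optional[set] = None     # attrs=... target; None = any attribute
    by: list = field(default_factory=list)


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def who_matches(by: By, bind_dn: Optional[str], entry_dn: str) -> bool:
    """bind_dn is None for an anonymous connection (which is what a bind is)."""
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return bind_dn is None
    if by.who == "users":
        return bind_dn is not None
    if by.who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if by.who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == by.who[3:].strip('"').lower()
    raise ValueError(f"unsupported <who> clause: {by.who}")


def access_allowed(acls, bind_dn, entry_dn, attr, wanted):
    """Return (allowed, 1-based index of the clause that decided, level applied)."""
    for idx, rule in enumerate(acls, start=1):
        if rule.subtree is not None and not in_subtree(entry_dn, rule.subtree):
            continue
        if rule.attrs is not None and attr.lower() not in {a.lower() for a in rule.attrs}:
            continue
        # This clause owns the decision; later clauses are never consulted.
        for by in rule.by:
            if who_matches(by, bind_dn, entry_dn):
                return NEEDS[wanted] in privileges(by.level), idx, by.level
        return False, idx, "none"          # implicit trailing "by * none"
    return False, None, "none"             # implicit "access to * by * none"


# The clauses from the posted slapd.conf, in the posted order.
PYKOTA = Access(subtree="ou=PyKota,dc=test,dc=xx",
                by=[By('dn="cn=pykotaadmin,dc=test,dc=xx"', "write")])
PEOPLE = Access(subtree="ou=people,dc=test,dc=xx",
                by=[By('dn="cn=mmm,dc=test,dc=xx"', "manage"),
                    By('dn="cn=pykotaadmin,dc=test,dc=xx"', "manage"),
                    By("*", "read")])
GROUPS = Access(subtree="ou=Groups,dc=test,dc=xx",
                by=[By('dn="cn=pykotaadmin,dc=test,dc=xx"', "write")])
CATCH_ALL = Access(by=[By("self", "write"), By("users", "read"), By("*", "none")])
PASSWORD = Access(attrs={"userPassword"}, by=[By("self", "=w"), By("anonymous", "auth")])

POSTED_ORDER = [PYKOTA, PEOPLE, GROUPS, CATCH_ALL, PASSWORD]
FIXED_ORDER = [PASSWORD, PYKOTA, PEOPLE, GROUPS, CATCH_ALL]   # assumed fix: password clause first


def simple_bind_check(acls):
    """A simple bind as cn=mmm needs anonymous 'auth' access to its userPassword."""
    return access_allowed(acls, None, "cn=mmm,dc=test,dc=xx", "userPassword", "auth")


if __name__ == "__main__":
    for name, acls in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        ok, idx, level = simple_bind_check(acls)
        print(f"{name:6}: clause #{idx} applied {level!r} -> {'allowed' if ok else 'denied'}")
```

Running it reports the posted order denying the bind at clause 4 (`access to *`) and the rearranged order allowing it at clause 1. The same first-match rule cuts the other way in the posted file: the `ou=people` clause also precedes the password clause and ends in `by * read`, so the model grants anonymous `read` on `userPassword` of entries under ou=people. Putting `access to attrs=userPassword` at the very top closes that as well, at the cost that any administrator who must set passwords there has to be named in that clause's own `by` list, since its implicit `by * none` now wins for everyone else.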