
Re: ACL problems: (was: objectIdentifierMatch)





--On Wednesday, September 25, 2002 8:03 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

> Changed the subject as this has nothing to do with the
> objectIdentifierMatch issue previously reported.
>
> As far as debugging your problem, I suggest you examine
> logs to determine what's going on here.  Enabling ACL logging
> would likely be particularly informative.
>
> The only curious thing I see in your post is your comment:
>> I am a member of both ldapadmin, and supervisor.  Still,
>> with this setup, I cannot bind as either of them
>
> This implies you are not authenticating as yourself but as
> cn=supervisor,cn=applications,dc=stanford,dc=edu or
> cn=ldapadmin,cn=applications,dc=stanford,dc=edu
>
> Or maybe you are authenticating as yourself and assuming
> one of these identities.

Well, that is what <should> happen, but isn't happening. ;)

I think the problem lies within the fact that we are using SASL GSSAPI.

I've now exposed the sasl-regexp attributes to * read, and I now get the correct authcDN of suRegID=<my suRegID>. I've also tried exposing the member attribute to * read, but that does not solve the problem either.

do_bind: SASL/GSSAPI bind: dn="suRegID=85e49978f61311d2a3662436000baa77,cn=People,dc=stanford,dc=edu"

I've also allowed access to * by users search

My suRegID is a group member of Supervisor and of LdapAdmin.

# supervisor, Applications, stanford.edu
dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: supervisor
member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu


# ldapAdmin, Applications, stanford.edu
dn: cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=118217f4e76411d184232436000baa77,cn=People,dc=stanford,dc=edu


What I see in the logs when the ldapsearch goes through is that it is reporting that I'm not a member:

Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 248973 local4.debug] => bdb_group: gr dn: "cn=supervisor,cn=applications,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 231450 local4.debug] => bdb_group: op dn: "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 529798 local4.debug] => bdb_group: oc: "groupOfNames" at: "member"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 461965 local4.debug] => bdb_group: tr dn: "dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 749508 local4.debug] bdb_dn2entry_rw("cn=supervisor,cn=applications,dc=stanford,dc=edu")
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 157115 local4.debug] => bdb_dn2id( "cn=supervisor,cn=applications,dc=stanford,dc=edu" )
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 697587 local4.debug] <= bdb_dn2id: got id=0x00000005
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 548982 local4.debug] entry_decode: "cn=supervisor,cn=Applications,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 184541 local4.debug] <= entry_decode(cn=supervisor,cn=Applications,dc=stanford,dc=edu)
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 257784 local4.debug] => bdb_group: found group: "cn=supervisor,cn=applications,dc=stanford,dc=edu"
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 721865 local4.debug] <= bdb_group: found objectClass groupOfNames and member
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 114958 local4.debug] dnNormalize: <suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu>
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 631365 local4.debug] <= bdb_group: "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu" not in "cn=supervisor,cn=applications,dc=stanford,dc=edu": member
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 416987 local4.debug] ====> bdb_cache_return_entry_r( 5 ): created (0)
Sep 26 09:56:50 ldap2.Stanford.EDU slapd[16583]: [ID 340953 local4.debug] bdb_group: rc=1


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
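The group check slapd logs above is a string comparison: the operation's DN and each `member` value are run through dnNormalize and compared, so case differences such as `cn=Applications` versus `cn=applications` do not matter, but any other difference in the DN strings does. The script below is an added example, not code from the thread or from OpenLDAP: it replays that comparison offline against the group entries and the two decisive log lines exactly as they appear in the post, and reports, for every `bdb_group: ... not in ...` verdict, whether the exported LDIF agrees with the server. `normalize_dn()` is an assumed approximation of slapd's dnNormalize for caseIgnore attributes (lowercase, whitespace trimmed around separators), not the real implementation. Note that the DN in the `do_bind` line and the `member` values in the LDIF are not the same string in the post, so the script also checks the bind DN against the group with the same normalization.

```python
"""Replay slapd's groupOfNames membership test offline (added example).

The LDIF and log lines below are copied from the mailing-list post (syslog
prefixes dropped); normalize_dn() is an assumed approximation of slapd's
dnNormalize for caseIgnore attributes, not OpenLDAP's own code.
"""
import re

# Group entries as posted.
SAMPLE_LDIF = """\
dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: supervisor
member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu

dn: cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
member: suRegID=118217f4e76411d184232436000baa77,cn=People,dc=stanford,dc=edu
"""

# The do_bind line and the bdb_group verdict line as posted.
SAMPLE_LOG = [
    'do_bind: SASL/GSSAPI bind: dn="suRegID=85e49978f61311d2a3662436000baa77,cn=People,dc=stanford,dc=edu"',
    '<= bdb_group: "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"'
    ' not in "cn=supervisor,cn=applications,dc=stanford,dc=edu": member',
]

BIND_RE = re.compile(r'do_bind: .*? bind: dn="([^"]+)"')
GROUP_RE = re.compile(r'<= bdb_group: "([^"]+)" not in "([^"]+)": (\S+)')


def normalize_dn(dn):
    """Assumed approximation of dnNormalize for caseIgnore attributes:
    split on unescaped commas, lowercase types and values, trim whitespace."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, val = rdn.partition('=')
        parts.append(f"{attr.strip().lower()}={' '.join(val.split()).lower()}")
    return ','.join(parts)


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        attr, _, val = line.partition(': ')
        if attr == 'dn':
            current = entries.setdefault(normalize_dn(val), {})
        elif current is not None:
            current.setdefault(attr, []).append(val)
    return entries


def is_member(entries, group_dn, op_dn, attr='member'):
    """The same test bdb_group performs: groupOfNames entry found, and one
    normalized member value equals the normalized operation DN."""
    group = entries.get(normalize_dn(group_dn))
    if group is None or 'groupOfNames' not in group.get('objectClass', []):
        return False
    target = normalize_dn(op_dn)
    return any(normalize_dn(v) == target for v in group.get(attr, []))


def bind_dns(log_lines):
    """DNs established by do_bind lines, in order of appearance."""
    return [m.group(1) for l in log_lines if (m := BIND_RE.search(l))]


def group_check_failures(log_lines):
    """(op_dn, group_dn, attr) for every 'not in' verdict in the log."""
    return [m.groups() for l in log_lines if (m := GROUP_RE.search(l))]


def diagnose(ldif_text, log_lines):
    """For each failed group check, say whether the exported LDIF agrees with
    slapd and whether the bound DN would have passed the same test."""
    entries = parse_ldif(ldif_text)
    binds = bind_dns(log_lines)
    report = []
    for op_dn, group_dn, attr in group_check_failures(log_lines):
        report.append({
            "op_dn": op_dn,
            "group": group_dn,
            "attr": attr,
            "member_per_ldif": is_member(entries, group_dn, op_dn, attr),
            "bind_dn_is_member": any(is_member(entries, group_dn, b, attr) for b in binds),
        })
    return report


if __name__ == "__main__":
    for row in diagnose(SAMPLE_LDIF, SAMPLE_LOG):
        print(row)
```

A `member_per_ldif` of True next to a server verdict of "not in" means the data you exported and the data slapd compared are not the same thing, so the next step is to look at what the server actually holds and normalizes (the ACL syntax is not the problem). A `bind_dn_is_member` of False says the DN the bind produced would fail the check even if the entry were exactly as exported, which points back at the sasl-regexp mapping.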