[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: cannot authenticate as user himself



but in openldap 1.2.9-5 when i run the server in
debuggind mode i do see that acl checking is done .

--- Yoel Spotts <jds@vasco.com> wrote:
> In the source code for 1.x I saw no acl checking.
> 
> Yoel
> 
> shell b wrote:
> > 
> > hello sir,
> > 
> > u said that that in 1.x no acl checking was done
> on a
> > bind
> > 
> > this is not true i suppose or can u give me some
> > detatils of how did u assume it or have come to
> that
> > conclusion
> > 
> > please
> > let me know
> > 
> > --- Yoel Spotts <jds@vasco.com> wrote:
> > > Just as follow-up, I have done more
> investigation
> > > and discovered that
> > > disregarding the fact that op->o_dn and ndn are
> > > cleared by bind.c,
> > > op->o_dn and ndn are never set to user's dn
> until he
> > > authenticates. But
> > > of course that is too late! I further wondered
> why
> > > this worked in 1.x
> > > and not now and realized that in 1.x no acl
> checking
> > > was done on a bind.
> > > Am I off base?
> > >
> > > Yoel
> > >
> > > Yoel Spotts wrote:
> > > >
> > > > To all,
> > > >
> > > > I have an issue which I think is a bug, but
> would
> > > first like to present
> > > > it in "software" as the error might be my own:
> > > >
> > > > I am using openldap-2.0.7.
> > > >
> > > > I have the following line in my slapd.conf:
> > > >
> > > > access  to dn=".*,ou=users,o=top"
> > > >         by self write
> > > >
> > > > I get an LDAP_INSUFFICIENT_ACCESS when I try
> to
> > > bind as a user (lets say
> > > > "uid=yoel,ou=users,o=top"). (Yes, the password
> is
> > > correct). If I have
> > > > write permission, I should have auth
> permission.
> > > >
> > > > I have stepped through the process and have
> found
> > > the following:
> > > >
> > > > in acl.c in function acl_mask on line 398 (in
> the
> > > code I have) is where
> > > > the acl that I have set up is handled. On the
> next
> > > line, we make sure
> > > > op->o_ndn and op->o_dn are not NULL or empty
> > > strings. When I stepped
> > > > through using a debugger, these values were
> empty
> > > strings, even though
> > > > the dn should be "uid=yoel,ou=users,o=top".
> When I
> > > investigated a bit
> > > > further, I found that in /servers/slapd/bind.c
> > > toward the beginning of
> > > > the funciton, op->o_dn and op->o_ndn are
> cleared
> > > and set to empty
> > > > strings. I would imagine this is the reason
> the
> > > acl fails. Is it
> > > > possible that those should be the connection
> dn's,
> > > i.e. we should be
> > > > clearing conn->c_dn and conn->c_ndn?
> > > >
> > > > If anyone can help, let me know if I made a
> > > mistake or if I should post
> > > > this to the bugs list.
> > > >
> > > > Thanks,
> > > >
> > > > Yoel
> > > > --
> > > > Yoel Spotts                     yoel@vasco.com
> > > > VASCO Data Security, Inc.
> > > http://www.vasco.com
> > >
> > > --
> > > Yoel Spotts                   yoel@vasco.com
> > > VASCO Data Security, Inc.    
> http://www.vasco.com
> > 
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! Auctions - Buy the things you want at great
> prices! http://auctions.yahoo.com/
> 
> -- 
> Yoel Spotts			yoel@vasco.com
> VASCO Data Security, Inc.	http://www.vasco.com


__________________________________________________
Do You Yahoo!?
Yahoo! Auctions - Buy the things you want at great prices! http://auctions.yahoo.com/