[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSSAPI Binds openldap 2.1.12

To: "Derek T. Yarnell" <derek@cs.umd.edu>
Subject: Re: GSSAPI Binds openldap 2.1.12
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 23 Jan 2003 11:24:55 -0800
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <20030123165649.GB24252@trypticon.cs.umd.edu>
References: <20030122195247.GG13330@trypticon.cs.umd.edu> <001e01c2c2a4$07bd3260$0e01a8c0@CELLO> <20030123165649.GB24252@trypticon.cs.umd.edu>

Derek,

I think you missed a bit of what Howard was saying... We are using GSSAPI quite extensively here @ Stanford with Openldap.

--On Thursday, January 23, 2003 11:56 AM -0500 "Derek T. Yarnell" <derek@cs.umd.edu> wrote:

Ok, let me explain a little more,

cn=staff,dc=csic,dc=umd,dc=edu

is the rootdn, so it should be able to see anything, anywhere.

uid=derek,ou=staff,dc=csic,dc=umd,dc=edu


Is this a typo? ou=staff != cn=staff that I know of.


is say a user, I want to be able to bind so that they could change certain
attributes on their dn.

so, my access rights right now is this,

access to attr=uid,uidNumber,gidNumber,homeDirectory,mailLocalAddress
        by dn="cn=staff,dc=csic,dc=umd,dc=edu"

I'm not sure the above is a valid statement. You are not specifying what type of access (read, write, etc). On top of that, you are saying that only the EXPLICIT dn "cn=staff,dc=csic,dc=umd,dc=edu" has this unknown access. If you want for your UID piece to have that access, you need to do dn.children (which will then allow the subtree access).

        by users read
access to attr=loginShell,gecos,cn,mailroutingaddress,mailHost
        by dn="cn=staff,dc=csic,dc=umd,dc=edu"


Same comment here.

On Howard's comment about access to *, you pretty much have to have that clause. By default, what you have right now, only the things listed does anyone have any type of access to. This means that nothing else has any types of access.

Here is our slapd.acl file for our replicas:

# $Id: slapd.acl,v 1.9 2003/01/03 17:13:37 quanah Exp $
# ACL include file for slapd
#
# this is for testing

access to dn.base=""
       by * read

access to * by dn.base="cn=replicator,cn=Applications,dc=stanford,dc=edu" write by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" read by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read by * break

access to attr=krb5PrincipalName,member
       by * search

access to attr=entry by dn="cn=StanfordMailRouter,cn=Applications,dc=stanford,dc=edu" read

access to dn.children="cn=Accounts,dc=stanford,dc=edu" attr=suSeasSunetID,suMailDrop by dn="cn=StanfordMailRouter,cn=Applications,dc=stanford,dc=edu" read


Note the dn.children line.

--Quanah

        by self write
        by users read

You would have to be authenticated to just read the attributes and some
you would be able to write to.

I would obviously like to do this with GSSAPI, so I don't need to put any
passwords, etc in the ldap database.

On Wed, Jan 22, 2003 at 09:55:15PM -0800, Howard Chu wrote:

You need to fix your ACLs. In the GSSAPI case, the log shows you bound as
  uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
while in the simple bind you used
  cn=staff,dc=csic,dc=umd,dc=edu

Clearly these are not the same, and your ACL only references the second
DN above.

Also, your ACL doesn't specify any rights for the cn=staff DN. Was that
just a cut/paste error?

Finally, you probably want an "access to *" clause after the other, to
assign privileges to everything else.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Derek T.
> Yarnell

> I am having a issue with getting my gssapi/sasl binds
> working. I was wondering
> if someone could give me a little insight,
>
> ldapsearch -Y GSSAPI -b 'dc=csic,dc=umd,dc=edu' '(uid=derek)'
>
> Here is the server output,
>
> Jan 22 14:43:36 queasy slapd[10595]: conn=0 fd=13 ACCEPT from
> IP=127.0.0.1:56125 (IP=0.0.0.0:389)
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=0 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=1 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND dn=""
> method=163
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 BIND authcid="derek"
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=2 AUTHZ
> dn="uid=derek,ou=staff,dc=csic,dc=umd,dc=edu" mech=GSSAPI ssf=56
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SRCH
> base="ou=staff,dc=csic,dc=umd,dc=edu" scope=2 filter="(uid=derek)"
> Jan 22 14:43:36 queasy slapd[10604]: <=
> bdb_equality_candidates: index_param failed (18)
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=3 SEARCH
> RESULT tag=101 err=0 nentries=0 text=
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 op=4 UNBIND
> Jan 22 14:43:36 queasy slapd[10604]: conn=0 fd=13 closed
>
> ----------------------------------------------------------
> derek@queasy:~> /csic/openldap/bin/ldapsearch -Y GSSAPI -b
> 'ou=staff,dc=csic,dc=umd,dc=edu' '(uid=derek)'
> SASL/GSSAPI authentication started
> SASL SSF: 56
> SASL installing layers
> # extended LDIF
> #
> # LDAPv3
> # base <ou=staff,dc=csic,dc=umd,dc=edu> with scope sub
> # filter: (uid=derek)
> # requesting: ALL
> #
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 1
> ----------------------------------------------------------
>
> But it doesn't return anything, but a normal bind will return
> something,
>
> ----------------------------------------------------------
> derek@queasy:~> /csic/openldap/bin/ldapsearch -x -D
> 'cn=staff,dc=csic,dc=umd,dc=edu' -b 'dc=csic,dc=umd,dc=edu'
> -W '(uid=derek)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=csic,dc=umd,dc=edu> with scope sub
> # filter: (uid=derek)
> # requesting: ALL
> #
>
> # derek, staff, csic.umd.edu
> dn: uid=derek,ou=staff,dc=csic,dc=umd,dc=edu
> objectClass: csicAccount
> objectClass: account
> cn: Derek Yarnell
> uid: derek
> uidNumber: 2174
> gidNumber: 10
> homeDirectory: /afs/csic/staff/derek
> loginShell: /bin/tcsh
> mailHost: cs.umd.edu
> mailRoutingAddress: derek@cs.umd.edu
> mailLocalAddress: derek@cs.umd.edu
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ----------------------------------------------------------
>
> here is my sasl-regex,
>
>
> sasl-regexp     uid=(.*),cn=gssapi,cn=auth
>                 uid=$1,ou=staff,dc=csic,dc=umd,dc=edu
>
>
> and the only other access control i have,
>
> access to attr=loginShell,gecos,cn,mailroutingaddress
>         by dn="cn=staff,dc=csic,dc=umd,dc=edu"
>         by self write
>         by users read
>
> thanks for any help.
>
>
> --
> ---
> Derek T. Yarnell
> University of Maryland
> Computer Science Department Unix Staff
> derek@cs.umd.edu
>


--
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- GSSAPI Binds openldap 2.1.12
  - From: "Derek T. Yarnell" <derek@cs.umd.edu>
- RE: GSSAPI Binds openldap 2.1.12
  - From: "Howard Chu" <hyc@highlandsun.com>
- Re: GSSAPI Binds openldap 2.1.12
  - From: "Derek T. Yarnell" <derek@cs.umd.edu>

Prev by Date: Re: Help! Redhat 7.2 GUI login as OpenLDAP client
Next by Date: Re: test my LDAP server ONLY using ssh?
Index(es):
- Chronological
- Thread