
RE: Anonymously binding despite '-U ....' to ldapsearch



Judging from your ACLs, you're still using the old format for SASL DNs. See
the 2.1 Admin Guide for details on the new SASL DN format.

In OpenLDAP 2.1.12, the SASL authorization DN is logged with the AUTHZ keyword
instead of BIND. This inconsistency has been fixed in 2.1.13, using BIND
throughout. So, one of the reasons you're not seeing the DN you expect is
that you're grepping for the wrong log message.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
> Fredriksson
> Sent: Wednesday, February 26, 2003 8:24 AM
> To: openldap-software@OpenLDAP.org
> Subject: Anonymously binding despite '-U ....' to ldapsearch
>
>
> I don't seem to be able to view 'secret' information in my
> new system. Object 'cn=admin' should have a userPassword entry,
> but I can't see it (except from 'slapcat')...
>
> ----- s n i p -----
> [majorskan.pts/2]$ ldapsearch -U turbo -LLL cn=admin  userPassword
> SASL/GSSAPI authentication started
> SASL username: turbo@BAYOUR.COM
> SASL SSF: 56
> SASL installing layers
> dn: cn=admin,dc=bayour,dc=com
> ----- s n i p -----
>
> Running slapd with '-d -1' shows:
> ----- s n i p -----
> majorskan:~# egrep 'BIND dn|_sasl_bind' /tmp/slapd-1.out
> do_sasl_bind: dn () mech GSSAPI
> conn=0 op=1 BIND dn="" method=163
> <== slap_sasl_bind: rc=14
> do_sasl_bind: dn () mech GSSAPI
> conn=0 op=2 BIND dn="" method=163
> <== slap_sasl_bind: rc=14
> do_sasl_bind: dn () mech GSSAPI
> conn=0 op=3 BIND dn="" method=163
> <== slap_sasl_bind: rc=0
> ----- s n i p -----
>
> Where's the DN!? I bind anonymously, why? I know that 2.1 of OpenLDAP
> is quite different, and I've looked through the mail archive, but I can't
> seem to find anything special...
>
>
> Software:
> OpenLDAP	v2.1.12
> Cyrus SASL	v2.1.12
> Berkeley DB	v4.1.25
>
> Supported SASL Mechanisms:
> ----- s n i p -----
> [majorskan.pts/2]$ ldapsearch -h localhost -x -b "" -s base
> -LLL supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: NTLM
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: CRAM-MD5
> ----- s n i p -----
>
> ACLs:
> ----- s n i p -----
> access to attribute=userPassword
>         by dn="cn=admin,dc=bayour,dc=com" write
>         by dn="uid=turbo\\+realm=BAYOUR.COM" write
>         by anonymous auth
>         by self write
>         by * none
>
> access to *
>         by dn="cn=admin,dc=bayour,dc=com" write
>         by dn="uid=turbo\\+realm=BAYOUR.COM" write
>         by * read
> ----- s n i p -----
>
> Kerberos ticket:
> ----- s n i p -----
> [majorskan.pts/2]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: turbo@BAYOUR.COM
>
> Valid starting     Expires            Service principal
> 02/26/03 16:24:58  02/27/03 02:24:56  krbtgt/BAYOUR.COM@BAYOUR.COM
> 02/26/03 16:25:00  02/27/03 02:24:56  ldap/majorskan.bayour.com@BAYOUR.COM
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
> ----- s n i p -----
>
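As an added example (not code from the thread or from OpenLDAP itself), the following Python script turns the two points in the reply into a check a practitioner can run over a saved `slapd -d -1` log: it correlates each `<== slap_sasl_bind: rc=` line with the preceding `conn=/op= BIND dn=` line (the rc line carries no conn/op of its own), picks up the authorization identity whether it is logged under `AUTHZ` (2.1.12) or `BIND` (2.1.13 and later), and flags `by dn=` ACL clauses still written in the pre-2.1 `uid=...+realm=...` style. The `conn=0` log lines are copied from the quoted message; the `conn=1` `AUTHZ` line, its field layout, and the lowercase `uid=turbo,cn=bayour.com,cn=gssapi,cn=auth` value are constructed assumptions following the 2.1 Admin Guide pattern `uid=<user>,cn=<realm>,cn=<mech>,cn=auth`.

```python
"""Find the SASL identity slapd actually authorized, and lint ACLs for
pre-2.1 SASL DN syntax.  Added example, not part of the thread or of OpenLDAP."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Line shapes.  MECH/BIND/RC match the log excerpt quoted in the thread;
# the AUTHZ layout is an assumption standing in for the 2.1.12 keyword.
MECH_RE = re.compile(r"^do_sasl_bind: dn \((.*?)\) mech (\S+)")
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
AUTHZ_RE = re.compile(r'^conn=(\d+) op=(\d+) AUTHZ dn="([^"]*)"')
RC_RE = re.compile(r"^<== slap_sasl_bind: rc=(\d+)")

LDAP_SUCCESS = 0
LDAP_SASL_BIND_IN_PROGRESS = 14  # rc=14: mechanism needs another round trip

# Old-style SASL DN as used in the poster's ACLs: uid=<user>+realm=<REALM>
OLD_SASL_DN_RE = re.compile(r'by\s+dn="([^"]*\+realm=[^"]*)"')


@dataclass
class BindOp:
    conn: int
    op: int
    mech: Optional[str] = None
    bind_dn: str = ""           # empty on every SASL BIND line: client not yet identified
    rc: Optional[int] = None
    authz_dn: Optional[str] = None


def parse_sasl_binds(lines: List[str]) -> Dict[Tuple[int, int], BindOp]:
    """Build {(conn, op): BindOp} from slapd -d -1 output lines."""
    ops: Dict[Tuple[int, int], BindOp] = {}
    pending_mech: Optional[str] = None
    current: Optional[BindOp] = None
    for raw in lines:
        line = raw.strip()
        m = MECH_RE.match(line)
        if m:
            pending_mech = m.group(2)       # do_sasl_bind precedes its BIND line
            continue
        m = BIND_RE.match(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            current = ops.setdefault(key, BindOp(*key))
            current.bind_dn = m.group(3)
            current.mech = pending_mech
            pending_mech = None
            continue
        m = RC_RE.match(line)
        if m and current is not None:
            current.rc = int(m.group(1))    # attach to the most recent BIND line
            continue
        m = AUTHZ_RE.match(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            ops.setdefault(key, BindOp(*key)).authz_dn = m.group(3)
    return ops


def effective_identity(ops: Dict[Tuple[int, int], BindOp], conn: int) -> Optional[str]:
    """DN the ACLs will evaluate for `conn`, or None if the log shows no identity.

    Prefers an AUTHZ DN (2.1.12 logging); otherwise accepts a non-empty BIND DN
    on a completed (rc=0) bind, which is where 2.1.13+ records it.  A completed
    bind with dn="" and no AUTHZ line means the grep missed the identity, not
    that the session is necessarily anonymous.
    """
    for bop in sorted((b for b in ops.values() if b.conn == conn),
                      key=lambda b: b.op, reverse=True):
        if bop.authz_dn:
            return bop.authz_dn
        if bop.rc == LDAP_SUCCESS and bop.bind_dn:
            return bop.bind_dn
    return None


def old_format_sasl_dns(acl_text: str) -> List[str]:
    """Return `by dn=` values in the pre-2.1 'uid=x+realm=Y' style.

    OpenLDAP 2.1 maps SASL identities to uid=<user>,cn=<realm>,cn=<mech>,cn=auth
    (2.1 Admin Guide), so these clauses never match a GSSAPI user."""
    return OLD_SASL_DN_RE.findall(acl_text)


# conn=0 lines copied from the thread; the conn=1 AUTHZ line is constructed.
SAMPLE_LOG = """\
do_sasl_bind: dn () mech GSSAPI
conn=0 op=1 BIND dn="" method=163
<== slap_sasl_bind: rc=14
do_sasl_bind: dn () mech GSSAPI
conn=0 op=2 BIND dn="" method=163
<== slap_sasl_bind: rc=14
do_sasl_bind: dn () mech GSSAPI
conn=0 op=3 BIND dn="" method=163
<== slap_sasl_bind: rc=0
conn=1 op=3 AUTHZ dn="uid=turbo,cn=bayour.com,cn=gssapi,cn=auth"
""".splitlines()

SAMPLE_ACL = r'''
access to attribute=userPassword
        by dn="cn=admin,dc=bayour,dc=com" write
        by dn="uid=turbo\\+realm=BAYOUR.COM" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="uid=turbo\\+realm=BAYOUR.COM" write
        by * read
'''

if __name__ == "__main__":
    ops = parse_sasl_binds(SAMPLE_LOG)
    for key in sorted(ops):
        b = ops[key]
        print(f"conn={b.conn} op={b.op} mech={b.mech} rc={b.rc} "
              f"bind_dn={b.bind_dn!r} authz_dn={b.authz_dn!r}")
    for conn in (0, 1):
        print(f"conn={conn}: identity = {effective_identity(ops, conn)}")
    for dn in old_format_sasl_dns(SAMPLE_ACL):
        print(f"ACL uses pre-2.1 SASL DN syntax: {dn}")
```

Run against a real log with `parse_sasl_binds(open("/tmp/slapd-1.out").readlines())`; a completed bind (rc=0) whose identity comes back as None is the signature of the grep mistake described in the reply.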