Problem with ACL 'domain='
- To: openldap-software@OpenLDAP.org
- Subject: Problem with ACL 'domain='
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 22 Jul 2003 12:08:41 +0200
- Organization: LDAP/Kerberos expert wannabe
- User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
I'm setting up a 2.1.21 server at home, so I can test
the new server types...
The idea is/was to use ACIs in the database, so I don't
have to maintain a complicated ACL. The ACL I'm trying to
use is:
----- s n i p -----
# We need to do SASL auth, so the Root DSE must be readable to anyone
access to dn="" attr=supportedSASLMechanisms,objectClass,entry
by domain=.*\.bayour\.com read
by domain=localhost read
----- s n i p -----
This works if I use 'by * read'. I'm running the slapd on 192.168.1.4
and doing the search on the same host. Looking for supportedSASLMechanisms,
nothing is retrieved. The IP resolves correctly:
----- s n i p -----
[tuzjfi.tty2]$ host 192.168.1.4
4.1.168.192.in-addr.arpa domain name pointer tuzjfi.bayour.com.
[tuzjfi.tty2]$ host tuzjfi.bayour.com
tuzjfi.bayour.com has address 192.168.1.4
----- s n i p -----
Looking at 'cn=Connection 2,cn=Connections,cn=Monitor', the
following is shown:
----- s n i p -----
dn: cn=Connection 2,cn=Connections,cn=Monitor
description: 2 : 3 : 2/1/0/1 : 2/2/0 : rx : cn=anonymous : ldap:/// : unknown
: IP=192.168.1.4:1977 : IP=0.0.0.0:389 : 20030722095839Z : 20030722095839Z
----- s n i p -----
Running slapd in debug mode (-d -1) shows this snippet:
----- s n i p -----
conn=0 fd=18 ACCEPT from IP=192.168.1.4:1866 (IP=0.0.0.0:389)
[...]
=> test_filter
PRESENT
=> access_allowed: search access to "" "objectClass" requested
=> dn: [1]
=> acl_get: [1] matched
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl attr: objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_domain_pat: .*.bayour.com
=> string_expand: pattern: .*.bayour.com
=> string_expand: expanded: .*.bayour.com
=> regex_matches: string: unknown
=> regex_matches: rc: 1 no matches
<= check a_domain_pat: localhost
=> string_expand: pattern: localhost
=> string_expand: expanded: localhost
=> regex_matches: string: unknown
=> regex_matches: rc: 1 no matches
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: search access denied by =n
<= test_filter 50
----- s n i p -----
Now, both the monitor and the debug output claim 'unknown'... Why?
Starting slapd as 'slapd -h ldap://127.0.0.1:389/' (or ldap://0.0.0.0:389/),
the supportedSASLMechanisms is shown, but NOT if I'm leaving the '-h'
option out... Why?
Thanks for any help and explanation (I got it working by using
ldap://0.0.0.0:389/, but I'd like to know WHY :).
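The trace above shows what a 'by domain=' clause actually tests: the client's reverse-lookup name (here recorded as 'unknown') is run through a regex matcher against each pattern, and with no match the evaluation falls through to '=n'. The following Python model is an added example, not part of the original post and not OpenLDAP code; it reproduces that evaluation over a constructed, offline DNS table so the failure modes can be seen side by side. It assumes the pattern is applied as an unanchored, case-insensitive regex search (check that against slapd.access(5) for your version), and the hostnames 203.0.113.9, 203.0.113.10 and attacker.example are made up for the illustration. Two points it makes beyond the trace: the pattern as printed in the trace has lost its backslashes, so the dots are wildcards; and a domain= check is only as trustworthy as the PTR record the client's network operator publishes, so an unanchored pattern like '.*\.bayour\.com' also admits 'x.bayour.com.attacker.example', and even anchoring does not help against a spoofed PTR unless the name is forward-confirmed.

```python
import re

# Constructed stand-in for DNS. 192.168.1.4 / tuzjfi.bayour.com is the host from
# the post; the two 203.0.113.x entries are hypothetical attacker-controlled
# addresses whose PTR records the attacker chooses.
PTR_RECORDS = {
    "192.168.1.4": "tuzjfi.bayour.com",
    "203.0.113.9": "tuzjfi.bayour.com",                  # spoofed PTR, no matching A record
    "203.0.113.10": "tuzjfi.bayour.com.attacker.example",  # attacker's own zone, consistent A record
}
A_RECORDS = {
    "tuzjfi.bayour.com": "192.168.1.4",
    "tuzjfi.bayour.com.attacker.example": "203.0.113.10",
}

# The 'by domain=' clauses from the post: once as slapd printed them in the
# trace (backslashes gone, so '.' matches any character) and once as intended.
ACL_AS_PRINTED = [(".*.bayour.com", "read"), ("localhost", "read")]
ACL_INTENDED = [(r".*\.bayour\.com", "read"), ("localhost", "read")]


def reverse_lookup(ip):
    """Client domain as slapd records it: the PTR name, or 'unknown' when
    there is no reverse-lookup result (the value seen in the trace)."""
    return PTR_RECORDS.get(ip, "unknown")


def forward_confirmed(domain, ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    return A_RECORDS.get(domain) == ip


def domain_acl(domain, clauses, anchored=False):
    """Walk the 'by' clauses in order, first match wins, like acl_mask does.
    anchored=False models an unanchored regex search (assumed slapd behaviour);
    anchored=True is the hardened form, equivalent to wrapping the pattern in ^...$.
    Returns the access level, or 'none' when no clause matches (the '=n' result)."""
    for pattern, access in clauses:
        rx = re.compile(pattern, re.IGNORECASE)
        if rx.fullmatch(domain) if anchored else rx.search(domain):
            return access
    return "none"


def evaluate(ip, clauses, anchored=False, require_fcrdns=False):
    """Resolve the peer, optionally demand forward confirmation, then apply the ACL."""
    domain = reverse_lookup(ip)
    if require_fcrdns and domain != "unknown" and not forward_confirmed(domain, ip):
        domain = "unknown"  # treat an unconfirmed PTR as if there were no lookup at all
    return domain_acl(domain, clauses, anchored)


if __name__ == "__main__":
    print("trace case, domain 'unknown':", domain_acl("unknown", ACL_INTENDED))
    print("legit host:", evaluate("192.168.1.4", ACL_INTENDED))
    print("printed pattern vs 'ldap.bayourXcom':",
          domain_acl("ldap.bayourXcom", ACL_AS_PRINTED, anchored=True))
    print("suffix trick, unanchored:", evaluate("203.0.113.10", ACL_INTENDED))
    print("suffix trick, anchored:", evaluate("203.0.113.10", ACL_INTENDED, anchored=True))
    print("spoofed PTR, anchored only:", evaluate("203.0.113.9", ACL_INTENDED, anchored=True))
    print("spoofed PTR, anchored + FCrDNS:",
          evaluate("203.0.113.9", ACL_INTENDED, anchored=True, require_fcrdns=True))
```

Running it shows the trace result ('unknown' matches nothing, so access is 'none'), then the two hardening steps that are independent of each other: anchoring closes the suffix trick but not a spoofed PTR, forward confirmation closes the spoofed PTR but not the suffix trick, and only both together leave just the genuine 192.168.1.4 client with read access.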