[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Slave/Replica server authentication/authorization question

--On Wednesday, February 25, 2004 3:31 PM -0600 "Aaron M. Hirsch" <Aaron.Hirsch@atosorigin.com> wrote:

Hash: SHA1

Here are my ACL's on my master server...

access to attrs=userPassword,telephoneNumber,mobile,mail
~     by self write
~     by anonymous auth
~     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
~     by * none

access to *
~     by group.base="cn=ldapAdmin,dc=cellnet,dc=com" write
~     by * read

However whenever I try to use these in the slave/replica, minus the
group.base entries, I can no longer log into my Linux machines.  When
I remove all ACL's from the slave/replica then logins work again.  So,
I'm really drawing blanks!  I'm wondering if I need to add the replica
user to the ACL's but am not sure that would help.

Back to digging... :)

Well, that makes sense to me. You are saying that the attribute userPassword is readable by nobody, so how can a server that is connecting check that attribute to verify login capability? I think you'd need at least compare on userpassword for anonymous (but I'm not sure, since we use Kerberos instead of passwords in the directory).


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html