ENC: ENC: RES: sasl proxy authorization and regexp
- To: <openldap-software@OpenLDAP.org>
- Subject: ENC: ENC: RES: sasl proxy authorization and regexp
- From: "Raissa Dantas Freire de Medeiros" <raissad@ucb.br>
- Date: Fri, 26 Mar 2004 16:47:14 -0300
- Content-class: urn:content-classes:message
- Thread-index: AcQTXpF8mbOxPWyqT1WDTrNYig7xRwACu93l
- Thread-topic: ENC: RES: sasl proxy authorization and regexp
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Fri 26/3/2004 15:10
To: Raissa Dantas Freire de Medeiros
Cc: openldap-software@OpenLDAP.org
Subject: Re: ENC: RES: sasl proxy authorization and regexp
> Hello!
>
> I am using the 2.2.5 version. The log is below.
>
> I modified my user Joao to the following:
>
> dn: uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br
> changetype: modify
> replace: saslAuthzTo
> saslAuthzTo: dn.regex:uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br
>
> I am trying to execute the command:
>
> ldapadd -f ./ucb3.ldif -U joao@ares.cesmic.ucb.br -X
> "dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" -Y DIGEST-MD5
>
> And the error is:
>
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
> additional info: SASL(-14): authorization failure: not
> authorized
>
> I have the ACL "access to * by
> dn.base="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write" in my
> slapd.conf.
This seems to be a poor ACL, because anonymous can't bind.
You should use
access to attrs=userPassword
by * auth
(you may add write permission to someone, if needed,
e.g. by self or so) and then
access to *
by dn.exact="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write
Ok, that was just one of my ACLs. I've already had the ACLs you suggested. Anyway, no success with the regular expression.
Try this and let me know. A detailed log of the server,
especially of the saslauthz phase, would help as well.
But I don't think you'll get there, without anonymous
auth permission.
Here is the log.
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=359
SASL [conn=0] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=0]: authcid="joao@ares.cesmic.ucb.br"
slap_sasl_getdn: id=joao@ares.cesmic.ucb.br [len=23]
getdn: u:id converted to uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth,272)=0
<<< dnNormalize: <uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth"
SASL Canonicalize [conn=0]: authzid="dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br"
slap_sasl_getdn: id=dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br [len=49]
>>> dnNormalize: <uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br>
=> ldap_bv2dn(uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br,0)
<= ldap_bv2dn(uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br,272)=0
<<< dnNormalize: <uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br>
==>slap_sasl2dn: converting SASL name uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br to a DN
slap_sasl_regexp: converting SASL name uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authzDN="uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br"
SASL Authorize [conn=0]: authcid="joao@ares.cesmic.ucb.br" authzid="dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br"
==>slap_sasl_authorized: can uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth become uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br?
==>slap_sasl_check_authz: does uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br match saslAuthzTo rule in uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth?
<==slap_sasl_check_authz: saslAuthzTo check returning 32
<== slap_sasl_authorized: return 48
SASL Authorize [conn=0]: authorization disallowed (48)
SASL [conn=0] Failure: not authorized
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
ber_flush: 62 bytes to sd 10
0000: 30 3c 02 01 02 61 37 0a 01 32 04 00 04 30 53 41 0<...a7..2...0SA
0010: 53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69 SL(-14): authori
0020: 7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 zation failure:
0030: 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 not authorized
ldap_write: want=62, written=62
0000: 30 3c 02 01 02 61 37 0a 01 32 04 00 04 30 53 41 0<...a7..2...0SA
0010: 53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69 SL(-14): authori
0020: 7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 zation failure:
0030: 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 not authorized
<== slap_sasl_bind: rc=50
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
daemon: removing 10
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
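As an added illustration (not code from this thread or from OpenLDAP itself), the following Python model walks through the three steps the log above shows: slap_sasl2dn mapping the SASL authentication identity to a DN, slap_sasl_check_authz looking up saslAuthzTo in that entry, and the dn.regex rule being tested against the normalized authorization DN. The directory contents, the sasl-regexp rule and the case-insensitive matching are assumptions made for the example.

```python
import re

# Constructed sample directory, keyed by normalized (lower-cased) DN as the
# log prints them. uid=joao carries the saslAuthzTo value from the thread.
DIRECTORY = {
    "uid=joao,cn=alunos,cn=campusii,dc=ucb,dc=br": {
        "saslAuthzTo": ["dn.regex:uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br"],
    },
    "uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br": {},
}

NO_SUCH_OBJECT = 32       # the "saslAuthzTo check returning 32" in the log
INSUFFICIENT_ACCESS = 50  # the err=50 the client finally receives

def normalize(dn):
    # Crude stand-in for dnNormalize: trim around commas and lower-case.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def sasl2dn(sasl_name, regexps):
    # Model of slap_sasl2dn: the first (pattern, replacement) pair that
    # matches the cn=auth identity rewrites it; no match yields <nothing>.
    for pattern, replacement in regexps:
        m = re.match(pattern, sasl_name, re.IGNORECASE)
        if m:
            return normalize(m.expand(replacement))
    return None

def check_authz_to(authc_dn, authz_dn):
    # Model of slap_sasl_check_authz: read saslAuthzTo from the entry named
    # by the authentication DN, then test each dn.regex rule.
    entry = DIRECTORY.get(normalize(authc_dn))
    if entry is None:
        return NO_SUCH_OBJECT  # the cn=auth pseudo-DN is not a real entry
    for rule in entry.get("saslAuthzTo", []):
        if rule.startswith("dn.regex:"):
            pattern = rule[len("dn.regex:"):]
            # Assumption: rules match case-insensitively on the normalized DN.
            if re.match(pattern, normalize(authz_dn), re.IGNORECASE):
                return 0
    return INSUFFICIENT_ACCESS

def proxy_authorize(sasl_authc, authz_dn, regexps):
    # Result code a SASL bind asking for -X dn:<authz_dn> gets in this model.
    mapped = sasl2dn(sasl_authc, regexps)
    authc_dn = mapped if mapped is not None else sasl_authc
    return 0 if check_authz_to(authc_dn, authz_dn) == 0 else INSUFFICIENT_ACCESS
```

With an empty sasl-regexp list the lookup lands on the unmapped cn=auth identity and fails exactly as in the log; with a rule that rewrites it to the real uid=joao entry, the same saslAuthzTo value authorizes the requested DN.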