I have been working with OpenLDAP for a very short period of time. The platform is RH9, with
the distributed OpenLDAP 2.0.7-8 (for business reasons I cannot upgrade).

I have been trying authentication, through the use of ACLs, but I am getting a different
behaviour to what I thought I should get.

First of all, I can authenticate to the directory and I can login to systems both through the
console and ssh.

I am using JXplorer as a remote client. The ACLs I use are:
# Default access
#
defaultaccess search
# Simple access control: read only except passwords
#
# User can access and change own password
access to dn=".*,dc=eastportanalytics,dc=com" attrs=userPassword
        by self write
        by * auth
# When everything fails, default to read access
access to dn=".*,dc=eastportanalytics,dc=com"
        by * read
I can login as a regular user through JXplorer, but I cannot see anything in the directory.
Only the LDAP administrator can see and modify entries.

The logs for authenticating as a user are as follows, but I do not understand exactly what
they are telling me, except that the "auth" rule is used for access and no further
authorisation is allowed. It does not seem that the second ACL is processed. What am I doing
wrong in understanding how the ACLs are used/should be used?
# ./start
daemon: socket() failed errno=97 (Address family not supported by protocol)
Global ACL: access to dn.regex=.*,dc=eastportanalytics,dc=com attrs=userPassword
        by self write (=wrscx)
        by * auth (=x)
Global ACL: access to dn.regex=.*,dc=eastportanalytics,dc=com
        by * read (=rscx)
slapd starting
=> access_allowed: auth access to "uid=ds,ou=People,dc=eastportanalytics,dc=com" "userPassword" requested
=> dnpat: [1] .*,dc=eastportanalytics,dc=com nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=ds,ou=People,dc=eastportanalytics,dc=com attr: userPassword
=> acl_mask: access to entry "uid=ds,ou=People,dc=eastportanalytics,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [2] applying auth (=x) (stop)
<= acl_mask: [2] mask: auth (=x)
=> access_allowed: auth access granted by auth (=x)
ber_flush: 14 bytes to sd 7
=> access_allowed: search access to "" "objectClass" requested
=> dnpat: [1] .*,dc=eastportanalytics,dc=com nsub: 0
=> dnpat: [2] .*,dc=eastportanalytics,dc=com nsub: 0
<= acl_get: done.
=> access_allowed: no more rules
=> access_allowed: search access denied by =n
ber_flush: 14 bytes to sd 7
=> access_allowed: search access to "" "objectClass" requested
=> dnpat: [1] .*,dc=eastportanalytics,dc=com nsub: 0
=> dnpat: [2] .*,dc=eastportanalytics,dc=com nsub: 0
<= acl_get: done.
=> access_allowed: no more rules
=> access_allowed: search access denied by =n
ber_flush: 14 bytes to sd 7
ber_flush: 14 bytes to sd 7
=> access_allowed: search access to "" "objectClass" requested
=> dnpat: [1] .*,dc=eastportanalytics,dc=com nsub: 0
=> dnpat: [2] .*,dc=eastportanalytics,dc=com nsub: 0
<= acl_get: done.
=> access_allowed: no more rules
=> access_allowed: search access denied by =n
ber_flush: 14 bytes to sd 7
ber_flush: 14 bytes to sd 7
----------------------------------------------------
Demetrios Sapounas
Solutions Architect
Eastport Analytics
Phone: 703.351.5273
Email: ds@eastportanalytics.com
----------------------------------------------------
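As an added illustration (not part of the post above and not OpenLDAP's own tooling), the following Python script parses slapd ACL-debug lines of the shape shown in the post and reports, for each access request, which global ACL and which "by" clause decided it, or that no ACL pattern matched the target DN at all. The sample log embedded in it is constructed from the lines in the post; the regular expressions and the dn_matches_pattern helper are this example's assumptions about the log format and about how a dn pattern is matched, not something taken from slapd's source.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the slapd ACL-debug output quoted in the post:
# one "auth" request decided by an ACL clause, one "search" request that no ACL matched.
SAMPLE_LOG = """\
=> access_allowed: auth access to "uid=ds,ou=People,dc=eastportanalytics,dc=com" "userPassword" requested
=> dnpat: [1] .*,dc=eastportanalytics,dc=com nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=ds,ou=People,dc=eastportanalytics,dc=com attr: userPassword
=> acl_mask: access to entry "uid=ds,ou=People,dc=eastportanalytics,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [2] applying auth (=x) (stop)
<= acl_mask: [2] mask: auth (=x)
=> access_allowed: auth access granted by auth (=x)
ber_flush: 14 bytes to sd 7
=> access_allowed: search access to "" "objectClass" requested
=> dnpat: [1] .*,dc=eastportanalytics,dc=com nsub: 0
=> dnpat: [2] .*,dc=eastportanalytics,dc=com nsub: 0
<= acl_get: done.
=> access_allowed: no more rules
=> access_allowed: search access denied by =n
ber_flush: 14 bytes to sd 7
"""


@dataclass
class AccessDecision:
    access: str                        # privilege requested: "auth", "search", "read", ...
    dn: str                            # target entry DN; "" is the root DSE
    attr: str                          # attribute the check was made for
    bound_as: Optional[str] = None     # identity the request was evaluated as; "" = anonymous
    acl_index: Optional[int] = None    # global ACL that matched (1-based, as slapd prints it)
    clause_index: Optional[int] = None # "by" clause inside that ACL that applied
    patterns_tried: List[int] = field(default_factory=list)  # dn patterns slapd tested
    granted: Optional[bool] = None
    reason: str = ""


# Line shapes assumed from the post's log (not an official grammar of slapd's debug output).
REQ = re.compile(r'^=> access_allowed: (\S+) access to "([^"]*)" "([^"]*)" requested$')
DNPAT = re.compile(r'^=> dnpat: \[(\d+)\] ')
MATCHED = re.compile(r'^=> acl_get: \[(\d+)\] matched$')
BOUND = re.compile(r'^=> acl_mask: to all values by "([^"]*)"')
APPLY = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\S+)')
RESULT = re.compile(r'^=> access_allowed: (\S+) access (granted|denied) by (.*)$')
NO_RULES = "=> access_allowed: no more rules"


def parse_acl_log(text: str) -> List[AccessDecision]:
    """Group the debug lines into one AccessDecision per access_allowed request."""
    decisions: List[AccessDecision] = []
    cur: Optional[AccessDecision] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQ.match(line)
        if m:
            cur = AccessDecision(access=m.group(1), dn=m.group(2), attr=m.group(3))
            decisions.append(cur)
            continue
        if cur is None:
            continue
        if m := DNPAT.match(line):
            cur.patterns_tried.append(int(m.group(1)))
        elif m := MATCHED.match(line):
            cur.acl_index = int(m.group(1))
        elif m := BOUND.match(line):
            cur.bound_as = m.group(1)
        elif m := APPLY.match(line):
            cur.clause_index = int(m.group(1))
        elif line == NO_RULES:
            cur.reason = "no ACL matched the target DN"
        elif m := RESULT.match(line):
            cur.granted = m.group(2) == "granted"
            cur.reason = cur.reason or m.group(3)
            cur = None  # request is finished; later lines belong to the next one
    return decisions


def dn_matches_pattern(dn: str, pattern: str) -> bool:
    """Simplified stand-in for slapd's dn pattern test (assumption: unanchored regex search).
    For the empty DN the anchoring question is moot: "" cannot contain the literal
    ',dc=eastportanalytics,dc=com' either way."""
    return re.search(pattern, dn) is not None


def summarize(decisions: List[AccessDecision]) -> List[str]:
    """One human-readable line per request: verdict, target, and what decided it."""
    out = []
    for d in decisions:
        target = d.dn if d.dn else '"" (root DSE)'
        verdict = "GRANTED" if d.granted else "DENIED"
        if d.acl_index is not None:
            how = f"ACL [{d.acl_index}] clause [{d.clause_index}] evaluated as {d.bound_as!r}"
        else:
            how = f"patterns {d.patterns_tried} tried, none matched -> {d.reason}"
        out.append(f"{verdict:7} {d.access:6} on {target} attr {d.attr}: {how}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_acl_log(SAMPLE_LOG)):
        print(line)
```

Run against the constructed sample, the summary makes two things visible that are easy to miss when reading the raw log: the "auth" check on userPassword is evaluated with the bound identity "" (the bind has not completed yet), so "by self" cannot match and the second clause "by * auth" is what grants it; and every denied request is a search against the empty DN, which neither ".*,dc=eastportanalytics,dc=com" pattern can match, so slapd reaches "no more rules" and denies with =n without ever reaching the "by * read" clause.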