
Re: Ldap access lines for replicator



On Thursday 26 January 2006 09:37, Nolan Rumble wrote:
> Hi,
>
> I've managed to setup slurpd on one of my servers and a slave server on
> another one.  The problem I'm having is that the replicator user
> (cn=replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za) doesn't seem to be
> getting permission to write to the database.
>
> All the data below is for my slave server:
>
> My access lines are as follows:
> In slapd.conf:
> # Define global ACLs to disable default read access and provide default
> # behaviour for samba/pam use
> include         /etc/openldap/slapd.access.conf

Looks like the Mandriva package, which uses regexes, so it should work 
out of the box for any dc-style setup. However, it may be simpler (and 
performance will improve a bit) to replace the regexes with dn.exact or 
dn.subtree ACLs (this is also mentioned in the recent slapd.access.conf files 
from Mandriva packages ...).

BTW, it would help to note which version of OpenLDAP you are running; there are 
some versions these ACLs won't work on (but they normally come bundled with 
a version that they have been tested on).

>
> # Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
> limits dn.exact="cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za"
>  size=unlimited
>  time=unlimited
>
>
> In slapd.access.conf:

BTW, newer packages recommend against editing this file; you should rather 
rename it and change the include line, as slapd.access.conf is marked as 
%config (not %config(noreplace)) to ensure that people who don't know enough 
don't end up with broken configs due to keeping an old modified 
slapd.access.conf.

> # The root DIT should be accessible to all clients
> access to dn.exact=""
>         by * read
>
> # So should the schema
> access to dn.subtree="cn=Subschema"
>         by * read
>
>
> access to dn.regex="^([^,]*,)?ou=exam,ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
>         by dn.exact,expand="cn=root,$2" write
>         by group.expand="cn=Domain Controllers,ou=Group,$2" write
>         by dn.exact,expand="cn=Replicator,ou=People,$2" write
>         by anonymous auth
>         by * none
>
> access to dn.regex="^([^,]*,)+ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
>         by self write
>         by dn.exact,expand="cn=root,$2" write
>         by group.expand="cn=Domain Controllers,ou=Group,$2" write
>         by dn.exact,expand="cn=Replicator,ou=People,$2" write
>         by anonymous auth
>         by * none


The above ACL seems to be the one that is matching, according to your logs, 
and should work ...

>
> access to dn.regex="([^,]*,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=inetOrgPerson,mail
>         by self write
>         by dn.exact,expand="cn=root,$2" write
>         by group.expand="cn=Domain Controllers,ou=Group,$2" write
>         by dn.exact,expand="cn=Replicator,ou=People,$2" write
>         by users read
>         by anonymous read
>
> # catch-all
> access to dn.regex="([^,]*,)?(dc=[^,]+(,dc=[^,]+)*)$"
>         by dn.exact,expand="cn=root,$2" write
>         by dn.exact,expand="cn=Replicator,ou=People,$2" write
>         by * read
>
>
> ## Finished
>
> My error log is as follows (logging 128):
>
> Jan 26 09:31:40 hubble slapd[32237]: => access_allowed: auth access to "cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za" "userPassword" requested
> Jan 26 09:31:40 hubble slapd[32237]: => dn: [1]
> Jan 26 09:31:40 hubble slapd[32237]: => dn: [2] cn=subschema
> Jan 26 09:31:40 hubble slapd[32237]: => dnpat: [3] ^([^,]*,)?ou=exam,ou=People,(dc=[^,]+(,dc=[^,]+)*)$ nsub: 3
> Jan 26 09:31:40 hubble slapd[32237]: => dnpat: [4] ^([^,]*,)+ou=People,(dc=[^,]+(,dc=[^,]+)*)$ nsub: 3
> Jan 26 09:31:40 hubble slapd[32237]: => acl_get: [4] matched
> Jan 26 09:31:40 hubble slapd[32237]: => acl_get: [4] attr userPassword
> Jan 26 09:31:40 hubble slapd[32237]: access_allowed: no res from state (userPassword)
> Jan 26 09:31:40 hubble slapd[32237]: => acl_mask: access to entry "cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za", attr "userPassword" requested
> Jan 26 09:31:40 hubble slapd[32237]: => acl_mask: to value by "", (=0)
> Jan 26 09:31:40 hubble slapd[32237]: <= check a_dn_pat: self
> Jan 26 09:31:40 hubble slapd[32237]: <= check a_dn_pat: cn=root,$2
> Jan 26 09:31:40 hubble slapd[32237]: <= acl_mask: no more <who> clauses, returning =0 (stop)

Hmm, there should be more who clauses, so maybe try removing the cn=Domain 
Controllers clause and see if it changes.

> Jan 26 09:31:40 hubble slapd[32237]: => access_allowed: auth access denied by =0
>
> ## end of log
>
>
> Any help would be appreciated :)

If you can IRC, #ldap on irc.freenode.net may hold some people who can help 
you ...

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)

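Added example (not code from the post or from OpenLDAP): a small Python model of the
ACL evaluation rules in slapd.access(5), run over the ACLs quoted above in the same
order. It walks the clauses the way the acl_get/acl_mask log does: the first "access
to" whose DN regex and attrs match is the only one consulted, the first matching "by"
clause inside it decides, a grant of a higher privilege satisfies a request for a
lower one, and no matching "by" clause means denial. For the bind in the log (an
anonymous request for "auth" on the replicator's userPassword) the clauses as written
reach "by anonymous auth" and grant, so a trace that stops right after cn=root,$2 is
not evaluating the clauses that follow it. The other scenarios show that $2 is taken
from the target entry's suffix, so the replicator DN only expands to itself inside its
own suffix. Assumptions: DNs are lower-cased as a stand-in for slapd's normalization
and regexes are case-insensitive; group membership is not looked up, so the
group.expand clause never matches; uid=alice is a constructed sample entry.

```python
"""Toy model of slapd ACL evaluation (added example, not OpenLDAP code)."""
import re

# Privilege levels in slapd order; a grant at one level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def level_ok(granted, requested):
    return LEVELS.index(granted) >= LEVELS.index(requested)


def norm(dn):
    # Assumption: lower-casing stands in for slapd's DN normalization.
    return dn.strip().lower()


def expand(pattern, match):
    """Substitute $1..$9 in a 'by' pattern with groups captured by the 'to' regex."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", pattern)


class Acl:
    def __init__(self, dn_regex, attrs, who):
        self.dn_regex = re.compile(dn_regex, re.IGNORECASE)
        self.attrs = {a.lower() for a in attrs} if attrs else None  # None: any attr
        self.who = who  # (kind, pattern, level) tuples in the order written


def who_matches(kind, pattern, bind_dn, target_dn, m):
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "users":
        return bind_dn != ""
    if kind == "self":
        return bind_dn != "" and norm(bind_dn) == norm(target_dn)
    if kind == "dn.exact,expand":
        return bind_dn != "" and norm(bind_dn) == norm(expand(pattern, m))
    if kind == "group.expand":
        return False  # assumption: no directory to look the group up in
    raise ValueError(f"unsupported who clause {kind!r}")


def access_allowed(acls, target_dn, attr, bind_dn, requested):
    """Return (allowed, trace); the trace mirrors the shape of slapd's ACL log."""
    trace = []
    for i, acl in enumerate(acls, 1):
        m = acl.dn_regex.search(norm(target_dn))
        if not m or (acl.attrs is not None and attr.lower() not in acl.attrs):
            continue  # acl_get keeps looking
        trace.append(f"acl [{i}] matched, attr {attr}")
        for kind, pattern, level in acl.who:  # acl_mask: first matching 'by' wins
            trace.append(f"check {kind} {pattern}".rstrip())
            if who_matches(kind, pattern, bind_dn, target_dn, m):
                trace.append(f"{kind} grants {level}")
                return level_ok(level, requested), trace
        trace.append("no more <who> clauses, denied")
        return False, trace
    trace.append("no access clause matched, denied")
    return False, trace


# The ACLs from the post, in the order slapd numbers them in the log.
SUFFIX = r"(dc=[^,]+(,dc=[^,]+)*)$"  # captured as $2 by the 'to' regexes below
PW_ATTRS = ["sambaLMPassword", "sambaNTPassword", "userPassword",
            "sambaPasswordHistory", "sambaPwdLastSet"]
ADMIN_WHO = [("dn.exact,expand", "cn=root,$2", "write"),
             ("group.expand", "cn=Domain Controllers,ou=Group,$2", "write"),
             ("dn.exact,expand", "cn=Replicator,ou=People,$2", "write")]
ACLS = [
    Acl(r"^$", None, [("*", "", "read")]),                     # [1] root DSE
    Acl(r"^(.*,)?cn=subschema$", None, [("*", "", "read")]),   # [2] cn=Subschema
    Acl(r"^([^,]*,)?ou=exam,ou=People," + SUFFIX, PW_ATTRS,   # [3]
        ADMIN_WHO + [("anonymous", "", "auth"), ("*", "", "none")]),
    Acl(r"^([^,]*,)+ou=People," + SUFFIX, PW_ATTRS,           # [4] matched in the log
        [("self", "", "write")] + ADMIN_WHO + [("anonymous", "", "auth"), ("*", "", "none")]),
    Acl(r"([^,]*,)?ou=People," + SUFFIX, ["inetOrgPerson", "mail"],  # [5]
        [("self", "", "write")] + ADMIN_WHO + [("users", "", "read"), ("anonymous", "", "read")]),
    Acl(r"([^,]*,)?" + SUFFIX, None,                           # [6] catch-all
        [ADMIN_WHO[0], ADMIN_WHO[2], ("*", "", "read")]),
]

REPLICATOR = "cn=Replicator,ou=People,dc=ph,dc=sun,dc=ac,dc=za"
USER = "uid=alice,ou=People,dc=ph,dc=sun,dc=ac,dc=za"  # constructed sample entry


def scenarios():
    return {
        # The bind itself: anonymous asks for "auth" on the replicator's userPassword.
        "replicator bind": access_allowed(ACLS, REPLICATOR, "userPassword", "", "auth"),
        # Once bound, the replicator pushes a password change to a user entry.
        "replicator writes userPassword": access_allowed(ACLS, USER, "userPassword", REPLICATOR, "write"),
        # A non-password attribute falls through to the inetOrgPerson/mail ACL.
        "replicator writes mail": access_allowed(ACLS, USER, "mail", REPLICATOR, "write"),
        # "auth" does not satisfy "read": anonymous cannot read password hashes.
        "anonymous reads userPassword": access_allowed(ACLS, USER, "userPassword", "", "read"),
        # $2 comes from the target, so a replicator under another suffix is denied.
        "foreign replicator": access_allowed(ACLS, USER, "userPassword",
                                             "cn=Replicator,ou=People,dc=example,dc=com", "write"),
    }


if __name__ == "__main__":
    for name, (ok, trace) in scenarios().items():
        print(f"{name}: {'ALLOWED' if ok else 'DENIED'}")
        for line in trace:
            print("   ", line)
```

The trace for the bind scenario lists all six "by" clauses of ACL [4] before the grant; comparing it with the quoted slapd log shows exactly where the real evaluation stopped.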