
Fwd: Trying to figure out access policies



Ok, I think I'm making some headway, but I'm still a little confused.

I didn't realize that by putting in an access entry to permit specific stuff, you have to put other entries in for everything else or else it's an implicit deny. That being said, I modified my slapd.conf as follows:

access to attrs=userPassword
        by self         write
        by anonymous    auth
        by *            none
        by dn.exact="cn=proxyuser,dc=example,dc=ca" read

access to *
        by * read

(also, I've tried variations on attrs and attr, as well as dn= and dn.exact=, all to no avail)

and I'm running slapd -d acl.

Now, when I run the ldapsearch call, I get closer; that is, I get the search DN returned to me, but I still don't get the password:

# ldapsearch -D "cn=proxyuser,dc=example,dc=ca" -b 'ou=auth,dc=example,dc=ca' -x -W '(uid=jlixfeld.example.ca)' userPassword
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=auth,dc=example,dc=ca> with scope subtree
# filter: (uid=jlixfeld.example.ca)
# requesting: userPassword
#


# jlixfeld.example.ca, users, auth, example.ca
dn: uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
#

=> access_allowed: auth access to "cn=proxyuser,dc=example,dc=ca" "userPassword" requested
=> acl_get: [1] attr userPassword
access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "cn=proxyuser,dc=example,dc=ca", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: search access to "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "uid" requested
=> acl_get: [2] attr uid
=> acl_mask: access to entry "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr "uid" requested
=> acl_mask: to value by "cn=proxyuser,dc=example,dc=ca", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: read access to "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "entry" requested
=> acl_get: [2] attr entry
=> acl_mask: access to entry "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr "entry" requested
=> acl_mask: to all values by "cn=proxyuser,dc=example,dc=ca", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "userPassword" requested
=> acl_get: [1] attr userPassword
access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr "userPassword" requested
=> acl_mask: to value by "cn=proxyuser,dc=example,dc=ca", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_dn_pat: *
<= acl_mask: [3] applying none(=0) (stop)
<= acl_mask: [3] mask: none(=0)
=> access_allowed: read access denied by none(=0)
send_search_entry: conn 9 access to attribute userPassword, value #0 not allowed


Correct me if I'm wrong but the "read access denied by none" indicates that the bind isn't happening as proxyuser?

Also, what does "access_allowed: no res from state" mean? It's the only debug part that I can't quite decipher.

Begin forwarded message:

From: Jason Lixfeld <jason+lists.openldap@lixfeld.ca>
Date: June 27, 2006 12:38:14 PM EDT (CA)
To: OpenLDAP software list <openldap-software@openldap.org>
Subject: Trying to figure out access policies

I think I'm somewhat versed in the basics of OpenLDAP, but the concept of access policies eludes me because they are far beyond my current level of comprehension. That being said, I'm doing some trial by fire to try to make sense of how they work and hopefully will then be able to relate some of what I read in the manual to what I've made happen in tests...

I'm trying to get a proxyuser working so I don't have to do everything as Manager.

I put this entry into my slapd.conf as per some tutorials I read:

access to attrs=userPassword
       by dn="cn=Proxyuser,dc=example,dc=ca" read

and likewise, these entries into my ldap.conf:

binddn cn=Proxyuser,dc=example,dc=ca
bindpw ****
rootbinddn cn=Proxyuser,dc=example,dc=ca

and finally, the Proxyuser password in /etc/ldap.secret.

Being unsure if the lookups for ldap.conf and ldap.secret are in /etc or /usr/local/etc (using a FreeBSD system here), I symlinked each so they are available in both locations.

After that was all said and done, I restarted slapd and tried to do a search using the proxyuser as the binddn:

# ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b 'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


# all.log
Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from IP=127.0.0.1:54632 (IP=0.0.0.0:389)
Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND dn="cn=Proxyuser,dc=example,dc=ca" method=128
Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97 err=49 text=
Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed (connection lost)


It would seem to me that it's not complaining about the password, so I assume it's complaining about the access entry in slapd.conf. I removed the access entry from slapd.conf and was able to perform the same search as above without a problem.

Anyone have any pointers on what I can look at as the source of this problem?

Also, I'm a little confused about the difference between binddn and rootbinddn. If I understand correctly, rootbinddn is the DN used to bind if the user executing the command is root, while binddn is the DN used to bind if the user executing the command is any user other than root. Is this correct? I ask because if I run ldapsearch as root with no additional arguments and check the logs, it seems to bind anonymously so I'm not sure if my understanding of binddn vs. rootbinddn is correct:

Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from IP=127.0.0.1:58244 (IP=0.0.0.0:389)
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0 text=
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=*)"
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND
Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed


Thanks in advance for any insight on either or both of these points...
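As an added illustration (not part of the original thread), the following Python model reproduces how slapd evaluates the "by" clauses of one "access to" directive: clauses are tried top to bottom and evaluation stops at the first <who> that matches the bound DN, so in the ACL from the newer message above the "by * none" line is reached before the dn.exact line and the proxyuser clause never applies. The clause lists and DNs are the ones from the post; the matching rules are a simplified model of slapd's, not its code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Clause:
    who: str      # "self", "anonymous", "*", or 'dn.exact="<dn>"'
    access: str   # "write", "auth", "read", "none", ...

def clause_matches(clause: Clause, bind_dn: str, entry_dn: str) -> bool:
    """Simplified model of slapd's <who> matching for the forms used in the post."""
    who = clause.who
    if who == "*":
        return True                      # catch-all: matches every identity
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        # Assumption of this model: compare normalized (case-insensitive) DNs,
        # which is why cn=Proxyuser and cn=proxyuser are treated as the same DN.
        wanted = who[len("dn.exact="):].strip('"')
        return bind_dn.lower() == wanted.lower()
    raise ValueError(f"unsupported <who> form: {who}")

def evaluate(clauses, bind_dn, entry_dn):
    """First matching clause wins, like the '(stop)' in the acl_mask trace.
    Returns (1-based clause index, access level); no match is an implicit deny."""
    for index, clause in enumerate(clauses, start=1):
        if clause_matches(clause, bind_dn, entry_dn):
            return index, clause.access
    return None, "none"

PROXY = "cn=proxyuser,dc=example,dc=ca"
USER = "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca"

# Ordering as posted: the catch-all "by * none" precedes the proxyuser clause.
AS_POSTED = [Clause("self", "write"), Clause("anonymous", "auth"),
             Clause("*", "none"), Clause(f'dn.exact="{PROXY}"', "read")]

# Reordered: the specific clause is listed before the catch-all.
REORDERED = [Clause("self", "write"), Clause("anonymous", "auth"),
             Clause(f'dn.exact="{PROXY}"', "read"), Clause("*", "none")]

if __name__ == "__main__":
    print(evaluate(AS_POSTED, PROXY, USER))   # (3, 'none'), as in the trace
    print(evaluate(REORDERED, PROXY, USER))   # (3, 'read')
    print(evaluate(REORDERED, "", USER))      # (2, 'auth'), anonymous bind
```

The first result corresponds to the "[3] applying none(=0) (stop)" line in the debug output: the bind as proxyuser did succeed, but the third clause matched first and denied read.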