
Re: ACL problem



Il Neofita wrote:
> Hi
> I deleted everything and did everything from scratch but I have the
> same problem
> I am using RH 5.4
> 

Hello,

I have no idea what the problem might be. Yet I've noticed you don't
have a hash-type prefix on your passwords, and it should be there.

userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
XXX
userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=

The next thing I can suggest is to strip all ACLs except the basic ones
and build them up again, step by step.
I'd also move attrs=userPassword up in the tree, as ACL evaluation ends
when the first match is found. Thus it's possible this ACL is never matched.

Regards,
Zdenek


> I am posting my configuration
> slapd.conf
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/misc.schema
> include         /etc/openldap/schema/openldap.schema
> include         /etc/openldap/schema/redhat/autofs.schema
> include         /etc/openldap/schema/pykota.schema
> 
> allow bind_v2
> loglevel 128
> 
> pidfile         /var/run/openldap/slapd.pid
> argsfile        /var/run/openldap/slapd.args
> 
> access to dn.subtree="ou=PyKota,dc=test,dc=xx" by dn="cn=pykotaadmin,dc=test,dc=xx" write
> access to dn.subtree="ou=people,dc=test,dc=xx"
>        by dn="cn=mmm,dc=test,dc=xx" manage
>        by dn="cn=pykotaadmin,dc=test,dc=xx" manage
>        by * read
> access to dn.subtree="ou=Groups,dc=test,dc=xx" by dn="cn=pykotaadmin,dc=test,dc=xx" write
> 
> access  to *
>        by self         write
>        by users        read
>        by *            none
> 
> access to attrs=userPassword
>          by self =w
>          by anonymous auth
> 
> database        bdb
> suffix          "dc=test,dc=xx"
> rootdn          "cn=admin,dc=test,dc=xx"
> rootpw          {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
> 
> directory       /var/lib/ldap
> 
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
> index pykotaUserName pres,eq,sub
> index pykotaGroupName pres,eq,sub
> index pykotaPrinterName pres,eq,sub
> index pykotaBillingCode pres,eq,sub
> index pykotaLastJobIdent eq
> 
> 
> my ldif
> 
> # extended LDIF
> #
> # LDAPv3
> # base <dc=test,dc=xx> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # test.xx
> dn: dc=test,dc=xx
> objectClass: dcObject
> objectClass: organization
> o: Directory Server
> dc:: dGVzdCA=
> 
> # admin, test.xx
> dn: cn=admin,dc=test,dc=xx
> objectClass: organizationalRole
> objectClass: posixAccount
> cn:: YWRtaW4g
> gidNumber: 500
> homeDirectory: /home/admin
> uid: admin
> uidNumber: 500
> 
> # mmm, test.xx
> dn: cn=mmm,dc=test,dc=xx
> cn:: bW1tIA==
> sn: mmm
> objectClass: person
> objectClass: top
> userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
> 
> # people, test.xx
> dn: ou=people,dc=test,dc=xx
> objectClass: top
> objectClass: organizationalUnit
> ou: people
> description: Fictional example organizational unit
> 
> # bjensen, people, test.xx
> dn: uid=bjensen,ou=people,dc=test,dc=xx
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: Babs Jensen
> sn: Jensen
> givenName: Babs
> uid: bjensen
> ou: people
> description: Fictional example person
> telephoneNumber: 555-5557
> userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 6
> # numEntries: 5
> 
> 
> And this is the log
> Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access to "cn=mmm,dc=test,dc=xx" "userPassword" requested
> Dec 22 09:42:07 sim slapd[11187]: => dn: [1] ou=pykota,dc=test,dc=xx
> Dec 22 09:42:07 sim slapd[11187]: => dn: [2] ou=people,dc=test,dc=xx
> Dec 22 09:42:07 sim slapd[11187]: => dn: [3] ou=groups,dc=test,dc=xx
> Dec 22 09:42:07 sim slapd[11187]: => acl_get: [4] attr userPassword
> Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state (userPassword)
> Dec 22 09:42:07 sim slapd[11187]: => acl_mask: access to entry "cn=mmm,dc=test,dc=xx", attr "userPassword" requested
> Dec 22 09:42:07 sim slapd[11187]: => acl_mask: to value by "", (=0)
> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: self
> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: users
> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: *
> Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] applying none(=0) (stop)
> Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] mask: none(=0)
> Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access denied by none(=0)
> 
> 
> Thank you
> 
> On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
>> Il Neofita wrote:
>>> Hi
>> Hello,
>>
>>> I am new and probably I am facing a very basic error
>>>
>>> I am trying to create an admin for a subset
>>>
>>> I created this ldif
>>> dn: cn=mmmm,dc=test,dc=xx
>>> cn: mmmm
>>> sn: mmmm
>>> objectClass: person
>>> objectClass: top
>>> userPassword: test
>>>
>> If you added it exactly like this:
>> 1] delete dn: cn=mmmm,dc=test,dc=xx
>> 2] use slappasswd to generate the password hash
>> 3] add the DN again
>>
>> --- SNIP ---
>> slappasswd -s test
>> {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
>> --- SNIP ---
>> --- SNIP ---
>> dn: cn=mmmm,dc=test,dc=xx
>> cn: mmmm
>> sn: mmmm
>> objectClass: person
>> objectClass: top
>> userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
>> --- SNIP ---
>>
>> Just a morning loto :)
>>
>> Regards,
>> Zdenek
>>
>>> then in slapd.conf
>>>
>>> ...
>>> access to dn.subtree="ou=people,dc=test,dc=xx"
>>>         by dn="cn=mmmm,dc=test,dc=xx" write
>>>         by * read
>>> ...
>>>
>>> Restarted ldap
>>>
>>> ldapsearch -x  -D "cn=mmmm,dc=test,dc=xx" -W '(objectclass=*)'
>>> ldap_bind: Invalid credentials (49)
>>>
>>> What am I doing wrong?
>>
>> --
>> Zdenek Styblik
>> Net/Linux admin
>> OS TurnovFree.net
>> email: stybla@turnovfree.net
>> jabber: stybla@jabber.turnovfree.net
>>


-- 
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
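Added example, not part of the thread and not OpenLDAP code: a small Python model of how slapd walks the access directives in slapd.conf, run over the directives posted above (with the two lines the mail client wrapped after "by" rejoined, since a continuation line in slapd.conf must begin with whitespace). The rules it implements are the ones from slapd.access(5) that matter here: the first directive whose <what> matches the entry and attribute decides, within it the first matching <who> clause applies, a directive with no matching <who> denies, a level such as "read" is cumulative, and "=w" grants exactly write. It reproduces the denial in the log: the fourth directive, "access to *", decides the anonymous auth request on cn=mmm and its last clause "by * none" applies, so the "attrs=userPassword" directive after it is never reached. It then moves that directive to the top, which is what the reply recommends, and shows the second consequence of the posted order: the "ou=people ... by * read" directive hands out userPassword hashes to anonymous clients until the password directive precedes it. Only the selectors and who-clauses used in this thread are modelled, DN matching is a lower-cased string comparison, and "deny when nothing matches" is a simplification of this model, not slapd's documented default. The base64 helper shows what the "::" lines in the posted LDIF contain.

```python
import base64
import shlex

# slapd's access levels in cumulative order; the single letters are the ones
# used in exact "=w"-style specifications (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SHORT = {"0": "none", "d": "disclose", "x": "auth", "c": "compare",
         "s": "search", "r": "read", "w": "write", "m": "manage"}

# The directives from the posted slapd.conf, mail-wrapped lines rejoined.
POSTED = """\
access to dn.subtree="ou=PyKota,dc=test,dc=xx" by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to dn.subtree="ou=people,dc=test,dc=xx"
       by dn="cn=mmm,dc=test,dc=xx" manage
       by dn="cn=pykotaadmin,dc=test,dc=xx" manage
       by * read
access to dn.subtree="ou=Groups,dc=test,dc=xx" by dn="cn=pykotaadmin,dc=test,dc=xx" write
access  to *
       by self         write
       by users        read
       by *            none
access to attrs=userPassword
         by self =w
         by anonymous auth
"""


def privileges(spec):
    """Privileges granted by an <access> token: a level name is cumulative
    (read implies search, compare, auth, disclose); '=w' grants only write."""
    if spec.startswith("="):
        return {SHORT[c] for c in spec[1:]}
    return set(LEVELS[1:LEVELS.index(spec) + 1])


def parse_acls(conf):
    """Collect 'access to <what> by <who> <access> ...' directives in file
    order; an indented line continues the previous directive."""
    joined = []
    for line in conf.splitlines():
        if line[:1].isspace() and joined:
            joined[-1] += " " + line.strip()
        elif line.startswith("access "):
            joined.append(line.strip())
    acls = []
    for text in joined:
        toks = shlex.split(text)            # also strips the quotes around DNs
        what, target = {}, toks[2]
        if target.startswith("dn.subtree="):
            what["subtree"] = target[len("dn.subtree="):].lower()
        elif target.startswith("attrs="):
            what["attrs"] = {a.lower() for a in target[len("attrs="):].split(",")}
        elif target != "*":
            raise ValueError("selector not modelled: " + target)
        acls.append((what, [(toks[i + 1], toks[i + 2]) for i in range(3, len(toks), 3)]))
    return acls


def what_matches(what, target_dn, attr):
    base = what.get("subtree")
    if base and not (target_dn == base or target_dn.endswith("," + base)):
        return False
    return "attrs" not in what or attr.lower() in what["attrs"]


def who_matches(who, bound_dn, target_dn):
    if who.startswith("dn="):
        return bound_dn == who[3:].lower()
    return {"*": True, "anonymous": bound_dn == "", "users": bound_dn != "",
            "self": bound_dn != "" and bound_dn == target_dn}[who]


def access_allowed(acls, bound_dn, target_dn, attr, requested):
    """Return (allowed, 0-based index of the deciding directive). The first
    directive whose <what> matches decides; inside it the first matching
    <who> applies; no matching <who> denies. No match at all denies too,
    which is a simplification of this model."""
    bound_dn, target_dn = bound_dn.lower(), target_dn.lower()
    for idx, (what, bys) in enumerate(acls):
        if not what_matches(what, target_dn, attr):
            continue
        for who, spec in bys:
            if who_matches(who, bound_dn, target_dn):
                return requested in privileges(spec), idx
        return False, idx
    return False, None


def reorder_password_acl(acls):
    """The fix from the reply: put 'access to attrs=userPassword' ahead of
    every other directive so it is reached before 'access to *'."""
    pw = [a for a in acls if "userpassword" in a[0].get("attrs", ())]
    return pw + [a for a in acls if a not in pw]


def decode_ldif_value(line):
    """LDIF writes 'attr:: <base64>' for values it will not print raw."""
    attr, _, b64 = line.partition(":: ")
    return attr, base64.b64decode(b64).decode()


if __name__ == "__main__":
    posted = parse_acls(POSTED)
    fixed = reorder_password_acl(posted)
    mmm, babs = "cn=mmm,dc=test,dc=xx", "uid=bjensen,ou=people,dc=test,dc=xx"
    for label, acls in (("posted", posted), ("fixed", fixed)):
        print(label, "anonymous auth on mmm:", access_allowed(acls, "", mmm, "userPassword", "auth"))
        print(label, "anonymous read of bjensen hash:", access_allowed(acls, "", babs, "userPassword", "read"))
    print(decode_ldif_value("userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY="))
```

Under the reordered list the bind succeeds, anonymous clients can no longer read hashes under ou=people, and a bound user can change but not read its own userPassword, which is what "by self =w" is meant to give. Decoding the "userPassword::" line from the posted LDIF yields "{SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF", the same string the earlier slappasswd run produced, and the "dc::" and "cn::" lines decode to values with a trailing space, which is why ldapsearch base64-encoded them.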