[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Error 18: Solaris 10 Native LDAP-Client

To: Ralf Haferkamp <rhafer@suse.de>
Subject: Re: Error 18: Solaris 10 Native LDAP-Client
From: Benjamin Griese <der.darude@gmail.com>
Date: Wed, 3 Nov 2010 09:52:26 +0100
Cc: James Bagley Jr <james.bagley@state.or.us>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=IhOIy+DlkFRkPW5u/GVOO0rwVIpCzSRxeXVLWV+1q/0=; b=xcg+dBYS0kZ5o1GGKLyBY5Y7A7W66u9DjjMzK+tDpYhjc9vmkQaBb+/P3a0n1MoBvZ UfLxyZEN/63uJTF6t/XcZn4sA3mlyqHKTIX7Hj2chTgFpKB+jr+VBiHm0ChFpCrvo42g EwzufJ78NeArtG7jHlH9XZwac0ruy9WL+vubA=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=myNVBdPmng4rWgKQPzX+BLj23xgCgREGxAnPiUgysTrhm/ivdJ2uGLEc3VfQ0Ws6Jh ZQF2Ub1rk35bpXiLMAEnN9ctPCFzqWN4XSV7DgSiIXXVK47ST1K9gTmEKj1BbTPCl8m7 FFhJlfLLOouiGdOLyjzOI6Ebj7C1U2VdzAIXI=
In-reply-to: <201011021803.56849.rhafer@suse.de>
References: <AANLkTimi9T4e_NG1xsti2g2RGDjr_T3yRkd3Z-4cGZtw@mail.gmail.com> <201011021605.55496.rhafer@suse.de> <AANLkTikWXZ9-6b002LYS__46gO2NWj3iY68wLKozxV-6@mail.gmail.com> <201011021803.56849.rhafer@suse.de>

Hello Ralf,

yes you're right that's the right SR, and yes it's about dynamic
loading of modules.
I pointed Austin right to you and this thread, just for better communication.

In the meantime I set the ACL, but unfortunatly it didn't help solving
the problem, you may take a look at my example:

DN: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=ldapadm,dc=example,dc=de" write by
dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" read by
anonymous auth by self write by * none
olcAccess: {1} to dn.base="" attrs=supportedControl
val/objectIdentifierMatch=1.2.840.113556.1.4.473 by * none
olcAccess: {2} to dn.base="" attrs=supportedControl
val/objectIdentifierMatch=2.16.840.1.113730.3.4.9 by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by dn="cn=ldapadm,dc=example,dc=de" write by * read

If I remember right {4} is not opening up the access when it is
explicitly denied in the ACLs {1} & {2}, am I right?
But I'm not sure if this is the right place for this kind of ACL,
cn=config instead should be wrong too I guess.

Bye, Benjamin.

On Tue, Nov 2, 2010 at 18:03, Ralf Haferkamp <rhafer@suse.de> wrote:
> Am Dienstag 02 November 2010, 16:57:38 schrieb Benjamin Griese:
>> Hello Ralf,
>>
>> nice to know that someone from Novell is reading here, too.
>>
>> Currently I have opened up a Service Request regarding this topic at
>> Novells Suport Center and pointed that out as a Feature Request but
>> also as problem I and other people have and are lookinf for a
>> workaround.
> The feature request is regarding build the overlays as dynamic modules, I
> guess? Yes that's something we are looking into as well. But for this
> special SSS/VLV issue there is already a fix in CVS which I we will most
> probably include in our packages. Changing from static overlays to
> dynamic overlays is unlikely to happen during the SLES11 timeframe I
> think (but we are getting off topic ...)
>
>> Too bad I am really low experienced in building complex ACLs to filter
>> stuff like this, maybe someone else is able to help us (James and me)
>> to workaround that problem.
> Something like this should work:
>
> access to dn.base="" attrs=supportedControl
>  val/objectIdentifierMatch=1.2.840.113556.1.4.473
>  by * none
> access to dn.base="" attrs=supportedControl
>  val/objectIdentifierMatch=2.16.840.1.113730.3.4.9
>  by * none
>
> I just found out however that there seems to be a bug in the ACL code
> when the above ACL appear as the first ACL in the configuration :(. I am
> still trying to track down that problem. So please make sure to have
> another ACL before them (one that doesn't apply to the "supportedControl"
> Attribute of course).
>
>> I'll give it a shot and let you know if it's working or not. :)
> Good luck.
>
> Ralf
>
> --
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
>



-- 
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
be is to do -- Sartre | Do be do be do -- Sinatra

Follow-Ups:
- Re: Error 18: Solaris 10 Native LDAP-Client
  - From: Ralf Haferkamp <rhafer@suse.de>

References:
- Re: Error 18: Solaris 10 Native LDAP-Client
  - From: Ralf Haferkamp <rhafer@suse.de>
- Re: Error 18: Solaris 10 Native LDAP-Client
  - From: Benjamin Griese <der.darude@gmail.com>
- Re: Error 18: Solaris 10 Native LDAP-Client
  - From: Ralf Haferkamp <rhafer@suse.de>

Prev by Date: ACL and SSF
Next by Date: Re: Error 18: Solaris 10 Native LDAP-Client
Index(es):
- Chronological
- Thread