
Re: Access denied consumer replication (OpenLDAP+Kerberos)



Hi Quanah. Thanks for your reply!

I was following this link to configure the provider/consumer:
http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php.

Under item "2. Kerberos client install", at the end, I was guided to
create a principal starting with ldap/dns02... But... I created 3
principals: host/dns02... ldap/dns02.. and ldaps/dns02...

And under item "8. Provider modifications" I was instructed to map
uid=ldap/... to ou=consumers

# 1.2.1.
add: olcAuthzRegexp
olcAuthzRegexp: uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
  cn=$1,ou=consumers,dc=example,dc=com

I deleted the principals host/dns02... and ldaps/dns02... and the
replication started to work.

Thanks very much!

Daniel

--
Daniel Lopes de Carvalho
dlcarvalho@gmail.com
daniellopescarvalho (skype)
19 9357-5618 (claro)
19 8251-6023 (tim)


On Thu, Oct 4, 2012 at 2:57 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> --On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho
> <dlcarvalho@gmail.com> wrote:
>
>> Hi
>>
>> I try to configure two openldap/kerberos servers (provider and
>> consumer), but I'm having some issues with replication. In the LDAP
>> log, I have many entries like this: "slap_access_allowed: search
>> access denied by none(=0)"
>>
>> These messages are related to consumer access to the Kerberos database
>> on the provider, and the kerberos database can't be replicated to the
>> consumer. The other data are replicated normally.
>>
>> These are the ACLs under the provider:
>> olcAccess: {0}to attrs=userPassword,shadowLastChange
>>   by
>> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
>> dc=br" read
>>   by anonymous auth by * none
>>
>> olcAccess: {1}to
>> dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>>   by
>> dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
>> br" write
>>   by
>> dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
>> br" read
>>   by
>> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
>> dc=br" read by * none
>>
>> olcAccess: {2}to attrs=loginShell
>>   by self write
>>   by users read
>>   by * none
>>
>> olcAccess: {3}to dn.base=""
>>   by * read
>>
>> olcAccess: {4}to *
>>   by users read
>>   by * none
>
>
> This is the entity asking permission:
>
>
> Oct  4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
> "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
> (=0)
>
> This does not match
>
> by
> dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
>
> It looks like you put the host entry in the users tree and not the consumer
> tree.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
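The two moving parts in this thread are the olcAuthzRegexp that turns a GSSAPI authz-id into a DN and the olcAccess clauses that are then evaluated against that DN. The following Python script is an added illustration, not code from the thread or from OpenLDAP: it applies the regexp quoted above (on the example.com base DN the howto uses) and then walks a simplified model of the provider's ACL list, so you can see why an ldap/ principal lands under ou=consumers and gets read on the Kerberos subtree, while a host/ principal does not. The second regexp that drops unmatched principals into ou=users is an assumption made to reproduce the log line Quanah quoted; the DN helpers ignore escaped commas and the access levels are a reduced subset of what slapd implements.

```python
import re

# Constructed example base DN, mirroring the howto's example.com layout.
BASE = "dc=example,dc=com"
CONSUMERS = f"ou=consumers,{BASE}"
KERBEROS = f"ou=kerberos,ou=Services,{BASE}"

# Rule 1 is the olcAuthzRegexp quoted in the thread. Rule 2 is an assumed
# catch-all that puts every other GSSAPI principal under ou=users, which is
# what the provider log in the thread shows for uid=host/dns02...
AUTHZ_RULES = [
    (r"uid=ldap/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth",
     f"cn=$1,ou=consumers,{BASE}"),
    (r"uid=([^,]+),cn=example.com,cn=gssapi,cn=auth",
     f"uid=$1,ou=users,{BASE}"),
]


def map_authzid(authzid, rules=AUTHZ_RULES):
    """Return the DN the first matching authz-regexp maps the SASL identity to.

    Like POSIX regexec, the pattern is searched anywhere in the string unless
    it carries explicit ^ and $ anchors. Unmatched identities keep the raw
    authz-id as their DN.
    """
    for pattern, template in rules:
        m = re.search(pattern, authzid)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
    return authzid


# Simplified access levels in increasing order of privilege.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parent_of(dn):
    """Parent DN by naive comma split (escaped commas are not handled)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)


def dn_one(who, parent):
    """Equivalent of the 'by dn.one=...' qualifier: direct children only."""
    return who != "" and parent_of(who) == parent


def acl_rules():
    """A reduced model of the provider's olcAccess list from the thread.

    Each entry is (target predicate over (attr, entry_dn), list of (who
    predicate, level)). 'users' means any authenticated DN; '' is anonymous.
    """
    return [
        (lambda attr, dn: attr in ("userPassword", "shadowLastChange"),
         [(lambda who, dn: dn_one(who, CONSUMERS), "read"),
          (lambda who, dn: who == "", "auth"),
          (lambda who, dn: True, "none")]),
        (lambda attr, dn: in_subtree(dn, KERBEROS),
         [(lambda who, dn: who == f"cn=krbadm,{KERBEROS}", "write"),
          (lambda who, dn: who == f"cn=krbkdc,{KERBEROS}", "read"),
          (lambda who, dn: dn_one(who, CONSUMERS), "read"),
          (lambda who, dn: True, "none")]),
        (lambda attr, dn: attr == "loginShell",
         [(lambda who, dn: who == dn, "write"),
          (lambda who, dn: who != "", "read"),
          (lambda who, dn: True, "none")]),
        (lambda attr, dn: True,
         [(lambda who, dn: who != "", "read"),
          (lambda who, dn: True, "none")]),
    ]


def access_level(who, entry_dn, attr):
    """First matching 'to' clause wins; within it the first matching 'by' wins."""
    for target, clauses in acl_rules():
        if target(attr, entry_dn):
            for matches, level in clauses:
                if matches(who, entry_dn):
                    return level
            return "none"
    return "none"


def can_replicate(authzid, entry_dn, attr):
    """True if the mapped identity gets at least read on (entry_dn, attr)."""
    who = map_authzid(authzid)
    return LEVELS.index(access_level(who, entry_dn, attr)) >= LEVELS.index("read")


if __name__ == "__main__":
    ldap_id = "uid=ldap/dns02.example.com,cn=example.com,cn=gssapi,cn=auth"
    host_id = "uid=host/dns02.example.com,cn=example.com,cn=gssapi,cn=auth"
    krb_entry = f"krbPrincipalName=alice@EXAMPLE.COM,{KERBEROS}"
    for ident in (ldap_id, host_id):
        print(ident, "->", map_authzid(ident),
              "krb read:", can_replicate(ident, krb_entry, "krbPrincipalKey"))
```

Running it shows the ldap/ identity mapped to cn=dns02,ou=consumers,... and granted read on the Kerberos subtree, while the host/ identity lands in ou=users, falls through to the `by * none` clause on that subtree, and is only allowed the `by users read` access of the final `to *` rule, which is exactly why everything except the Kerberos data replicated in the original report.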