Re: SyncRepl Chaining
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 11:56 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 11:52 AM -0500 espeake@oreillyauto.com
wrote:
> From: Quanah Gibson-Mount <quanah@zimbra.com>
> To: espeake@oreillyauto.com
> Cc: openldap-technical@openldap.org
> Date: 09/06/2013 11:45 AM
> Subject: Re: SyncRepl Chaining
> --On Friday, September 06, 2013 11:35 AM -0500 espeake@oreillyauto.com
> wrote:
>
>> Here is the olcAccess from the slapcat on the database. Rule {0} should be
>> what it is using, but because of it not authenticating, rule {2} is being
>> applied instead.
>
> Did you mean to paste your rules in here and forget? ;)
>
> --Quanah
>
> Yep. I had a hungry child calling me while I was trying to get this out.
>
> olcAccess: {0}to *
> by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
> by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
> by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
> by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
> by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
As you have no break clause, this is the only ACL that ever applies. Since
there is no anonymous read access to userPassword, it is impossible to
authenticate as any user. Thus your inability to authenticate any user is
entirely caused by your broken ACLs.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Here is the LDIF I created and used with ldapmodify:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to *
  by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
  by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
  by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
  by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
  by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
  break
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com"
  by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write
olcAccess: {2}to attrs=userPassword
  by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write
  by anonymous read
olcAccess: {3}to attrs=uid
  by anonymous read
  by users read
olcAccess: {4}to attrs=ou,employeeNumber
  by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com"
  by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none
  by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com"
  by dnattr=owner write
  by dnattr=uniqueMember read
  by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com"
  by self read
  by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read
  by * none
olcAccess: {8}to *
  by self read
  by users read
I confirmed by looking at the LDIF that the changes were made.
Even though it's not supposed to be needed, I restarted the slapd service.
To me it looks like it is reading the break and moving to rule {2}, but
still no love or authentication.
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: conn=1019 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (userPassword)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [1] attr userPassword
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: *
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: [6] applying +0 (break)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: [6] mask: =0
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => dn: [2] dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [2] matched
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [2] attr userPassword
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => slap_access_allowed: auth access denied by =0
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: no more rules
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 slapd[22140]: last message repeated 3 times
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: EQUALITY
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 5
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: EQUALITY
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 5
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_access_allowed: granted to database root
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (objectClass)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result was in cache (objectClass)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (uid)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (description)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested
etc...
Thanks,
Eric
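A replay of the ACL walk in the log above, as an added example rather than code from the thread or from OpenLDAP: it models slapd's rule order (first matching to-clause, first matching by-clause, the implicit "by * none stop", and "break" continuing to the next matching rule) and shows why the anonymous auth check on userPassword is decided at the dc=oreillyauto,dc=com subtree rule before the userPassword rule is ever reached. The reordered FIXED list is my suggestion, not something proposed in the thread; group clauses are treated as never matching an anonymous requester.

```python
# Added example, not the thread's code: a toy model of slapd olcAccess evaluation.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def what_matches(what, dn, attr):          # <what> forms used on this page
    kind, _, val = what.partition("=")
    val, dn = val.strip('"').lower(), dn.lower()
    if kind == "attrs":
        return attr.lower() in val.split(",")
    if kind == "dn.subtree":
        return dn == val or dn.endswith("," + val)
    return what == "*"

def who_matches(who, bind_dn):             # group/... can never match anonymous
    kind, _, val = who.partition("=")
    if kind == "dn.base":
        return bind_dn.lower() == val.strip('"').lower()
    return who == "*" or (who == "anonymous" and bind_dn == "")

def evaluate(acls, bind_dn, dn, attr, wanted):
    """acls: [(what, [(who, level, control), ...])] -> (allowed, trace)."""
    trace, granted = [], "none"
    for i, (what, clauses) in enumerate(acls):
        if not what_matches(what, dn, attr):
            continue                       # <to> did not match: next rule
        for who, level, control in clauses:
            if who_matches(who, bind_dn):
                granted = level
                break
        else:                              # implicit "by * none stop"
            granted, control = "none", "stop"
        trace.append(f"{{{i}}} {what}: {granted} ({control})")
        if control != "break":
            break                          # stop: no further rules consulted
    return LEVELS.index(granted) >= LEVELS.index(wanted), trace

AUTHG = 'group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com"'
ADMINS = 'group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com"'
# Rules {0}-{2} of Eric's LDIF, reduced to the clauses that matter here; the trailing
# "break" of {0} is encoded as "by * break", as the log shows ("a_dn_pat: *", "+0 (break)").
ERIC = [("*", [('dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com"', "read", "stop"),
               ("*", "none", "break")]),
        ('dn.subtree="dc=oreillyauto,dc=com"', [(ADMINS, "write", "stop")]),
        ("attrs=userPassword", [(AUTHG, "write", "stop"), ("anonymous", "read", "stop")])]
# Suggested reordering (my assumption, not from the thread): test userPassword
# before the subtree rule, and give anonymous only "auth", the level a BIND needs.
FIXED = [ERIC[0], ("attrs=userPassword", [(AUTHG, "write", "stop"),
                                          ("anonymous", "auth", "stop")]), ERIC[1]]
TARGET = "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
def bind_allowed(acls):                    # a BIND needs "auth" access to userPassword
    return evaluate(acls, "", TARGET, "userPassword", "auth")
```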