trouble with acls
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: trouble with acls
- From: brendan kearney <bpk678@gmail.com>
- Date: Wed, 19 Feb 2014 18:53:08 -0500
list,
I am running the below version:
@(#) $OpenLDAP: slapd 2.4.26 (Jun 27 2012 15:27:46) $
mockbuild@x86-16.phx2.fedoraproject.org:/builddir/build/BUILD/openldap-2.4.26/openldap-2.4.26/build-servers/servers/slapd
I have the below ACLs:
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by * none
olcAccess: {1}to attrs=loginShell by self write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to dn.subtree="dc=bpk2,dc=com" by dn="cn=adm-srv,dc=bpk2,dc=com" write by dn="cn=kdc-srv,dc=bpk2,dc=com" read by * none
olcAccess: {4}to dn.subtree="dc=bpk2,dc=com" by set="[cn=ldapAdmins,ou=Groups,dc=bpk2,dc=com]/memberUid & user/uid" write by set="[cn=users,ou=Groups,dc=bpk2,dc=com]/memberUid & user/uid" read by * none
I issue the below search query:
ldapsearch -h ldap1 -Y GSSAPI -b 'dc=bpk2,dc=com' -s sub '(objectclass=ipHost)'
and get the below output:
SASL/GSSAPI authentication started
SASL username: brendan@BPK2.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=bpk2,dc=com> with scope subtree
# filter: (objectclass=ipHost)
# requesting: ALL
#
# search result
search: 4
result: 32 No such object
# numResponses: 1
The logs for ACLs show:
2014-02-19T18:41:17.562950-05:00 server slapd[2033]: => access_allowed: search access to "dc=bpk2,dc=com" "entry" requested
2014-02-19T18:41:17.562976-05:00 server slapd[2033]: => dn: [3]
2014-02-19T18:41:17.562986-05:00 server slapd[2033]: => dn: [4] dc=bpk2,dc=com
2014-02-19T18:41:17.562996-05:00 server slapd[2033]: => acl_get: [4] matched
2014-02-19T18:41:17.563005-05:00 server slapd[2033]: => acl_get: [4] attr entry
2014-02-19T18:41:17.563014-05:00 server slapd[2033]: => acl_mask: access to entry "dc=bpk2,dc=com", attr "entry" requested
2014-02-19T18:41:17.563024-05:00 server slapd[2033]: => acl_mask: to all values by "uid=brendan,ou=users,dc=bpk2,dc=com", (=0)
2014-02-19T18:41:17.563034-05:00 server slapd[2033]: <= check a_dn_pat: cn=adm-srv,dc=bpk2,dc=com
2014-02-19T18:41:17.563043-05:00 server slapd[2033]: <= check a_dn_pat: cn=kdc-srv,dc=bpk2,dc=com
2014-02-19T18:41:17.563052-05:00 server slapd[2033]: <= check a_dn_pat: *
2014-02-19T18:41:17.563290-05:00 server slapd[2033]: <= acl_mask: [3] applying none(=0) (stop)
2014-02-19T18:41:17.563327-05:00 server slapd[2033]: <= acl_mask: [3] mask: none(=0)
2014-02-19T18:41:17.563336-05:00 server slapd[2033]: => slap_access_allowed: search access denied by none(=0)
2014-02-19T18:41:17.563344-05:00 server slapd[2033]: => access_allowed: no more rules
I am trying to figure out why I keep getting denied. I tried slapacl:
sudo slapacl -F /etc/openldap/slapd.d -v -U brendan@BPK2.COM -b "dc=bpk2,dc=com" "dc/read:bpk2,dc=com"
This shows a weird user DN and an error:
authcDN: "uid=brendan@bpk2.com,ou=users,dc=bpk2,dc=com"
read access to dc=bpk2,dc=com: DENIED
Are my olcRegExp statements wrong?
olcAuthzRegexp: {0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
olcAuthzRegexp: {1}uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
Where am I not going about this correctly? Any help would be appreciated.
brendan kearney
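As an added illustration (not part of the post above), this Python models the two mechanisms the post touches: olcAuthzRegexp rewriting of the SASL identity, and slapd's rule that the first access directive whose "to" clause matches the target is the only one consulted, with its first matching "by" clause deciding. Run against the post's own rules it reproduces both observations: uid=brendan,... is denied at dc=bpk2,dc=com by the "by * none" of {3} before {4} is ever reached (slapd's debug output counts directives from 1, so "acl_get: [4]" is {3}, and "acl_mask: [3]" is that directive's third "by" clause), and the [^,]* capture in both regexps accepts an "@realm" suffix in the user part, which is what yields the uid=brendan@bpk2.com,... authcDN that slapacl printed. The set= clauses are simplified to group-membership checks and matching is case-insensitive to stand in for slapd's normalized DNs; both are assumptions of the model.

```python
import re
# Constructed from the post: its two olcAuthzRegexp rules and five olcAccess directives.
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth", "uid=$1,ou=Users,dc=bpk2,dc=com"),
    (r"uid=([^,]*),cn=gssapi,cn=auth", "uid=$1,ou=Users,dc=bpk2,dc=com"),
]

def map_sasl_identity(sasl_dn):
    """First matching olcAuthzRegexp rewrites the SASL DN (slapd tries them in order)."""
    for pattern, template in AUTHZ_REGEXP:      # IGNORECASE stands in for normalized DNs
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return template.replace("$1", m.group(1))
    return sasl_dn                              # no rule matched: the raw SASL DN is kept

# set= clauses are simplified to group membership ("group:<cn>"), an assumption of this model.
ACLS = [
    {"attrs": {"userpassword", "shadowlastchange"}, "by": [("anonymous", "auth"), ("*", "none")]},
    {"attrs": {"loginshell"}, "by": [("self", "write"), ("*", "none")]},
    {"dn.base": "", "by": [("*", "read")]},
    {"dn.subtree": "dc=bpk2,dc=com", "by": [("dn:cn=adm-srv,dc=bpk2,dc=com", "write"),
                                           ("dn:cn=kdc-srv,dc=bpk2,dc=com", "read"), ("*", "none")]},
    {"dn.subtree": "dc=bpk2,dc=com", "by": [("group:ldapAdmins", "write"),
                                           ("group:users", "read"), ("*", "none")]},
]

def target_matches(acl, dn, attr):
    dn = dn.lower()
    if "attrs" in acl:                          # attrs-only rules never cover "entry" access
        return attr.lower() in acl["attrs"]
    if "dn.base" in acl:
        return dn == acl["dn.base"]
    return dn == acl["dn.subtree"] or dn.endswith("," + acl["dn.subtree"])

def who_matches(who, subject_dn, target_dn, groups):
    kind, _, value = who.partition(":")
    return (who == "*" or (who == "anonymous" and subject_dn == "")
            or (who == "self" and subject_dn.lower() == target_dn.lower())
            or (kind == "dn" and subject_dn.lower() == value.lower())
            or (kind == "group" and value in groups))

def evaluate(target_dn, attr, subject_dn, groups=()):
    """(directive index, access): only the first directive whose target matches is consulted."""
    for i, acl in enumerate(ACLS):
        if target_matches(acl, target_dn, attr):
            for who, access in acl["by"]:       # first matching "by" clause decides (stop)
                if who_matches(who, subject_dn, target_dn, groups):
                    return i, access
            return i, "none"                    # target matched, no "by" matched: denied
    return None, "none"                         # nothing matched: denied
```

Calling evaluate("dc=bpk2,dc=com", "entry", "uid=brendan,ou=users,dc=bpk2,dc=com", {"users"}) returns (3, "none") even though the user is in the users group, because {4} is never consulted; only cn=kdc-srv and cn=adm-srv get past {3}.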