[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Implementing PPolicy

To: Joshua Schaeffer <jschaeffer0922@gmail.com>
Subject: Re: Implementing PPolicy
From: Dieter KlÃnter <dieter@dkluenter.de>
Date: Thu, 23 Jan 2014 08:53:10 +0100
Cc: OpenLDAP Technical <openldap-technical@openldap.org>
In-reply-to: <52E06CEE.4070404@gmail.com>
Organization: AVCI
References: <52DC4140.7010600@gmail.com> <20140120085336.11926ef0@violet.avci.de> <52DDE008.3010105@gmail.com> <20140121145424.5da3cb9c@pink.avci.de> <52E06CEE.4070404@gmail.com>

Am Wed, 22 Jan 2014 18:14:22 -0700
schrieb Joshua Schaeffer <jschaeffer0922@gmail.com>:

> Just now getting back to this.  I ran the daemon in debug mode, then
> ran the passwd utility on a different server for my uid (got the same 
> results as before and then terminated the daemon) and it output a lot
> on the acl's.  I attached the full log file. Below is the tail end of
> the log:
> 
> ===================================================
> 52e068f8 <= acl_mask: [3] mask: read(=rscxd)
> 52e068f8 => slap_access_allowed: read access granted by read(=rscxd)
> 52e068f8 => access_allowed: read access granted by read(=rscxd)
> 52e068f8 => access_allowed: result not in cache (userPassword)
> 52e068f8 => access_allowed: read access to 
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword"
> requested 52e068f8 => acl_get: [1] attr userPassword
> 52e068f8 => acl_mask: access to entry 
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword" 
> requested
> 52e068f8 => acl_mask: to value by "", (=0)
> 52e068f8 <= check a_dn_pat: self
> 52e068f8 <= check a_dn_pat: anonymous
> 52e068f8 <= acl_mask: [2] applying auth(=xd) (stop)
> 52e068f8 <= acl_mask: [2] mask: auth(=xd)
> 52e068f8 => slap_access_allowed: read access denied by auth(=xd)
> 52e068f8 => access_allowed: no more rules
> 52e068f8 send_search_entry: conn 1000 access to attribute
> userPassword, value #0 not allowed
> 52e068fb => bdb_entry_get: found entry: 
> "uid=jschaeffer,ou=people,dc=harmonywave,dc=com"
> 52e068fb => bdb_entry_get: found entry: 
> "cn=default,ou=policies,dc=harmonywave,dc=com"
> 52e068fb => access_allowed: result not in cache (userPassword)
> 52e068fb => access_allowed: auth access to 
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword"
> requested 52e068fb => acl_get: [1] attr userPassword
> 52e068fb => acl_mask: access to entry 
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword" 
> requested
> 52e068fb => acl_mask: to value by "", (=0)
> 52e068fb <= check a_dn_pat: self
> 52e068fb <= check a_dn_pat: anonymous
> 52e068fb <= acl_mask: [2] applying auth(=xd) (stop)
> 52e068fb <= acl_mask: [2] mask: auth(=xd)
> 52e068fb => slap_access_allowed: auth access granted by auth(=xd)
[...]

There is an anonymous trying to read a userPassword (and probably
trying to modifying it afterwards). Acording to your access rules only
auth permissions are granted to anonymous.

-Dieter

 


-- 
Dieter KlÃnter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53Â37'09,95"N
10Â08'02,42"E

Follow-Ups:
- Re: Implementing PPolicy
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>

References:
- Implementing PPolicy
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Re: Implementing PPolicy
  - From: Dieter KlÃnter <dieter@dkluenter.de>
- Re: Implementing PPolicy
  - From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Re: Implementing PPolicy
  - From: Dieter KlÃnter <dieter@dkluenter.de>

Prev by Date: Re: problem with accessing secure ldap
Next by Date: Antw: problem with accessing secure ldap
Index(es):
- Chronological
- Thread