On Tue, 22 Mar 2011 12:20:15 +0100, Gabor HALASZ <halas...@freemail.hu> wrote:
[...]
>
> The ACLs would be interesting, especially with regard to the userpassword
> attribute, and add 128 to the debuglevel, then look hard at
> the log, searching for an access violation.
[...]
> Most likely the replicator has no right to read the userpassword
> attribute. Something like this would be needed:
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>     by anonymous auth
>     by dn.exact="cn=replicator,dc=domain,dc=tld" read
>     by self write
>     by * none
>
>
This is what is in the master's slapd.conf right now:

access to attrs=userPassword
    by anonymous auth
    by dn.exact="cn=replicator,dc=valami,dc=hu" read
    by self write
    by * none

A piece of ldapsearch output from the slave (after a complete reinstall...):

# Molnar Roland Testuser3, Users, valami.hu
dn: cn=Molnar Roland Testuser3,ou=Users,dc=valami,dc=hu
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Molnar Roland Testuser3
sn: Molnar
uid: laviantest3
gidNumber: 20003
uidNumber: 20003
homeDirectory: /home/laviantest3

This is the log on the master when I restart the slave (the word "violation" does not appear in the log after loglevel=128). It seems to me that it returns no value (=>acl_mask: to value by "",(=0)), but interpreting this log is not yet my strength:

Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: auth access to "cn=replicator,dc=valami,dc=hu" "userPassword" requested
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_get: [1] attr userPassword
Mar 22 12:46:45 ldapmaster slapd[2724]: => slap_access_allowed: result not in cache (userPassword)
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_mask: access to entry "cn=replicator,dc=valami,dc=hu", attr "userPassword" requested
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_mask: to value by "", (=0)
Mar 22 12:46:45 ldapmaster slapd[2724]: <= check a_dn_pat: cn=admin,dc=valami,dc=hu
Mar 22 12:46:45 ldapmaster slapd[2724]: <= check a_dn_pat: anonymous
Mar 22 12:46:45 ldapmaster slapd[2724]: <= acl_mask: [2] applying auth(=xd) (stop)
Mar 22 12:46:45 ldapmaster slapd[2724]: <= acl_mask: [2] mask: auth(=xd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => slap_access_allowed: auth access granted by auth(=xd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: auth access granted by auth(=xd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: search access to "dc=valami,dc=hu" "entry" requested
Mar 22 12:46:45 ldapmaster slapd[2724]: => dn: [2]
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_get: [3] attr entry
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_mask: access to entry "dc=valami,dc=hu", attr "entry" requested
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_mask: to all values by "cn=replicator,dc=valami,dc=hu", (=0)
Mar 22 12:46:45 ldapmaster slapd[2724]: <= check a_dn_pat: cn=admin,dc=valami,dc=hu
Mar 22 12:46:45 ldapmaster slapd[2724]: <= check a_dn_pat: *
Mar 22 12:46:45 ldapmaster slapd[2724]: <= acl_mask: [2] applying read(=rscxd) (stop)
Mar 22 12:46:45 ldapmaster slapd[2724]: <= acl_mask: [2] mask: read(=rscxd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => slap_access_allowed: search access granted by read(=rscxd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: search access granted by read(=rscxd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: search access to "dc=valami,dc=hu" "objectClass" requested
Mar 22 12:46:45 ldapmaster slapd[2724]: => dn: [2]
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_get: [3] attr objectClass
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_mask: access to entry "dc=valami,dc=hu", attr "objectClass" requested
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_mask: to all values by "cn=replicator,dc=valami,dc=hu", (=0)
Mar 22 12:46:45 ldapmaster slapd[2724]: <= check a_dn_pat: cn=admin,dc=valami,dc=hu
Mar 22 12:46:45 ldapmaster slapd[2724]: <= check a_dn_pat: *
Mar 22 12:46:45 ldapmaster slapd[2724]: <= acl_mask: [2] applying read(=rscxd) (stop)
Mar 22 12:46:45 ldapmaster slapd[2724]: <= acl_mask: [2] mask: read(=rscxd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => slap_access_allowed: search access granted by read(=rscxd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: search access granted by read(=rscxd)
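
Added example, not part of the original messages: a small parser for slapd loglevel 128 lines like those quoted in this thread, pairing each access_allowed request with the bound DN and the final result, so it is easy to see which identity asked for userPassword and at what access level. The function names are hypothetical, and SAMPLE is an excerpt of the log in the thread.

```python
import re

# Sample input: a few of the loglevel-128 lines from the thread (excerpt).
SAMPLE = '''\
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: auth access to "cn=replicator,dc=valami,dc=hu" "userPassword" requested
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_mask: to value by "", (=0)
Mar 22 12:46:45 ldapmaster slapd[2724]: <= acl_mask: [2] applying auth(=xd) (stop)
Mar 22 12:46:45 ldapmaster slapd[2724]: => slap_access_allowed: auth access granted by auth(=xd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: auth access granted by auth(=xd)
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: search access to "dc=valami,dc=hu" "entry" requested
Mar 22 12:46:45 ldapmaster slapd[2724]: => acl_mask: to all values by "cn=replicator,dc=valami,dc=hu", (=0)
Mar 22 12:46:45 ldapmaster slapd[2724]: <= acl_mask: [2] applying read(=rscxd) (stop)
Mar 22 12:46:45 ldapmaster slapd[2724]: => access_allowed: search access granted by read(=rscxd)
'''.splitlines()

REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
WHO = re.compile(r'=>\s*acl_mask: to (?:all values|value) by "([^"]*)"')
CLAUSE = re.compile(r'<= acl_mask: \[(\d+)\] applying (\S+)')
RES = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')

def acl_decisions(lines):
    """Return one dict per access_allowed request/result pair found in the log."""
    out, cur = [], None
    for line in lines:
        if m := REQ.search(line):
            cur = {"level": m[1], "entry": m[2], "attr": m[3],
                   "who": None, "by_clause": None}
        elif cur is None:
            continue                      # line outside any request block
        elif m := WHO.search(line):
            cur["who"] = m[1] or "anonymous"   # empty bound DN = anonymous
        elif m := CLAUSE.search(line):
            cur["by_clause"] = int(m[1])  # number as printed by slapd, kept as-is
        elif m := RES.search(line):
            cur.update(result=m[2], mask=m[3])
            out.append(cur)
            cur = None
    return out

def attr_requests(decisions, attr):
    """All decisions that concern one attribute (case-insensitive match)."""
    return [d for d in decisions if d["attr"].lower() == attr.lower()]

if __name__ == "__main__":
    for d in acl_decisions(SAMPLE):
        print(d["who"], d["level"], d["attr"], d["result"], d["mask"])
```

Run against the full log, `attr_requests(decisions, "userPassword")` lists every identity whose access to that attribute was evaluated; in the excerpt the only such check is the anonymous auth during the bind.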