Dave Shield <[EMAIL PROTECTED]> wrote:
On Wed, 2005-06-22 at 22:28, Shufen Zhang wrote:
> how can I configure the agent to allow access for a particular
> community
Using snmpd.conf
> WITHOUT using snmpd.conf
By hardcoding equivalent statements into the agent.
Something like
vacm_parse_simple("rocommunity", "public");
should do the trick.
Dave
===============================================================
if ((access_ret = check_access(asp->pdu)) != 0) {
    if (access_ret == VACM_NOSUCHCONTEXT) {
        /*
         * rfc2573 section 3.2, step 5 says that we increment the
         * counter but don't return a response of any kind
         */
        /*
         * we currently don't support unavailable contexts, as
         * there is no reason to that I currently know of
         */
        snmp_increment_statistic(STAT_SNMPUNKNOWNCONTEXTS);
        /*
         * drop the request
         */
        netsnmp_remove_and_free_agent_snmp_session(asp);
        return 0;
    } else {
the execution came in this part,
        /*
         * access control setup is incorrect
         */
        send_easy_trap(SNMP_TRAP_AUTHFAIL, 0);
#if !defined(DISABLE_SNMPV1) || !defined(DISABLE_SNMPV2C)
        if (asp->pdu->version != SNMP_VERSION_1
            && asp->pdu->version != SNMP_VERSION_2c) {
            asp->pdu->errstat = SNMP_ERR_AUTHORIZATIONERROR;
            asp->pdu->command = SNMP_MSG_RESPONSE;
            snmp_increment_statistic(STAT_SNMPOUTPKTS);
            if (!snmp_send(asp->session, asp->pdu))
                snmp_free_pdu(asp->pdu);
            asp->pdu = NULL;
            netsnmp_remove_and_free_agent_snmp_session(asp);
            return 1;
        } else {
#endif /* support for community based SNMP */
            /*
             * drop the request
             */
up to here the snmp request was dropped...
            netsnmp_remove_and_free_agent_snmp_session(asp);
            return 0;
#if !defined(DISABLE_SNMPV1) || !defined(DISABLE_SNMPV2C)
        }
#endif /* support for community based SNMP */
    }
}
------------------------------------------------------------
For this code,
1. What specific configurations is it checking?
2. How and when are those configurations created?
int
check_access(netsnmp_pdu *pdu)
{                               /* IN - pdu being checked */
    struct view_parameters view_parms;
    view_parms.pdu = pdu;
    view_parms.name = 0;
    view_parms.namelen = 0;
    view_parms.errorcode = 0;
    view_parms.check_subtree = 0;
    if (pdu->flags & UCD_MSG_FLAG_ALWAYS_IN_VIEW) {
        /* Enable bypassing of view-based access control */
        return 0;
    }
    switch (pdu->version) {
#ifndef DISABLE_SNMPV1
    case SNMP_VERSION_1:
#endif
#ifndef DISABLE_SNMPV2C
    case SNMP_VERSION_2c:
#endif
    case SNMP_VERSION_3:
        printf("SHUFEN: check_access SNMP_VERSION_3.\n");
        snmp_call_callbacks(SNMP_CALLBACK_APPLICATION,
                            SNMPD_CALLBACK_ACM_CHECK_INITIAL, &view_parms);
        return view_parms.errorcode;
    }
    return 1;
}
-----------------------------------------------------------------
Question:
Here in this function, regarding the check
pdu->flags & UCD_MSG_FLAG_ALWAYS_IN_VIEW
when and how could pdu->flags be set to UCD_MSG_FLAG_ALWAYS_IN_VIEW?
=================================================================
I tried forcing check_access to return success, then I got the following:
$ snmpwalk -c public -v 2c agentIpaddr .1.3
SNMP-VIEW-BASED-ACM-MIB::vacmViewSpinLock.0=No more variables left in the MIB View(It is past the end of the MIB tree)
What is the default view for snmpv1 and v2c access?
I didn't do anything for it.
I am really lost about this. Please help!!!
My understanding is that the snmpd.conf thing does not work in the case of cross-compiled embedded usage, right? If yes, how?
Many thanks!!!
Shufen