At 10:35 AM 6/27/2006, Jason Lixfeld wrote:
>Ok, I think I'm making some headway, but I'm still a little confused.
>
>I didn't realize that by putting in an access entry to permit
>specific stuff, you have to put other entries in for everything else
>or else it's an implicit deny. That being said, I modified my
>slapd.conf as follows:
>
>access to attrs=userPassword
> by self write
> by anonymous auth
> by * none

The following by clause is not reached as the above "by *" applies. Order matters.

> by dn.exact="cn=proxyuser,dc=example,dc=ca" read
>
>access to *
> by * read
>
>(also, I've tried variations on attrs and attr, as well as dn= and
>dn.exact=, all to no avail)
>
>and I'm running slapd -d acl.
>
>Now, when I run the ldapsearch call, I get closer; that is, I get the
>search DN returned to me, but I still don't get the password:
>
># ldapsearch -D "cn=proxyuser,dc=example,dc=ca" -b
>'ou=auth,dc=example,dc=ca' -x -W '(uid=jlixfeld.example.ca)'
>userPassword
>Enter LDAP Password:
># extended LDIF
>#
># LDAPv3
># base <ou=auth,dc=example,dc=ca> with scope subtree
># filter: (uid=jlixfeld.example.ca)
># requesting: userPassword
>#
>
># jlixfeld.example.ca, users, auth, example.ca
>dn: uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>#
>
>=> access_allowed: auth access to "cn=proxyuser,dc=example,dc=ca"
>"userPassword" requested
>=> acl_get: [1] attr userPassword
>access_allowed: no res from state (userPassword)
>=> acl_mask: access to entry "cn=proxyuser,dc=example,dc=ca", attr
>"userPassword" requested
>=> acl_mask: to value by "", (=0)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= acl_mask: [2] applying auth(=xd) (stop)
><= acl_mask: [2] mask: auth(=xd)
>=> access_allowed: auth access granted by auth(=xd)
>=> access_allowed: search access to
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "uid"
>requested
>=> acl_get: [2] attr uid
>=> acl_mask: access to entry
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr
>"uid" requested
>=> acl_mask: to value by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscxd) (stop)
><= acl_mask: [1] mask: read(=rscxd)
>=> access_allowed: search access granted by read(=rscxd)
>=> access_allowed: read access to
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca" "entry"
>requested
>=> acl_get: [2] attr entry
>=> acl_mask: access to entry
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr
>"entry" requested
>=> acl_mask: to all values by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: *
><= acl_mask: [1] applying read(=rscxd) (stop)
><= acl_mask: [1] mask: read(=rscxd)
>=> access_allowed: read access granted by read(=rscxd)
>=> access_allowed: read access to
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca"
>"userPassword" requested
>=> acl_get: [1] attr userPassword
>access_allowed: no res from state (userPassword)
>=> acl_mask: access to entry
>"uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca", attr
>"userPassword" requested
>=> acl_mask: to value by "cn=proxyuser,dc=example,dc=ca", (=0)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= check a_dn_pat: *
><= acl_mask: [3] applying none(=0) (stop)
><= acl_mask: [3] mask: none(=0)
>=> access_allowed: read access denied by none(=0)
>send_search_entry: conn 9 access to attribute userPassword, value #0
>not allowed
>
>Correct me if I'm wrong but the "read access denied by none"
>indicates that the bind isn't happening as proxyuser?
>
>Also, what does "access_allowed: no res from state" mean? It's the
>only debug part that I can't quite decipher.
>
>Begin forwarded message:
>
>>From: Jason Lixfeld <[EMAIL PROTECTED]>
>>Date: June 27, 2006 12:38:14 PM EDT (CA)
>>To: OpenLDAP software list <[email protected]>
>>Subject: Trying to figure out access policies
>>
>>I think I'm somewhat versed in the basics of OpenLDAP, but the
>>concept of access policies eludes me because they are far beyond my
>>current level of comprehension. That being said, I'm doing some
>>trial by fire to try to make sense of how they work and hopefully
>>will then be able to relate some of what I read in the manual to
>>what I've made happen in tests...
>>
>>I'm trying to get a proxyuser working so I don't have to do
>>everything as Manager.
>>
>>I put this entry into my slapd.conf as per some tutorials I read:
>>
>>access to attrs=userPassword
>> by dn="cn=Proxyuser,dc=example,dc=ca" read
>>
>>and likewise, these entries into my ldap.conf:
>>
>>binddn cn=Proxyuser,dc=example,dc=ca
>>bindpw ****
>>rootbinddn cn=Proxyuser,dc=example,dc=ca
>>
>>and finally, the Proxyuser password in /etc/ldap.secret.
>>
>>Being unsure if the lookups for ldap.conf and ldap.secret are in /etc or
>>/usr/local/etc (Using a FreeBSD system here), I symlinked
>>each so they are available in both locations.
>>
>>After that was all said and done, I restarted slapd and tried to do
>>a search using the proxyuser as the binddn:
>>
>># ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b
>>'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword
>>Enter LDAP Password:
>>ldap_bind: Invalid credentials (49)
>>
>># all.log
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from
>>IP=127.0.0.1:54632 (IP=0.0.0.0:389)
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND
>>dn="cn=Proxyuser,dc=example,dc=ca" method=128
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97
>>err=49 text=
>>Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed
>>(connection lost)
>>
>>It would seem to me that it's not complaining about the password,
>>so I assume it's complaining about the access entry in slapd.conf.
>>I removed the access entry from slapd.conf and was able to perform
>>the same search as above without a problem.
>>
>>Anyone have any pointers on what I can look at as the source of
>>this problem?
>>
>>Also, I'm a little confused about the difference between binddn and
>>rootbinddn. If I understand correctly, rootbinddn is the DN used
>>to bind if the user executing the command is root, while binddn is
>>the DN used to bind if the user executing the command is any user
>>other than root. Is this correct? I ask because if I run
>>ldapsearch as root with no additional arguments and check the logs,
>>it seems to bind anonymously so I'm not sure if my understanding of
>>binddn vs. rootbinddn is correct:
>>
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from
>>IP=127.0.0.1:58244 (IP=0.0.0.0:389)
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0
>>text=
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base=""
>>scope=2 deref=0 filter="(objectClass=*)"
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT
>>tag=101 err=32 nentries=0 text=
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND
>>Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed
>>
>>Thanks in advance for any insight on either or both of these points...
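The ordering point made in the reply (a "by *" clause ends evaluation, so the dn.exact clause placed after it is never consulted, and the slapd -d acl trace shows "[3] applying none(=0) (stop)") can be replayed offline with a small model of how slapd picks a clause. This is an added example for the thread, not OpenLDAP's own code: it assumes the evaluation rules described in slapd.access(5) (first matching "access to" directive, then first matching "by" clause, privilege ladder none < disclose < auth < compare < search < read < write < manage, implicit none when nothing matches) and supports only the "*", attrs=, self, anonymous, users and dn=/dn.exact= forms that appear in the thread. The ACL text and DNs are copied from the messages above; the reordered variant is constructed here to show the fix.

```python
import re
from typing import List, Tuple

# Privilege ladder from slapd.access(5): each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

Acl = Tuple[str, List[Tuple[str, str]]]  # (what, [(who, level), ...])


def parse_acls(conf: str) -> List[Acl]:
    """Parse 'access to <what>' directives and their 'by <who> <level>' clauses
    from slapd.conf-style text. Only the forms used in the thread are accepted."""
    acls: List[Acl] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
            continue
        m = re.fullmatch(r"by\s+(\S+)\s+(\w+)", line)
        if not m or not acls:
            raise ValueError(f"cannot parse line: {raw!r}")
        who, level = m.group(1), m.group(2)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        acls[-1][1].append((who, level))
    return acls


def what_matches(what: str, attr: str) -> bool:
    """Does the 'what' part select this attribute? Supports '*' and 'attrs=a,b'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[len("attrs="):].split(",")]
    raise ValueError(f"unsupported what clause {what!r}")


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    """Does the 'who' part match the bound identity? bind_dn == '' means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]*)"', who)
    if m:
        return bind_dn.lower() == m.group(1).lower()
    raise ValueError(f"unsupported who clause {who!r}")


def evaluate(acls: List[Acl], bind_dn: str, target_dn: str, attr: str, requested: str):
    """Model slapd's decision (assumed from slapd.access(5)): the first 'access to'
    whose what matches is chosen, then the first 'by' whose who matches decides;
    later clauses in that directive are never consulted. Returns (granted, trace)."""
    for i, (what, clauses) in enumerate(acls, 1):
        if not what_matches(what, attr):
            continue
        for j, (who, level) in enumerate(clauses, 1):
            if who_matches(who, bind_dn, target_dn):
                granted = LEVELS.index(level) >= LEVELS.index(requested)
                return granted, f"acl [{i}] clause [{j}] {who} -> {level}"
        return False, f"acl [{i}] matched but no 'by' clause did -> implicit none"
    return False, "no 'access to' directive matched -> implicit none"


# The ACL as posted in the thread: the dn.exact clause sits after "by * none".
AS_POSTED = """
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
  by dn.exact="cn=proxyuser,dc=example,dc=ca" read
access to *
  by * read
"""

# Constructed variant: same clauses, proxy user's clause moved ahead of the catch-all.
REORDERED = """
access to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=proxyuser,dc=example,dc=ca" read
  by * none
access to *
  by * read
"""

PROXY = "cn=proxyuser,dc=example,dc=ca"
USER = "uid=jlixfeld.example.ca,ou=users,ou=auth,dc=example,dc=ca"


def proxy_can_read_password(conf: str) -> bool:
    """Can the proxy user read userPassword on the user entry under this ACL text?"""
    return evaluate(parse_acls(conf), PROXY, USER, "userPassword", "read")[0]


if __name__ == "__main__":
    for name, conf in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        ok, trace = evaluate(parse_acls(conf), PROXY, USER, "userPassword", "read")
        print(f"{name}: proxy read of userPassword {'granted' if ok else 'denied'} ({trace})")
```

Run as a script it prints the denial for the posted ordering (decided by clause 3, "* -> none", matching the "[3] applying none(=0)" line in the debug trace) and the grant once the dn.exact clause precedes "by * none". The model deliberately stops at the forms in the thread: it does not handle dn.subtree/dn.regex, sets, the break/continue/stop controls, or slapd's default of read-for-all when a configuration contains no access directives at all.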
