michael@stroeder.com wrote:
I will check this right now. Anyway find below the tail of the server's log when invoking
ldapwhoami -H ldapi://%2Fhome%2Fmichael%2Ftemp%2Fopenldap-testbed-RE24%2Fslapd1 -Y EXTERNAL
OK, at a first glance, I see two things:
1) your search finds nothing, probably because anonymous cannot read the "entry" pseudo-attribute of "ou=schulung,dc=stroeder,dc=local" (see [1])
2) this causes a sigsegv, which Is Bad (TM).
You should check whether the result of those ACLs is correct, and in the meanwhile provide a core dump, to fix the sigsegv issue.
p.
--------------------------------- snip --------------------------------
==> sasl_bind: dn="" mech=EXTERNAL datalen=0
SASL Canonicalize [conn=0]: authcid="gidNumber=100+uidNumber=500,cn=peercred,cn=external,cn=auth"
slap_sasl_getdn: conn 0 id=gidNumber=100+uidNumber=500,cn=peercred,cn=external,cn=auth [len=59]
==>slap_sasl2dn: converting SASL name gidNumber=100+uidNumber=500,cn=peercred,cn=external,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='gidNumber=100+uidNumber=500,cn=peercred,cn=external,cn=auth'
==> rewrite_rule_apply rule='gidnumber=([0-9]+)+uidnumber=([0-9]+),cn=peercred,cn=external,cn=auth' string='gidNumber=100+uidNumber=500,cn=peercred,cn=external,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=schulung,dc=stroeder,dc=local??sub?(&(objectClass=posixAccount)(uidNumber=500)(gidNumber=100))'}
[rw] authid: "gidNumber=100+uidNumber=500,cn=peercred,cn=external,cn=auth" -> "ldap:///ou=schulung,dc=stroeder,dc=local??sub?(&(objectClass=posixAccount)(uidNumber=500)(gidNumber=100))"
slap_parseURI: parsing ldap:///ou=schulung,dc=stroeder,dc=local??sub?(&(objectClass=posixAccount)(uidNumber=500)(gidNumber=100))
ldap_url_parse_ext(ldap:///ou=schulung,dc=stroeder,dc=local??sub?(&(objectClass=posixAccount)(uidNumber=500)(gidNumber=100)))
put_filter: "(&(objectClass=posixAccount)(uidNumber=500)(gidNumber=100))"
put_filter: AND
put_filter_list "(objectClass=posixAccount)(uidNumber=500)(gidNumber=100)"
put_filter: "(objectClass=posixAccount)"
put_filter: simple
put_simple_filter: "objectClass=posixAccount"
put_filter: "(uidNumber=500)"
put_filter: simple
put_simple_filter: "uidNumber=500"
put_filter: "(gidNumber=100)"
put_filter: simple
put_simple_filter: "gidNumber=100"
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
dnNormalize: <ou=schulung,dc=stroeder,dc=local>
=> ldap_bv2dn(ou=schulung,dc=stroeder,dc=local,0)
<= ldap_bv2dn(ou=schulung,dc=stroeder,dc=local)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=schulung,dc=stroeder,dc=local)=0
<<< dnNormalize: <ou=schulung,dc=stroeder,dc=local>
slap_sasl2dn: performing internal search (base=ou=schulung,dc=stroeder,dc=local, scope=2)
=> hdb_search
bdb_dn2entry("ou=schulung,dc=stroeder,dc=local")
=> access_allowed: auth access to "ou=schulung,dc=stroeder,dc=local" "entry" requested
=> dn: [4] ou=users,ou=schulung,dc=stroeder,dc=local
=> dn: [5] ou=groups,ou=schulung,dc=stroeder,dc=local
=> dn: [6] ou=schulung,dc=stroeder,dc=local
=> acl_get: [6] matched
=> acl_get: [6] attr entry
=> acl_mask: access to entry "ou=schulung,dc=stroeder,dc=local", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [2] applying none(=0) (stop)
<= acl_mask: [2] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
[1]
=> access_allowed: no more rules
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=32 matched="" text=""
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: slapAuthcDN="gidNumber=100+uidNumber=500,cn=peercred,cn=external,cn=auth"
./start-slapd1.sh: line 14: 20820 Segmentation fault ${OPENLDAP_PREFIX}/libexec/slapd -d stats,acl,args,trace,sync -h "ldap://0.0.0.0:2071 ldapi://%2Fhome%2Fmichael%2Ftemp%2Fopenldap-testbed-RE24%2Fslapd1" -n slapd-schulung-1 -u michael -f ${LOCALCONFIG}/slapd-1.conf -F ${LOCALCONFIG}/slapd-1.conf.d
michael@nb2:~/temp/openldap-testbed-RE24>
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
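
The failure in point 1 (the SASL identity is rewritten to a search URL, the internal search is refused by an ACL, and the name maps to nothing) can be picked out of a slapd trace mechanically. The following Python is an added example, not part of the original message or of OpenLDAP; the function name analyze_sasl_mapping and the verdict strings are made up for illustration, and the sample input reuses lines from the trace quoted in this message.

```python
import re

# Events copied from the trace quoted in this message, split one per line.
FAILED_TRACE = '''\
[rw] authid: "gidNumber=100+uidNumber=500,cn=peercred,cn=external,cn=auth" -> "ldap:///ou=schulung,dc=stroeder,dc=local??sub?(&(objectClass=posixAccount)(uidNumber=500)(gidNumber=100))"
slap_sasl2dn: performing internal search (base=ou=schulung,dc=stroeder,dc=local, scope=2)
=> access_allowed: auth access to "ou=schulung,dc=stroeder,dc=local" "entry" requested
=> slap_access_allowed: auth access denied by none(=0)
send_ldap_result: err=32 matched="" text=""
<==slap_sasl2dn: Converted SASL name to <nothing>
'''

REWRITE = re.compile(r'\[rw\] authid: "([^"]+)" -> "([^"]+)"')
SEARCH = re.compile(r'slap_sasl2dn: performing internal search \(base=(.+), scope=(\d+)\)')
ACL_REQ = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
ACL_DENY = re.compile(r'slap_access_allowed: (\w+) access denied by (\S+)')
RESULT = re.compile(r'send_ldap_result: err=(\d+)')
CONVERTED = re.compile(r'slap_sasl2dn: Converted SASL name to (.+)$')

def analyze_sasl_mapping(trace):
    """Follow one SASL-name-to-DN mapping through a slapd trace and summarize it."""
    info = {"authid": None, "search_url": None, "base": None,
            "denied": [], "err": None, "mapped_dn": None, "verdict": "incomplete"}
    in_search, pending = False, None
    for line in trace.splitlines():
        if m := REWRITE.search(line):
            info["authid"], info["search_url"] = m.groups()
        elif m := SEARCH.search(line):
            info["base"], in_search = m.group(1), True
        elif in_search and (m := ACL_REQ.search(line)):
            pending = m.groups()  # (access level, entry DN, attribute)
        elif in_search and pending and (m := ACL_DENY.search(line)):
            info["denied"].append(pending + (m.group(2),))
            pending = None
        elif in_search and (m := RESULT.search(line)):
            info["err"] = int(m.group(1))
        elif m := CONVERTED.search(line):
            dn = m.group(1).strip()
            info["mapped_dn"] = None if dn == "<nothing>" else dn
            if info["mapped_dn"]:
                info["verdict"] = "mapped"
            else:
                cause = "internal search blocked by ACL" if info["denied"] else "no entry matched"
                info["verdict"] = "unmapped: " + cause
            in_search = False
    return info

if __name__ == "__main__":
    print(analyze_sasl_mapping(FAILED_TRACE))
```

An "unmapped" verdict with a non-empty denied list points at the ACLs rather than at the authz-regexp rule or the directory data.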