Hello. I guess this must be a FAQ, but I tried searching for a whole day and didn't come up with any answer.
I've got two FreeBSD servers running openldap 2.3.32 in a master/slave configuration. I'm using slurpd to keep them in sync: I tried this with the rootdn as the slurp binddn and from a network perspective it works. Now, I obviously don't want to use rootdn for this, so I created a new user and I'm using simple authentication (on an SSL layer).
I get problems with access control, however, that prevent it from working.
What I did:
I created this user:
dn: uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx
cn: slurpd
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: slurpd
uidNumber: 1033
gidNumber: 389
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
loginShell: /sbin/nologin
homeDirectory: /nonexistent
On the slave I edited slapd.conf as follows:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/local/etc/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none

TLSCertificateFile /usr/local/local/etc/openssl/openldap_newcert.pem
TLSCertificateKeyFile /usr/local/local/etc/openssl/openldap_newcertkey.pem
TLSCACertificateFile /usr/local/local/etc/openssl/netfence_ca.pem

database bdb
suffix "dc=xxxxxxxx,dc=xx"
rootdn "cn=root,dc=xxxxxxxx,dc=xx"
rootpw xxxxxxxx
directory /var/db/openldap-data
index objectClass eq
index uid pres,eq
index rid eq
index cn eq

updatedn "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"
updateref "ldaps://master.xxxxxxxxx.xx"
The problem is I cannot access the slave database with dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
What I get is:
slave# ldapsearch -w xxxxxxx -D 'uid=slurp,ou=users,dc=xxxxxxxx,dc=xx' -b 'dc=xxxxxxxxx,dc=xx' -d 255
[... libldap -d 255 connection and BER hex trace of the bind request and response elided ...]
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
Obviously the same command works if used with rootdn.
What am I doing wrong?
bye & Thanks av.
--On Friday, January 19, 2007 11:25 PM +0100 Andrea Venturoli ml@netfence.it wrote:
Hello. I guess this must be a FAQ, but I tried searching for a whole day and didn't come up with any answer.
I've got two FreeBSD servers running openldap 2.3.32 in a master/slave configuration. I'm using slurpd to keep them in sync: I tried this with the rootdn as the slurp binddn and from a network perspective it works. Now, I obviously don't want to use rootdn for this, so I created a new user and I'm using simple authentication (on an SSL layer).
I get problems with access control, however, that prevent it from working.
What I did:
I created this user:
dn: uid=slurpd,ou=users,dc=xxxxxxxx,dc=xx
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
The problem is I cannot access the slave database with dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
What I get is:
slave# ldapsearch -w xxxxxxx -D 'uid=slurp,ou=users,dc=xxxxxxxx,dc=xx' -b
What am I doing wrong?
The user you created (uid=slurpd) is not the DN you gave access to (uid=slurp), assuming that isn't a typo and is a direct cut & paste.
--Quanah
-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
I get problems with access control, however, that prevent it from working.
Yes...given
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
The problem is I cannot access the slave database with dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
because you have no access for anonymous to auth to uid=slurp.
slave# ldapsearch -w xxxxxxx -D 'uid=slurp,ou=users,dc=xxxxxxxx,dc=xx' -b 'dc=xxxxxxxxx,dc=xx' -d 255
Debugging on the client isn't going to be too informative here. Try "slapd -d acl" perhaps.
On Fri, Jan 19, 2007 at 07:16:39PM -0500, Aaron Richton wrote:
I get problems with access control, however, that prevent it from working.
Yes...given
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
Think what you need here is
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write by * break
access to attrs=userPassword by anonymous auth by self write by * none
access to * by * none
The difference is the first will give uid=slurp root-like access to everything. The "by * break" says: even though you have matched *, if you have gotten to this line, break out of this statement and continue processing.
The second one governs userPassword and gives the anonymous user the right to authenticate.
And the bottom (last) default one says everything else by everyone else is none.
The problem is I cannot access the slave database with dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
because you have no access for anonymous to auth to uid=slurp.
slave# ldapsearch -w xxxxxxx -D 'uid=slurp,ou=users,dc=xxxxxxxx,dc=xx' -b 'dc=xxxxxxxxx,dc=xx' -d 255
Debugging on the client isn't going to be too informative here. Try "slapd -d acl" perhaps.
Alex Samad wrote:
On Fri, Jan 19, 2007 at 07:16:39PM -0500, Aaron Richton wrote:
I get problems with access control, however, that prevent it from working.
Yes...given
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
Think what you need here is
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write by * break
access to attrs=userPassword by anonymous auth by self write by * none
access to * by * none
Yes, but sloppy. Don't use rules you don't need, and write rules that work with the natural order of processing:
access to attrs=userPassword by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write by self write by anonymous auth
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
I.e., don't throw in gratuitous "break" statements when you don't need to.
On Fri, Jan 19, 2007 at 09:47:10PM -0800, Howard Chu wrote:
Alex Samad wrote:
On Fri, Jan 19, 2007 at 07:16:39PM -0500, Aaron Richton wrote:
I get problems with access control, however, that prevent it from working.
Yes...given
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
Think what you need here is
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write by * break
access to attrs=userPassword by anonymous auth by self write by * none
access to * by * none
Yes, but sloppy. Don't use rules you don't need, and write rules that work with the natural order of processing:
access to attrs=userPassword by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write by self write by anonymous auth
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
I.e., don't throw in gratuitous "break" statements when you don't need to.
Agreed for this simple solution, but when you have a whole bundle of different attributes that you want uid=slurp to have root-style access to, would one not place it at the top? Otherwise you have to place it in 5-10 or 20-30 different access control blocks.
I suppose what would be nice is if you could define macros to be placed in an access control block.
-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/
Aaron Richton wrote:
I get problems with access control, however, that prevent it from working.
Yes...given
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
The problem is I cannot access the slave database with dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
because you have no access for anonymous to auth to uid=slurp.
Ok, but I can't seem to get out of this, even after reading the docs again!
Now I tried:
access to * by dn="uid=slurp,ou=users,dc=biolchim,dc=in" write
access to * by * auth
#access to * by * none
but this won't improve my situation a bit. What should I write here?
Debugging on the client isn't going to be too informative here. Try "slapd -d acl" perhaps.
Tried that too, but I get info on successful binds and nothing when I try with user slurp.
bye & Thanks av.
On Sun, Jan 21, 2007 at 07:59:40PM +0100, Andrea Venturoli wrote:
Aaron Richton wrote:
I get problems with access control, however, that prevent it from working.
Yes...given
access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
access to * by * none
The problem is I cannot access the slave database with dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx".
because you have no access for anonymous to auth to uid=slurp.
Ok, but I can't seem to get out of this, even after reading the docs again!
Now I tried:
access to * by dn="uid=slurp,ou=users,dc=biolchim,dc=in" write
access to * by * auth
#access to * by * none
That will not work either. The way the ACL works is it starts at the top and works down. When the slave system tries to log in, it will try to authenticate against the master server with your provided credentials; it will try to authenticate against the userPassword record.
When it evaluates it, it matches the first line (access to *), but you only have one by clause associated with it, and that belongs to uid=slurp. It will never evaluate the 2nd access line because it was satisfied with line 1.
Add before your first access:
access to attrs=userPassword by self write by anonymous auth by * none
but this won't improve my situation a bit. What should I write here?
Debugging on the client isn't going to be too informative here. Try "slapd -d acl" perhaps.
Tried that too, but I get info on successful binds and nothing when I try with user slurp.
bye & Thanks av.
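A small Python model of the top-down evaluation Alex describes above (first matching "access to" directive wins, first matching "by" clause decides, "break" moves on to the next directive), added here as an illustration; it is not slapd's code and covers only the syntax used in this thread. It assumes an omitted level means "none"; feeding it the original ACL, the "by * auth" retry, Alex's "break" version and Howard's ordering shows why the first two deny the anonymous "auth" check on uid=slurp's userPassword while the last two grant it, and why a bind as uid=slurpd gets nothing from rules written for uid=slurp.

```python
# Toy model of slapd's top-down ACL evaluation, added to illustrate this thread (not slapd
# code). Handles 'access to *' / 'access to attrs=NAME'; who = '*', 'anonymous', 'self',
# 'dn="..."' (exact DN); optional level; optional stop/break control. Assumed: an omitted
# level is 'none'; a matching directive whose <who> clauses all miss denies ('by * none').
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SLURP = "uid=slurp,ou=users,dc=xxxxxxxx,dc=xx"   # the replica's updatedn from the thread

def parse_acl(text):
    rules = []                                    # [(what, [(who, level, control), ...])]
    for line in text.splitlines():
        toks = shlex.split(line.split("#", 1)[0])  # drop comments, honour dn="..." quoting
        if not toks:
            continue
        assert toks[:2] == ["access", "to"], line
        what, clauses, i = toks[2], [], 3
        assert what == "*" or what.startswith("attrs="), line
        while i < len(toks):
            assert toks[i] == "by", line
            who, level, control, i = toks[i + 1], "none", "stop", i + 2
            if i < len(toks) and toks[i] in LEVELS:
                level, i = toks[i], i + 1
            if i < len(toks) and toks[i] in ("stop", "break"):
                control, i = toks[i], i + 1
            clauses.append((who, level, control))
        rules.append((what, clauses))
    return rules

def who_matches(who, binder, entry):              # binder is None for an anonymous client
    return (who == "*" or (who == "anonymous" and binder is None)
            or (who == "self" and binder == entry)
            or (who.startswith("dn=") and binder == who[3:]))

def allowed(rules, entry, attr, binder, needed):
    granted = "none"
    for what, clauses in rules:
        if what != "*" and attr not in what[len("attrs="):].split(","):
            continue                              # this <what> does not select the attribute
        hit = next((c for c in clauses if who_matches(c[0], binder, entry)), None)
        if hit is None:
            return False                          # first matching <what> wins; no <who> fit
        granted = hit[1]
        if hit[2] != "break":
            break                                 # 'stop' (default): this directive decides
    return LEVELS.index(granted) >= LEVELS.index(needed)

def bind_possible(acl_text):                      # what a simple bind as uid=slurp needs:
    return allowed(parse_acl(acl_text), SLURP, "userPassword", None, "auth")
```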
openldap-software@openldap.org