Thks Dan, it worked.
Now hopefully last query from my side (sorry to bother you so much)
As I gave:
access to dn.subtree="ou=System,o=xyz" by dn="uid=sasluser21,ou=System,o=xyz" read by anonymous auth
*So, will giving anonymous privilege cause any issue?* I read the following: Next is by anonymous auth. This phrase grants an anonymous user (one who has not yet authenticated) permission to authenticate using a password. More accurately, it indicates that when a user submits a request for authentication, the directory server is allowed to perform an authentication operation (which amounts to comparing the submitted password with the value in the userPassword attribute for the corresponding user's entry).
What is its impact? Please put some light on it.
Thanks and Regards, Gaurav Gugnani
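Added example, not from this thread or from OpenLDAP itself: a small simulation of how slapd walks the <who> clauses of one "access to" directive, so the effect of adding "by anonymous auth" to the ACL above can be checked without a live server. It only models the <who> part (the <what> part, "dn.subtree" and "attrs=entry", is assumed to have matched already), and the DN and clause names are taken from the mail.

```python
# Assumed, simplified model of slapd.access(5) <who> evaluation:
# the first matching <who> clause decides (default "stop"), and when
# none matches slapd logs "no more <who> clauses, returning =0" and
# denies, which is what the anonymous SASL bind in the logs ran into.

# slapd privilege levels, lowest to highest; a grant at one level also
# satisfies any request for a lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def who_matches(who, bind_dn):
    """Match one <who> selector against the DN the client is bound as ('' = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who.startswith("dn="):          # plain dn="..." is an exact match
        return who[3:].lower() == bind_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")


def access_allowed(clauses, bind_dn, requested):
    """True if the first matching <who> clause grants at least `requested`."""
    for who, level in clauses:
        if who_matches(who, bind_dn):
            return LEVELS.index(level) >= LEVELS.index(requested)
    return False  # implicit trailing "by * none"


# The ACL from the mail, before and after adding "by anonymous auth".
ACL_BEFORE = [("dn=uid=sasluser21,ou=System,o=xyz", "read")]
ACL_AFTER = ACL_BEFORE + [("anonymous", "auth")]


def summarize(clauses):
    """What anonymous and the named user can do under a given clause list."""
    return {
        "anon_auth": access_allowed(clauses, "", "auth"),
        "anon_read": access_allowed(clauses, "", "read"),
        "user_read": access_allowed(clauses, "uid=sasluser21,ou=System,o=xyz", "read"),
    }


if __name__ == "__main__":
    print("before:", summarize(ACL_BEFORE))
    print("after: ", summarize(ACL_AFTER))
```

The point for the question asked: "by anonymous auth" lets an unauthenticated client have its password compared (so the bind can succeed), but it still grants no compare, search or read on the entries.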
On Wed, Feb 8, 2012 at 10:25 PM, Dan White dwhite@olp.net wrote:
On 02/08/12 21:51 +0530, Gaurav Gugnani wrote:
Hello Dan,
Thks for replying. But there is 1 Q: *While doing ldapsearch - why is the dn showing uid\3Dsasluser21?*
Because you were passing '-U uid=sasluser21' to ldapsearch. '\3D' is the hex escape value for '='.
I executed ldapwhoami and here are the findings:
ldapwhoami -Y digest-md5 -U sasluser21
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
*Logs:*
ldap-test0 slapd[25625]: do_bind: dn () SASL mech DIGEST-MD5
ldap-test0 slapd[25625]: SASL [conn=7496] Debug: DIGEST-MD5 server step 2
ldap-test0 slapd[25625]: slap_sasl_getdn: u:id converted to uid=sasluser21,cn=DIGEST-MD5,cn=auth
ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,cn=DIGEST-MD5,cn=auth>
ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,cn=digest-md5,cn=auth>
ldap-test0 slapd[25625]: ==>slap_sasl2dn: converting SASL name uid=sasluser21,cn=digest-md5,cn=auth to a DN
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1] string='uid=sasluser21,cn=digest-md5,cn=auth'
ldap-test0 slapd[25625]: ==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=sasluser21,cn=digest-md5,cn=auth' [1 pass
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1] res={0,'uid=sasluser21,ou=System,o=xyz'}
ldap-test0 slapd[25625]: slap_parseURI: parsing uid=sasluser21,ou=System,o=xyz
ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,ou=System,o=xyz>
ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,ou=system,o=xyz>
ldap-test0 slapd[25625]: <==slap_sasl2dn: Converted SASL name to uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: slap_sasl_getdn: dn:id converted to uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: => bdb_search
ldap-test0 slapd[25625]: bdb_dn2entry("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: => bdb_dn2id("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: <= bdb_dn2id: got id=0x68a
ldap-test0 slapd[25625]: entry_decode: "uid=sasluser21,ou=System,o=xyz"
ldap-test0 slapd[25625]: <= entry_decode(uid=sasluser21,ou=System,o=xyz)
ldap-test0 slapd[25625]: => access_allowed: auth access to "uid=sasluser21,ou=System,o=xyz" "entry" requested
ldap-test0 slapd[25625]: => dn: [2] o=xyz
ldap-test0 slapd[25625]: => dn: [3] ou=subscribers,o=xyz
ldap-test0 slapd[25625]: => acl_get: [4] attr entry
ldap-test0 slapd[25625]: => acl_mask: access to entry "uid=sasluser21,ou=System,o=xyz", attr "entry" requested
ldap-test0 slapd[25625]: => acl_mask: to all values by "", (=0)
ldap-test0 slapd[25625]: <= check a_dn_pat: self
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: <= acl_mask: no more <who> clauses, returning =0 (stop)
ldap-test0 slapd[25625]: => slap_access_allowed: auth access denied by =0
ldap-test0 slapd[25625]: => access_allowed: no more rules
Notice "auth access denied".
On Wed, Feb 8, 2012 at 9:32 PM, Dan White dwhite@olp.net wrote:
You might need a more permissive (by anonymous auth) ACL here, for dn.base="ou=System,o=xyz" and "attrs=entry".
See slapd.access(5).
Read through the manpage for slapd.access, and fix your ACL config as described above.
-- Dan White