From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 11:56 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 11:52 AM -0500 espeake@oreillyauto.com wrote:
From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 11:45 AM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 11:35 AM -0500 espeake@oreillyauto.com wrote:
Here is the olcAccess from the slapcat on the database. Rule {0} should be what it is using, but because of it not authenticating, rule {2} is being applied instead.
Did you mean to paste your rules in here and forget? ;)
--Quanah
Yep. Had a hungry child calling me while I was trying to get this out.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
As you have no break clause, this is the only ACL that ever applies. Since there is no anonymous read access to userPassword, it is impossible to authenticate as any user. Thus your inability to authenticate any user is entirely caused by your broken ACLs.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

Here is the ldif I created and used with ldapmodify:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write break
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous read
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
I confirmed the changes by looking at the LDIF that the changes were made. Even though it's not supposed to be needed, I restarted the slapd service. To me it looks like it is reading the break and moving to rule {2}, but still no love or authentication.
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: conn=1019 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (userPassword)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [1] attr userPassword
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= check a_dn_pat: *
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: [6] applying +0 (break)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: [6] mask: =0
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => dn: [2] dc=oreillyauto,dc=com
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [2] matched
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_get: [2] attr userPassword
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "", (=0)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => slap_access_allowed: auth access denied by =0
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: no more rules
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 slapd[22140]: last message repeated 3 times
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: EQUALITY
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 5
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: EQUALITY
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 5
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_access_allowed: granted to database root
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => test_filter
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: PRESENT
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: search access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= test_filter 6
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (objectClass)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result was in cache (objectClass)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (uid)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: <= root access granted
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access granted by manage(=mwrscxd)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: result not in cache (description)
Sep 6 12:12:46 tntest-ldap-1 slapd[22140]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested
etc...
Thanks,
Eric
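As an added illustration (my own code, not anything posted in the thread), here is a small Python model of slapd's ACL walk, replayed over the three rules that matter for the anonymous simple bind traced in the log above. It assumes the slapd.access(5) semantics (first rule whose <what> matches the entry and attribute, <who> clauses tried in order, default control stop, implicit "by * none" when no clause matches) and encodes rule {0} of the ldapmodify version with the trailing wildcard clause the trace shows being applied ("check a_dn_pat: *" followed by "applying +0 (break)"); the REORDERED set is my own variant, not something proposed in the thread.

```python
# Added model of slapd ACL evaluation (not code from the thread). Access levels
# follow slapd.access(5); rule encoding: (what, [(who, level, control), ...]).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SYS = "ou=System,dc=oreillyauto,dc=com"
GRP = "ou=Groups,dc=oreillyauto,dc=com"

def who_matches(who, binder, groups):
    kind, arg = who                                  # binder "" is the anonymous identity
    return (kind == "*" or (kind == "anonymous" and binder == "")
            or (kind == "dn.base" and binder == arg)
            or (kind == "group" and binder in groups.get(arg, ())))

def what_matches(what, entry_dn, attr):
    subtree, attrs = what                            # (None, None) encodes "to *"
    in_tree = subtree is None or entry_dn == subtree or entry_dn.endswith("," + subtree)
    return in_tree and (attrs is None or attr in attrs)

def evaluate(rules, binder, entry_dn, attr, groups):
    """Return (granted level, trace of the clauses applied), walking rules like acl_mask."""
    level, trace = "none", []
    for n, (what, clauses) in enumerate(rules):
        if not what_matches(what, entry_dn, attr):
            continue                                 # <what> does not match: next rule
        for who, lvl, control in clauses:
            if who_matches(who, binder, groups):
                level = level if lvl == "+0" else lvl    # "+0" adds no privilege
                trace.append(f"{{{n}}} by {who[0]} {lvl} ({control})")
                break
        else:                                        # no <who> matched: implicit "by * none"
            trace.append(f"{{{n}}} no more <who> clauses, =0 (stop)")
            return "none", trace
        if control == "stop":
            return level, trace                      # "break" falls through to the next rule
    return level, trace

def can_bind(rules, user_dn):
    """A simple bind is checked as the anonymous identity needing 'auth' on userPassword."""
    level, trace = evaluate(rules, "", user_dn, "userPassword", {})
    return LEVELS.index(level) >= LEVELS.index("auth"), trace

def group(cn):
    return (("group", f"cn={cn},{GRP}"), "write", "stop")

RULE0 = ([(("dn.base", f"uid={u},{SYS}"), "read", "stop") for u in ("syncrepl", "readOnlyUser")]
         + [(("dn.base", f"uid={u},{SYS}"), "write", "stop") for u in ("ldapAdmin", "newUserAdmin", "passwordAdmin")])
ORIGINAL = [((None, None), RULE0)]               # first paste: one "to *" rule, nothing falls through
REVISED = [((None, None), RULE0 + [(("*", None), "+0", "break")]),   # wildcard+break clause as in the log
           (("dc=oreillyauto,dc=com", None), [group("System Administrators"), group("LDAP Admin")]),
           ((None, ["userPassword"]), [group("Authenticate"), (("anonymous", None), "read", "stop")])]
REORDERED = [REVISED[0], REVISED[2], REVISED[1]]   # my variant: userPassword rule before the subtree rule
```

Calling can_bind(REVISED, "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com") reproduces the trace's "[2] matched ... no more <who> clauses" stop at the subtree rule, which is why rule {2} never gets a chance to grant anonymous read on userPassword.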