Hi
I'm trying to configure two OpenLDAP/Kerberos servers (provider and consumer), but I'm having some issues with replication. In the LDAP log I have many entries like this: "slap_access_allowed: search access denied by none(=0)"
These messages are related to the consumer's access to the Kerberos database on the provider, and the Kerberos database can't be replicated to the consumer. The other data is replicated normally.
These are the ACLs on the provider:
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by anonymous auth by * none
olcAccess: {1}to dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" by dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" write by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by * none
olcAccess: {2}to attrs=loginShell by self write by users read by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by users read by * none
And below the LDAP log snippet:
=> access_allowed: search access to "cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" "objectClass" requested
Oct 4 12:00:29 dns01 slapd[1163]: => dn: [2] ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: => acl_get: [2] matched
Oct 4 12:00:29 dns01 slapd[1163]: => acl_get: [2] attr objectClass
Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: access to entry "cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br", attr "objectClass" requested
Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br", (=0)
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: cn=krbadm,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: cn=krbkdc,ou=kerberos,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: ou=consumers,ou=ldap,ou=services,dc=unisim,dc=cepetro,dc=unicamp,dc=br
Oct 4 12:00:29 dns01 slapd[1163]: <= check a_dn_pat: *
Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] applying none(=0) (stop)
Oct 4 12:00:29 dns01 slapd[1163]: <= acl_mask: [4] mask: none(=0)
Oct 4 12:00:29 dns01 slapd[1163]: => slap_access_allowed: search access denied by none(=0)
Oct 4 12:00:29 dns01 slapd[1163]: => access_allowed: no more rules
Can anyone help me?
Regards
Daniel
--On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho dlcarvalho@gmail.com wrote:
Hi
I'm trying to configure two OpenLDAP/Kerberos servers (provider and consumer), but I'm having some issues with replication. In the LDAP log I have many entries like this: "slap_access_allowed: search access denied by none(=0)"
These messages are related to the consumer's access to the Kerberos database on the provider, and the Kerberos database can't be replicated to the consumer. The other data is replicated normally.
These are the ACLs on the provider:
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by anonymous auth by * none
olcAccess: {1}to dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" by dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" write by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br" read by * none
olcAccess: {2}to attrs=loginShell by self write by users read by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by users read by * none
This is the entity asking permission:
Oct 4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by "uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br", (=0)
This does not match
by dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
It looks like you put the host entry in the users tree and not the consumer tree.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
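The point Quanah makes can be checked without a running slapd. The following is an added example for this thread, not code from either poster and not part of OpenLDAP: a small Python model of how slapd picks the first matching `to` clause and then the first matching `by` clause, replayed against the provider's five olcAccess rules quoted above. It reproduces the `acl_get: [2]` / `acl_mask: [4] applying none` markers from the log for the bind DN under ou=users, and then shows what changes when the same host binds with a DN directly under ou=consumers. The DNs `cn=dns02,ou=consumers,...` and `cn=dns02,ou=hosts,ou=consumers,...` are constructed for the demonstration; the second one illustrates that `dn.one` matches direct children only, so a host entry placed one level deeper would still be denied. The model assumes DN values contain no escaped commas and covers only the clause styles used in this thread (no regex styles, sets, or ssf/peername conditions).

```python
# Added example (not from the thread or from OpenLDAP): a model of slapd's
# access-rule walk, used to show why the bind DN in the log lands on "by * none".
# Assumes DN values contain no escaped commas; only the clause styles used in the
# thread are modelled (dn/dn.exact, dn.one, dn.subtree, dn.base, self, users, anonymous, *).

SUFFIX = "dc=unisim,dc=cepetro,dc=unicamp,dc=br"
CONSUMERS = f"ou=consumers,ou=ldap,ou=Services,{SUFFIX}"
KRB_BASE = f"ou=kerberos,ou=Services,{SUFFIX}"
KRBADM = f"cn=krbadm,{KRB_BASE}"
KRBKDC = f"cn=krbkdc,{KRB_BASE}"

# slapd privilege levels in increasing order; a granted level implies everything below it.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize_dn(dn):
    """Lower-case and strip blanks around RDN separators, roughly as slapd normalizes DNs."""
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn else ""


def parent_dn(dn):
    """DN one level up; a single-RDN DN has the (empty) root as parent."""
    _, sep, tail = dn.partition(",")
    return tail if sep else ""


def dn_matches(target, pattern, style):
    """Scope tests behind dn.exact/dn.base, dn.one and dn.subtree."""
    t, p = normalize_dn(target), normalize_dn(pattern)
    if style in ("exact", "base"):
        return t == p
    if style == "one":           # direct children only, never grandchildren
        return t != "" and parent_dn(t) == p
    if style == "subtree":       # the entry itself and everything below it
        return t == p or p == "" or t.endswith("," + p)
    raise ValueError(f"unsupported dn style: {style}")


def who_matches(who, bind_dn, target_dn):
    """The <who> part of a 'by' clause; bind_dn == "" means an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and normalize_dn(bind_dn) == normalize_dn(target_dn)
    _, style, pattern = who      # ("dn", style, pattern)
    return dn_matches(bind_dn, pattern, style)


def to_matches(what, target_dn, attr):
    """The <what> part of a 'to' clause: {} is 'to *'; 'dn' and 'attrs' keys narrow it."""
    if "dn" in what and not dn_matches(target_dn, what["dn"][1], what["dn"][0]):
        return False
    return "attrs" not in what or attr.lower() in what["attrs"]


# The provider's olcAccess {0}..{4} from the thread, transcribed into this model.
ACLS = [
    ({"attrs": {"userpassword", "shadowlastchange"}},
     [(("dn", "one", CONSUMERS), "read"), ("anonymous", "auth"), ("*", "none")]),
    ({"dn": ("subtree", KRB_BASE)},
     [(("dn", "exact", KRBADM), "write"), (("dn", "exact", KRBKDC), "read"),
      (("dn", "one", CONSUMERS), "read"), ("*", "none")]),
    ({"attrs": {"loginshell"}}, [("self", "write"), ("users", "read"), ("*", "none")]),
    ({"dn": ("base", "")}, [("*", "read")]),
    ({}, [("users", "read"), ("*", "none")]),
]


def evaluate(acls, bind_dn, target_dn, attr):
    """First 'to' clause matching (entry, attr) is selected, then its first matching 'by'
    clause applies (implicit stop). Returns (rule, clause, level) with 1-based indices,
    like the [n] markers in slapd's acl_get/acl_mask log lines. A selected rule with no
    matching 'by' clause, or no matching rule at all, denies (implicit 'by * none')."""
    for rule_no, (what, bys) in enumerate(acls, start=1):
        if not to_matches(what, target_dn, attr):
            continue
        for clause_no, (who, level) in enumerate(bys, start=1):
            if who_matches(who, bind_dn, target_dn):
                return rule_no, clause_no, level
        return rule_no, None, "none"
    return None, None, "none"


def access_allowed(level, requested):
    """'read' covers 'search', 'compare' and 'auth'; 'auth' alone does not cover 'search'."""
    return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(requested)


def explain(bind_dn, target_dn=KRBKDC, attr="objectClass", requested="search"):
    """Replay the check from the log: search access to objectClass of cn=krbkdc."""
    rule, clause, level = evaluate(ACLS, bind_dn, target_dn, attr)
    return rule, clause, level, access_allowed(level, requested)


BIND_IN_USERS = f"uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,{SUFFIX}"  # from the log
BIND_IN_CONSUMERS = f"cn=dns02,{CONSUMERS}"        # hypothetical: directly under ou=consumers
BIND_TOO_DEEP = f"cn=dns02,ou=hosts,{CONSUMERS}"   # hypothetical: one level too deep for dn.one

if __name__ == "__main__":
    for name, dn in [("users tree", BIND_IN_USERS), ("consumers tree", BIND_IN_CONSUMERS),
                     ("grandchild of consumers", BIND_TOO_DEEP)]:
        rule, clause, level, ok = explain(dn)
        print(f"{name:24} rule [{rule}] clause [{clause}] -> {level:5} search {'allowed' if ok else 'denied'}")
```

Running it prints rule [2] clause [4] -> none for the ou=users DN, matching the `acl_get: [2]` and `acl_mask: [4] applying none` lines in the log, and rule [2] clause [3] -> read for a DN directly under ou=consumers. The grandchild case is the caveat worth remembering about `dn.one`: if the replication identity is created under a sub-container of ou=consumers, either move it up one level or change the `by` clause to `dn.subtree`.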