Re: Access denied consumer replication (OpenLDAP+Kerberos) - openldap-technical

4 Oct 2012


      Hi Quanah. Thanks for your reply!
I was following this link to configure the provider/consumer:
http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php.
Under item "2. Kerberos client install", at the end, I was guided to
create a principal starting with ldap/dns02... But... I created 3
principals: host/dns02... ldap/dns02.. and ldaps/dns02...
And under item "8. Provider modifications" I was instruted to map
uid=ldap/... to ou=consumers
# 1.2.1.
add: olcAuthzRegexp
olcAuthzRegexp: uid=ldap/([^/.]+).example.com,cn=example.com,cn=gssapi,cn=auth
  cn=$1,ou=consumers,dc=example,dc=com
I deleted the principals host/dns02... and ldaps/dns02... and the
replication started to work.
Thanks very mch!
Daniel
--
Daniel Lopes de Carvalho
dlcarvalho@gmail.com
daniellopescarvalho (skype)
19 9357-5618 (claro)
19 8251-6023 (tim)
On Thu, Oct 4, 2012 at 2:57 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
...
--On Thursday, October 04, 2012 1:50 PM -0300 Daniel Lopes de Carvalho
dlcarvalho@gmail.com wrote:
...
Hi
I try to configure two openldap/kerberos server (provider and
consumer), but I'm having some issues about replication. Under LDAP
log, I have many entries like this: "slap_access_allowed: search
access denied by none(=0)"
These messages are related to consumer access to the Kerberos database
on provider and the kerberos database can't be replicated to the
consumer. The others data are replicated normaly.
These are the ACL under privider:
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by
dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
dc=br" read
  by anonymous auth by * none
olcAccess: {1}to
dn.subtree="ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
  by
dn="cn=krbadm,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
br" write
  by
dn="cn=krbkdc,ou=kerberos,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=
br" read
  by
dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,
dc=br" read by * none
olcAccess: {2}to attrs=loginShell
  by self write
  by users read
  by * none
olcAccess: {3}to dn.base=""
  by * read
olcAccess: {4}to *
  by users read
  by * none
This is the entity asking permission:
Oct  4 12:00:29 dns01 slapd[1163]: => acl_mask: to all values by
"uid=host/dns02.unisim.cepetro.unicamp.br,ou=users,dc=unisim,dc=cepetro,dc=unicamp,dc=br",
(=0)
This does not match
by
dn.one="ou=consumers,ou=ldap,ou=Services,dc=unisim,dc=cepetro,dc=unicamp,dc=br"
It looks like you put the host entry in the users tree and not the consumer
tree.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration