list,
I am running the below version:
@(#) $OpenLDAP: slapd 2.4.26 (Jun 27 2012 15:27:46) $ mockbuild@x86-16.phx2.fedoraproject.org:/builddir/build/BUILD/openldap-2.4.26/openldap-2.4.26/build-servers/servers/slapd
I have the below ACLs:
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by * none
olcAccess: {1}to attrs=loginShell by self write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to dn.subtree="dc=bpk2,dc=com" by dn="cn=adm-srv,dc=bpk2,dc=com" write by dn="cn=kdc-srv,dc=bpk2,dc=com" read by * none
olcAccess: {4}to dn.subtree="dc=bpk2,dc=com" by set="[cn=ldapAdmins,ou=Groups,dc=bpk2,dc=com]/memberUid & user/uid" write by set="[cn=users,ou=Groups,dc=bpk2,dc=com]/memberUid & user/uid" read by * none
I issue the below search query:
ldapsearch -h ldap1 -Y GSSAPI -b 'dc=bpk2,dc=com' -s sub '(objectclass=ipHost)'
and get the below output:
SASL/GSSAPI authentication started
SASL username: brendan@BPK2.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=bpk2,dc=com> with scope subtree
# filter: (objectclass=ipHost)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object

# numResponses: 1
The logs for ACLs show:
2014-02-19T18:41:17.562950-05:00 server slapd[2033]: => access_allowed: search access to "dc=bpk2,dc=com" "entry" requested
2014-02-19T18:41:17.562976-05:00 server slapd[2033]: => dn: [3]
2014-02-19T18:41:17.562986-05:00 server slapd[2033]: => dn: [4] dc=bpk2,dc=com
2014-02-19T18:41:17.562996-05:00 server slapd[2033]: => acl_get: [4] matched
2014-02-19T18:41:17.563005-05:00 server slapd[2033]: => acl_get: [4] attr entry
2014-02-19T18:41:17.563014-05:00 server slapd[2033]: => acl_mask: access to entry "dc=bpk2,dc=com", attr "entry" requested
2014-02-19T18:41:17.563024-05:00 server slapd[2033]: => acl_mask: to all values by "uid=brendan,ou=users,dc=bpk2,dc=com", (=0)
2014-02-19T18:41:17.563034-05:00 server slapd[2033]: <= check a_dn_pat: cn=adm-srv,dc=bpk2,dc=com
2014-02-19T18:41:17.563043-05:00 server slapd[2033]: <= check a_dn_pat: cn=kdc-srv,dc=bpk2,dc=com
2014-02-19T18:41:17.563052-05:00 server slapd[2033]: <= check a_dn_pat: *
2014-02-19T18:41:17.563290-05:00 server slapd[2033]: <= acl_mask: [3] applying none(=0) (stop)
2014-02-19T18:41:17.563327-05:00 server slapd[2033]: <= acl_mask: [3] mask: none(=0)
2014-02-19T18:41:17.563336-05:00 server slapd[2033]: => slap_access_allowed: search access denied by none(=0)
2014-02-19T18:41:17.563344-05:00 server slapd[2033]: => access_allowed: no more rules
I am trying to figure out why I keep getting denied. I tried slapacl:
sudo slapacl -F /etc/openldap/slapd.d -v -U brendan@BPK2.COM -b "dc=bpk2,dc=com" "dc/read:bpk2,dc=com"
This shows a weird user DN and an error:
authcDN: "uid=brendan@bpk2.com,ou=users,dc=bpk2,dc=com"
read access to dc=bpk2,dc=com: DENIED
Are my olcAuthzRegexp statements wrong?
olcAuthzRegexp: {0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
olcAuthzRegexp: {1}uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
Where am I not going about this correctly? Any help would be appreciated.
brendan kearney
openldap-technical@openldap.org
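Editor's added example (not part of the post above, and not OpenLDAP code): a small Python model of how slapd walks olcAccess rules, fed the five rules quoted in the message. slapd stops at the first "to" clause whose target matches the entry, and inside that clause the first matching "by" decides the outcome; a trailing "by * none" therefore ends evaluation, and later olcAccess rules for the same subtree are never consulted. The log lines above read the same way: "acl_get: [4] matched" is the fourth rule in 1-based numbering (olcAccess {3}), and "acl_mask: [3] applying none(=0) (stop)" is its third "by" clause, the "by * none". The group membership in GROUPS and the merged rule at the end are constructed assumptions used only for the comparison.

```python
# Toy model of slapd olcAccess evaluation order (added example, not slapd code).
# First matching "to" target wins; inside it, the first matching "by" clause
# decides the access level; an unmatched rule falls through to "by * none".
from dataclasses import dataclass

# slapd access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str     # "anonymous", "self", "*", "dn=<dn>" or "set=<group dn>"
    access: str  # one of LEVELS


@dataclass
class Acl:
    index: int   # the {n} prefix of the olcAccess value
    target: str  # "dn.base=<dn>", "dn.subtree=<dn>" or "attrs=<a,b>"
    by: list


# Constructed assumption: which uids are memberUid in each group.
GROUPS = {
    "cn=ldapAdmins,ou=Groups,dc=bpk2,dc=com": ["ldapadmin"],
    "cn=users,ou=Groups,dc=bpk2,dc=com": ["brendan"],
}
BRENDAN = "uid=brendan,ou=users,dc=bpk2,dc=com"  # authzDN seen in the log

# The five rules from the post, in olcAccess order.
ACLS = [
    Acl(0, "attrs=userPassword,shadowLastChange",
        [By("anonymous", "auth"), By("*", "none")]),
    Acl(1, "attrs=loginShell", [By("self", "write"), By("*", "none")]),
    Acl(2, "dn.base=", [By("*", "read")]),
    Acl(3, "dn.subtree=dc=bpk2,dc=com",
        [By("dn=cn=adm-srv,dc=bpk2,dc=com", "write"),
         By("dn=cn=kdc-srv,dc=bpk2,dc=com", "read"),
         By("*", "none")]),
    Acl(4, "dn.subtree=dc=bpk2,dc=com",
        [By("set=cn=ldapAdmins,ou=Groups,dc=bpk2,dc=com", "write"),
         By("set=cn=users,ou=Groups,dc=bpk2,dc=com", "read"),
         By("*", "none")]),
]

# Constructed for comparison: {3} and {4} folded into a single "to" clause so
# every "by" clause is tried before the trailing "by * none".
MERGED_ACLS = ACLS[:3] + [
    Acl(3, "dn.subtree=dc=bpk2,dc=com",
        [By("dn=cn=adm-srv,dc=bpk2,dc=com", "write"),
         By("dn=cn=kdc-srv,dc=bpk2,dc=com", "read"),
         By("set=cn=ldapAdmins,ou=Groups,dc=bpk2,dc=com", "write"),
         By("set=cn=users,ou=Groups,dc=bpk2,dc=com", "read"),
         By("*", "none")]),
]


def _uid(dn):
    """Value of a leading uid= RDN, approximating 'user/uid' in a set clause."""
    first = dn.split(",", 1)[0]
    return first[4:] if first.lower().startswith("uid=") else None


def target_matches(acl, target_dn, attr):
    kind, _, value = acl.target.partition("=")
    if kind == "attrs":
        return attr.lower() in [a.lower() for a in value.split(",")]
    if kind == "dn.base":
        return target_dn.lower() == value.lower()
    if kind == "dn.subtree":
        d, b = target_dn.lower(), value.lower()
        return d == b or d.endswith("," + b)
    raise ValueError(acl.target)


def by_matches(clause, requester_dn, target_dn):
    who = clause.who
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester_dn.lower() == who[3:].lower()
    if who.startswith("set="):   # "[group]/memberUid & user/uid"
        return _uid(requester_dn) in GROUPS.get(who[4:], [])
    raise ValueError(who)


def evaluate(acls, requester_dn, target_dn, attr, wanted):
    """Return (granted, access, olcAccess index, by position).

    by position is 1-based like slapd's "acl_mask: [n]" line; 0 means the
    implicit trailing "by * none" applied; index -1 means no rule matched.
    """
    for acl in acls:
        if not target_matches(acl, target_dn, attr):
            continue   # logged by slapd as "=> dn: [n]" and skipped
        for pos, clause in enumerate(acl.by, start=1):
            if by_matches(clause, requester_dn, target_dn):
                granted = LEVELS.index(clause.access) >= LEVELS.index(wanted)
                return (granted, clause.access, acl.index, pos)
        return (False, "none", acl.index, 0)
    return (False, "none", -1, 0)   # rules exist but none matched: no access


if __name__ == "__main__":
    for name, rules in (("as posted", ACLS), ("merged", MERGED_ACLS)):
        print(name, evaluate(rules, BRENDAN, "dc=bpk2,dc=com", "entry", "search"))
```

Run as a script, the "as posted" line reports the search denied by rule {3}, third "by" clause, matching the posted log; the "merged" line shows the set clause being reached. The model ignores ACL "control" keywords (stop/continue/break) and treats every clause as the default "stop", which is also what the posted log shows.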