<0> what does the ACL by users read mean?
<1> means that users can read the data
<0> then why is it when i try to ldapsearch using gssapi/sasl authentication i can't read an attribute?
<0> even though i have as an acl
<0> access to *
<0> by users read
<0> actually
<1> do you use a SASL mapping?
<1> do you have other acl's interfering?
<0> yeah
<0> Feb 9 16:38:21 rna slapd[22597]: conn=12 op=3 BIND authcid="ruckerz2k@BATEY"
<0> Feb 9 16:38:21 rna slapd[22597]: conn=12 op=3 BIND dn="uid=ruckerz2k,cn=users,dc=od1,dc=colorado,dc=edu" mech=GSSAPI ssf=56
<0> i guess im binding in ok
<1> yup, and mapping to an account, so that's good
<1> I personally don't use by users anything :P
<1> All my users are in a tree, so I give the tree read if necessary
<0> actually one sec
<0> well i get this error
<0> Feb 9 16:45:24 rna slapd[22597]: conn=17 op=73 SRCH base="cn=users,dc=od1,dc=colorado,dc=edu" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))"
<0> Feb 9 16:45:24 rna slapd[22597]: conn=17 op=73 SRCH attr=uid cn
<0> Feb 9 16:45:24 rna slapd[22597]: conn=17 op=73 SEARCH RESULT tag=101 err=0 nentries=0 text=
<0> but when i do it via command line.. using ldapsearch -H ldap://rna.colorado.edu -b "cn=users,dc=od1,dc=Colorado,dc=EDU" uid cn
<1> sounds like you have 0 people with all of those attributes
<0> i get results
<1> Those aren't the same searches
<0> what's the ldapsearch equivalent for specifying those objectlclasses?
<0> erm objectclasses
<1> ldapsearch -H ldap://rna.colorado.edu -b "cn=users,dc=od1,dc=Colorado,dc=EDU" "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))" uid cn
<1> sounds like a broken query on the part of Apple, if you ask me ;)
<1> or you need to populate more data
<0> ldapsearch -H ldap://rna.colorado.edu -b "cn=users,dc=od1,dc=Colorado,dc=EDU" "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))" uid cn
<0> that returns the requested data
<0> i mean i do get records
<1> are you sure the first one is authenticated then?
<0> Feb 9 16:49:19 rna slapd[22597]: conn=27 op=2 BIND authcid="machine@BATEY"
<0> Feb 9 16:49:19 rna slapd[22597]: conn=27 op=2 BIND dn="uid=machine,cn=users,dc=od1,dc=colorado,dc=edu" mech=GSSAPI ssf=56
<0> yep
<1> no, that's conn=27
<1> what about conn=17
<1> the one that didn't return data
<0> ok
<0> let me reissue
<0> Feb 9 16:50:33 rna slapd[22597]: conn=27 op=7 SRCH base="cn=users,dc=od1,dc=colorado,dc=edu" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(objectClass=shadowAccount)(objectClass=apple-user)(objectClass=extensibleObject))"
<0> Feb 9 16:50:33 rna slapd[22597]: conn=27 op=7 SRCH attr=uid cn
<0> Feb 9 16:50:33 rna slapd[22597]: conn=27 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
<0> and let me find the bind for 27
<0> Feb 9 16:49:19 rna slapd[22597]: conn=27 op=0 BIND dn="" method=163
<0> Feb 9 16:49:19 rna slapd[22597]: conn=27 op=1 BIND dn="" method=163
<0> Feb 9 16:49:19 rna slapd[22597]: conn=27 op=2 BIND dn="" method=163
<0> Feb 9 16:49:19 rna slapd[22597]: conn=27 op=2 BIND authcid="machine@BATEY"
<0> Feb 9 16:49:19 rna slapd[22597]: conn=27 op=2 BIND dn="uid=machine,cn=users,dc=od1,dc=colorado,dc=edu" mech=GSSAPI ssf=56
<0> so it's definitely binding
<0> and i have specified users read
<1> you could run slapd -d -1 and drop it to a file and see why its getting no results, if it works for you at the command line
<1> it should tell you what access rule is blocking it
<0> restart the daemon with those params?
<0> or can i just run that
<0> i guess i have to rerun it
<1> restart the daemon with those options, yeah
<1> assuming its a test server and all :P
<2> I fell in love with mech=EXTERNAL myself
<2> combined with SSL
<0> you mean GSSAPI?
<1> no
<1> SASL/EXTERNAL
<1> is cert auth
<1> may be faster than SASL/GSSAPI
<1> however SASL/GSSAPI often ties in more cleanly with an infrastructure if it already has kerberos
<1> I've used SASL/GSSAPI with OpenLDAP since we deployed it in 2003
<1> we have no cert infrastructure for users
<1> so SASL/EXTERNAL doesn't get me anything
<0> JoBbZ: so im looking for something like search access denied by =n?
<0> where an acl is marked by a =n?
<1> something like that, yeah
<0> => access_allowed: search access denied by =n
<0> => acl_mask: to value by "uid=machine,cn=users,dc=od1,dc=colorado,dc=edu", (=n)
<0> and that's the value that's blocking it
<0> but that's my bind dn
<1> well, that tells you who was blocked
<1> but not what
<0> ok
<1> although if your only acl in the file at all is access to * by users read
<1> that's a little odd :P
<0> => acl_mask: access to entry "uid=ruckerz2k,cn=users,dc=od1,dc=colorado,dc=edu", attr "objectClass" requested
<0> => acl_mask: to value by "uid=machine,cn=users,dc=od1,dc=colorado,dc=edu", (=n)
<0> <= check a_sockurl_pat: ldapi://%2Fvar%2Frun%2Fldapi
<0> <= check a_dn_pat: uid=ruckerz2k,cn=users,dc=od1,dc=colorado,dc=edu
<0> <= acl_mask: no more <who> clauses, returning =n (stop)
<0> => access_allowed: search access denied by =n
<1> so there's an acl that says only LDAPI or uid=ruckerz2k has access to that entry
<1> makes sense to me
<0> 67 access to *
<0> 68 by sockurl="ldapi://%2Fvar%2Frun%2Fldapi" write
<0> 69 by dn.base="uid=ruckerz2k,cn=users,dc=od1,dc=colorado,dc=edu" write
<0> 71 by dn.base="uid=machine,cn=users,dc=od1,dc=colorado,dc=edu" read
<0> 72 by users read
<0> 73 by anonymous auth
<0> 74
<0> i left line 70 out because it's a comment
<0> that's my acl
<0> by users read tells me i should be able to read it
<0> ahh
<0> there's something wrong with this account
<0> that im trying to use
<0> or it's just not respecting by users read
<0> my gssapi bind is not a 'user'
<0> ?
<0> this is baffling
<0> JoBbZ ?
<1> well hm
<1> did you consider that haven't the comment there breaks the ACL parsing?
<1> and thus, you effectively ended the ACL?
<1> right before your machine ACL?
<1> ;)
<1> s/haven't/having/
<1> (sorry, I was in a meeting)
<1> so I don't see anything wrong in what is occurring here ;)
<1> I put all my comments before an acl
<3> it'd be nice to have comments inside acls, schema stuff, etc
<3> but no, it doesn't work
<4> I suppose we could introduce C-style comments /* */ so that they can be properly delimited
<4> then you could put them anywhere
<4> I always thought it was odd that the C++ guys felt they needed line-level comments, like a scripting language...
<3> well, /**/ isn't needed
<3> just # in the middle of multi-line structures
<3> i.e. # and \n instead of /* and */
<4> no
<4> because there are no multi-line structures
<3> and that's why it doesn't work
<3> but access and the schema stuff looks multiline to the casual observer
<3> hence the confusion
<4> that's only for readability
<3> so are comments
<4> the docs already say how line continuation works.
<3> well, #style comments could be allowed inside line-continued structures if stripped out earlier, e.g. by a preprocessor
<3> nothing stopping sites from doing that
<3> hell, they could use m4 if they really wanted pain
<4> all of which is moot, since slapd.conf is going to be extinct soon.
<5> in favor of back-config ?
<4> yes
<3> bleh, that's a lotta manpages to update
<5> lol
<3> hmmm, I think back-ldif as-is should handle ldif with comments
<3> it'd get stripped out when the entry is rewritten of course
<4> yep, kinda makes it moot.
<6> hi all
<6> i apt-get slapd
<6> also i installed phpldapadmin
<6> but i dont know how to create users ? or how to use ldap ?
<6> can anybody help me ?
<3> sounds like you need some general books