Thanks Dan, it worked.
Now hopefully the last query from my side (sorry to bother you so much).
As I gave:
access to dn.subtree="ou=System,o=xyz"
by dn="uid=sasluser21,ou=System,o=xyz" read
by anonymous auth
*So, will giving anonymous this privilege cause any issue?*
I read following:
Next is by anonymous auth. This phrase grants an anonymous user (one who
has not yet authenticated) permission to authenticate using a password.
More accurately, it indicates that when a user submits a request for
authentication, the directory server is allowed to perform an
authentication operation (which amounts to comparing the submitted password
with the value in the userPassword attribute for the corresponding user's
entry).
What is its impact? Please shed some light on it.
Thanks and Regards,
Gaurav Gugnani
On Wed, Feb 8, 2012 at 10:25 PM, Dan White <[email protected]> wrote:
> On 02/08/12 21:51 +0530, Gaurav Gugnani wrote:
>
>> Hello Dan,
>>
>> Thanks for replying. But there is one question:
>> Q: *While doing ldapsearch, why is the dn showing uid\3Dsasluser21?*
>>
>
> Because you were passing '-U uid=sasluser21' to ldapsearch. '\3D' is the
> hex escape value for '='.
>
>> I executed ldapwhoami and here are the findings:
>>
>> ldapwhoami -Y digest-md5 -U sasluser21
>> SASL/DIGEST-MD5 authentication started
>> Please enter your password:
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>> additional info: SASL(-13): user not found: no secret in database
>>
>> *Logs:*
>>
>> ldap-test0 slapd[25625]: do_bind: dn () SASL mech DIGEST-MD5
>> ldap-test0 slapd[25625]: SASL [conn=7496] Debug: DIGEST-MD5 server step 2
>> ldap-test0 slapd[25625]: slap_sasl_getdn: u:id converted to uid=sasluser21,cn=DIGEST-MD5,cn=auth
>> ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,cn=DIGEST-MD5,cn=auth>
>> ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,cn=digest-md5,cn=auth>
>> ldap-test0 slapd[25625]: ==>slap_sasl2dn: converting SASL name uid=sasluser21,cn=digest-md5,cn=auth to a DN
>> ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1] string='uid=sasluser21,cn=digest-md5,cn=auth'
>> ldap-test0 slapd[25625]: ==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=sasluser21,cn=digest-md5,cn=auth' [1 pass
>>
>> ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1] res={0,'uid=sasluser21,ou=System,o=xyz'}
>> ldap-test0 slapd[25625]: slap_parseURI: parsing uid=sasluser21,ou=System,o=xyz
>> ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,ou=System,o=xyz>
>> ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,ou=system,o=xyz>
>> ldap-test0 slapd[25625]: <==slap_sasl2dn: Converted SASL name to uid=sasluser21,ou=system,o=xyz
>> ldap-test0 slapd[25625]: slap_sasl_getdn: dn:id converted to uid=sasluser21,ou=system,o=xyz
>> ldap-test0 slapd[25625]: => bdb_search
>> ldap-test0 slapd[25625]: bdb_dn2entry("uid=sasluser21,ou=system,o=xyz")
>> ldap-test0 slapd[25625]: => bdb_dn2id("uid=sasluser21,ou=system,o=xyz")
>> ldap-test0 slapd[25625]: <= bdb_dn2id: got id=0x68a
>> ldap-test0 slapd[25625]: entry_decode: "uid=sasluser21,ou=System,o=xyz"
>> ldap-test0 slapd[25625]: <= entry_decode(uid=sasluser21,ou=System,o=xyz)
>> ldap-test0 slapd[25625]: => access_allowed: auth access to "uid=sasluser21,ou=System,o=xyz" "entry" requested
>> ldap-test0 slapd[25625]: => dn: [2] o=xyz
>> ldap-test0 slapd[25625]: => dn: [3] ou=subscribers,o=xyz
>> ldap-test0 slapd[25625]: => acl_get: [4] attr entry
>> ldap-test0 slapd[25625]: => acl_mask: access to entry "uid=sasluser21,ou=System,o=xyz", attr "entry" requested
>> ldap-test0 slapd[25625]: => acl_mask: to all values by "", (=0)
>> ldap-test0 slapd[25625]: <= check a_dn_pat: self
>> ldap-test0 slapd[25625]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
>> ldap-test0 slapd[25625]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
>> ldap-test0 slapd[25625]: <= acl_mask: no more <who> clauses, returning =0 (stop)
>> ldap-test0 slapd[25625]: => slap_access_allowed: auth access denied by =0
>> ldap-test0 slapd[25625]: => access_allowed: no more rules
>>
>
> Notice "auth access denied".
>
>> On Wed, Feb 8, 2012 at 9:32 PM, Dan White <[email protected]> wrote:
>>
>>> You might need a more permissive (by anonymous auth) ACL here, for
>>> dn.base="ou=System,o=xyz" and "attrs=entry".
>>>
>>> See slapd.access(5).
>>>
>>
> Read through the manpage for slapd.access, and fix your ACL config as
> described above.
>
> --
> Dan White
>
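As an added illustration (not part of this thread, and not OpenLDAP's code), here is a small Python model of the slapd.access(5) evaluation the quoted log walks through: the first matching `<who>` clause decides, and a granted level implies every lower one. The ACL lines are the ones from the message; the clause matching is a deliberately simplified assumption (exact, case-insensitive DN compare, no `attrs=` handling) used only to show why `by anonymous auth` lets the bind proceed without letting anonymous read the entries.

```python
# Added model (not OpenLDAP code) of how slapd evaluates an "access to" directive
# as described in slapd.access(5): the first <who> clause that matches the
# requester decides, and a granted level implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def covers(granted, requested):
    """True if the granted level includes the requested one (auth < compare < read ...)."""
    return LEVELS.index(granted) >= LEVELS.index(requested)

def who_matches(who, requester_dn):
    """Simplified <who> matching (assumption: exact, case-insensitive DN compare).
    requester_dn == "" is an anonymous session, shown as by "" in the slapd log."""
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who.startswith("dn="):
        return who[3:].strip('"').lower() == requester_dn.lower()
    return False

def access_allowed(clauses, requester_dn, requested):
    """Evaluate the <by> clauses of one directive for a requester and access level."""
    for who, level in clauses:
        if who_matches(who, requester_dn):
            return covers(level, requested)
    # No <who> clause matched: slapd denies ("no more <who> clauses, returning =0").
    return False

SASL_USER = "uid=sasluser21,ou=System,o=xyz"
# The directive from the thread without an anonymous clause (the denied bind in the log).
ACL_BEFORE = [("dn=" + SASL_USER, "read")]
# The same directive with "by anonymous auth" appended.
ACL_AFTER = ACL_BEFORE + [("anonymous", "auth")]

def bind_can_proceed(clauses):
    """The check slapd logged: 'auth access to <entry> requested' by "" (anonymous)."""
    return access_allowed(clauses, "", "auth")

def anonymous_can_read(clauses):
    """What 'by anonymous auth' does NOT grant: reading entries in the subtree."""
    return access_allowed(clauses, "", "read")

if __name__ == "__main__":
    print("bind before fix:", bind_can_proceed(ACL_BEFORE))   # False
    print("bind after fix: ", bind_can_proceed(ACL_AFTER))    # True
    print("anon read after:", anonymous_can_read(ACL_AFTER))  # False
    print("user read after:", access_allowed(ACL_AFTER, SASL_USER, "read"))  # True
```

The `auth` level only lets slapd compare the submitted password against `userPassword` during the bind; anonymous still cannot compare, search or read anything in the subtree.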