does the ldap ptloader have to use authz?

Igor Brezac igor at ipass.net
Sun Jul 10 23:13:07 EDT 2005


On Sun, 10 Jul 2005, Tarjei Huse wrote:

> Hi, I'm trying to use the ldap ptloader with the following :
>
> ldap_base: dc=naturvern,dc=no
> ldap_member_base: dc=naturvern,dc=no
> ldap_group_base: ou=groups,dc=naturvern,dc=no
> #ldap_member_method: attribute
> #ldap_member_filter: (memberUid: %u)
> #ldap_member_scope: sub
> #ldap_mech: plain login
> # I've also tried ldap_sasl: 0
> ldap_sasl: no
> ldap_restart: 1
> #ldap_start_tls:0
> ldap_timeout: 4
> ldap_tls_cacert_dir: /etc/ssl/certs
> ldap_tls_check_peer: no
> ldap_uri: ldap://mail.naturvern.no/ ldap://felles.naturvern.no/
>
> Here's what the logs say when ptloader connects to the ldapserver:
> Jul 10 21:44:59 mail slapd[9431]: daemon: read activity on 20
> Jul 10 21:44:59 mail slapd[9431]: connection_get(20)
> Jul 10 21:44:59 mail slapd[9431]: connection_get(20): got connid=15
> Jul 10 21:44:59 mail slapd[9431]: connection_read(20): checking for
> input on id=15
> Jul 10 21:44:59 mail slapd[9431]: ber_get_next on fd 20 failed errno=11
> (Resource temporarily unavailable)
> Jul 10 21:44:59 mail slapd[9431]: do_extended
> Jul 10 21:44:59 mail slapd[9431]: => get_ctrls
> Jul 10 21:44:59 mail slapd[9431]: => get_ctrls:
> oid="2.16.840.1.113730.3.4.18" (critical)
> Jul 10 21:44:59 mail slapd[9431]: parseProxyAuthz: conn 15
> authzid="u:tarjeih"
> Jul 10 21:44:59 mail slapd[9431]: slap_sasl_getdn: id=u:tarjeih [len=9]
> Jul 10 21:44:59 mail slapd[9431]: slap_sasl_getdn: u:id converted to
> uid=tarjeih,cn=SIMPLE,cn=auth
> Jul 10 21:44:59 mail slapd[9431]: >>> dnNormalize:
> <uid=tarjeih,cn=SIMPLE,cn=auth>
> Jul 10 21:44:59 mail slapd[9431]: <<< dnNormalize:
> <uid=tarjeih,cn=simple,cn=auth>
> Jul 10 21:44:59 mail slapd[9431]: ==>slap_sasl2dn: converting SASL name
> uid=tarjeih,cn=simple,cn=auth to a DN
> Jul 10 21:44:59 mail slapd[9431]: slap_sasl_regexp: converting SASL name
> uid=tarjeih,cn=simple,cn=auth
> Jul 10 21:44:59 mail slapd[9431]: <==slap_sasl2dn: Converted SASL name
> to <nothing>
> Jul 10 21:44:59 mail slapd[9431]: parseProxyAuthz: conn=15
> "uid=tarjeih,cn=simple,cn=auth"
> Jul 10 21:44:59 mail slapd[9431]: ==>slap_sasl_authorized: can (null)
> become uid=tarjeih,cn=simple,cn=auth?
> Jul 10 21:44:59 mail slapd[9431]: <== slap_sasl_authorized: return 48
> Jul 10 21:44:59 mail slapd[9431]: <= get_ctrls: n=1 rc=47 err="not
> authorized to assume identity"
> Jul 10 21:44:59 mail slapd[9431]: send_ldap_result: conn=15 op=10 p=3
> Jul 10 21:44:59 mail slapd[9431]: send_ldap_result: err=47 matched=""
> text="not authorized to assume identity"
> Jul 10 21:44:59 mail slapd[9431]: send_ldap_response: msgid=11 tag=120
> err=47
> Jul 10 21:44:59 mail slapd[9431]: do_extended: get_ctrls failed
>
>
> Now, as far as I understand, this shouldn't happen as ptloader has
> better things to do. I just want it to use a simple anonymous bind. What
> should I do to get that?
>

This was a bug and it is fixed in cvs.

-- 
Igor
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
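As an added detection example (not code from the thread, Cyrus or OpenLDAP): a Python parser that reconstructs the proxied-authorization attempt from slapd debug lines like those quoted above and flags an anonymous connection asking to assume another identity. The sample log is constructed from the quoted lines; the control OID and result code 47 are the values slapd itself logged.

```python
import re

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # Proxied Authorization Control (RFC 4370)
LDAP_X_PROXY_AUTHZ_FAILURE = 47  # OpenLDAP-specific result code (0x2F), the err=47 in the log

RE_CONN = re.compile(r"(?:got connid=|parseProxyAuthz: conn[= ]|send_ldap_result: conn=)(\d+)")
RE_AUTHZID = re.compile(r'parseProxyAuthz: conn \d+ authzid="([^"]*)"')
RE_BECOME = re.compile(r"slap_sasl_authorized: can (.+?) become (.+?)\?")
RE_RESULT = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')

# Constructed sample modelled on the slapd debug lines quoted in the thread (one event per line).
SAMPLE_LOG = """\
Jul 10 21:44:59 mail slapd[9431]: connection_get(20): got connid=15
Jul 10 21:44:59 mail slapd[9431]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
Jul 10 21:44:59 mail slapd[9431]: parseProxyAuthz: conn 15 authzid="u:tarjeih"
Jul 10 21:44:59 mail slapd[9431]: <==slap_sasl2dn: Converted SASL name to <nothing>
Jul 10 21:44:59 mail slapd[9431]: ==>slap_sasl_authorized: can (null) become uid=tarjeih,cn=simple,cn=auth?
Jul 10 21:44:59 mail slapd[9431]: send_ldap_result: conn=15 op=10 p=3
Jul 10 21:44:59 mail slapd[9431]: send_ldap_result: err=47 matched="" text="not authorized to assume identity"
"""

def proxy_authz_attempts(log_text):
    """Group slapd debug lines by connection and return those that presented
    the proxy authz control.  slapd does not repeat the connid on every line,
    so the last one seen is carried forward to the control and result lines."""
    records, current = {}, None
    for line in log_text.splitlines():
        if m := RE_CONN.search(line):
            current = m.group(1)
        if current is None:
            continue
        rec = records.setdefault(current, {"conn": current, "proxy_authz": False})
        if PROXY_AUTHZ_OID in line:
            rec["proxy_authz"] = True
        if m := RE_AUTHZID.search(line):
            rec["authzid"] = m.group(1)
        if m := RE_BECOME.search(line):
            # slapd prints "(null)" for the requester when the connection is anonymous.
            rec["binder"] = "anonymous" if m.group(1) == "(null)" else m.group(1)
            rec["target_dn"] = m.group(2)
        if m := RE_RESULT.search(line):
            rec["err"], rec["text"] = int(m.group(1)), m.group(2)
    return [r for r in records.values() if r["proxy_authz"]]

def failed_anonymous_proxy_authz(log_text):
    """Attempts where an anonymous client asked to assume an identity and slapd refused."""
    return [r for r in proxy_authz_attempts(log_text)
            if r.get("binder") == "anonymous" and r.get("err", 0) != 0]
```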