Gist: onslauth/d6502df4d395dbdf9b19
CONFIG DB:
----------
# {1}ldif, config
dn: olcDatabase={1}ldif,cn=config
objectClass: olcLdifConfig
olcDatabase: {1}ldif
olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za
 /parts/new/instances/test/openldap-data
olcSuffix: dc=example,dc=com
olcAccess: {0}to * by self read by set="[cn=10.0.0.92,ou=servers,dc=example,dc=c
 om]/member* & user" read by * none
olcAccess: {1}to * by self write by peername.ip="127.0.0.1" write by * none
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: random

LDAP DB:
--------
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
description: example.com
o: example.com
dc: example

# access-groups, example.com
dn: ou=access-groups,dc=example,dc=com
objectClass: organizationalUnit
ou: access-groups
description: Access control groups

# Test Users, access-groups, example.com
dn: cn=Test Users,ou=access-groups,dc=example,dc=com
objectClass: groupOfNames
cn: Test Users
description: Test Users
member: uid=aaa,ou=people,dc=example,dc=com

# groups, example.com
dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups
description: unix login group

# aaa, groups, example.com
dn: cn=aaa,ou=groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 10001
memberUid: aaa
cn: aaa

# bbb, groups, example.com
dn: cn=bbb,ou=groups,dc=example,dc=com
objectClass: posixGroup
gidNumber: 10002
memberUid: bbb
cn: bbb

# people, example.com
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
description: people in organization

# servers, example.com
dn: ou=servers,dc=example,dc=com
objectClass: organizationalUnit
ou: servers
description: All computers in organisation

# 10.0.0.92, servers, example.com
dn: cn=10.0.0.92,ou=servers,dc=example,dc=com
objectClass: groupOfNames
cn: 10.0.0.92
description: Allowed access
member: cn=Test Users,ou=access-groups,dc=example,dc=com
member: uid=bbb,dc=example,dc=com

# aaa, example.com
dn: uid=aaa,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: shadowAccount
cn: Test User A
sn: A
uid: aaa
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/aaa
loginShell: /usr/local/bin/bash
mail: a@example.com
ou: users
userPassword:: xxx

# bbb, example.com
dn: uid=bbb,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: shadowAccount
cn: Test User B
sn: B
uid: bbb
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bbb
loginShell: /usr/local/bin/bash
mail: b@example.com
ou: users
userPassword:: xxx

Command:
--------
$ ldapsearch -x -D "uid=bbb,dc=example,dc=com" -W -b dc=example,dc=com
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

Output from log:
----------------
56c4857b => access_allowed: result not in cache (userPassword)
56c4857b => access_allowed: auth access to "uid=bbb,dc=example,dc=com" "userPassword" requested
56c4857b => acl_get: [1] attr userPassword
56c4857b => acl_mask: access to entry "uid=bbb,dc=example,dc=com", attr "userPassword" requested
56c4857b => acl_mask: to value by "", (=0)
56c4857b <= check a_dn_pat: self
56c4857b <= check a_set_pat: [cn=10.0.0.92,ou=servers,dc=example,dc=com]/member* & user
56c4857b ACL set[0]=cn=test users,ou=access-groups,dc=example,dc=com
56c4857b ACL set[1]=uid=bbb,dc=example,dc=com
56c4857b ACL set[0]=cn=test users,ou=access-groups,dc=example,dc=com
56c4857b ACL set[1]=uid=bbb,dc=example,dc=com
56c4857b ACL set[2]=uid=aaa,ou=people,dc=example,dc=com
56c4857b <= check a_dn_pat: *
56c4857b <= acl_mask: [3] applying none(=0) (stop)
56c4857b <= acl_mask: [3] mask: none(=0)
56c4857b => slap_access_allowed: auth access denied by none(=0)
56c4857b => access_allowed: no more rules
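What the trace shows: the ldapsearch command does a simple bind, so at the moment slapd checks the ACL the requester is still anonymous (the `to value by ""` line) and needs auth access to userPassword. olcAccess {0} is `to *`, so it is the only rule consulted: `self` cannot match when no DN is bound, the set expression ends in `& user`, which intersects the member closure with an empty bound DN and so matches nothing, and evaluation falls through to clause [3], `by * none`, which is why the bind ends in Invalid credentials (49). Because {0} already covers every entry and attribute, {1} with its peername.ip clause is never reached. The Python below is an added example, not code from the gist: a simplified model of this rule walk, loaded with the gist's two rules and with an assumed corrected rule set (a `to attrs=userPassword ... by anonymous auth` rule first, then a single catch-all rule), so both can be checked against the same requests. The directory fragment and the requests are constructed from the gist's data; the model's evaluation order (first matching `to`, then first matching `by`, deny when nothing matches) is stated as an assumption in the comments.

```python
# Added example (not the gist's own code): a small model of how slapd walks
# olcAccess rules, enough to reproduce the trace above and to try a fix.
# Model assumptions: rules are tried in order; the first rule whose "to" target
# matches the entry/attribute is the only one consulted; inside it the first
# matching "by" clause decides, and with no matching clause access is denied.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# OpenLDAP privilege order: a grant at index i satisfies any request at index <= i.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

SERVER_DN = "cn=10.0.0.92,ou=servers,dc=example,dc=com"
GROUP_DN = "cn=Test Users,ou=access-groups,dc=example,dc=com"
BBB_DN = "uid=bbb,dc=example,dc=com"
AAA_DN = "uid=aaa,ou=people,dc=example,dc=com"  # as listed in the group, not the entry's actual DN

# Constructed fragment of the gist's data: only the member links matter here.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    SERVER_DN: {"member": [GROUP_DN, BBB_DN]},
    GROUP_DN: {"member": [AAA_DN]},
}


@dataclass
class Request:
    bound_dn: str   # "" = anonymous, which the trace prints as: to value by ""
    peer_ip: str
    target_dn: str
    attr: str
    level: str      # access needed: a simple bind needs "auth" on userPassword


def member_closure(start_dn: str) -> set:
    """Expand the set [start_dn]/member*: members, members of members, and so on."""
    seen, todo = set(), list(DIRECTORY.get(start_dn, {}).get("member", []))
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo.extend(DIRECTORY.get(dn, {}).get("member", []))
    return seen


# "by" clause matchers. "& user" intersects the set with the bound DN; during a
# simple bind the bound DN is empty, so the set clause can never match then.
def by_self(r: Request) -> bool:
    return r.bound_dn != "" and r.bound_dn == r.target_dn

def by_anonymous(r: Request) -> bool:
    return r.bound_dn == ""

def by_server_member(r: Request) -> bool:
    return r.bound_dn != "" and r.bound_dn in member_closure(SERVER_DN)

def by_localhost(r: Request) -> bool:
    return r.peer_ip == "127.0.0.1"

def by_any(r: Request) -> bool:
    return True

# A rule: ("to" text, target matcher, [("by" text, matcher, level granted), ...])
Rule = Tuple[str, Callable[[Request], bool], List[Tuple[str, Callable[[Request], bool], str]]]
SET_TEXT = 'set="[' + SERVER_DN + ']/member* & user"'

# The gist's olcAccess {0} and {1}. Both targets are "*", so {1} is unreachable.
GIST_RULES: List[Rule] = [
    ("{0}to *", lambda r: True, [("self", by_self, "read"),
                                 (SET_TEXT, by_server_member, "read"),
                                 ("*", by_any, "none")]),
    ("{1}to *", lambda r: True, [("self", by_self, "write"),
                                 ('peername.ip="127.0.0.1"', by_localhost, "write"),
                                 ("*", by_any, "none")]),
]

# Assumed fix (standard OpenLDAP practice, not something the gist states): let the
# anonymous requester authenticate against userPassword and nothing more, keep
# userPassword out of the group members' read access, and fold the localhost
# clause into the one catch-all rule so it can actually be reached.
FIXED_RULES: List[Rule] = [
    ("{0}to attrs=userPassword", lambda r: r.attr == "userPassword",
     [("self", by_self, "write"), ("anonymous", by_anonymous, "auth"), ("*", by_any, "none")]),
    ("{1}to *", lambda r: True,
     [("self", by_self, "read"), (SET_TEXT, by_server_member, "read"),
      ('peername.ip="127.0.0.1"', by_localhost, "write"), ("*", by_any, "none")]),
]


def access_allowed(rules: List[Rule], req: Request) -> Tuple[bool, str]:
    """Return (decision, explanation) in the spirit of the acl_mask trace lines."""
    for to_text, target_matches, by_clauses in rules:
        if not target_matches(req):
            continue
        for idx, (by_text, matches, granted) in enumerate(by_clauses, 1):
            if matches(req):
                ok = LEVELS.index(granted) >= LEVELS.index(req.level)
                return ok, f"{to_text}: [{idx}] by {by_text} applying {granted}"
        return False, f"{to_text}: no 'by' clause matched"
    return False, "no rule matched"


# Constructed requests: the gist's failing bind plus two checks a reviewer would add.
BIND_BBB = Request("", "10.0.0.92", BBB_DN, "userPassword", "auth")             # ldapsearch -D bind
LOCALHOST_WRITE = Request("", "127.0.0.1", BBB_DN, "mail", "write")              # what rule {1} intended
AAA_READS_BBB_PW = Request(AAA_DN, "10.0.0.92", BBB_DN, "userPassword", "read")  # member vs. password hash

if __name__ == "__main__":
    for label, rules in (("gist", GIST_RULES), ("fixed", FIXED_RULES)):
        for name, req in (("bind bbb", BIND_BBB), ("localhost write", LOCALHOST_WRITE),
                          ("aaa reads bbb userPassword", AAA_READS_BBB_PW)):
            print(label, name, access_allowed(rules, req))
```

Under the gist's rules the bind request stops at clause [3] of {0}, exactly as the trace does, and the localhost write is denied for the same reason, since {1} is never consulted. The third request is the one worth noticing: with `to *` granting read to every DN reachable through cn=10.0.0.92's member chain, a group member can read other users' userPassword values; the separate `to attrs=userPassword` rule in the corrected set is what closes that while still letting anonymous binds authenticate.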