Почему slapd запрашивает у бэкэнда загрузку, отличную от указанной?
Может кто-нибудь объяснить, почему slapd запрашивает свой бэкэнд для загрузки данных, соответствующих отличительному имени "cn=kerberoskdc,cn=config,dc=example,dc=com" когда я на самом деле прошу дн = 'cn=user,dc=example,dc=com', 'user'
код:
require 'net/ldap'
con = Net::LDAP.new
con.host = 'localhost'
con.port = 389
con.auth 'cn=user,dc=example,dc=com', 'user'
if con.bind
puts con.get_operation_result
else
puts con.get_operation_result
end
slapd.conf:
include /private/etc/openldap/schema/core.schema
include /private/etc/openldap/schema/cosine.schema
include /private/etc/openldap/schema/nis.schema
include /private/etc/openldap/schema/inetorgperson.schema
pidfile /private/var/db/openldap/run/slapd.pid
argsfile /private/var/db/openldap/run/slapd.args
modulepath /usr/libexec/openldap
moduleload back_bdb.la
access to *
by self write
by * read
by anonymous auth
database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}VPu01KnHRk2FZtTi52W6LNFqr4nJazyK
directory /private/var/db/openldap/openldap-data
index objectClass eq
подробное сообщение сервера:
...
5a41d4ae <<< dnPrettyNormal: <cn=user,dc=example,dc=com>, <cn=user,dc=example,dc=com>
5a41d4ae conn=1000 op=0 BIND dn="cn=user,dc=example,dc=com" method=128
5a41d4ae do_bind: version=3 dn="cn=user,dc=example,dc=com" method=128
5a41d4ae ==> bdb_bind: dn: cn=user,dc=example,dc=com
5a41d4ae bdb_dn2entry("cn=user,dc=example,dc=com")
5a41d4ae => bdb_dn2id("dc=example,dc=com")
5a41d4ae <= bdb_dn2id: got id=0x5
5a41d4ae => bdb_dn2id("cn=user,dc=example,dc=com")
5a41d4ae <= bdb_dn2id: got id=0x17
5a41d4ae entry_decode: "cn=user,dc=example,dc=com"
5a41d4ae <= entry_decode(cn=user,dc=example,dc=com)
5a41d4ae => bdb_search
5a41d4ae bdb_dn2entry("cn=kerberoskdc,cn=config,dc=example,dc=com")
5a41d4ae => bdb_dn2id("cn=config,dc=example,dc=com")
5a41d4ae <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
5a41d4ae entry_decode: "dc=example,dc=com"
5a41d4ae <= entry_decode(dc=example,dc=com)
5a41d4ae => access_allowed: disclose access to "dc=example,dc=com" "entry" requested
5a41d4ae => acl_get: [1] attr entry
5a41d4ae => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
5a41d4ae => acl_mask: to all values by "cn=kerberoskdc,cn=config,dc=example,dc=com", (=0)
5a41d4ae <= check a_dn_pat: self
5a41d4ae <= check a_dn_pat: *
5a41d4ae <= acl_mask: [2] applying read(=rscxd) (stop)
5a41d4ae <= acl_mask: [2] mask: read(=rscxd)
5a41d4ae => slap_access_allowed: disclose access granted by read(=rscxd)
5a41d4ae => access_allowed: disclose access granted by read(=rscxd)
5a41d4ae send_ldap_result: conn=-1 op=0 p=0
5a41d4ae send_ldap_result: err=10 matched="dc=example,dc=com" text=""
5a41d4ae Entry *odusers_copy_entry(Operation *): Unable to locate cn=kerberoskdc,cn=config,dc=example,dc=com (32)
5a41d4ae odusers_copy_krbrealm: No entry associated with KerberosKDC cn=kerberoskdc,cn=config,dc=example,dc=com
5a41d4ae odusers_krb_auth: could not retrieve krb realm while authing user
5a41d4ae send_ldap_result: conn=1000 op=0 p=3
5a41d4ae send_ldap_result: err=50 matched="" text=""
5a41d4ae send_ldap_response: msgid=1 tag=97 err=50
....
вывод на терминал:
fail
#<OpenStruct extended_response=nil, code=50, error_message="", matched_dn="", message="Insufficient Access Rights">
1 ответ
Вот обходной путь, который работает для моего сервера OpenLDAP, который я использую в среде разработки Ruby on Rails в OS X El Capitan. Я нашел ответ здесь. Это скорее обходной путь, чем решение.
- Замените "database hdb" на "database ldif" в файле slapd.conf.
- Удалить модуль загрузки back_hdb.la
- slapd не будет работать до тех пор, пока вы не удалите какие-либо дополнительные конфигурации базы данных, такие как индексы.
Вот мой slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write
# NO REFERRALS
# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid
# enable a lot of logging - we might need it
# but generates huge logs
loglevel -1
# MODULELOAD definitions
# not required (comment out) before version 2.3
#moduleload back_hdb.la
# NO TLS-enabled connections
# backend definition not required
#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################
database ldif
suffix "dc=example, dc=com"
# root or superuser
rootdn "cn=matt, dc=example, dc=com"
rootpw {SSHA}d+/KMakRv0dLLXp4Qu0ezvfcdpHQA4pU
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /var/db/openldap/openldap-data
# Indices to maintain for this directory
# unique id so equality match only
#index uid eq
# allows general searching on commonname, givenname and email
#index cn,gn,mail eq,sub
# allows multiple variants on surname searching
#index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
#index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
#index default eq,sub
# indices missing - uses default eq,sub
#index telephonenumber
## other database parameters
## read more in slapd.conf reference section
#cachesize 10000
#checkpoint 128 15