Why does slapd not grant write access to the bind DN?

Posted: 2016-05-10 22:35:13

Tags: openldap

I have configured the following access rules in my "slapd.conf":

access to attrs=uid,userPassword
 by dn.one="cn=Dovecot Server,ou=people,dc=johannesgemeinde-berlin,dc=de" search
 by dn.one="cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de" read
 by self write
 by anonymous auth
 by * none

access to attrs=mail
 by dn.one="cn=Dovecot Server,ou=people,dc=johannesgemeinde-berlin,dc=de" read
 by self write
 by anonymous auth
 by * none

access to dn.subtree="ou=people,o=SOGo Users,dc=johannesgemeinde-berlin,dc=de"
 by dn.one="cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de" write
 by self write
 by anonymous auth
 by * none

access to dn.subtree=dc=johannesgemeinde-berlin,dc=de
 by dn.one="cn=System Administrator-admin,ou=people,dc=johannesgemeinde-berlin,dc=de" manage
 by dn.one="cn=admin,dc=johannesgemeinde-berlin,dc=de" manage
 by self write
 by anonymous auth
 by * none

But in the log I get no access for "cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de":

May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: slap_listener_activate(8): 
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 busy
May 10 18:03:03 dgrace slapd[29172]: >>> slap_listener(ldap://127.0.0.1:389/)
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 active_threads=0 tvp=zero
May 10 18:03:03 dgrace slapd[29172]: daemon: listen=8, new connection on 11
May 10 18:03:03 dgrace slapd[29172]: daemon: added 11r (active) listener=(nil)
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 active_threads=0 tvp=zero
May 10 18:03:03 dgrace slapd[29172]: conn=1001 fd=11 ACCEPT from IP=127.0.0.1:57860 (IP=127.0.0.1:389)
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]:  11r
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: daemon: read active on 11
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 active_threads=0 tvp=zero
May 10 18:03:03 dgrace slapd[29172]: connection_get(11)
May 10 18:03:03 dgrace slapd[29172]: connection_get(11): got connid=1001
May 10 18:03:03 dgrace slapd[29172]: connection_read(11): checking for input on id=1001
May 10 18:03:03 dgrace slapd[29172]: op tag 0x60, time 1462896183
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 active_threads=0 tvp=zero
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=0 do_bind
May 10 18:03:03 dgrace slapd[29172]: >>> dnPrettyNormal: <cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de>
May 10 18:03:03 dgrace slapd[29172]: <<< dnPrettyNormal: <cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de>, <cn=sogo admin,ou=people,dc=johannesgemeinde-berlin,dc=de>
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=0 BIND dn="cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de" method=128
May 10 18:03:03 dgrace slapd[29172]: do_bind: version=3 dn="cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de" method=128
May 10 18:03:03 dgrace slapd[29172]: ==> bdb_bind: dn: cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de
May 10 18:03:03 dgrace slapd[29172]: bdb_dn2entry("cn=sogo admin,ou=people,dc=johannesgemeinde-berlin,dc=de")
May 10 18:03:03 dgrace slapd[29172]: => access_allowed: result not in cache (userPassword)
May 10 18:03:03 dgrace slapd[29172]: => access_allowed: auth access to "cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de" "userPassword" requested
May 10 18:03:03 dgrace slapd[29172]: => acl_get: [1] attr userPassword
May 10 18:03:03 dgrace slapd[29172]: => acl_mask: access to entry "cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de", attr "userPassword" requested
May 10 18:03:03 dgrace slapd[29172]: => acl_mask: to value by "", (=0) 
May 10 18:03:03 dgrace slapd[29172]: <= check a_dn_pat: cn=dovecot server,ou=people,dc=johannesgemeinde-berlin,dc=de
May 10 18:03:03 dgrace slapd[29172]: <= check a_dn_pat: cn=sogo admin,ou=people,dc=johannesgemeinde-berlin,dc=de
May 10 18:03:03 dgrace slapd[29172]: <= check a_dn_pat: self
May 10 18:03:03 dgrace slapd[29172]: <= check a_dn_pat: anonymous
May 10 18:03:03 dgrace slapd[29172]: <= acl_mask: [4] applying auth(=xd) (stop)
May 10 18:03:03 dgrace slapd[29172]: <= acl_mask: [4] mask: auth(=xd)
May 10 18:03:03 dgrace slapd[29172]: => slap_access_allowed: auth access granted by auth(=xd)
May 10 18:03:03 dgrace slapd[29172]: => access_allowed: auth access granted by auth(=xd)
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=0 BIND dn="cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de" mech=SIMPLE ssf=0
May 10 18:03:03 dgrace slapd[29172]: do_bind: v3 bind: "cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de" to "cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de"
May 10 18:03:03 dgrace slapd[29172]: send_ldap_result: conn=1001 op=0 p=3
May 10 18:03:03 dgrace slapd[29172]: send_ldap_result: err=0 matched="" text=""
May 10 18:03:03 dgrace slapd[29172]: send_ldap_response: msgid=1 tag=97 err=0
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]:  11r
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: daemon: read active on 11
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 active_threads=0 tvp=zero
May 10 18:03:03 dgrace slapd[29172]: connection_get(11)
May 10 18:03:03 dgrace slapd[29172]: connection_get(11): got connid=1001
May 10 18:03:03 dgrace slapd[29172]: connection_read(11): checking for input on id=1001
May 10 18:03:03 dgrace slapd[29172]: op tag 0x63, time 1462896183
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 active_threads=0 tvp=zero
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=1 do_search
May 10 18:03:03 dgrace slapd[29172]: >>> dnPrettyNormal: <ou=people,o=sogo users,dc=johannesgemeinde-berlin,dc=de>
May 10 18:03:03 dgrace slapd[29172]: <<< dnPrettyNormal: <ou=people,o=sogo users,dc=johannesgemeinde-berlin,dc=de>, <ou=people,o=sogo users,dc=johannesgemeinde-berlin,dc=de>
May 10 18:03:03 dgrace slapd[29172]: SRCH "ou=people,o=sogo users,dc=johannesgemeinde-berlin,dc=de" 2 0
May 10 18:03:03 dgrace slapd[29172]:     0 0 0
May 10 18:03:03 dgrace slapd[29172]: begin get_filter
May 10 18:03:03 dgrace slapd[29172]: OR
May 10 18:03:03 dgrace slapd[29172]: begin get_filter_list
May 10 18:03:03 dgrace slapd[29172]: begin get_filter
May 10 18:03:03 dgrace slapd[29172]: EQUALITY
May 10 18:03:03 dgrace slapd[29172]: end get_filter 0
May 10 18:03:03 dgrace slapd[29172]: begin get_filter
May 10 18:03:03 dgrace slapd[29172]: EQUALITY
May 10 18:03:03 dgrace slapd[29172]: end get_filter 0
May 10 18:03:03 dgrace slapd[29172]: end get_filter_list
May 10 18:03:03 dgrace slapd[29172]: end get_filter 0
May 10 18:03:03 dgrace slapd[29172]:     filter: (|(uid=caladmin)(mail=caladmin))
May 10 18:03:03 dgrace slapd[29172]:     attrs:
May 10 18:03:03 dgrace slapd[29172]:  dn
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=1 SRCH base="ou=people,o=sogo users,dc=johannesgemeinde-berlin,dc=de" scope=2 deref=0 filter="(|(uid=caladmin)(mail=caladmin))"
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=1 SRCH attr=dn
May 10 18:03:03 dgrace slapd[29172]: ==> limits_get: conn=1001 op=1 self="cn=sogo admin,ou=people,dc=johannesgemeinde-berlin,dc=de" this="ou=people,o=sogo users,dc=johannesgemeinde-berlin,dc=de"
May 10 18:03:03 dgrace slapd[29172]: => bdb_search
May 10 18:03:03 dgrace slapd[29172]: bdb_dn2entry("ou=people,o=sogo users,dc=johannesgemeinde-berlin,dc=de")
May 10 18:03:03 dgrace slapd[29172]: => access_allowed: search access to "ou=people,o=SOGo Users,dc=johannesgemeinde-berlin,dc=de" "entry" requested
May 10 18:03:03 dgrace slapd[29172]: => dn: [3] ou=people,o=sogo users,dc=johannesgemeinde-berlin,dc=de
May 10 18:03:03 dgrace slapd[29172]: => acl_get: [3] matched
May 10 18:03:03 dgrace slapd[29172]: => acl_get: [3] attr entry
May 10 18:03:03 dgrace slapd[29172]: => acl_mask: access to entry "ou=people,o=SOGo Users,dc=johannesgemeinde-berlin,dc=de", attr "entry" requested
May 10 18:03:03 dgrace slapd[29172]: => acl_mask: to all values by "cn=sogo admin,ou=people,dc=johannesgemeinde-berlin,dc=de", (=0) 
May 10 18:03:03 dgrace slapd[29172]: <= check a_dn_pat: cn=sogo admin,ou=people,dc=johannesgemeinde-berlin,dc=de
May 10 18:03:03 dgrace slapd[29172]: <= check a_dn_pat: self
May 10 18:03:03 dgrace slapd[29172]: <= check a_dn_pat: anonymous
May 10 18:03:03 dgrace slapd[29172]: <= check a_dn_pat: *
May 10 18:03:03 dgrace slapd[29172]: <= acl_mask: [4] applying none(=0) (stop)
May 10 18:03:03 dgrace slapd[29172]: <= acl_mask: [4] mask: none(=0)
May 10 18:03:03 dgrace slapd[29172]: => slap_access_allowed: search access denied by none(=0)
May 10 18:03:03 dgrace slapd[29172]: => access_allowed: no more rules
May 10 18:03:03 dgrace slapd[29172]: send_ldap_result: conn=1001 op=1 p=3
May 10 18:03:03 dgrace slapd[29172]: send_ldap_result: err=32 matched="" text=""
May 10 18:03:03 dgrace slapd[29172]: send_ldap_response: msgid=2 tag=101 err=32
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]:  11r
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: daemon: read active on 11
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 active_threads=0 tvp=zero
May 10 18:03:03 dgrace slapd[29172]: connection_get(11)
May 10 18:03:03 dgrace slapd[29172]: connection_get(11): got connid=1001
May 10 18:03:03 dgrace slapd[29172]: connection_read(11): checking for input on id=1001
May 10 18:03:03 dgrace slapd[29172]: op tag 0x42, time 1462896183
May 10 18:03:03 dgrace slapd[29172]: ber_get_next on fd 11 failed errno=0 (Success)
May 10 18:03:03 dgrace slapd[29172]: connection_read(11): input error=-2 id=1001, closing.
May 10 18:03:03 dgrace slapd[29172]: connection_closing: readying conn=1001 sd=11 for close
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on 1 descriptor
May 10 18:03:03 dgrace slapd[29172]: daemon: activity on:
May 10 18:03:03 dgrace slapd[29172]: 
May 10 18:03:03 dgrace slapd[29172]: daemon: epoll: listen=8 active_threads=0 tvp=zero
May 10 18:03:03 dgrace slapd[29172]: connection_close: deferring conn=1001 sd=11
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=2 do_unbind
May 10 18:03:03 dgrace slapd[29172]: conn=1001 op=2 UNBIND
May 10 18:03:03 dgrace slapd[29172]: connection_resched: attempting closing conn=1001 sd=11
May 10 18:03:03 dgrace slapd[29172]: connection_close: conn=1001 sd=11
May 10 18:03:03 dgrace slapd[29172]: daemon: removing 11
May 10 18:03:03 dgrace slapd[29172]: conn=1001 fd=11 closed

Why don't I get write access from the third access rule?
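The log lines `<= check a_dn_pat: cn=sogo admin,...` followed by `[4] applying none(=0)` show the first `by` clause of the third rule being tested against the bound DN and not matching, so evaluation falls through to `by * none`. In slapd.access(5), `dn.one=<pattern>` matches only DNs whose immediate parent is the pattern DN (the same as `dn.onelevel`); the bound DN itself is matched by `dn.exact=<pattern>`. The script below, an added example that is not part of the post and not OpenLDAP code, models the `<who>` clause styles exact, one, subtree and children and runs the third rule from the post, both as written and with `dn.exact`, against the DNs from the post. The DN normalisation is a simplification of slapd's own (assumption: no escaped commas), and the child DN `cn=token,cn=SOGo Admin,...` is constructed only to show what `dn.one` actually matches.

```python
# Added example (not from the post or OpenLDAP): a small model of how slapd
# matches the <who> clause of an access rule against the bound DN, using the
# DNs and the third access rule from the post. DN normalisation here is a
# simplification of slapd's dnNormalize (assumption: no escaped commas).

SOGO_ADMIN = "cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de"
SOGO_USERS = "ou=people,o=SOGo Users,dc=johannesgemeinde-berlin,dc=de"


def normalize_dn(dn):
    """Return a DN as a tuple of lower-cased RDNs, leaf first, e.g.
    ('cn=sogo admin', 'ou=people', 'dc=johannesgemeinde-berlin', 'dc=de')."""
    if not dn:
        return ()
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(rdns)


def dn_style_matches(style, pattern, subject):
    """slapd.access(5) dn.<style> semantics for a pattern DN and a subject DN."""
    p, s = normalize_dn(pattern), normalize_dn(subject)
    if style == "exact":
        return s == p
    if style == "one":          # subject's immediate parent is the pattern
        return s[1:] == p
    if style == "subtree":      # subject is the pattern itself or below it
        return s[len(s) - len(p):] == p
    if style == "children":     # subject is strictly below the pattern
        return len(s) > len(p) and s[len(s) - len(p):] == p
    raise ValueError(f"unknown dn style {style!r}")


def acl_mask(who_clauses, bind_dn, target_dn):
    """Walk the <who> clauses in order and return the access level of the first
    one that matches, like slapd's acl_mask; '*' always matches."""
    for who, access in who_clauses:
        if who == "*":
            return access
        if who == "anonymous":
            if bind_dn == "":
                return access
            continue
        if who == "self":
            if bind_dn and normalize_dn(bind_dn) == normalize_dn(target_dn):
                return access
            continue
        style, pattern = who
        if bind_dn and dn_style_matches(style, pattern, bind_dn):
            return access
    return "none"   # "no more rules" in the log


# The third rule exactly as posted: dn.one= on the SOGo Admin DN.
RULE_AS_POSTED = [
    (("one", SOGO_ADMIN), "write"),
    ("self", "write"),
    ("anonymous", "auth"),
    ("*", "none"),
]

# The same rule with dn.exact=, which matches the bound DN itself.
RULE_FIXED = [(("exact", SOGO_ADMIN), "write")] + RULE_AS_POSTED[1:]


def explain():
    """Access each variant grants to the bound SOGo Admin DN on the search base,
    plus what dn.one does match: a constructed entry directly under SOGo Admin."""
    child_of_admin = "cn=token,cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de"
    return {
        "as_posted": acl_mask(RULE_AS_POSTED, SOGO_ADMIN, SOGO_USERS),
        "fixed": acl_mask(RULE_FIXED, SOGO_ADMIN, SOGO_USERS),
        "dn_one_matches_child": acl_mask(RULE_AS_POSTED, child_of_admin, SOGO_USERS),
        "anonymous_gets_auth": acl_mask(RULE_AS_POSTED, "", SOGO_USERS),
    }


if __name__ == "__main__":
    for name, access in explain().items():
        print(f"{name}: {access}")
```

The `as_posted` result is `none`, matching the log; the `fixed` variant yields `write`. Note that `none` on the base entry also explains the `err=32` (noSuchObject) in the log: a search base the bound identity may not even `search` is reported as non-existent rather than as access denied. To verify against the real server rather than this model, slapacl(8) evaluates the configured ACLs offline, for example `slapacl -f /etc/ldap/slapd.conf -D "cn=SOGo Admin,ou=people,dc=johannesgemeinde-berlin,dc=de" -b "ou=people,o=SOGo Users,dc=johannesgemeinde-berlin,dc=de" entry/search entry/write` (the config path is an assumption).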

1 Answer:

Answer 0 (score: 1)

Does it let you bind as any user by adding -D "userdn" + -w $usersecret?