Openldap - slap_access_allowed: auth access denied by =0 - unable to authenticate users

I recently configured my openldap server to use certificates, but in the process I also messed up the insecure port. Now authentication does not work for any user. I am using the python-ldap client to create the connection.

import ldap
import os
l = ldap.initialize('ldap://<ip>:1389')
l.set_option(ldap.OPT_REFERRALS, 0)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
l.simple_bind_s('uid=myuser,ou=People,ou=myorg,dc=my,dc=com', 'mypasspw')

I get ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'} for every user.

I started the ldap server in debug mode; here is the log.

6021594b connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
  0000:  30 46 02 01 01 60 41 02                            0F...`A.
ldap_read: want=64, got=64
  0000:  01 03 04 32 75 69 64 3d  73 62 61 74 72 61 2c 6f   ...2uid=myuser,o
  0010:  75 3d 50 65 6f 70 6c 65  2c 6f 75 3d 62 6c 75 65   u=People,ou=myo
  0020:  70 6c 61 6e 65 74 2c 64  63 3d 63 69 65 6e 61 2c   rg,dc=my,
  0030:  64 63 3d 63 6f 6d 80 08  73 62 61 74 72 61 70 77   dc=com..mypasspw
ber_get_next: tag 0x30 len 70 contents:
ber_dump: buf=0x7f5f1c2fe390 ptr=0x7f5f1c2fe390 end=0x7f5f1c2fe3d6 len=70
  0000:  02 01 01 60 41 02 01 03  04 32 75 69 64 3d 73 62   ...`A....2uid=my
  0010:  61 74 72 61 2c 6f 75 3d  50 65 6f 70 6c 65 2c 6f   user,ou=People,o
  0020:  75 3d 62 6c 75 65 70 6c  61 6e 65 74 2c 64 63 3d   u=myorg,dc=
  0030:  63 69 65 6e 61 2c 64 63  3d 63 6f 6d 80 08 73 62   my,dc=com..my
  0040:  61 74 72 61 70 77                                  passpw
6021594b op tag 0x60, time 1612798283
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
6021594b conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f5f1c2fe390 ptr=0x7f5f1c2fe393 end=0x7f5f1c2fe3d6 len=67
  0000:  60 41 02 01 03 04 32 75  69 64 3d 73 62 61 74 72   `A....2uid=myuse
6021594b daemon: activity on 1 descriptor
6021594b daemon: activity on:
6021594b daemon: epoll: listen=7 active_threads=0 tvp=zero
6021594b daemon: epoll: listen=8 active_threads=0 tvp=zero
  0010:  61 2c 6f 75 3d 50 65 6f  70 6c 65 2c 6f 75 3d 62   a,ou=People,ou=
  0020:  6c 75 65 70 6c 61 6e 65  74 2c 64 63 3d 63 69 65   myorg,dc=my
  0030:  6e 61 2c 64 63 3d 63 6f  6d 80 08 73 62 61 74 72   ,dc=com..mypas
  0040:  61 70 77                                           spw
ber_scanf fmt (m}) ber:
ber_dump: buf=0x7f5f1c2fe390 ptr=0x7f5f1c2fe3cc end=0x7f5f1c2fe3d6 len=10
  0000:  00 08 73 62 61 74 72 61  70 77                     ..mypasspw
6021594b >>> dnPrettyNormal: <uid=myuser,ou=People,ou=myorg,dc=my,dc=com>
=> ldap_bv2dn(uid=myuser,ou=People,ou=myorg,dc=my,dc=com,0)
<= ldap_bv2dn(uid=myuser,ou=People,ou=myorg,dc=my,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=myuser,ou=People,ou=myorg,dc=my,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=myuser,ou=people,ou=myorg,dc=my,dc=com)=0
6021594b <<< dnPrettyNormal: <uid=myuser,ou=People,ou=myorg,dc=my,dc=com>, <uid=myuser,ou=people,ou=myorg,dc=my,dc=com>
6021594b do_bind: version=3 dn="uid=myuser,ou=People,ou=myorg,dc=my,dc=com" method=128
6021594b ==> mdb_bind: dn: uid=myuser,ou=People,ou=myorg,dc=my,dc=com
6021594b mdb_dn2entry("uid=myuser,ou=people,ou=myorg,dc=my,dc=com")
6021594b => mdb_dn2id("uid=myuser,ou=people,ou=myorg,dc=my,dc=com")
6021594b <= mdb_dn2id: got id=0xb
6021594b => mdb_entry_decode:
6021594b <= mdb_entry_decode
6021594b => access_allowed: result not in cache (userPassword)
6021594b => access_allowed: auth access to "uid=myuser,ou=People,ou=myorg,dc=my,dc=com" "userPassword" requested
6021594b => dn: [1]
6021594b => dn: [2] cn=subschema
6021594b => acl_get: [3] attr userPassword
6021594b => acl_mask: access to entry "uid=myuser,ou=People,ou=myorg,dc=my,dc=com", attr "userPassword" requested
6021594b => acl_mask: to value by "", (=0)
6021594b <= check a_dn_pat: cn=webadm,dc=webadm
6021594b <= acl_mask: no more <who> clauses, returning =0 (stop)
6021594b => slap_access_allowed: auth access denied by =0
6021594b => access_allowed: no more rules
6021594b send_ldap_result: conn=1000 op=0 p=3
6021594b send_ldap_result: err=49 matched="" text=""
6021594b send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 12
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
^C6021594f daemon: shutdown requested and initiated.
6021594f daemon: closing 7
6021594f daemon: closing 8
6021594f connection_closing: readying conn=1000 sd=12 for close
6021594f connection_close: conn=1000 sd=12
6021594f daemon: removing 12
6021594f slapd shutdown: waiting for 0 operations/tasks to finish
6021594f slapd shutdown: initiated
6021594f slapd destroy: freeing system resources.
6021594f syncinfo_free: rid=011
6021594f slapd stopped.

I suspect something is not allowing access to userPassword, but I don't know what. I have not touched the olcAccess configuration, which is:

olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * by dn="cn=webadm,dc=webADM" write
olcAccess: to * by self write by users read by anonymous auth

Where can I look further? I'm a bit lost right now.

Answer 1

First, it looks like you are sending passwords over the network in the clear. Don't do that. Either set up some kind of TLS (starttls) or LDAPS.

Also, dn.base="" and dn.base="cn=Subschema" are usually controlled by a different backend than the one you are applying the ACLs to, so you may want to check whether those lines even need to be there.

As for your actual problem: OpenLDAP ACLs are first-match-wins. In addition, every line ends with an implicit by * none. So olcAccess: to * by dn="cn=webadm,dc=webADM" write is effectively olcAccess: to * by dn="cn=webadm,dc=webADM" write by * none, which means your next line is never evaluated, because you already have a match. (Flow control can change that, but you probably don't need it yet.)

Standard:

olcAccess: to *
  by dn="cn=webadm,dc=webADM" write
  by self write
  by users read
  by anonymous auth

Flow control:

olcAccess: to *
  by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" write
  by group.exact="cn=ldap-servers,ou=groups,dc=example,dc=com" read
  by dn.exact="cn=webadm,ou=users,dc=example,dc=com" write
  by * break
olcAccess: to attr=userPassword
  by self write
  by * auth
olcAccess: to attrs=member
  by set="this/owner & this/owner/member* & user" write
  by users read
olcAccess: to *
  by self write
  by users read
  by anonymous auth

(Yes, you could make webadm part of ldap-admins, but honestly there is a lot I don't know about what you are doing or the scope of the system. I also included the most common best use of sets as an example, just in case.)
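As an added example (not code from the question or the answer), a small Python model of the rule walk the answer describes: it encodes the OP's olcAccess lines, the answer's merged "standard" rule and the "flow control" shape, and checks the anonymous auth access to userPassword that the debug log shows being denied. DNs are those from the post; the group/set clauses of the flow-control example are left out (only dn.exact and by * break are modelled), and the evaluator is a simplified approximation of slapd, not its real ACL engine.

```python
# Added example (not from the original post): a toy evaluator of how slapd walks
# olcAccess rules: the first rule whose <what> matches the target wins, every rule
# ends with an implicit "by * none", and "break" drops through to the next rule.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MYUSER = "uid=myuser,ou=People,ou=myorg,dc=my,dc=com"

def what_matches(what, target_dn, attr):
    key, _, val = what.partition("=")
    val = val.strip('"').lower()
    if what == "*":
        return True
    if key in ("attr", "attrs"):
        return attr is not None and attr.lower() in val.split(",")
    if key == "dn.base":
        return target_dn.lower() == val
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bind_dn, target_dn):
    key, _, val = who.partition("=")
    if key in ("dn", "dn.exact"):
        return bind_dn.lower() == val.strip('"').lower()
    return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
            "self": bind_dn != "" and bind_dn.lower() == target_dn.lower()}[who]

def access_allowed(acls, bind_dn, target_dn, attr, needed):
    for what, by_clauses in acls:
        if not what_matches(what, target_dn, attr):
            continue
        for who, access in by_clauses + [("*", "none")]:  # implicit "by * none"
            if who_matches(who, bind_dn, target_dn):
                if access == "break":
                    break  # fall through to the next olcAccess rule
                return LEVELS.index(access) >= LEVELS.index(needed)
    return False

# The OP's rules: the third rule matches every entry, so the fourth is dead.
ORIGINAL = [('dn.base=""', [("*", "read")]),
            ('dn.base="cn=Subschema"', [("*", "read")]),
            ("*", [('dn="cn=webadm,dc=webADM"', "write")]),
            ("*", [("self", "write"), ("users", "read"), ("anonymous", "auth")])]
# The answer's "standard" fix: one rule carrying all four <by> clauses.
STANDARD = ORIGINAL[:2] + [("*", ORIGINAL[2][1] + ORIGINAL[3][1])]
# The answer's "flow control" shape: "by * break" lets later rules be consulted.
FLOW = [("*", [('dn.exact="cn=webadm,ou=users,dc=example,dc=com"', "write"), ("*", "break")]),
        ("attrs=userPassword", [("self", "write"), ("*", "auth")]),
        ("*", [("self", "write"), ("users", "read"), ("anonymous", "auth")])]

def bind_check(acls):
    # A simple bind checks userPassword as the anonymous user "" (the log's 'to value by ""').
    return access_allowed(acls, "", MYUSER, "userPassword", "auth")
```

bind_check(ORIGINAL) reproduces the log's denial, while both corrected rule sets grant the auth access the bind needs.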
