authentication problems

Jason Cross (jcross01@eng.eds.com)
Sat, 10 Dec 1994 13:33:09 -0500 (EST)

I'm having a problem with an LDAP client application I'm writing,
and I believe it to be an LDAP issue more so than a quipu issue.
If wrong, please excuse.

It appears that, when I use 'ldap_simple_bind_s' and attempt to bind
as a specific user, I'm still considered to be an anonymous user,
although I should have read access to the attribute according to
the ACL.

I have the following ACL setup for entries in the directory.
In essence I want everyone to be able to read all entries except
'userPassword' and 'homePhone'. When I use dish and authenticate
as anonymous, I can't read 'userPassword' or 'homePhone'. When
I use dish and authenticate with the proper password as 'Admin'
or the user, I can read 'homePhone', as dictated by the ACL.

acl= group # c=US@o=Acme@cn=Admin # write # entry &\
group # c=US@o=Acme@cn=Admin # write # attributes # userPassword &\
group # c=US@o=Acme@cn=Admin # write # attributes # homePhone &\
group # c=US@o=Acme@cn=Admin # read # attributes # homePhone &\
self # write # entry &\
self # write # default &\
self # write # attributes # userPassword &\
self # write # attributes # homePhone &\
self # read # attributes # homePhone &\
others # read # entry &\
others # read # default &\
others # compare # attributes # userPassword &\
others # none # attributes # homePhone

However, in the LDAP application, when I authenticate as the 'Admin' or the
user, I *cannot* read the 'homePhone' attribute. The following is the
call:

    /* *conn_addr_ptr is the LDAP * session handle; bind with a simple password */
    if ( ldap_simple_bind_s( *conn_addr_ptr, "cn=Admin, o=Acme, c=US", "Admin" ) != LDAP_SUCCESS )
    {
        ldap_perror( *conn_addr_ptr, "x500connect():ldap_simple_bind_s" );
        return( ERR_LDAP_SIMPLE_BIND_S );
    }

The following is from quipulog showing the login:

12/10 11:59:24 xtquipu- 09524 (root ) X500 DAP context association (4): Internet=130.175.179.40+34910
12/10 11:59:24 xtquipu- 09524 (root ) Bind (4) (simple): c=US@o=Acme@cn=Admin
12/10 11:59:25 xtquipu- 09524 (root ) Search (4): c=US@o=Acme
12/10 11:59:25 xtquipu- 09524 (root ) Search subtree (sn=smith)
12/10 11:59:25 xtquipu- 09524 (root ) Result sent (4)
12/10 11:59:25 xtquipu- 09524 (root ) Unbind (4) (responder): c=US@o=Acme@cn=Admin

I have noticed when I change the ACL for others:

FROM: others # none # attributes # homePhone
TO: others # read # attributes # homePhone

I can read the 'homePhone' attribute via the application. Any help will
be appreciated. Thanks.

BTW -- I have LDAP ported to Solaris and it required some changes.
Should I submit those changes, so it can be incorporated in the source
code distribution?
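The following is an added example, not part of the post above and not code from the quipu/ISODE or LDAP distributions. It parses the ACL exactly as written in the post and evaluates which attributes each access class (anonymous, the Admin group member, the entry owner) may read, so the observed behaviour of the application ("cannot read homePhone after binding as Admin") can be matched against the class it is consistent with. The precedence rules are an assumed simplification of quipu's behaviour (attribute-specific clauses beat a category's default clause; the strongest matching category wins; rights are ordered none < detect < compare < read < add < write with stronger rights implying weaker ones), and the three access classes in PRINCIPALS are constructed for the example.

```python
"""Model of the quipu-style ACL from the post: which access class does an
observed read/no-read result match? (added example, assumed semantics)"""
from collections import namedtuple

# Rights from weakest to strongest; a stronger right is assumed to imply the
# weaker ones (ordering assumed, not verified against the ISODE sources).
RIGHTS = ("none", "detect", "compare", "read", "add", "write")

Clause = namedtuple("Clause", "who right scope attrs")

# ACL copied from the post; the raw string keeps the '&\' line continuations.
ACL_TEXT = r"""acl= group # c=US@o=Acme@cn=Admin # write # entry &\
group # c=US@o=Acme@cn=Admin # write # attributes # userPassword &\
group # c=US@o=Acme@cn=Admin # write # attributes # homePhone &\
group # c=US@o=Acme@cn=Admin # read # attributes # homePhone &\
self # write # entry &\
self # write # default &\
self # write # attributes # userPassword &\
self # write # attributes # homePhone &\
self # read # attributes # homePhone &\
others # read # entry &\
others # read # default &\
others # compare # attributes # userPassword &\
others # none # attributes # homePhone"""

# Access classes a bound identity can fall into (constructed for this example).
# A bind as cn=Admin matches the group clauses *and* the 'others' clauses; an
# anonymous bind matches only 'others'.
PRINCIPALS = {
    "anonymous": frozenset({("others", None)}),
    "admin": frozenset({("group", "c=US@o=Acme@cn=Admin"), ("others", None)}),
    "self": frozenset({("self", None), ("others", None)}),
}


def parse_acl(text):
    """Split 'who # right # scope [# attrs]' clauses joined by '&'."""
    body = text.split("=", 1)[1] if text.lstrip().startswith("acl") else text
    body = body.replace("\\\n", " ")          # drop the backslash-newline joins
    clauses = []
    for raw in body.split("&"):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("#")]
        if fields[0] == "group":              # 'group' carries the group DN
            who, fields = ("group", fields[1]), fields[2:]
        else:                                 # 'self' / 'others' carry no DN
            who, fields = (fields[0], None), fields[1:]
        right, scope = fields[0], fields[1]
        if right not in RIGHTS or scope not in ("entry", "default", "attributes"):
            raise ValueError("bad ACL clause: %r" % raw.strip())
        attrs = (frozenset(a.strip() for a in fields[2].split(","))
                 if scope == "attributes" else frozenset())
        clauses.append(Clause(who, right, scope, attrs))
    return clauses


def strongest(rights):
    return max(rights, key=RIGHTS.index)


def grants(right, wanted):
    """True if `right` is at least as strong as `wanted`."""
    return RIGHTS.index(right) >= RIGHTS.index(wanted)


def effective_right(clauses, principal, attr):
    """Per matching class, attribute-specific clauses beat that class's default
    clause; across classes the strongest right wins (assumed precedence)."""
    best = "none"
    for who in principal:
        mine = [c for c in clauses if c.who == who]
        specific = [c.right for c in mine if c.scope == "attributes" and attr in c.attrs]
        default = [c.right for c in mine if c.scope == "default"]
        pool = specific or default
        if pool:
            best = strongest([best] + pool)
    return best


def consistent_classes(clauses, attr, readable):
    """Access classes for which `attr` is (readable=True) or is not readable."""
    return sorted(name for name, p in PRINCIPALS.items()
                  if grants(effective_right(clauses, p, attr), "read") == readable)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for name, p in PRINCIPALS.items():
        print(name, {a: effective_right(acl, p, a)
                     for a in ("sn", "homePhone", "userPassword")})
    # The application could not read homePhone after binding as Admin:
    # only one class is consistent with that, i.e. the bind did not take effect.
    print("behaves like:", consistent_classes(acl, "homePhone", False))
    # Relaxing 'others' to read exposes homePhone to every class, so the read
    # no longer distinguishes an effective bind from an anonymous one.
    relaxed = parse_acl(ACL_TEXT.replace("others # none # attributes # homePhone",
                                         "others # read # attributes # homePhone"))
    print("after relaxing others:", consistent_classes(relaxed, "homePhone", False))
```

Under this model the failed read of 'homePhone' is consistent only with the anonymous class, which is why the symptom looks like an ineffective bind rather than an ACL mistake; and changing the 'others' clause to read makes the attribute readable by everyone, so it hides the bind problem instead of confirming it.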