[Pdns-users] pdns/ldap access denied
Daniel Lopes de Carvalho
dlcarvalho at gmail.com
Thu Oct 11 12:57:21 UTC 2012
Hi,
I'm trying to set up a new pdns server/recursor under Debian Squeeze 64
bits, but I can't get any answer from the server. Using the ping command,
I got the following message: ping: unknown host vms01.
Under syslog, I received a message: Not authoritative for
'vms01.example.com', sending servfail to 192.168.0.1.
Investigating the slapd log, I discovered some messages about access
denied to the vms01 host record.
Find attached below a snippet of the slapd log:
Oct 11 09:12:36 dns01 pdns[3910]: Query: 'vms01.example.com|ANY'
Oct 11 09:12:36 dns01 slapd[3548]: daemon: activity on 1 descriptor
Oct 11 09:12:36 dns01 slapd[3548]: daemon: activity on:
Oct 11 09:12:36 dns01 slapd[3548]: 51r
Oct 11 09:12:36 dns01 slapd[3548]:
Oct 11 09:12:36 dns01 slapd[3548]: daemon: read active on 51
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=11
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=12
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: connection_get(51)
Oct 11 09:12:36 dns01 slapd[3548]: connection_get(51): got connid=1145
Oct 11 09:12:36 dns01 slapd[3548]: connection_read(51): checking for
input on id=1145
Oct 11 09:12:36 dns01 slapd[3548]: op tag 0x63, time 1349957556
Oct 11 09:12:36 dns01 slapd[3548]: conn=1145 op=29 do_search
Oct 11 09:12:36 dns01 slapd[3548]: >>> dnPrettyNormal:
<dc=vms01,dc=example,dc=com,ou=dns,ou=Services,dc=example,dc=com>
Oct 11 09:12:36 dns01 slapd[3548]: <<< dnPrettyNormal:
<dc=vms01,dc=example,dc=com,ou=dns,ou=Services,dc=example,dc=com>,
<dc=vms01,dc=example,dc=com,ou=dns,ou=services,dc=example,dc=com>
Oct 11 09:12:36 dns01 slapd[3548]: SRCH
"dc=vms01,dc=example,dc=com,ou=dns,ou=Services,dc=example,dc=com" 0 3
Oct 11 09:12:36 dns01 slapd[3548]: 0 0 0
Oct 11 09:12:36 dns01 slapd[3548]: begin get_filter
Oct 11 09:12:36 dns01 slapd[3548]: EQUALITY
Oct 11 09:12:36 dns01 slapd[3548]: end get_filter 0
Oct 11 09:12:36 dns01 slapd[3548]: filter:
(associatedDomain=vms01.example.com)
Oct 11 09:12:36 dns01 slapd[3548]: attrs:
Oct 11 09:12:36 dns01 slapd[3548]: dNSTTL
Oct 11 09:12:36 dns01 slapd[3548]: aRecord
Oct 11 09:12:36 dns01 slapd[3548]: nSRecord
Oct 11 09:12:36 dns01 slapd[3548]: cNAMERecord
Oct 11 09:12:36 dns01 slapd[3548]: sOARecord
Oct 11 09:12:36 dns01 slapd[3548]: pTRRecord
Oct 11 09:12:36 dns01 slapd[3548]: hInfoRecord
Oct 11 09:12:36 dns01 slapd[3548]: mXRecord
Oct 11 09:12:36 dns01 slapd[3548]: tXTRecord
Oct 11 09:12:36 dns01 slapd[3548]: rPRecord
Oct 11 09:12:36 dns01 slapd[3548]: aFSDBRecord
Oct 11 09:12:36 dns01 slapd[3548]: KeyRecord
Oct 11 09:12:36 dns01 slapd[3548]: aAAARecord
Oct 11 09:12:36 dns01 slapd[3548]: lOCRecord
Oct 11 09:12:36 dns01 slapd[3548]: sRVRecord
Oct 11 09:12:36 dns01 slapd[3548]: nAPTRRecord
Oct 11 09:12:36 dns01 slapd[3548]: kXRecord
Oct 11 09:12:36 dns01 slapd[3548]: certRecord
Oct 11 09:12:36 dns01 slapd[3548]: dSRecord
Oct 11 09:12:36 dns01 slapd[3548]: sSHFPRecord
Oct 11 09:12:36 dns01 slapd[3548]: iPSecKeyRecord
Oct 11 09:12:36 dns01 slapd[3548]: rRSIGRecord
Oct 11 09:12:36 dns01 slapd[3548]: nSECRecord
Oct 11 09:12:36 dns01 slapd[3548]: dNSKeyRecord
Oct 11 09:12:36 dns01 slapd[3548]: dHCIDRecord
Oct 11 09:12:36 dns01 slapd[3548]: sPFRecord
Oct 11 09:12:36 dns01 slapd[3548]: modifyTimestamp
Oct 11 09:12:36 dns01 slapd[3548]:
Oct 11 09:12:36 dns01 slapd[3548]: conn=1145 op=29 SRCH
base="dc=vms01,dc=example,dc=com,ou=dns,ou=Services,dc=example,dc=com"
scope=0 deref=3 filter="(associatedDomain=vms01.example.com)"
Oct 11 09:12:36 dns01 slapd[3548]: conn=1145 op=29 SRCH attr=dNSTTL
aRecord nSRecord cNAMERecord sOARecord pTRRecord hInfoRecord mXRecord
tXTRecord rPRecord aFSDBRecord KeyRecord aAAARecord lOCRecord
sRVRecord nAPTRRecord kXRecord certRecord dSRecord sSHFPRecord
iPSecKeyRecord rRSIGRecord nSECRecord dNSKeyRecord dHCIDRecord
sPFRecord modifyTimestamp
Oct 11 09:12:36 dns01 slapd[3548]: ==> limits_get: conn=1145 op=29
self="[anonymous]"
this="dc=vms01,dc=example,dc=com,ou=dns,ou=services,dc=example,dc=com"
Oct 11 09:12:36 dns01 slapd[3548]: => hdb_search
Oct 11 09:12:36 dns01 slapd[3548]:
bdb_dn2entry("dc=vms01,dc=example,dc=com,ou=dns,ou=services,dc=example,dc=com")
Oct 11 09:12:36 dns01 slapd[3548]: => access_allowed: search access to
"dc=vms01,dc=example,dc=com,ou=dns,ou=Services,dc=example,dc=com"
"entry" requested
Oct 11 09:12:36 dns01 slapd[3548]: => dn: [2]
ou=kerberos,ou=services,dc=example,dc=com
Oct 11 09:12:36 dns01 slapd[3548]: => dn: [4]
Oct 11 09:12:36 dns01 slapd[3548]: => acl_get: [5] attr entry
Oct 11 09:12:36 dns01 slapd[3548]: => acl_mask: access to entry
"dc=vms01,dc=example,dc=com,ou=dns,ou=Services,dc=example,dc=com",
attr "entry" requested
Oct 11 09:12:36 dns01 slapd[3548]: => acl_mask: to all values by "", (=0)
Oct 11 09:12:36 dns01 slapd[3548]: <= check a_dn_pat: users
Oct 11 09:12:36 dns01 slapd[3548]: <= check a_dn_pat: *
Oct 11 09:12:36 dns01 slapd[3548]: <= acl_mask: [2] applying none(=0) (stop)
Oct 11 09:12:36 dns01 slapd[3548]: <= acl_mask: [2] mask: none(=0)
Oct 11 09:12:36 dns01 slapd[3548]: => slap_access_allowed: search
access denied by none(=0)
Oct 11 09:12:36 dns01 slapd[3548]: => access_allowed: no more rules
Oct 11 09:12:36 dns01 slapd[3548]: send_ldap_result: conn=1145 op=29 p=3
Oct 11 09:12:36 dns01 slapd[3548]: send_ldap_result: err=32 matched="" text=""
Oct 11 09:12:36 dns01 slapd[3548]: send_ldap_response: msgid=30 tag=101 err=32
Oct 11 09:12:36 dns01 slapd[3548]: conn=1145 op=29 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Oct 11 09:12:36 dns01 slapd[3548]: daemon: activity on 1 descriptor
Oct 11 09:12:36 dns01 slapd[3548]: daemon: activity on:
Oct 11 09:12:36 dns01 slapd[3548]:
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=11
active_threads=0 tvp=zero
Oct 11 09:12:36 dns01 slapd[3548]: daemon: epoll: listen=12
active_threads=0 tvp=zero
And this is my slapd ACLs configuration:
olcAccess: {0}to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet
by dn.one="ou=consumers,ou=ldap,ou=Services,dc=example,dc=br" read
by anonymous auth
by * none
olcAccess: {1}to dn.subtree="ou=kerberos,ou=Services,dc=example,dc=br"
by dn="cn=krbadm,ou=kerberos,ou=Services,dc=example,dc=br" write
by dn="cn=krbkdc,ou=kerberos,ou=Services,dc=example,dc=br" read
by dn.one="ou=consumers,ou=ldap,ou=Services,dc=example,dc=br" read
by * none
olcAccess: {2}to attrs=loginShell
by self write
by users read
by * none
olcAccess: {3}to dn.base=""
by * read
olcAccess: {4}to *
by users read
by * none
In the LDAP database, I have a SOA record and it was working on the older pdns
server here.
Can anyone help me?
Thanks.
Daniel
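As an added illustration (not code from the post or from OpenLDAP), the Python below models how slapd walks the posted olcAccess rules: the first "to" clause whose target matches the entry is selected, then the first matching "by" clause inside it fixes the access level and evaluation stops. Run against the entry DN from the log, the anonymous bind that pdns is using (self="[anonymous]" in the log) falls through to rule {4} and gets none, which is the "search access denied by none(=0)" and err=32 shown, while any authenticated bind DN would get read. The ACL suffix is dc=example,dc=br exactly as posted and the entry DN is the dc=example,dc=com one from the log; the entry reaches rule {4} either way, so the mismatch does not change the outcome.

```python
# Added model of slapd ACL evaluation for the posted rules; not OpenLDAP code.
# Access levels are ordered: a granted level covers every level to its left.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
SVC = "ou=services,dc=example,dc=br"          # suffix exactly as written in the ACLs
CONSUMERS = "ou=consumers,ou=ldap," + SVC
RULES = [  # (target, [(who, level), ...]) in olcAccess order {0}..{4}
    (("attrs", {"userpassword", "shadowlastchange", "sambantpassword",
                "sambalmpassword", "sambapwdlastset"}),
     [(("dn.one", CONSUMERS), "read"), ("anonymous", "auth"), ("*", "none")]),
    (("dn.subtree", "ou=kerberos," + SVC),
     [(("dn", "cn=krbadm,ou=kerberos," + SVC), "write"),
      (("dn", "cn=krbkdc,ou=kerberos," + SVC), "read"),
      (("dn.one", CONSUMERS), "read"), ("*", "none")]),
    (("attrs", {"loginshell"}), [("self", "write"), ("users", "read"), ("*", "none")]),
    (("dn.base", ""), [("*", "read")]),
    (("*", None), [("users", "read"), ("*", "none")]),
]

def norm(dn):  # case-insensitive DN comparison, as slapd does
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def target_matches(target, dn, attr):
    kind, value = target
    if kind == "*":
        return True
    if kind == "attrs":
        return attr.lower() in value
    if kind == "dn.base":
        return dn == norm(value)
    return in_subtree(dn, norm(value))            # dn.subtree

def who_matches(who, binder, dn):
    if who == "*":
        return True
    if who == "anonymous":
        return binder is None
    if who in ("users", "self"):
        return binder is not None and (who == "users" or binder == dn)
    kind, value = who
    if kind == "dn":
        return binder == norm(value)
    parent = norm(value)                           # dn.one: exactly one level below
    return (binder is not None and in_subtree(binder, parent)
            and "," not in binder[: -len(parent) - 1])

def access(binder, dn, attr="entry"):
    """Level that binder (None = anonymous bind) gets on attr of dn."""
    binder, dn = (norm(binder) if binder else None), norm(dn)
    for target, by in RULES:
        if target_matches(target, dn, attr):   # first matching 'to' clause wins
            return next((lvl for who, lvl in by if who_matches(who, binder, dn)), "none")
    return "none"                               # nothing matched: slapd denies

def allowed(binder, dn, attr, needed):
    """True when the granted level covers the needed one (e.g. 'search')."""
    return LEVELS.index(access(binder, dn, attr)) >= LEVELS.index(needed)
```

The check a practitioner would run from this is whether the DN pdns binds with (ldap-binddn in pdns.conf) is actually set and non-anonymous, since the log shows it is not.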