
[Nufw-users] nuauth fetches right acl but takes wrong decision


From: Tilman Baumann
Subject: [Nufw-users] nuauth fetches right acl but takes wrong decision
Date: Wed, 31 May 2006 13:30:01 +0200
User-agent: KMail/1.9.1

Hello,

I cannot get nuauth running correctly.
I use PAM (system) for authentication and LDAP for ACLs.

I test with a user (tilli) who is in a group with gid 500. This user can log in 
but his packets get dropped. I'm not sure because the concerned section has 
less debug. But it looks like it fetches the right acl but doesn't get a handle 
on it. Maybe it makes something wrong with the comparison of the gid.

But most likely I got something wrong. :)

The acl looks this way:

# all, acls, example.com
dn: cn=all,ou=acls,dc=example,dc=com
objectClass: top
objectClass: NuAccessControlList
Proto: 6
SrcIPEnd: 2886795263
Decision: 1
cn: all
SrcPortEnd: 65535
DstIPEnd: 4294967295
Group: 500
SrcPortStart: 0
DstPortStart: 0
DstIPStart: 0
DstPortEnd: 65535
SrcIPStart: 2886729728

nuauth logs this:
** Message: Creating new packet
** Message: search&push: need to warn client
** Message: user activity on socket 7
** Message: Pushing packet to user_checker
** Message: entering user_check
** Message: Authreq start
** Message:     got IPv4 field
** Message:     got APP field
** Message: Authreq end
** Message: Starting search and fill
** Message: Complete authreq: Filling user data for tilli
** Message: entering acl_check
** Message: LDAP filter : 
(&(objectClass=NuAccessControlList)(SrcIPStart<=2886730005)
(SrcIPEnd>=2886730005)(DstIPStart<=1045136959)(DstIPEnd>=1045136959)(Proto=6)
(DstPortStart<=22)(DstPortEnd>=22)(|(&(OsName=*)(OsName=Linux))(!(OsName=*)))
(|(&(AppName=*)(AppName=/usr/bin/ssh))(!(AppName=*)))(|(&(OsRelease=*)
(OsRelease=2.6.16.17))(!(OsRelease=*)))(|(&(OsVersion=*)(OsVersion=#1 Mon May 
22 15:01:29 CEST 2006))(!(OsVersion=*)))(!(AppSig=*)))

** Message: Acl found with decision 1

** Message: Starting search and fill
** Message: Trying to take decision on 0x89b0e70
** Message: leaving acl_check
** Message: Sending auth answer 0 for packet 15 on socket 0x89b1680
** Message: [nuauth] Drop [tilli] 1149000375 : SRC=172.16.1.21 
DST=62.75.134.63 PROTO=6 SPT=38027 DPT=22



PS: The documentation mentions the LDAP tree dc=acls,dc=example,dc=com, which 
conflicts with the schema. It has to be ou=...
BTW, I would appreciate some more LDAP examples. ;)
LDAP is great with nufw but not so well documented.

-- 
Tilman Baumann
Software Developer
Collax GmbH . Boetzinger Strasse 60 . 79111 Freiburg . Germany

p: +49 (0) 89-990157-0
f: +49 (0) 89-990157-11
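The post shows the ACL entry and the log line but not the comparison that leads from one to the other. The following script is an added example, not nuauth's code: it re-evaluates the NuAccessControlList entry from the post against the packet fields in the "Drop" log line, one comparison at a time, so that a failing range, protocol or group check is named explicitly. The attribute names and values are taken from the LDIF and the log in the post; the matching logic, the `check_acl`/`decide` helpers and the `user_gids` parameter are this example's own assumptions about how such a check can be expressed, not nuauth's implementation.

```python
# Added example, not code from nuauth: re-evaluate a NuAccessControlList entry
# against the packet fields seen in the nuauth log, field by field, so that a
# failing comparison (range, protocol or group) is visible instead of being
# hidden behind a single "Drop" line.
import ipaddress
import re

def ip_to_int(addr):
    """Dotted-quad IPv4 address -> the 32-bit integer stored in the ACL entry."""
    return int(ipaddress.IPv4Address(addr))

def int_to_ip(value):
    """Inverse of ip_to_int, to read SrcIPStart/SrcIPEnd values as addresses."""
    return str(ipaddress.IPv4Address(value))

# ACL entry constructed from the LDIF in the post (integer attribute values).
ACL_ALL = {
    "cn": "all",
    "Proto": 6,
    "SrcIPStart": 2886729728, "SrcIPEnd": 2886795263,
    "DstIPStart": 0,          "DstIPEnd": 4294967295,
    "SrcPortStart": 0,        "SrcPortEnd": 65535,
    "DstPortStart": 0,        "DstPortEnd": 65535,
    "Group": 500,
    "Decision": 1,   # value as stored in the post's entry
}

LOG_FIELD = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def packet_from_log(line):
    """Parse the SRC=/DST=/PROTO=/SPT=/DPT= fields of a nuauth decision log line."""
    fields = dict(LOG_FIELD.findall(line))
    return {
        "src": ip_to_int(fields["SRC"]),
        "dst": ip_to_int(fields["DST"]),
        "proto": int(fields["PROTO"]),
        "sport": int(fields["SPT"]),
        "dport": int(fields["DPT"]),
    }

def range_filter(pkt):
    """Range clauses of the LDAP search filter in the form nuauth logs them
    (the OsName/AppName/OsRelease/OsVersion clauses are left out here)."""
    return ("(&(objectClass=NuAccessControlList)"
            f"(SrcIPStart<={pkt['src']})(SrcIPEnd>={pkt['src']})"
            f"(DstIPStart<={pkt['dst']})(DstIPEnd>={pkt['dst']})"
            f"(Proto={pkt['proto']})"
            f"(DstPortStart<={pkt['dport']})(DstPortEnd>={pkt['dport']}))")

def check_acl(acl, pkt, user_gids):
    """Return each comparison's result; when every value is True the ACL applies
    to this packet and this user, and acl['Decision'] is the decision to take."""
    return {
        "proto": acl["Proto"] == pkt["proto"],
        "src_ip": acl["SrcIPStart"] <= pkt["src"] <= acl["SrcIPEnd"],
        "dst_ip": acl["DstIPStart"] <= pkt["dst"] <= acl["DstIPEnd"],
        "src_port": acl["SrcPortStart"] <= pkt["sport"] <= acl["SrcPortEnd"],
        "dst_port": acl["DstPortStart"] <= pkt["dport"] <= acl["DstPortEnd"],
        # group membership: the ACL's Group must be one of the user's gids;
        # both sides are normalised to int so a string-vs-integer mismatch
        # cannot silently fail the comparison
        "group": acl["Group"] in set(int(g) for g in user_gids),
    }

def decide(acl, pkt, user_gids):
    """acl['Decision'] when every comparison holds, else the names that failed."""
    results = check_acl(acl, pkt, user_gids)
    failed = sorted(name for name, ok in results.items() if not ok)
    return acl["Decision"] if not failed else failed

if __name__ == "__main__":
    # Log line constructed from the one in the post.
    LINE = ("[nuauth] Drop [tilli] 1149000375 : SRC=172.16.1.21 "
            "DST=62.75.134.63 PROTO=6 SPT=38027 DPT=22")
    pkt = packet_from_log(LINE)
    print("SrcIP range:", int_to_ip(ACL_ALL["SrcIPStart"]),
          "-", int_to_ip(ACL_ALL["SrcIPEnd"]))
    print(range_filter(pkt))
    print("user in gid 500:", decide(ACL_ALL, pkt, [500]))
    print("user in gid 1000:", decide(ACL_ALL, pkt, [1000]))
```

Run stand-alone, the script confirms that the ACL's source range is 172.16.0.0 to 172.16.255.255, that 172.16.1.21 and 62.75.134.63 map to the integers in the logged filter, and that every comparison holds for a user in gid 500. Feeding it the gids nuauth actually resolves for the user (including their type, string or integer) is a quick way to rule the group comparison in or out when the log only says "Drop".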