List: net-snmp-bugs
Subject: [ net-snmp-Bugs-1437985 ] SNMPv3 : A user can belong to only one group.
From: "SourceForge.net" <noreply () sourceforge ! net>
Date: 2006-02-24 16:48:30
Message-ID: E1FCg7K-0006B6-TT () sc8-sf-web2 ! sourceforge ! net
Bugs item #1437985, was opened at 2006-02-24 02:29
Message generated for change (Comment added) made by nobody
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=112694&aid=1437985&group_id=12694
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: agent
Group: linux
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: SNMPv3 : A user can belong to only one group.
Initial Comment:
net-snmp version 5.2.1.2
Operating System : Linux (debian).
When using SNMPv3, if a user belongs to more than one
group, only the first group is taken into account to grant
access rights. With a configuration of this type:
# sec.name source community
com2sec paranoid localhost public
com2sec readonly localhost public
####
# Second, map the security names into group names:
# sec.model sec.name
group MyROSystem v1 paranoid
group MyROSystem v2c paranoid
group MyROSystem usm usertest
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm usertest
####
# Third, create a view for us to let the groups have rights to:
# incl/excl subtree mask
#view all included .1 80
view system included .1.3.6.1.2.1.1
view ifaces included .1.3.6.1.2.1.2
####
# Finally, grant the 2 groups access to the 1 view with different
# write permissions:
# context sec.model sec.level match read write notif
access MyROSystem "" usm priv exact system none none
access MyROGroup "" usm priv exact ifaces none none
with: "createUser usertest MD5 tsttsttst DES tsttsttst"
and the agent launched by: "/usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid"
You can do:
$ /usr/bin/snmpget -v 3 -n "" -u usertest -l authPriv -a MD5 -A tsttsttst -x DES -X tsttsttst 127.0.0.1 .1.3.6.1.2.1.1.3.0
SNMPv2-MIB::sysUpTime.0 = Timeticks: (20569) 0:03:25.69
But:
/usr/bin/snmpget -v 3 -n "" -u usertest -l authPriv -a MD5 -A tsttsttst -x DES -X tsttsttst 127.0.0.1 .1.3.6.1.2.1.2.1.0
IF-MIB::ifNumber.0 = No Such Object available on this agent at this OID
Whereas "IF-MIB::ifNumber.0" is reachable when you
suppress the group "MyROSystem".
When I look at traces using -D -f options for the
agent, I can see the agent doesn't search for more
than one group before it sends its answer.
regards,
--
Xavier Plattard
xavier.plattard@evidian.com
----------------------------------------------------------------------
Comment By: Nobody/Anonymous (nobody)
Date: 2006-02-24 08:48
Message:
Logged In: NO
By the way, I noticed the same kind of behaviour with 2
security names created with com2sec that have the same
community. If each one belongs to one group, and each group
is bound to one view, the agent grants access to only the
first view for this community...
--
Xavier Plattard
----------------------------------------------------------------------
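A configuration check for the behaviour reported in this thread, as an added example that is not part of the original report or of net-snmp. VACM (RFC 3415) maps each (securityModel, securityName) pair to a single group name, so the script flags pairs that appear under more than one `group` name, and (source, community) pairs that appear under more than one `com2sec` name; the function name is hypothetical and the sample input is constructed from the configuration in the report.

```python
from collections import defaultdict

# Sample snmpd.conf fragment, constructed from the configuration in the report.
SAMPLE_CONF = """\
com2sec paranoid localhost public
com2sec readonly localhost public
group MyROSystem v1 paranoid
group MyROSystem v2c paranoid
group MyROSystem usm usertest
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm usertest
"""

def find_shadowed_mappings(conf_text):
    """Return (kind, key, effective, shadowed) tuples for ambiguous mappings.

    kind "group":   key = (sec.model, sec.name)
    kind "com2sec": key = (context, source, community)
    The first name in file order is reported as effective, which is the
    behaviour described in the report (an assumption taken from the thread).
    """
    seen = defaultdict(list)  # (kind, key) -> names in file order
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        directive, args = tokens[0], tokens[1:]
        if directive == "group" and len(args) >= 3:
            name, model, sec_name = args[:3]
            seen[("group", (model, sec_name))].append(name)
        elif directive == "com2sec":
            context = ""
            if len(args) >= 2 and args[0] == "-Cn":  # optional context
                context, args = args[1], args[2:]
            if len(args) >= 3:
                sec_name, source, community = args[:3]
                seen[("com2sec", (context, source, community))].append(sec_name)
    findings = []
    for (kind, key), names in seen.items():
        unique = list(dict.fromkeys(names))  # drop exact repeats, keep order
        if len(unique) > 1:
            findings.append((kind, key, unique[0], unique[1:]))
    return findings

if __name__ == "__main__":
    for kind, key, effective, shadowed in find_shadowed_mappings(SAMPLE_CONF):
        print(f"{kind} {key}: effective={effective} ignored={shadowed}")
```

For the reporter's intent (one user reading both subtrees), the usual arrangement is a single group whose view lists both `included` subtrees under one view name.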