
Re: ldappasswd hangs (server deadlock) (ITS#2122)



This is a multi-part message in MIME format.
--------------030808000600030109080709
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi

I'm back from holiday now. Please find the complete config file attached,
and the DNs used below.

DN to bind:            cn=super user,ou=technical users,dc=adnovum,dc=ch
DN to change password: cn=ra server,ou=technical users,dc=adnovum,dc=ch

=> both DNs are members of groups referenced in the ACLs

best regards

Matthias

Howard Chu wrote:

> I am unable to duplicate this error. I also don't have enough information; from
> the logs you sent it's clear that you're using some group-based ACLs.
> 
> Please send your complete slapd.conf, minus any secret passwords, including all
> of your ACL config. Also send complete information on the DNs in your example -
> is the DN the database's rootdn? Is it a member of a group referenced in the
> ACL?
> 


--------------030808000600030109080709
Content-Type: text/plain;
 name="slapd.conf"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="slapd.conf"

#
# slapd.conf as attached to this ITS#2122 follow-up (ldappasswd hang report).
#
# Schema files are loaded first; the ACL and index directives further down
# refer to attribute types these files define.
include /etc/core.schema
include /etc/cosine.schema
include /etc/inetorgperson.schema
include /etc/nis.schema
include /etc/sunnis.schema
include /etc/corba.schema

# Site-specific OIDs and schema.
include /etc/adnovum.oids
include /etc/isicfg.schema
include /etc/isiins.schema
include /etc/nevis.schema

# Access control.  slapd evaluates "access to" clauses in the order written
# and applies the first clause whose target matches the entry, so the
# subtree-specific rules below must stay ahead of the catch-all "access to *"
# at the end.  Every group.exact clause makes slapd look up the named group
# entry under "ou=admin groups" while the ACL is being evaluated.
#
# AC1: allow only members of group 'directory admins' access to 'technical users' subtree
# Both DNs from the report (the binding "cn=super user" and the target
# "cn=ra server") live in this subtree.  "by anonymous auth" only permits
# binding against these entries; "by * none" leaves every other authenticated
# identity -- including an entry's own DN -- with no access, so only members
# of 'directory admins' can change a password here.
access to dn.subtree="ou=technical users,dc=adnovum,dc=ch" 
 	by anonymous auth
	by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
	by * none

# AC2: allow only members of group 'directory admins' access to 'admin groups' subtree
# This subtree holds the group entries that every group.exact clause in this
# file refers to; the entries themselves are readable only by the
# 'directory admins' group.
access to dn.subtree="ou=admin groups,dc=adnovum,dc=ch" 
	by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
	by * none

# AC3: allow only members of group 'ca admins' write access to 'certificate authorities' subtree
# "by * read" includes anonymous read of this subtree.
access to dn.subtree="ou=certificate authorities,dc=adnovum,dc=ch" 
	by group.exact="cn=ca admins,ou=admin groups,dc=adnovum,dc=ch" write
	by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
	by * read

# AC4: allow only members of group 'ins admins' write access to 'isiins' subtree
access to dn.subtree="cn=isiins,ou=applications,dc=adnovum,dc=ch" 
	by group.exact="cn=ins admins,ou=admin groups,dc=adnovum,dc=ch" write
	by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
	by * read

# AC5: allow only members of group 'isi admins' write access to 'isicfg' subtree
access to dn.subtree="cn=isicfg,ou=applications,dc=adnovum,dc=ch" 
	by group.exact="cn=isi admins,ou=admin groups,dc=adnovum,dc=ch" write
	by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
	by * read

# Catch-all for every entry not matched above.  "by * read" also grants
# anonymous read, and no "access to attrs=userPassword" clause precedes it,
# so the password hashes of entries outside the subtrees closed off by AC1 and
# AC2 (for example posixAccount entries from the nis schema) appear to be
# readable without authentication.  The usual hardening is an attribute rule
# placed before this clause, adapted to site policy, e.g.
#   access to attrs=userPassword
#       by self write
#       by anonymous auth
#       by * none
# Left untouched here so the file still matches the configuration the hang
# was observed with.
access to *
	by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
	by * read

#
# Runtime files (pid and argument list of the running slapd).
pidfile  /log/slapd.pid
argsfile /log/slapd.args

# SASL
# Realm used for SASL authentication identities.  Nothing else in this file
# configures SASL or TLS, so a simple bind such as the one in the report
# carries the password in the clear unless TLS is set up elsewhere.
sasl-realm    adnovum.ch

#######################################################################
# bdb database definitions
#######################################################################

database	bdb
suffix		"dc=adnovum,dc=ch"
directory	/db

# Indices to maintain
index	objectClass	      pres,eq
index	cn                eq,sub
index	sn                eq,sub
index   memberUid         pres,eq
index   macAddress        pres,eq
index   uid               pres,eq
index   uidNumber         eq
index   gidNumber         eq
index   ipHostNumber      eq
index   ipNetworkNumber   eq
index   ipProtocolNumber  pres,eq
index   oncRpcNumber      eq
index   ipServiceProtocol pres,eq
index   ipServicePort     eq
index   nisDomain         pres,eq
index   nisMapName        pres,eq
index   mail              pres,eq
index   membernisnetgroup pres,eq,sub
# nisnetgrouptriple indexing is deliberately disabled (kept for reference).
#index	nisnetgrouptriple pres,eq,sub

# Site-specific attribute indexes.
index	isiInsOid         eq

index	isiCfgAppid       pres,eq
index	isiCfgVersion     pres,eq
index	isiCfgInstance    pres,eq
index	isiCfgPlatform    pres,eq

# Password storage.  userPassword values set through slapd (including the
# Password Modify extended operation that ldappasswd uses) are hashed with
# crypt(3).  The "%.2s" salt format hands crypt(3) a two-character salt,
# which on most libc implementations selects the traditional DES-based
# algorithm (13-character hashes, only the first 8 password characters
# significant).  Where consumers do not need crypt-compatible hashes, the
# slapd default {SSHA} or a stronger crypt variant is preferable.
password-hash {CRYPT}
password-crypt-salt-format "%.2s"

--------------030808000600030109080709--