Re: ldappasswd hangs (server deadlock) (ITS#2122)
This is a multi-part message in MIME format.
--------------030808000600030109080709
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi
I'm back from holiday now. Please find attached the complete config file;
the DNs used are listed below.
DN to bind: cn=super user,ou=technical users,dc=adnovum,dc=ch
DN to change password: cn=ra server,ou=technical users,dc=adnovum,dc=ch
=> the DNs are members of groups referenced in the ACLs
best regards
Matthias
Howard Chu wrote:
> I am unable to duplicate this error. I also don't have enough information; from
> the logs you sent it's clear that you're using some group-based ACLs.
>
> Please send your complete slapd.conf, minus any secret passwords, including all
> of your ACL config. Also send complete information on the DNs in your example -
> is the DN the database's rootdn? Is it a member of a group referenced in the
> ACL?
>
--------------030808000600030109080709
Content-Type: text/plain;
name="slapd.conf"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="slapd.conf"
#
# slapd.conf as attached to the report: schema includes, the ACL set,
# process files, the SASL realm and a single bdb database.
include /etc/core.schema
include /etc/cosine.schema
include /etc/inetorgperson.schema
include /etc/nis.schema
include /etc/sunnis.schema
include /etc/corba.schema
include /etc/adnovum.oids
include /etc/isicfg.schema
include /etc/isiins.schema
include /etc/nevis.schema
# Access control. slapd applies the first 'access to' directive whose target
# matches the entry (and, within it, the first matching 'by' clause), so the
# order of the rules below is significant.
# AC1: allow only members of group 'directory admins' access to 'technical users' subtree
# NOTE(review): both DNs quoted in the report live under this subtree, so a
# password change needs the binding DN to be a member of
# cn=directory admins,ou=admin groups,dc=adnovum,dc=ch. Evaluating that
# group.exact clause requires slapd to fetch the group entry under
# 'ou=admin groups', which AC2 below guards with the same group clause;
# whether that internal lookup is involved in the reported hang is for the
# ITS to determine.
access to dn.subtree="ou=technical users,dc=adnovum,dc=ch"
by anonymous auth
by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
by * none
# AC2: allow only members of group 'directory admins' access to 'admin groups' subtree
# (no 'anonymous auth' clause here: entries in this subtree cannot be bound as
# by non-members)
access to dn.subtree="ou=admin groups,dc=adnovum,dc=ch"
by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
by * none
# AC3: allow only members of group 'ca admins' write access to 'certificate authorities' subtree
access to dn.subtree="ou=certificate authorities,dc=adnovum,dc=ch"
by group.exact="cn=ca admins,ou=admin groups,dc=adnovum,dc=ch" write
by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
by * read
# AC4: allow only members of group 'ins admins' write access to 'isiins' subtree
access to dn.subtree="cn=isiins,ou=applications,dc=adnovum,dc=ch"
by group.exact="cn=ins admins,ou=admin groups,dc=adnovum,dc=ch" write
by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
by * read
# AC5: allow only members of group 'isi admins' write access to 'isicfg' subtree
access to dn.subtree="cn=isicfg,ou=applications,dc=adnovum,dc=ch"
by group.exact="cn=isi admins,ou=admin groups,dc=adnovum,dc=ch" write
by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
by * read
# Catch-all for every entry not matched by AC1-AC5.
# NOTE(review): no 'attrs=userPassword' rule precedes this, so AC3-AC5 and
# this rule make entries outside the two restricted subtrees fully readable
# by anonymous clients, userPassword included if such entries carry it. The
# usual hardening is an
#   access to attrs=userPassword by self write by anonymous auth by * none
# rule placed ahead of the subtree rules -- confirm against the deployed tree
# before altering a config that reproduces the reported hang.
access to *
by group.exact="cn=directory admins,ou=admin groups,dc=adnovum,dc=ch" write
by * read
#
pidfile /log/slapd.pid
argsfile /log/slapd.args
# SASL
sasl-realm adnovum.ch
#######################################################################
# bdb database definitions
#######################################################################
# NOTE(review): no rootdn/rootpw is declared for this database, so the
# binding DN quoted in the report is an ordinary entry subject to the ACLs
# above rather than the database root.
database bdb
suffix "dc=adnovum,dc=ch"
directory /db
# Indices to maintain
index objectClass pres,eq
index cn eq,sub
index sn eq,sub
index memberUid pres,eq
index macAddress pres,eq
index uid pres,eq
index uidNumber eq
index gidNumber eq
index ipHostNumber eq
index ipNetworkNumber eq
index ipProtocolNumber pres,eq
index oncRpcNumber eq
index ipServiceProtocol pres,eq
index ipServicePort eq
index nisDomain pres,eq
index nisMapName pres,eq
index mail pres,eq
index membernisnetgroup pres,eq,sub
#index nisnetgrouptriple pres,eq,sub
index isiInsOid eq
index isiCfgAppid pres,eq
index isiCfgVersion pres,eq
index isiCfgInstance pres,eq
index isiCfgPlatform pres,eq
# Hash scheme applied to passwords set through slapd (e.g. by ldappasswd).
# NOTE(review): {CRYPT} with a two-character salt ("%.2s") selects the
# traditional crypt(3) scheme on most platforms, which is weak by current
# standards; {SSHA} is the usual alternative and needs no salt-format
# directive. Confirm against the platform's crypt(3) before changing.
password-hash {CRYPT}
password-crypt-salt-format "%.2s"
--------------030808000600030109080709--