Re: access
I set the loglevel to 128. Here is part of the output when I do a
search from Netscape:
Does this give a clue as to why I am having this trouble?
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: entry (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: => acl_get: entry (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: no match
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to entry "dc=amsite, dc=com"
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: granted by default (no matching to)
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: exit (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: entry (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: => acl_get: entry (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: [3] backend acl ou=Employee, dc=amsite, dc=com attr: mail
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to entry "ou=Employee, dc=amsite, dc=com"
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: matched by clause #2 access denied
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: exit (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: entry (ou=Roaming, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: => acl_get: entry (ou=Roaming, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: [3] backend acl ou=Roaming, dc=amsite, dc=com attr: mail
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to entry "ou=Roaming, dc=amsite, dc=com"
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: matched by clause #2 access denied
> Could someone help me with this?
>
> I have the following in my slapd.conf. The below part is in regards
> to roaming profiles in Netscape. It works great. A user gives
> password and has access to his roaming profile.
>
> access to dn=".*,ou=Roaming,dc=amsite,dc=com" by dnattr=owner write
> access to attr=userpassword
> by self write
> by * none
>
> The below section is to restrict access to the directory to those in
> the Employee group. This part doesn't work. I have read the slapd
> and slurpd admins manual.
>
> access to dn=".*,dc=amsite,dc=com"
> by dn=".*,ou=Employee,dc=amsite,dc=com" read
> by * none
>
> I am trying to access the directory via Netscape's address book. I
> can search fine if I have access set to by * read
>
> What do I have wrong?
>
> > I am trying password protect my ldap directory. With no access lines
> > in the slapd.conf, I am able to search fine, anonymously.
> >
> > I have the following in my slapd.conf
> >
> > defaultaccess none
> > access to *
> > by dn=".+, dc=amsite, dc=com" read
> >
> > I have populated the database with the field userPassword.
> > I am trying to log in to the database. I tried
> > ldapsearch -D "cn=User, dc=mydomain dc=com" -b "dc=mydomain, dc=com" -W
> > I got the following error:
> >
> > ldap_bind: Inappropriate authentication
> >
> > also I tried:
> >
> > ldapsearch -D "cn=User" -b "dc=mydomain, dc=com" -W
> > and the error:
> >
> > ldap_bind: Invalid credentials
> >
> > I am trying also to connect to the directory with Netscape. Netscape
> > wants email address and password. Does the email address have to be
> > part of the dn?
> >
> > > squeegy+ldap@squeegy.org wrote:
> > > >
> > > > Hi,
> > > >
> > > > I have restricted access to my ldap server, now how do I authenticate?
> > > > Does LDAP hit the /etc/passwd file authentication? So far I have
> > >
> > > No. LDAP uses its own authentication to control access. The access is
> > > based upon Access Control Lists.
> > >
> > > For the simplest possible setup, keep the rootpw in slapd.conf the
> > > default "secret".
> > >
> > > Then bind to the directory as the manager (whatever you made the rootdn
> > > entry).
> > >
> > > Then try to modify an entry from ud:
> > >
> > > * cb o=Williams Communications, c=US
> > >
> > > * bind Manager
> > > Authenticating to the directory as "Manager"...
> > > Enter your LDAP password: *********
> > > Authentication successful.
> > >
> > > * vedit David
> > >
> > > ...
> > >
> > > It should work for you.
> > >
> > > As far as making the directory editable by users, try this (Warning: I
> > > don't really know how (in)secure this is) in your slapd.conf:
> > >
> > > defaultaccess read
> > > access to * by self write
> > > by dn="cn=Manager, ou=SAM, o=Concentric Network, c=US" write
> > >
> > > These should be the last lines in your slapd.conf (or before a second
> > > database definition)...
> > >
> > > If you need more help with ACLs, check the documentation (SLAPD/SLURPD
> > > Admin Guide); there are some examples in there.
> > >
> > > Hope that helps...
> > >
> > > David
> > >
> > > > seen
> > > > unable to access my ldap server since restricting it. Thanks for the
> > > > help.
> > > >
> > > > > squeegy+ldap@squeegy.org wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Thanks to the help I have gotten here, I have
> > > > > > built my directory. I want this directory to be used only by
> > > > > > those inside the company. How do I password protect the
> > > > directory
> > > > > > and disable anonymous searches?
> > > >
> > > > ___________________
> > > >
> > > > Jt "The Squeegy" Chiodi
> > > >
> > > > http://www.squeegy.org/
> > > > squeegy@squeegy.org
___________________
Jt "The Squeegy" Chiodi
http://www.squeegy.org/
squeegy@squeegy.org
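
Added example, not part of the original message: a small parser for the loglevel 128 ACL trace shown above that pairs each `access_allowed` check with the ACL slapd selected, the bind DN printed after `by`, and the decision. The sample lines are copied from the trace in this message; the function names `parse_acl_trace` and `denied` are hypothetical.

```python
import re

# Sample: the first two checks from the trace in the message above.
SAMPLE = '''\
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: entry (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: => acl_get: entry (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: no match
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to entry "dc=amsite, dc=com"
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: granted by default (no matching to)
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: exit (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: entry (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: => acl_get: entry (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: [3] backend acl ou=Employee, dc=amsite, dc=com attr: mail
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to entry "ou=Employee, dc=amsite, dc=com"
Jan 21 08:48:54 imap slapd[15342]: => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: matched by clause #2 access denied
Jan 21 08:48:54 imap slapd[15342]: => access_allowed: exit (ou=Employee, dc=amsite, dc=com) attr (mail)
'''

ENTRY = re.compile(r'=> access_allowed: entry \((?P<dn>.*)\) attr \((?P<attr>[^)]*)\)$')
ACL = re.compile(r'<= acl_get: (?P<acl>.*)$')
WHO = re.compile(r'=> acl_access_allowed: \w+ access to value ".*" by "(?P<who>.*)"$')
DECISION = re.compile(r'<= acl_access_allowed: (?P<result>.*)$')

def parse_acl_trace(text):
    """Return one dict per access_allowed check: dn, attr, acl, who, result."""
    checks, cur = [], None
    for line in text.splitlines():
        if m := ENTRY.search(line):
            cur = {"dn": m["dn"], "attr": m["attr"], "acl": None, "who": None, "result": None}
            checks.append(cur)
        elif cur is None:
            continue  # trace lines before the first check are ignored
        elif m := ACL.search(line):
            cur["acl"] = m["acl"]
        elif m := WHO.search(line):
            # An empty string after `by` means no bind DN was recorded for the request.
            cur["who"] = m["who"] or "(empty bind DN)"
        elif m := DECISION.search(line):
            cur["result"] = m["result"]
    return checks

def denied(checks):
    """Checks whose decision line contains 'denied'."""
    return [c for c in checks if "denied" in (c["result"] or "")]

if __name__ == "__main__":
    for c in parse_acl_trace(SAMPLE):
        print(f'{c["dn"]!r} attr={c["attr"]} by {c["who"]}: {c["result"]} [acl: {c["acl"]}]')
```
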