
Re: access



I set the loglevel to 128. Here is part of the output when I do a
search from Netscape:

Does this give a clue as to why I am having this trouble?

Jan 21 08:48:54 imap slapd[15342]:  => access_allowed: entry (dc=amsite, dc=com) attr (mail) 
Jan 21 08:48:54 imap slapd[15342]:  => acl_get: entry (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: no match
Jan 21 08:48:54 imap slapd[15342]:  => acl_access_allowed: search access to entry "dc=amsite, dc=com"
Jan 21 08:48:54 imap slapd[15342]:  => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: granted by default (no matching to)
Jan 21 08:48:54 imap slapd[15342]:  => access_allowed: exit (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]:  => access_allowed: entry (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]:  => acl_get: entry (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: [3] backend acl ou=Employee, dc=amsite, dc=com attr: mail
Jan 21 08:48:54 imap slapd[15342]:  => acl_access_allowed: search access to entry "ou=Employee, dc=amsite, dc=com"
Jan 21 08:48:54 imap slapd[15342]:  => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: matched by clause #2 access denied
Jan 21 08:48:54 imap slapd[15342]:  => access_allowed: exit (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]:  => access_allowed: entry (ou=Roaming, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]:  => acl_get: entry (ou=Roaming, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: [3] backend acl ou=Roaming, dc=amsite, dc=com attr: mail
Jan 21 08:48:54 imap slapd[15342]:  => acl_access_allowed: search access to entry "ou=Roaming, dc=amsite, dc=com"
Jan 21 08:48:54 imap slapd[15342]:  => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: matched by clause #2 access denied

> Could someone help me with this?
> 
> I have the following in my slapd.conf.  The below part is in regards
> to roaming profiles in Netscape.  It works great.  A user gives
> password and has access to his roaming profile.
> 
> access to dn=".*,ou=Roaming,dc=amsite,dc=com" by dnattr=owner write
> access to attr=userpassword
>         by self write
>         by * none
> 
> The below section is to restrict access to the directory to those in
> the Employee group.  This part doesn't work.  I have read the slapd
> and slurpd admin's manual.  
> 
> access to dn=".*,dc=amsite,dc=com"
>         by dn=".*,ou=Employee,dc=amsite,dc=com" read
>         by * none
> 
> I am trying to access the directory via Netscape's address book.  I
> can search fine if I have access set to by * read
> 
> What do I have wrong?
> 
> > I am trying to password protect my ldap directory.  With no access lines
> > in the slapd.conf, I am able to search fine, anonymously.
> > 
> > I have the following in my slapd.conf
> > 
> > defaultaccess none
> > access to *
> >         by dn=".+, dc=amsite, dc=com" read
> > 
> > I have populated the database with the field userPassword.  
> > I am trying to log in to the database.  I tried 
> > ldapsearch -D "cn=User, dc=mydomain dc=com" -b "dc=mydomain, dc=com" -W
> > I got the following error:
> > 
> > ldap_bind: Inappropriate authentication
> > 
> > also I tried:
> > 
> > ldapsearch -D "cn=User" -b "dc=mydomain, dc=com" -W
> > and the error:
> > 
> > ldap_bind: Invalid credentials
> > 
> > I am trying also to connect to the directory with Netscape.  Netscape
> > wants email address and password.  Does the email address have to be
> > part of the dn?
> > 
> > > squeegy+ldap@squeegy.org wrote:
> > > > 
> > > > Hi,
> > > > 
> > > > I have restricted access to my ldap server, now how do I authenticate?
> > > > Does LDAP hit the /etc/passwd file authentication?  So far I have
> > > 
> > > No. LDAP uses its own authentication to control access. The access is
> > > based upon Access Control Lists.
> > > 
> > > For the simplest possible setup, keep the rootpw in slapd.conf the
> > > default "secret".
> > > 
> > > Then bind to the directory as the manager (whatever you made the rootdn
> > > entry).
> > > 
> > > Then try to modify an entry from ud:
> > > 
> > > * cb o=Williams Communications, c=US
> > > 
> > > * bind Manager
> > >   Authenticating to the directory as "Manager"...
> > >   Enter your LDAP password: *********
> > >   Authentication successful.
> > > 
> > > * vedit David
> > > 
> > > ...
> > > 
> > > It should work for you.
> > > 
> > > As far as making the directory editable by users, try this (Warning: I
> > > don't really know how (in)secure this is) in your slapd.conf:
> > > 
> > > defaultaccess read
> > > access to * by self write
> > >             by dn="cn=Manager, ou=SAM, o=Concentric Network, c=US" write
> > > 
> > > These should be the last lines in your slapd.conf (or before a second
> > > database definition)...
> > > 
> > > If you need more help with ACLs, check the documentation (SLAPD/SLURPD
> > > Admin guide); there are some examples in there.
> > > 
> > > Hope that helps...
> > > 
> > > David
> > > 
> > > > seen
> > > > unable to access my ldap server since restricting it.  Thanks for the
> > > > help.
> > > > 
> > > > > squeegy+ldap@squeegy.org schrieb:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Thanks to the help I have gotten here, I have
> > > > > > > built my directory.  I want this directory to be used only by
> > > > > > > those inside the company.  How do I password protect the
> > > > > > > directory and disable anonymous searches?
> > > > 
> > > > ___________________
> > > > 
> > > > Jt "The Squeegy" Chiodi
> > > > 
> > > > http://www.squeegy.org/
> > > > squeegy@squeegy.org
> > > 



___________________

Jt "The Squeegy" Chiodi

http://www.squeegy.org/
squeegy@squeegy.org
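
Added example, not part of the original message or of OpenLDAP: a Python parser for the loglevel 128 ACL trace shown above that pairs each checked entry with the ACL and clause that decided it. The names `parse_acl_trace`, `denials` and `Decision` are hypothetical, and reading the empty `by ""` as an anonymous (unauthenticated) bind is an assumption.

```python
import re
from collections import namedtuple

# Lines copied from the loglevel 128 trace in the message above.
SAMPLE = '''\
Jan 21 08:48:54 imap slapd[15342]:  => access_allowed: entry (dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: no match
Jan 21 08:48:54 imap slapd[15342]:  => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: granted by default (no matching to)
Jan 21 08:48:54 imap slapd[15342]:  => access_allowed: entry (ou=Employee, dc=amsite, dc=com) attr (mail)
Jan 21 08:48:54 imap slapd[15342]: <= acl_get: [3] backend acl ou=Employee, dc=amsite, dc=com attr: mail
Jan 21 08:48:54 imap slapd[15342]:  => acl_access_allowed: search access to value "JCHIODI@AMSITE.COM" by ""
Jan 21 08:48:54 imap slapd[15342]: <= acl_access_allowed: matched by clause #2 access denied
'''
Decision = namedtuple("Decision", "entry attr acl level requester outcome clause")
ENTRY = re.compile(r"=> access_allowed: entry \((.*)\) attr \((.*)\)")
ACL = re.compile(r"<= acl_get: (?:\[(\d+)\]|no match)")
REQ = re.compile(r'=> acl_access_allowed: (\w+) access to value ".*" by "(.*)"')
RESULT = re.compile(r"<= acl_access_allowed: (?:granted by default"
                    r"|matched by clause #(\d+) access (\w+))")

def parse_acl_trace(text):
    """Return one Decision per access_allowed check in a slapd ACL trace."""
    decisions, cur = [], None
    for line in text.splitlines():
        if m := ENTRY.search(line):
            cur = dict(entry=m[1], attr=m[2], acl=None, level=None, requester=None)
        elif cur is None:
            continue  # ignore lines outside an access_allowed block
        elif m := ACL.search(line):
            cur["acl"] = int(m[1]) if m[1] else None  # None: no ACL matched
        elif m := REQ.search(line):
            cur["level"], cur["requester"] = m[1], m[2]
        elif m := RESULT.search(line):
            clause = int(m[1]) if m[1] else None  # None: default access applied
            decisions.append(Decision(**cur, outcome=m[2] or "granted", clause=clause))
            cur = None
    return decisions

def denials(decisions):
    """Summarise denied checks; an empty requester is read as an anonymous bind."""
    return [(d.entry, d.acl, d.clause, d.requester or "anonymous")
            for d in decisions if d.outcome == "denied"]

if __name__ == "__main__":
    for row in denials(parse_acl_trace(SAMPLE)):
        print("denied: entry=%s acl=[%s] clause=#%s requester=%s" % row)
```

On the sample lines this reports the ou=Employee entry as denied by clause #2 of ACL [3] for a requester with no bound DN.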