
Re: using -W/-w <binddnpasswd>



On  8 May, Cibu C Johny wrote:
> Thanks a lot for the detailed description.
> 
> Still I haven't got it working. Following is my slapd.conf:
> -------------------------------------------------------
> include		/usr/local/etc/openldap/slapd.at.conf
> include		/usr/local/etc/openldap/slapd.oc.conf
> schemacheck	on
> 
> database ldbm
> suffix "o=3com, c=us"
> rootdn "o=3com, c=us"
> rootpw password
> 
> access to *
>        by self  write
>        by *     none
> --------------------------------------------------------
> 
> THE COMMAND I TRIED WAS:
> ldappasswd -v -w a  -b "cn=Cibu Johny, o=3com, c=us" -h <ip addr of slapd server> "cn=*"
> 
> IT GAVE FOLLOWING ERROR MESSAGE: ('a' was the password set)
> 
> New password:
> Re-enter new password:
> cn=Cibu Johny, o=3com, c=us
> ldap_modify: Insufficient access
> --------------------------------------------------------
> 
> BUT WITH FOLLOWING ACL CHANGE, ldappasswd CHANGES PASSWORD:
> --------------------------------------------------------
> access to *
>        by self  write
>        by *     write
> --------------------------------------------------------
> 
> But it does not require the -w flag. So what I don't understand is how slapd
> recognizes the 'self'.

OOPS: Just noticed the error in your command line (after I wrote the
below <sigh>)

You need to use the -D option, not -b to specify the user (DN) you want
to authenticate as.

------------------------------------------------------------------

Ok, here is what I just tested

slapd.conf changes
database        ldbm
suffix          "o=3com,c=us"
directory       /opt/openldap/databases/3com
rootdn          "cn=mgr,o=3com,c=us"
rootpw          {crypt}$1$ehJf7EUF$feIDl/6CLNEuKFKNmVjIv.

access to dn=".*,o=3com,c=us"
  by self write
  by * none


mkdir /opt/openldap/databases/3com
/etc/rc.d/init.d/stop
/etc/rc.d/init.d/start


1.ldif:
dn: o=3com,c=us
objectclass: top
objectclass: organization
o: 3com

dn: cn=Cibu Johny,o=3com,c=us
objectclass: top
objectclass: account
cn: Cibu Johny
userpassword: {crypt}wTr2UCGHFNLHo

NOTE: userpassword is the crypt(3) version of "Testing"

Add the information
/opt/openldap/bin/ldapadd -D "cn=mgr,o=3com,c=us" -W -f 1.ldif

Verify account works
/opt/openldap/bin/ldapsearch -b "o=3com,c=us" -D "cn=Cibu Johny,o=3com,c=us" -w Testing "(objectclass=*)"
o=3com,c=us
objectclass=top
objectclass=organization
o=3com

cn=Cibu Johny,o=3com,c=us
objectclass=top
objectclass=account
cn=Cibu Johny
userpassword={crypt}wTr2UCGHFNLHo

Change the password
/opt/openldap/bin/ldappasswd -D "cn=Cibu Johny,o=3com,c=us" -w Testing -e Hello

Try to search again
/opt/openldap/bin/ldapsearch -b "o=3com,c=us" -D "cn=Cibu Johny,o=3com,c=us" -w Testing "(objectclass=*)"
ldap_bind: Invalid credentials

Try new password

/opt/openldap/bin/ldapsearch -b "o=3com,c=us" -D "cn=Cibu Johny,o=3com,c=us" -w Hello "(objectclass=*)"
o=3com,c=us
objectclass=top
objectclass=organization
o=3com

cn=Cibu Johny,o=3com,c=us
objectclass=top
objectclass=account
cn=Cibu Johny
userpassword={crypt}f0oklX8Kil4.E

-- 
Doug Nazar
Dragon Computer Consultants Inc.
Tel: (416) 708-1578     Fax: (416) 708-8081
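Added worked example (not part of either mail and not OpenLDAP's own code): a small Python model of how slapd evaluates the access directives quoted in this thread, so the "how does slapd recognize self" question can be traced by hand. It assumes the classic slapd.conf rules: lines starting with whitespace continue the previous directive, the first `access to` whose target regex matches the entry DN decides, within it the first matching `by` clause wins, `self` means the bind DN equals the entry DN, an anonymous bind has no DN at all, and the rootdn is never subject to ACLs. Only the `*` and `self` who-forms and the `*` and `dn="regex"` targets seen in the thread are modelled; the three configurations are constructed from the messages above.

```python
"""Toy model of classic slapd.conf 'access to ... by ... <level>' evaluation.

Added example; it is not slapd's code. It covers only the forms used in the
thread: targets '*' or dn="<regex>", and who-forms '*' or 'self'.
"""
import re
from dataclasses import dataclass

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Access:
    target: str        # regex over the entry DN ('*' is stored as '.*')
    clauses: list      # ordered list of (who, level) from the 'by' clauses


def parse_access(conf_text):
    """Collect 'access to' directives from slapd.conf text (continuation lines
    begin with whitespace, as in slapd.conf itself)."""
    directives, current = [], None
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()          # continuation of previous directive
        else:
            if current is not None:
                directives.append(current)
            current = raw.strip()
    if current is not None:
        directives.append(current)

    acls = []
    for directive in directives:
        if not directive.startswith("access to "):
            continue
        parts = re.split(r"\s+by\s+", directive)
        what = parts[0][len("access to "):].strip()
        if what == "*":
            target = ".*"
        else:
            m = re.fullmatch(r'dn="([^"]*)"', what)
            if m is None:
                raise ValueError("unsupported access target in this model: %r" % what)
            target = m.group(1)
        clauses = []
        for clause in parts[1:]:
            tokens = clause.split()
            clauses.append((tokens[0], tokens[-1]))   # (who, level)
        acls.append(Access(target, clauses))
    return acls


def normalize_dn(dn):
    """'o=3com, c=us' and 'o=3com,c=us' name the same entry."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def access_level(acls, bind_dn, target_dn, rootdn=None):
    """Level granted to bind_dn (None means an anonymous bind) on target_dn."""
    target = normalize_dn(target_dn)
    bind = None if bind_dn is None else normalize_dn(bind_dn)
    if rootdn is not None and bind == normalize_dn(rootdn):
        return "write"                        # rootdn bypasses ACLs entirely
    for acl in acls:
        # classic slapd 'dn=' ACLs are unanchored, case-insensitive regexes
        if not re.search(acl.target, target, re.IGNORECASE):
            continue
        for who, level in acl.clauses:
            if who == "*":
                return level
            if who == "self" and bind is not None and bind == target:
                return level                  # 'self': bind DN is the entry itself
        return "none"                         # matched target, no 'by' applied
    return "none"                             # no access directive matched


def can_write(acls, bind_dn, target_dn, rootdn=None):
    level = access_level(acls, bind_dn, target_dn, rootdn)
    return LEVELS.index(level) >= LEVELS.index("write")


# Constructed from the thread: Cibu's first config, his "by * write" config,
# and Doug's config.
CIBU_CONF = """\
database ldbm
suffix "o=3com, c=us"
rootdn "o=3com, c=us"
rootpw password

access to *
       by self  write
       by *     none
"""
OPEN_CONF = CIBU_CONF.replace("by *     none", "by *     write")
DOUG_CONF = """\
access to dn=".*,o=3com,c=us"
  by self write
  by * none
"""
CIBU = "cn=Cibu Johny, o=3com, c=us"

if __name__ == "__main__":
    # ldappasswd with -b but no -D binds anonymously: 'self' never matches
    print("anonymous, by * none :", access_level(parse_access(CIBU_CONF), None, CIBU))
    print("-D as Cibu           :", access_level(parse_access(CIBU_CONF), CIBU, CIBU))
    print("anonymous, by * write:", access_level(parse_access(OPEN_CONF), None, CIBU))
```

The second configuration "works" without `-w` only because `by * write` hands write access to an anonymous bind, which is why the change was accepted without any credentials at all; with `-D` supplying the bind DN, `self` matches the entry being modified and `by * none` can stay.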