Re: using -W/-w <binddnpasswd>
On 8 May, Cibu C Johny wrote:
> Thanks a lot for the detailed description.
>
> Still I haven't got it working. Following is my slapd.conf:
> -------------------------------------------------------
> include /usr/local/etc/openldap/slapd.at.conf
> include /usr/local/etc/openldap/slapd.oc.conf
> schemacheck on
>
> database ldbm
> suffix "o=3com, c=us"
> rootdn "o=3com, c=us"
> rootpw password
>
> access to *
> by self write
> by * none
> --------------------------------------------------------
>
> THE COMMAND I TRIED WAS:
> ldappasswd -v -w a -b "cn=Cibu Johny, o=3com, c=us" -h <ip addr of slapd server> "cn=*"
>
> IT GAVE FOLLOWING ERROR MESSAGE: ('a' was the password set)
>
> New password:
> Re-enter new password:
> cn=Cibu Johny, o=3com, c=us
> ldap_modify: Insufficient access
> --------------------------------------------------------
>
> BUT WITH FOLLOWING ACL CHANGE, ldappasswd CHANGES PASSWORD:
> --------------------------------------------------------
> access to *
> by self write
> by * write
> --------------------------------------------------------
>
> But it does not require the -w flag. So what I don't understand is how slapd
> recognizes the 'self'.
OOPS: Just noticed the error in your command line (after I wrote the
below <sigh>).
You need to use the -D option, not -b to specify the user (DN) you want
to authenticate as.
------------------------------------------------------------------
OK, here is what I just tested.
slapd.conf changes:
database ldbm
suffix "o=3com,c=us"
directory /opt/openldap/databases/3com
rootdn "cn=mgr,o=3com,c=us"
rootpw {crypt}$1$ehJf7EUF$feIDl/6CLNEuKFKNmVjIv.
access to dn=".*,o=3com,c=us"
by self write
by * none
mkdir /opt/openldap/databases/3com
/etc/rc.d/init.d/stop
/etc/rc.d/init.d/start
1.ldif:
dn: o=3com,c=us
objectclass: top
objectclass: organization
o: 3com
dn: cn=Cibu Johny,o=3com,c=us
objectclass: top
objectclass: account
cn: Cibu Johny
userpassword: {crypt}wTr2UCGHFNLHo
NOTE: userpassword is the crypt(3) version of "Testing"
Add the information
/opt/openldap/bin/ldapadd -D "cn=mgr,o=3com,c=us" -W -f 1.ldif
Verify account works
/opt/openldap/bin/ldapsearch -b "o=3com,c=us" -D "cn=Cibu Johny,o=3com,c=us" -w Testing "(objectclass=*)"
o=3com,c=us
objectclass=top
objectclass=organization
o=3com
cn=Cibu Johny,o=3com,c=us
objectclass=top
objectclass=account
cn=Cibu Johny
userpassword={crypt}wTr2UCGHFNLHo
Change the password
/opt/openldap/bin/ldappasswd -D "cn=Cibu Johny,o=3com,c=us" -w Testing -e Hello
Try to search again
/opt/openldap/bin/ldapsearch -b "o=3com,c=us" -D "cn=Cibu Johny,o=3com,c=us" -w Testing "(objectclass=*)"
ldap_bind: Invalid credentials
Try new password
/opt/openldap/bin/ldapsearch -b "o=3com,c=us" -D "cn=Cibu Johny,o=3com,c=us" -w Hello "(objectclass=*)"
o=3com,c=us
objectclass=top
objectclass=organization
o=3com
cn=Cibu Johny,o=3com,c=us
objectclass=top
objectclass=account
cn=Cibu Johny
userpassword={crypt}f0oklX8Kil4.E
--
Doug Nazar
Dragon Computer Consultants Inc.
Tel: (416) 708-1578 Fax: (416) 708-8081
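On the question raised in the thread of how slapd recognizes 'self': the `by self` clause matches only when the DN the client authenticated as (the `-D` argument to the ldap tools) is the same DN as the entry being accessed, so an anonymous bind never qualifies, and `-b` only sets the search base. The following is an added example, not code from this thread or from OpenLDAP itself: a small Python evaluator for the `access to ... by ...` syntax used above, run over the three ACL fragments that appear in the messages. The parser, `normalize_dn`, `evaluate`, and the simplification that the first matching `access to` clause decides (with a deny if no `by` clause matches) are assumptions of this model, not OpenLDAP's own implementation.

```python
"""Toy model of slapd-style "access to ... by ..." evaluation (added example,
not OpenLDAP's code). It shows why 'by self write' only helps a client that
bound as the entry's own DN, and what 'by * write' hands to anonymous clients."""
import re
from dataclasses import dataclass

# Access levels in increasing order; a grant at one level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def normalize_dn(dn: str) -> str:
    """Canonical form used for comparison (assumption: lowercase, no blanks around
    the commas). This is why "o=3com, c=us" and "o=3com,c=us" compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class AccessRule:
    target: str   # regex over the normalized entry DN
    by: list      # (who, level) pairs in the order written


def parse_acl(text: str) -> list:
    """Parse 'access to <what>' / 'by <who> <level>' lines from a slapd.conf fragment."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to"):
            what = line[len("access to"):].strip()
            m = re.fullmatch(r'dn="(.*)"', what)
            if m:
                pattern = m.group(1)          # regex-style dn target
            elif what == "*":
                pattern = ".*"                # every entry
            else:
                raise ValueError(f"unsupported target: {what}")
            rules.append(AccessRule(pattern, []))
        elif line.startswith("by "):
            who, level = line[3:].split()
            if level not in LEVELS:
                raise ValueError(f"unknown level: {level}")
            rules[-1].by.append((who, level))
    return rules


def evaluate(rules, bind_dn, target_dn) -> str:
    """Access level the bound identity gets on target_dn.

    bind_dn is the DN the client authenticated as (the ldap tools' -D); None
    means an anonymous bind. The first 'access to' clause whose regex matches
    the entry decides; within it the first 'by' clause matching the requester
    wins, and if none matches access is denied.
    """
    entry = normalize_dn(target_dn)
    requester = normalize_dn(bind_dn) if bind_dn else None
    for rule in rules:
        if not re.fullmatch(rule.target, entry, flags=re.IGNORECASE):
            continue
        for who, level in rule.by:
            # 'self' needs an authenticated DN that equals the entry's DN.
            if who == "self" and requester is not None and requester == entry:
                return level
            if who == "*":
                return level
        return "none"
    return "none"


def allowed(rules, bind_dn, target_dn, needed) -> bool:
    """True if the granted level covers the operation's required level."""
    return LEVELS.index(evaluate(rules, bind_dn, target_dn)) >= LEVELS.index(needed)


# The three ACL fragments that appear in the thread (copied, not invented).
ORIGINAL_ACL = """
access to *
 by self write
 by * none
"""
LOOSENED_ACL = """
access to *
 by self write
 by * write
"""
SCOPED_ACL = """
access to dn=".*,o=3com,c=us"
 by self write
 by * none
"""

USER = "cn=Cibu Johny, o=3com, c=us"

if __name__ == "__main__":
    orig = parse_acl(ORIGINAL_ACL)
    # DN given with -b instead of -D: the bind is anonymous, so 'self' never matches.
    print("anonymous modify of own entry:", evaluate(orig, None, USER))            # none
    # Bound as the entry's own DN (-D): 'self' matches.
    print("self modify with -D:", evaluate(orig, USER, USER))                     # write
    # Bound as one user, modifying another: falls through to 'by * none'.
    print("modify other user:", evaluate(orig, USER, "cn=Other,o=3com,c=us"))     # none
    # The loosened ACL lets an anonymous client write any entry, passwords included.
    print("anonymous under loosened ACL:", evaluate(parse_acl(LOOSENED_ACL), None, USER))  # write
```

The first case reproduces the "Insufficient access" in the thread: with no `-D` the modify arrives anonymously and only `by * none` applies. The last case is the reason the `by * write` workaround is not a fix: it makes every entry, userpassword included, writable by anyone who can reach the server without authenticating at all.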