
Re: using ldapmodify and simple authentication



At 10:03 AM 6/7/00 -0500, Frank Koenen wrote:
>Am I correct in understanding that in using Simple Authentication with
>"ldapmodify" requires I use a "uid=nnn" struct in my DN of those users
>I wish to have the ability to bind with authentication? 

No.  Neither ldapmodify nor slapd places any naming restrictions
upon entries used as bind targets.

>Can I get clarity. I'm using "ldapmodify" as such:
>
>cat <<- !! > /tmp/input.$$
>        dn: uid=mr501,ou=Members,o=MedRepublic,c=US
>        add: foo
>        foo: Hello
>        !!

You should remove leading white space from your LDIF attribute types.

>ldapmodify -v \
>     -f /tmp/input.$$ \
>     -h develop.medrepublic.com \
>     -W \
>     -D "uid=mr501,ou=Members,o=MedRepublic,c=US"
>
>
>With the appropriate ACL definition in the /etc/slapd.conf file, this
>works just fine. However, if I store my entities with a DN that does
>not contain a "uid=nnn" pattern, I cannot get this to work. I get:
>
>           ldap_modify: Insufficient access
>
>Demonstration of the problem:
>
>1) I created a entry with a DN of: "dn: foo=mr501,ou=Members,o=MedRepublic,c=US", 
>   This entry is exactly the same as the DN using "uid=mr501" that works above, with
>   only the "uid=" changed to "foo=".
>2) I modified the following in my /etc/slapd.conf file and reset the
>   slapd daemon:
>     access to dn=".*,ou=Members,o=MedRepublic,c=US" by dn="foo=mr501,ou=Members,o=MedRepublic,c=US" write
>3) I execute the "ldapmodify" command as such:
>   ldapmodify -v \
>     -f /tmp/input.$$ \
>     -h develop.medrepublic.com \
>     -W \
>     -D "foo=mr501,ou=Members,o=MedRepublic,c=US"
>4) Upon entering the password, I get the "ldap_modify: Insufficient access"
>   message.

Given that you didn't get an ldap_bind error, you were able to
authenticate as "foo=mr501,ou=Members,o=MedRepublic,c=US".  It's
most likely that an earlier matched ACL is denying your access.

>Can anyone identify what I'm overlooking?

See FAQ regarding ACLs... in particular, note that ACL ordering
matters and only the first matched ACL matters.

>Am I misinterpreting the
>intended implementation of the OpenLdap Simple authentication model?

Yes.
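The two points made in the reply above, as an added illustration that is not part of the thread and not OpenLDAP's own code: a simplified model of how slapd evaluates `access` directives (the first `access to` clause whose DN pattern matches the target entry decides, within it the first matching `by` clause decides, and no matching `by` clause means no access rather than a fall-through to the next directive), plus the LDIF folding rule that makes leading white space harmful. The slapd.conf fragments, DNs and the `foo=mr501` entry are constructed from the thread's own example; the 1.x-style `dn="<regex>"` patterns are treated as regular expressions, which is a simplification of what slapd does.

```python
import re

# slapd access levels in ascending order; a granted level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acls(conf_text):
    """Parse constructed slapd.conf lines of the form
       access to dn="<regex>" by dn="<regex>" <level> by * <level>
    into a list of (to_pattern, [(by_pattern, level), ...]).
    '*' as a pattern matches any entry or any bind DN. Comments are skipped."""
    acls = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("access to "):
            continue
        parts = re.split(r"\s+by\s+", line[len("access to "):])
        what = parts[0].strip()
        to_pat = "*" if what == "*" else re.match(r'dn="(.*)"', what).group(1)
        by_clauses = []
        for clause in parts[1:]:
            who, level = clause.rsplit(None, 1)
            by_pat = "*" if who == "*" else re.match(r'dn="(.*)"', who).group(1)
            by_clauses.append((by_pat, level))
        acls.append((to_pat, by_clauses))
    return acls


def _matches(pattern, dn):
    # Assumption: patterns are unanchored, case-insensitive regexes.
    return pattern == "*" or re.search(pattern, dn, re.IGNORECASE) is not None


def granted_level(acls, target_dn, bind_dn):
    """Only the first 'access to' clause matching the target is consulted;
    its first matching 'by' clause wins; if none of its 'by' clauses match,
    the result is 'none' (later directives are never reached)."""
    for to_pat, by_clauses in acls:
        if _matches(to_pat, target_dn):
            for by_pat, level in by_clauses:
                if _matches(by_pat, bind_dn):
                    return level
            return "none"
    return "none"


def has_access(acls, target_dn, bind_dn, needed):
    return LEVELS.index(granted_level(acls, target_dn, bind_dn)) >= LEVELS.index(needed)


# Constructed: a broad clause placed first catches every entry under
# o=MedRepublic, so the member clause underneath is never reached and
# foo=mr501 gets only read access to its own entry -> "Insufficient access".
BROKEN_CONF = """
access to dn=".*,o=MedRepublic,c=US" by * read
access to dn=".*,ou=Members,o=MedRepublic,c=US" by dn="foo=mr501,ou=Members,o=MedRepublic,c=US" write
"""

# Constructed: the specific clause is listed first. 'by * read' is kept on it
# because an unmatched 'by' list does not fall through to the next directive.
FIXED_CONF = """
access to dn=".*,ou=Members,o=MedRepublic,c=US" by dn="foo=mr501,ou=Members,o=MedRepublic,c=US" write by * read
access to dn=".*,o=MedRepublic,c=US" by * read
"""


def unfold_ldif(text):
    """LDIF line folding (RFC 2849): a line that starts with a single space
    continues the previous line; the one space is dropped, the rest is kept.
    Indented 'add: foo' lines therefore become part of the dn value."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


if __name__ == "__main__":
    me = "foo=mr501,ou=Members,o=MedRepublic,c=US"
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        acls = parse_acls(conf)
        print(name, "->", granted_level(acls, me, me), "on own entry")
    # Constructed LDIF with indented attribute lines, as in the thread.
    bad = "dn: " + me + "\n        add: foo\n        foo: Hello"
    print("folded into", len(unfold_ldif(bad)), "line(s):", unfold_ldif(bad))
```

The model reproduces the symptom from the thread: a bind as `foo=mr501` succeeds (binding is not governed by these directives), yet the modify is refused because an earlier, broader `access to` clause matched first. The LDIF part shows why the indented lines in the original `ldapmodify` input would be folded into the `dn:` line instead of being read as attribute changes.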