Re: using ldapmodify and simple authentication
At 10:03 AM 6/7/00 -0500, Frank Koenen wrote:
>Am I correct in understanding that in using Simple Authentication with
>"ldapmodify" requires I use a "uid=nnn" struct in my DN of those users
>I wish to have the ability to bind with authentication?
No. Neither ldapmodify nor slapd places any naming restrictions
upon entries used as bind targets.
>Can I get clarity. I'm using "ldapmodify" as such:
>
>cat <<- !! > /tmp/input.$$
> dn: uid=mr501,ou=Members,o=MedRepublic,c=US
> add: foo
> foo: Hello
> !!
You should remove leading white space from your LDIF attribute types.
>ldapmodify -v \
> -f /tmp/input.$$ \
> -h develop.medrepublic.com \
> -W \
> -D "uid=mr501,ou=Members,o=MedRepublic,c=US"
>
>
>With the appropriate ACL definition in the /etc/slapd.conf file, this
>works just fine. However, if I store my entities with a DN that does
>not contain a "uid=nnn" pattern, I cannot get this to work. I get:
>
> ldap_modify: Insufficient access
>
>Demonstration of the problem:
>
>1) I created a entry with a DN of: "dn: foo=mr501,ou=Members,o=MedRepublic,c=US",
> This entry is exactly the same as the DN using "uid=mr501" that works above, with
> only the "uid=" changed to "foo=".
>2) I modified the following in my /etc/slapd.conf file and reset the
> slapd daemon:
> access to dn=".*,ou=Members,o=MedRepublic,c=US" by dn="foo=mr501,ou=Members,o=MedRepublic,c=US" write
>3) I execute the "ldapmodify" command as such:
> ldapmodify -v \
> -f /tmp/input.$$ \
> -h develop.medrepublic.com \
> -W \
> -D "foo=mr501,ou=Members,o=MedRepublic,c=US"
>4) Upon entering the password, I get the "ldap_modify: Insufficient access"
> message.
Given that you didn't get an ldap_bind error, you were able to
authenticate as "foo=mr501,ou=Members,o=MedRepublic,c=US". It's
most likely that an earlier matched ACL is denying your access.
>Can anyone identify what I'm overlooking?
See FAQ regarding ACLs... in particular, note that ACL ordering
matters and only the first matched ACL matters.
>Am I misinterpreting the
>intended implementation of the OpenLdap Simple authentication model?
Yes.
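To make the "first matched ACL wins" point concrete, here is an added example (not from the thread, and not slapd's own code): a deliberately simplified model of slapd's ACL evaluation, run over the poster's own rule once with a catch-all `access to * by * read` placed before it and once after it. The `access to *` line is an assumed example of the kind of earlier rule that would produce "Insufficient access"; DN patterns are treated as regular expressions, as the slapd.conf syntax on the page implies.

```python
import re

# Simplified model of slapd.conf access-control evaluation (constructed for this
# example, not slapd's implementation): rules are checked top to bottom, the first
# rule whose <what> matches the target DN decides, and within it the first matching
# <by> clause gives the access level. A matched rule with no matching <by> denies.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

TARGET = "foo=mr501,ou=Members,o=MedRepublic,c=US"   # the entry from the thread
MEMBER_RULE = ('access to dn=".*,ou=Members,o=MedRepublic,c=US" '
               'by dn="foo=mr501,ou=Members,o=MedRepublic,c=US" write')
CATCH_ALL = "access to * by * read"                  # assumed earlier rule

BROKEN_ORDER = CATCH_ALL + "\n" + MEMBER_RULE        # catch-all shadows the write rule
FIXED_ORDER = MEMBER_RULE + "\n" + CATCH_ALL         # specific rule first

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' lines into (what_regex, [(who, level)])."""
    rules = []
    for line in text.strip().splitlines():
        m = re.match(r'access to (?:dn="([^"]*)"|\*)\s+(.*)', line.strip())
        if not m:
            raise ValueError("unsupported ACL syntax: " + line)
        what = m.group(1) or ".*"                    # bare '*' matches any entry
        bys = re.findall(r'by (?:dn="([^"]*)"|(\*|self|anonymous))\s+(\w+)', m.group(2))
        rules.append((what, [(dn or kw, level) for dn, kw, level in bys]))
    return rules

def effective_access(rules, target_dn, bind_dn):
    """Return the access level the bind DN gets on target_dn under first-match semantics."""
    for what, bys in rules:
        if not re.fullmatch(what, target_dn, re.IGNORECASE):
            continue                                  # not this rule's target
        for who, level in bys:                        # first matching <by> clause wins
            if who == "*":
                return level
            if who == "self" and bind_dn.lower() == target_dn.lower():
                return level
            if who == "anonymous" and bind_dn == "":
                return level
            if who not in ("*", "self", "anonymous") and re.fullmatch(who, bind_dn, re.IGNORECASE):
                return level
        return "none"                                 # rule matched, nobody in <by> did
    return "none"                                     # no rule matched (assumed default)

def allows(rules, target_dn, bind_dn, needed):
    """True if the effective level is at least the requested one (write implies read, etc.)."""
    return LEVELS[effective_access(rules, target_dn, bind_dn)] >= LEVELS[needed]
```

With `BROKEN_ORDER` the bind as foo=mr501 only reaches `read`, so a modify fails exactly as in the thread; moving the member rule above the catch-all yields `write`.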