TLS and access for authentication
- To: openldap-software@OpenLDAP.org
- Subject: TLS and access for authentication
- From: Sue Salamacha <salamach@agile.tv>
- Date: Thu, 02 May 2002 16:41:32 +1000
- Organization: AgileTV Corporation
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311
I have been running with LDAP 2.0.21-1 on RED HAT 7.2 with ACLs that
have enabled users to log in and change their LDAP password. To add
extra security I have enabled TLS, but it appears that the ACLs no longer
work the same way.
If the user logs in and changes their password from a client that DOESN'T
use TLS, everything works. If the client is changed to use TLS, the user
is unable to change their password.
Here are the active lines from the server slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
loglevel 128
database ldbm
suffix "dc=oz,dc=abc,dc=com"
rootdn "cn=root,dc=oz,dc=abc,dc=com"
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
access to dn="uid=*,ou=people,dc=oz,dc=abc,dc=com" attr=userpassword
    by self write
    by dn="cn=root,dc=oz,dc=abc,dc=com" write
    by anonymous auth
    by * read
access to *
    by self write
    by dn="cn=root,dc=oz,dc=abc,dc=com" write
    by * read
-------------------------------------------------------------
The /etc/ldap.conf is:
host ldapserver.oz.abc.com
base dc=oz,dc=abc,dc=com
ldap_version 3
port 389
scope sub
pam_password md5
pam_password exop
ssl start_tls
---------------------------------------------
The client's /etc/ldap.conf is:
host ldapserver.oz.abc.com
base dc=oz,dc=abc,dc=com
port 636
scope sub
ssl start_tls
ssl on
pam_password md5
When the user logs into the client and tries to change the password, they get
passwd: Authentication token manipulation error
I have tried numerous combinations but can't get anything to work. Does
anyone have some words of wisdom to get this working?
Regards,
Sue Salamacha
AgileTv Corporation
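As an added example (not part of Sue's message and not OpenLDAP or pam_ldap code), the script below parses the slapd.conf ACLs and the client /etc/ldap.conf exactly as posted and reports the points a reviewer would raise: a `by * read` clause on userPassword, two contradictory `ssl` directives, `ssl start_tls` combined with port 636, and `+SSLv2` in TLSCipherSuite. It assumes slapd.conf(5)'s continuation-line rule (a line starting with whitespace continues the previous directive, which is why the `by` lines must be indented), that ldaps is paired with port 636 and STARTTLS with the plain port 389, and its checks are heuristics rather than slapd's own ACL evaluator; the configuration text inside it is a constructed copy of the fragments above.

```python
"""Lint the slapd.conf ACLs and the pam_ldap ldap.conf fragments from the post.
Added example, not from the original message. Assumed (not stated in the post):
slapd.conf(5)'s rule that a line starting with whitespace continues the previous
directive; ldaps on port 636 versus STARTTLS on the plain port 389; the checks
are heuristics, not slapd's own ACL evaluator."""
import re

# Constructed copies of the fragments posted above (not read from disk).
SLAPD_CONF = """\
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
access to dn="uid=*,ou=people,dc=oz,dc=abc,dc=com" attr=userpassword
    by self write
    by dn="cn=root,dc=oz,dc=abc,dc=com" write
    by anonymous auth
    by * read
access to *
    by self write
    by dn="cn=root,dc=oz,dc=abc,dc=com" write
    by * read
"""
CLIENT_LDAP_CONF = """\
host ldapserver.oz.abc.com
base dc=oz,dc=abc,dc=com
port 636
scope sub
ssl start_tls
ssl on
pam_password md5
"""

def parse_directives(text):
    """[(keyword, value)] in file order; an indented line is joined to the
    previous directive, so an unindented 'by' line would not join its ACL."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            key, value = out[-1]
            out[-1] = (key, (value + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        out.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out

def parse_acls(text):
    """Split each 'access to <what> by <who> <level> ...' into (who, level) clauses."""
    acls = []
    for key, value in parse_directives(text):
        m = re.match(r"to\s+(.*?)(?:\s+by\s+(.*))?$", value) if key == "access" else None
        if m:
            clauses = [c.partition(" ") for c in re.split(r"\s+by\s+", m.group(2) or "") if c]
            acls.append({"what": m.group(1), "by": [(w, l.strip()) for w, _, l in clauses]})
    return acls

# slapd access levels are cumulative: read implies search, compare and auth.
RANK = {level: i for i, level in enumerate(("none", "auth", "compare", "search", "read", "write"))}

def check_password_acl(acls):
    findings = []
    for acl in acls:
        if "userpassword" not in acl["what"].lower():
            continue
        by = dict(acl["by"])
        anon = by.get("anonymous", by.get("*", "none"))
        if by.get("self") != "write":
            findings.append("userPassword: no 'by self write', users cannot change their own password")
        if RANK.get(anon, -1) < RANK["auth"]:
            findings.append("userPassword: anonymous lacks auth access, simple bind cannot check passwords")
        if RANK.get(by.get("*", "none"), -1) > RANK["auth"]:
            findings.append("userPassword: 'by * %s' exposes password hashes to other users; "
                            "use 'by * auth' or 'by * none'" % by["*"])
    return findings

def conflicting_directives(directives):
    """Keywords set more than once with different values, in file order."""
    seen = {}
    for key, value in directives:
        if value not in seen.setdefault(key, []):
            seen[key].append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}

def check_client_tls(directives):
    findings = []
    port = dict(directives).get("port", "389")
    modes = conflicting_directives(directives).get("ssl")
    if modes:
        findings.append("ssl set to %s: use ldaps (ssl on) or STARTTLS (ssl start_tls), not both" % " and ".join(modes))
    for mode in [v for k, v in directives if k == "ssl"]:
        if mode == "on" and port != "636":
            findings.append("ssl on with port %s; ldaps normally uses 636" % port)
        if mode == "start_tls" and port == "636":
            findings.append("ssl start_tls with port 636; STARTTLS runs on the plain LDAP port, normally 389")
    return findings

def check_server_tls(directives):
    """'+SSLv2' in an OpenSSL cipher string only moves those suites last; '!SSLv2' removes them."""
    return ["TLSCipherSuite %s: SSLv2 suites stay enabled; use '!SSLv2'" % v
            for k, v in directives if k == "tlsciphersuite" and "SSLv2" in v and "!SSLv2" not in v]

if __name__ == "__main__":
    for finding in (check_server_tls(parse_directives(SLAPD_CONF)) + check_password_acl(parse_acls(SLAPD_CONF))
                    + check_client_tls(parse_directives(CLIENT_LDAP_CONF))):
        print("-", finding)
```

`conflicting_directives` also catches the `pam_password md5` / `pam_password exop` pair in the server-side /etc/ldap.conf. None of these findings is claimed to be the cause of the "Authentication token manipulation error"; they are the things to settle (one TLS mode per client, one password-change method, no hash disclosure through `by * read`) before reading slapd's ACL log at loglevel 128 for the failing modify.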