
Re: What's the magic to allowing version 2 binds?



> Yes.. thats a cut and paste from my slapd.conf file.
> I'll check on that man page..
>
> Terrelle
>
> On 25-Nov-2002 Pierangelo Masarati wrote:
>>
>>> Ok, I have installed openldap 2.1.8 running on a linux box at kernel
>>> version 2.4.18 (slackware to be precise)
>>> I'm running bdb:
>>>
>>> Nov 24 21:04:59 belgarath slapd[6129]: bdb_open: Sleepycat Software: Berkeley DB 4.1.24: (September 13, 2002)
>>> Nov 24 21:04:59 belgarath slapd[6129]: bdb_db_init: Initializing BDB database
>>> Nov 24 21:04:59 belgarath slapd[6129]: slapd starting
>>>
>>> Here are the relevant areas of my slapd.conf file:
>>>
>>> # Sample access control policy:
>>>         allow bind_v2
>>
>> Are you sure you added the above reported line to slapd.conf?

I mean: this is correct, you need this with v2 clients

>>
>>>         Allow read access of root DSE
>>>         Allow self write access
>>>         Allow authenticated users read access
>>>         Allow anonymous users to authenticate
>>
>> Did you really add the above reported lines to slapd.conf?

This is NOT correct (to my knowledge)

>>
>>> # Directives needed to implement policy:
>>> access to dn.base="" by * read
>>> access to *
>>>         by self write
>>>         by users read
>>>         by anonymous auth
>>> #
>>> # if no access controls are present, the default policy is:
>>> #       Allow read by all
>>> #
>>> # rootdn can always write!
>>>
>>> I can connect just fine using GQ and LDAP browser/editor v2.8.2
>>> using LDAP v3. Using the LDAP browser/editor in LDAP v2 mode, I
>>> can't connect and get this in the logs (as well as with other "LDAP aware"
>>> clients that are using the LDAP v2 protocol):
>>>
>>> Nov 24 21:05:11 belgarath slapd[6129]: daemon: conn=0 fd=10 connection from IP=192.168.0.3:3621 (IP=0.0.0.0:389) accepted.
>>> Nov 24 21:05:11 belgarath slapd[6129]: conn=0 op=0 BIND dn="" method=128
>>> Nov 24 21:05:11 belgarath slapd[6129]: conn=0 op=0 RESULT tag=97 err=2 text=requested protocol version not allowed

This LDAP_PROTOCOL_ERROR occurs when you DON'T SET "allow bind_v2";
this is why I'm asking ...

>>> Nov 24 21:05:11 belgarath slapd[6129]: conn=0 fd=10 closed
>>
>> Then, if your clients are SO hosed, all you can try is:
>> read slapd.conf(5) (the one that comes with 2.1.8, not
>> earlier ones) and play with other "allow" directives.

There are other directives allowing empty/non-empty DN/cred,
but I don't think this is the case.

Be sure the "allow bind_v2" directive is present, e.g.:

[prompt]$ slapd -d -1 2>&1 | grep allow
line 14 (allow bind_v2)

Pierangelo.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
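As an added example that is not part of the thread above, here is a POSIX shell snippet that checks a slapd.conf excerpt for an uncommented "allow bind_v2" directive, flags the free-text "Allow ..." lines that slapd does not parse as directives, and counts the err=2 "requested protocol version not allowed" results in log lines of the format quoted in the thread. The config and log samples are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): check slapd.conf for "allow bind_v2"
# and count LDAPv2 bind rejections in slapd log output. All data is
# constructed inline so the script runs offline; nothing is read from disk.

# Constructed slapd.conf excerpt mirroring the poster's file. The capitalised
# "Allow ..." lines are prose, not directives, and slapd will not accept them.
SAMPLE_CONF='# Sample access control policy:
        allow bind_v2
        Allow read access of root DSE
        Allow self write access
access to dn.base="" by * read
access to *
        by self write
        by users read
        by anonymous auth'

# Constructed log lines in the same format as the thread (one v2 rejection,
# one successful bind).
SAMPLE_LOG='Nov 24 21:05:11 belgarath slapd[6129]: conn=0 op=0 BIND dn="" method=128
Nov 24 21:05:11 belgarath slapd[6129]: conn=0 op=0 RESULT tag=97 err=2 text=requested protocol version not allowed
Nov 24 21:05:11 belgarath slapd[6129]: conn=0 fd=10 closed
Nov 24 21:06:02 belgarath slapd[6129]: conn=1 op=0 BIND dn="" method=128
Nov 24 21:06:02 belgarath slapd[6129]: conn=1 op=0 RESULT tag=97 err=0 text='

# has_bind_v2 CONF_TEXT: succeeds if an uncommented "allow ... bind_v2" exists.
has_bind_v2() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -Eq '^[[:space:]]*allow[[:space:]].*bind_v2'
}

# prose_lines CONF_TEXT: print non-comment lines that start with "Allow "
# (the policy wording pasted into the config instead of real directives).
prose_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -E '^[[:space:]]*Allow[[:space:]]' | sed 's/^[[:space:]]*//'
}

# count_v2_rejects LOG_TEXT: number of RESULT lines with err=2 and the
# "requested protocol version not allowed" diagnostic (prints 0 if none).
count_v2_rejects() {
    printf '%s\n' "$1" \
        | grep -c 'RESULT .*err=2 .*requested protocol version not allowed' || true
}

if has_bind_v2 "$SAMPLE_CONF"; then echo "allow bind_v2: present"; else echo "allow bind_v2: MISSING"; fi
prose_lines "$SAMPLE_CONF" | sed 's/^/not a directive: /'
echo "LDAPv2 bind rejections: $(count_v2_rejects "$SAMPLE_LOG")"
```

On a real server the same functions can be fed with `cat /etc/openldap/slapd.conf` and the slapd syslog output instead of the constructed samples.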