
openldap authentication problem



Hello,

For a few days now I have been having authentication
problems with my openldap server, with a recurring
error in the logs:

pam_ldap: error trying to bind as user "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)

The system: 
SuSE Linux 8.2
openldap 2.1.12
pam_ldap version 159
nss_ldap version 203.7

I am using all default versions coming with the
distribution. Everything broke a few days ago
and I am currently not able to log in any more,
but I always see an "(Insufficient access)"
message in the logs.

I append my slapd.conf file, the ldap.conf
file and the output of the full log (obtained
with loglevel set to -1) from /var/log/messages
of a failed login attempt.

BTW, the system broke after restarting
the ldap server. I was editing slapd.conf
but as far as I am aware I left
everything as it was before (when the
system was running). It is very possible
that I did change something, but after
looking for it for a few days I just
can't see what it could be.

Any idea as to what may be wrong?

Thanks!

Vuko

slapd.conf:
===========
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/samba.schema


TLSCipherSuite         HIGH:MEDIUM:+SSLv2

TLSCertificateFile    /etc/ldap-certs/server/server.crt
TLSCertificateKeyFile /etc/ldap-certs/server/server.key
TLSCACertificateFile  /etc/ldap-certs/ca/ca.crt

database        ldbm

suffix          "dc=myCompany,dc=MyDomain"
rootdn          "uid=root,ou=People,dc=myCompany,dc=MyDomain"
directory       /var/lib/ldap/

index   objectClass,uid,uidNumber,gidNumber  eq
index   cn,mail,surname,givenname            eq,subinitial


access to dn=".*,ou=People,dc=myCompany,dc=MyDomain" 
  attr=userPassword
 by ssf=128 self write
 by ssf=128 dn="uid=root,ou=People,dc=myCompany,dcMyDomain" write


access to dn=".*,dc=myCompany,dc=MyDomain"
 by ssf=128 self write
 by ssf=128 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
 by  * read


access to dn=".*,dc=myCompany,dc=MyDomain"
 by  * read



/etc/openldap/ldap.conf
=======================

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

base    dc=myCompany,dc=MyDomain
uri     ldap://myserver.myCompany.MyDomain

nss_base_passwd ou=People,dc=myCompany,dc=MyDomain
nss_base_shadow ou=People,dc=myCompany,dc=MyDomain
nss_base_group  ou=Group,dc=myCompany,dc=MyDomain
host    myserver.myCompany.MyDomain
ldap_version    3
ssl     start_tls
pam_password    crypt

tls_cacert      /etc/openldap/ca/ca.crt


extract from /var/log/messages
==============================

 >>> dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>
 daemon: activity on 1 descriptors
 <<< dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>, <uid=aUser,ou=people,dc=myCompany,dc=MyDomain>
 daemon: select: listen=6 active_threads=1 tvp=NULL
 do_bind: version=3 dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain" method=128
 conn=4 op=3 BIND dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain" method=128
 ==> ldbm_back_bind: dn: uid=aUser,ou=People,dc=myCompany,dc=MyDomain
 dn2entry_r: dn: "uid=aUser,ou=people,dc=myCompany,dc=MyDomain"
 => dn2id( "uid=aUser,ou=people,dc=myCompany,dc=MyDomain" )
 ====> cache_find_entry_dn2id("uid=aUser,ou=people,dc=myCompany,dc=MyDomain"): 121 (1 tries)
 <= dn2id 121 (in cache)
 => id2entry_r( 121 )
 ====> cache_find_entry_id( 121 ) "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (found) (1 tries)
 <= id2entry_r( 121 ) 0x81ca750 (cache)
 => access_allowed: auth access to "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" "userPassword" requested
 => dnpat: [1] .*,ou=People,dc=myCompany,dc=MyDomain nsub: 0
 => acl_get: [1] matched
 => acl_get: [1] check attr userPassword
 <= acl_get: [1] acl uid=aUser,ou=People,dc=myCompany,dc=MyDomain attr: userPassword
 => acl_mask: access to entry "uid=aUser,ou=People,dc=myCompany,dc=MyDomain", attr "userPassword" requested
 => acl_mask: to all values by "", (=n)
 <= check a_dn_pat: self
 <= check a_dn_pat: uid=root,ou=People,dc=myCompany,dc=MyDomain
 => string_expand: pattern:  uid=root,ou=People,dc=myCompany,dc=MyDomain
 => string_expand: expanded: uid=root,ou=People,dc=myCompany,dc=MyDomain
 => regex_matches: string:
 => regex_matches: rc: 1 no matches
 <= acl_mask: no more <who> clauses, returning =n (stop)
 => access_allowed: auth access denied by =n
 send_ldap_result: conn=4 op=3 p=3
 send_ldap_result: err=50 matched="" text=""
 send_ldap_response: msgid=4 tag=97 err=50
pam_ldap: error trying to bind as user "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)
 conn=4 op=3 RESULT tag=97 err=50 text=
 ====> cache_return_entry_r( 121 ): returned (0)

-- 
===========================================================|
 Vuko Brigljevic                                           |
 Rudjer Boskovic Institute                                 |
 --------------------------------------------------------- |
 Mail Address: Bijenicka cesta 54, P.O.B. 180              |
               10002 Zagreb Croatia                        |
 Phone       : +385-1- 468 0204                            |
 www         : http://cern.ch/vuko                         |
===========================================================|
One Word to rule them all, One Explorer to find them,
One Windows to bring them all and in the darkness bind them
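The trace in the post ends with slapd finding no <who> clause that applies to the bind requester ("", i.e. anonymous, since a simple bind is authorised before any identity exists), so acl_mask returns =n and the bind fails with err=50. The script below is an added illustration, not code from this post or from OpenLDAP: a small Python model of how slapd 2.1 walks 'access to ... by ...' directives, run over the two posted access directives and over a corrected version of the userPassword directive. It assumes the rootdn in the second 'by' clause is dc=MyDomain (the post reads "dcMyDomain"), and the fix it shows, a 'by ssf=128 anonymous auth' clause, is the one a practitioner would try here rather than an answer from the list.

```python
"""Toy model of how slapd 2.1 evaluates 'access to ... by ...' directives for
a simple bind (illustration only, not slapd's code). It handles just what the
posted config uses: regex dn patterns, attr=, the who-clauses self, anonymous,
* and dn=<regex>, and an optional ssf=<n> requirement; every clause stops."""
import re

# Access levels in increasing order of privilege, as in slapd's access(5).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two 'access to' directives as posted. Assumption: the rootdn in the
# second 'by' clause is dc=MyDomain (the post has "dcMyDomain").
POSTED_ACL = """
access to dn=".*,ou=People,dc=myCompany,dc=MyDomain"
  attr=userPassword
 by ssf=128 self write
 by ssf=128 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write

access to dn=".*,dc=myCompany,dc=MyDomain"
 by ssf=128 self write
 by ssf=128 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
 by  * read
"""

# Suggested fix (an assumption, not an answer from the list): a bind is
# evaluated for the anonymous requester, so the userPassword directive needs a
# clause granting 'auth' to it. Keeping ssf=128 on that clause makes a bind
# over a non-TLS connection fail instead of carrying the password in clear.
FIXED_ACL = POSTED_ACL.replace(
    'dc=MyDomain" write\n\n',
    'dc=MyDomain" write\n by ssf=128 anonymous auth\n by * none\n\n', 1)


def logical_lines(conf):
    """Join slapd.conf continuation lines (leading whitespace), skip blanks."""
    out = []
    for raw in conf.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_acls(conf):
    """Return [(dn_regex, attr_set_or_None, [(who, level), ...]), ...]."""
    acls = []
    for line in logical_lines(conf):
        if not line.startswith("access to"):
            continue
        target, *bys = re.split(r"\s+by\s+", line)
        spec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', target)}
        attrs = set(spec["attr"].split(",")) if "attr" in spec else None
        clauses = []
        for by in bys:
            *who_words, level = by.split()
            who = {"ssf": 0, "subject": "*"}
            for w in who_words:
                if w.startswith("ssf="):
                    who["ssf"] = int(w[4:])
                elif w.startswith("dn="):
                    who["subject"] = ("dn", w[3:].strip('"'))
                else:
                    who["subject"] = w  # self, anonymous or *
            clauses.append((who, level))
        acls.append((spec.get("dn", ".*"), attrs, clauses))
    return acls


def who_matches(who, requester, target, ssf):
    """Does this 'by' subject match the requester at the connection's ssf?"""
    if ssf < who["ssf"]:
        return False
    subject = who["subject"]
    if subject == "*":
        return True
    if subject == "anonymous":
        return requester == ""
    if subject == "self":
        return requester != "" and requester.lower() == target.lower()
    return re.fullmatch(subject[1], requester, re.IGNORECASE) is not None


def granted(acls, requester, target, attr, ssf):
    """First matching 'access to' is used; inside it the first matching 'by'
    decides. Running out of 'by' clauses, as in the trace, yields 'none'."""
    for dn_pat, attrs, clauses in acls:
        if not re.fullmatch(dn_pat, target, re.IGNORECASE):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, requester, target, ssf):
                return level
        return "none"
    return "none"


def bind_allowed(conf, user_dn, ssf):
    """A simple bind needs 'auth' on the entry's userPassword, checked for the
    anonymous requester "" (the trace's 'to all values by "", (=n)')."""
    level = granted(parse_acls(conf), "", user_dn, "userPassword", ssf)
    return LEVELS.index(level) >= LEVELS.index("auth")


if __name__ == "__main__":
    user = "uid=aUser,ou=People,dc=myCompany,dc=MyDomain"
    for name, conf, ssf in [("posted/TLS", POSTED_ACL, 128), ("fixed/TLS", FIXED_ACL, 128), ("fixed/clear", FIXED_ACL, 0)]:
        print(name, "bind allowed:", bind_allowed(conf, user, ssf))
```

Run as a script it prints three outcomes: the posted directives refuse the TLS-protected bind (the err=50 in the log), the corrected directive allows it, and the corrected directive still refuses a bind on a connection without TLS, because the ssf=128 requirement applies to the new auth clause as well. That is consistent with the posted ldap.conf, where pam_ldap uses 'ssl start_tls', so a working bind should arrive at ssf 128. Two caveats when carrying this over to a real slapd.conf: the rootdn is never subject to access controls, so the dn="uid=root,..." clauses only matter if that DN is also bound to as an ordinary user; and a bare 'by * auth' without an ssf would let a simple bind send its cleartext password over a non-TLS connection. The model also ignores the 'entry' and 'children' pseudo-attributes and the continue/break controls, none of which the posted config uses.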