Re: openldap authentication problem
need to change one of your acls .. and add anonymous auth...
access to attr=userPassword
        by ssf=8 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
        by ssf=8 self write
        by anonymous auth
        by * none
Jonathan Higgins
IT R&D Project Manager
Kennesaw State University
jhiggins@kennesaw.edu
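To make the reasoning behind the reply concrete, the following is an added example (it is not code from this thread or from OpenLDAP) that models how slapd consults only the first matching access directive and, inside it, the first applicable by clause, and then evaluates the poster's userPassword ACL against the corrected one for the still-anonymous bind that pam_ldap performs. It is a simplified model: dn= clauses are compared exactly rather than as regexes, the rootdn's ACL bypass is ignored, and ssf=128 for the connection is an assumption (start_tls already negotiated).

```python
import re
# slapd access levels, lowest to highest; granting a level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
BASE = "dc=myCompany,dc=MyDomain"
ROOT = f"uid=root,ou=People,{BASE}"
def acl(dn, by, attr=None):
    """One 'access to' directive: dn regex, optional attr set, list of <by> clauses."""
    return {"dn": dn, "attr": attr, "by": by}

def who(kind, level, ssf=0, dn=None):
    """One <by> clause; kind is '*', 'anonymous', 'self' or 'dn' (matched exactly)."""
    return {"kind": kind, "level": level, "ssf": ssf, "dn": dn}
# The poster's userPassword ACL: nothing in it matches a client that has not bound yet.
ORIGINAL = [
    acl(f".*,ou=People,{BASE}", attr={"userPassword"},
        by=[who("self", "write", ssf=8), who("dn", "write", ssf=8, dn=ROOT)]),
    acl(f".*,{BASE}", by=[who("self", "write", ssf=8),
                          who("dn", "write", ssf=8, dn=ROOT), who("*", "read")]),
]
# The reply's fix: anonymous clients may use userPassword to authenticate, nothing more.
FIXED = [
    acl(f".*,ou=People,{BASE}", attr={"userPassword"},
        by=[who("dn", "write", ssf=8, dn=ROOT), who("self", "write", ssf=8),
            who("anonymous", "auth"), who("*", "none")]),
    ORIGINAL[1],
]

def granted_level(acls, target_dn, attr, bind_dn, ssf):
    """Simplified model of slapd's evaluation (not slapd's code): only the first matching
    'access to' is consulted; in it the first <by> that applies decides, else 'none'."""
    for a in acls:
        if not re.search(a["dn"], target_dn, re.IGNORECASE):
            continue
        if a["attr"] is not None and attr not in a["attr"]:
            continue
        for w in a["by"]:
            if ssf < w["ssf"]:  # clause needs more protection than this connection has
                continue
            if (w["kind"] == "*" or (w["kind"] == "anonymous" and bind_dn == "")
                    or (w["kind"] == "self" and bind_dn.lower() == target_dn.lower())
                    or (w["kind"] == "dn" and bind_dn.lower() == w["dn"].lower())):
                return w["level"]
        return "none"  # directive matched but no <who> applied: the log's "=n"
    return "none"

def simple_bind_allowed(acls, user_dn, ssf=128):
    """A simple bind needs 'auth' on the entry's userPassword while the connection is
    still anonymous (bind dn ""); ssf=128 assumes start_tls has already succeeded."""
    return granted_level(acls, user_dn, "userPassword", "", ssf) != "none"
```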
>>> Vuko Brigljevic <Vuko.Brigljevic@cern.ch> 3/11/2005 9:56:05 AM >>>
Hello,

For a few days now I have been having authentication problems with my openldap server, with a recurring error in the logs:

pam_ldap: error trying to bind as user "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)

The system:
SuSE Linux 8.2
openldap 2.1.12
pam_ldap version 159
nss_ldap version 203.7

I am using all default versions coming with the distribution. Everything broke a few days ago and I am currently not able to log in any more, but I always see an "(Insufficient access)" message in the logs.

I append my slapd.conf file, the ldap.conf file and the output of the full log (obtained with loglevel set to -1) from /var/log/messages of a failed login attempt.

BTW, the system broke after restarting the ldap server. I was editing slapd.conf, but as far as I am aware I left everything as it was before (when the system was running). It is very possible that I did change something, but after looking for it for a few days I just can't see what it could be.

Any idea as to what may be wrong?

Thanks!

Vuko
slapd.conf:
==========
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ldap-certs/server/server.crt
TLSCertificateKeyFile /etc/ldap-certs/server/server.key
TLSCACertificateFile /etc/ldap-certs/ca/ca.crt
database ldbm
suffix "dc=myCompany,dc=MyDomain"
rootdn "uid=root,ou=People,dc=myCompany,dc=MyDomain"
directory /var/lib/ldap/
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
access to dn=".*,ou=People,dc=myCompany,dc=MyDomain"
        attr=userPassword
        by ssf=8 self write
        by ssf=8 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
access to dn=".*,dc=myCompany,dc=MyDomain"
        by ssf=8 self write
        by ssf=8 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
        by * read
access to dn=".*,dc=myCompany,dc=MyDomain"
        by * read
/etc/openldap/ldap.conf
======================
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
base dc=myCompany,dc=MyDomain
uri ldap://myserver.myCompany.MyDomain
nss_base_passwd ou=People,dc=myCompany,dc=MyDomain
nss_base_shadow ou=People,dc=myCompany,dc=MyDomain
nss_base_group ou=Group,dc=myCompany,dc=MyDomain
host myserver.myCompany.MyDomain
ldap_version 3
ssl start_tls
pam_password crypt
tls_cacert /etc/openldap/ca/ca.crt
extract from /var/log/messages
=============================
>>> dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>
daemon: activity on 1 descriptors
<<< dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>, <uid=aUser,ou=people,dc=myCompany,dc=MyDomain>
daemon: select: listen=6 active_threads=1 tvp=NULL
do_bind: version=3 dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain" method=128
conn=4 op=3 BIND dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain" method=128
==> ldbm_back_bind: dn: uid=aUser,ou=People,dc=myCompany,dc=MyDomain
dn2entry_r: dn: "uid=aUser,ou=people,dc=myCompany,dc=MyDomain"
=> dn2id( "uid=aUser,ou=people,dc=myCompany,dc=MyDomain" )
====> cache_find_entry_dn2id("uid=aUser,ou=people,dc=myCompany,dc=MyDomain"): 121 (1 tries)
<= dn2id 121 (in cache)
=> id2entry_r( 121 )
====> cache_find_entry_id( 121 ) "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (found) (1 tries)
<= id2entry_r( 121 ) 0x81ca750 (cache)
=> access_allowed: auth access to "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" "userPassword" requested
=> dnpat: [1] .*,ou=People,dc=myCompany,dc=MyDomain nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=aUser,ou=People,dc=myCompany,dc=MyDomain attr: userPassword
=> acl_mask: access to entry "uid=aUser,ou=People,dc=myCompany,dc=MyDomain", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=root,ou=People,dc=myCompany,dc=MyDomain
=> string_expand: pattern: uid=root,ou=People,dc=myCompany,dc=MyDomain
=> string_expand: expanded: uid=root,ou=People,dc=myCompany,dc=MyDomain
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: auth access denied by =n
send_ldap_result: conn=4 op=3 p=3
send_ldap_result: err=50 matched="" text=""
send_ldap_response: msgid=4 tag=97 err=50
pam_ldap: error trying to bind as user "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)
conn=4 op=3 RESULT tag=97 err=50 text=
====> cache_return_entry_r( 121 ): returned (0)
--
===========================================================|
Vuko Brigljevic |
Rudjer Boskovic Institute |
--------------------------------------------------------- |
Mail Address: Bijenicka cesta 54, P.O.B. 180 |
10002 Zagreb Croatia |
Phone : +385-1- 468 0204 |
www : http://cern.ch/vuko |
===========================================================|
One Word to rule them all, One Explorer to find them,
One Windows to bring them all and in the darkness bind them