[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: openldap authentication problem
Hello,
Sorry for the delayed reaction, I just got to finally
try out your suggestion:
On Friday 11 March 2005 18:34, Jonathan Higgins wrote:
> need to change one of your acls .. and add anonymous auth...
>
> access to attr=userPassword
> by ssf=128 dn="uid=root,ou=People,dc=myCompany,dcMyDomain" write
> by ssf=128 self write
> by anonymous auth
> by * none
That did it really, it now works again :) So I assume
I had the "anonymous auth" in before and removed it by
mistake when editing the file.
I am however a bit confused about the meaning of the
"anonymous auth" line, as I am with acess control
meanings altogether to be honest. What does the
"by anonymous auth" line actually allow? In which sense
is the user anonymous? I did check that it doesn't
actually allow anonymous login (which I wouldn't
want anyway) so it's not that.
Also is there a reason you didn't add a ssf factor
in the suggested line? I tried to add it and it
works as well.
If someone could point me to some explanation of
access rights I would be most grateful. I've seen
the one in the openldap admin-guide but I must admit
that it's not really clear to me.
In any case, thanks for the help!
Vuko Brigljevic
===========================================================|
Vuko Brigljevic |
Rudjer Boskovic Institute |
--------------------------------------------------------- |
Mail Address: Bijenicka cesta 54, P.O.B. 180 |
10002 Zagreb Croatia |
Phone : +385-1- 468 0204 |
www : http://cern.ch/vuko |
===========================================================|
One Word to rule them all, One Explorer to find them,
One Windows to bring them all and in the darkness bind them
> >>> Vuko Brigljevic <Vuko.Brigljevic@cern.ch> 3/11/2005 9:56:05 AM >>>
>
> Hello,
>
> Since a few days, I am having authentication
> problems with my openldap server, with a recurring
> error in the logs:
>
> pam_ldap: error trying to bind as user
> "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)
>
> The system:
> SuSE Linux 8.2
> openldap 2.1.12
> pam_ldap version 159
> nss_ldap version 203.7
>
> I am using all default versions coming with the
> distributions. Everything broke a few days ago
> and I am currently not able to login any more,
> but am always seeing an "(Insufficient access)"
> message in the logs.
>
> I append my slapd.conf file, the ldap.conf
> file and the output of the full log (obtained
> with loglevel set to -1) from /var/log/messages
> of a failed login attempt.
>
> BTW, the system broke after restarting
> the ldap server. I was editing slapd.conf
> but as far as I am aware of, I left
> everything as it was before (when the
> system was running). It is very possible
> that I did change something but after
> looking for it for a few days I just
> can't see what it could be.
>
> Any idea as to what may be wrong?
>
> Thanks!
>
> Vuko
>
> slapd.conf:
> ===========
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
>
> include /etc/openldap/schema/misc.schema
> include /etc/openldap/schema/openldap.schema
> include /etc/openldap/schema/samba.schema
>
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>
> TLSCertificateFile /etc/ldap-certs/server/server.crt
> TLSCertificateKeyFile /etc/ldap-certs/server/server.key
> TLSCACertificateFile /etc/ldap-certs/ca/ca.crt
>
> database ldbm
>
> suffix "dc=myCompany,dc=MyDomain"
> rootdn "uid=root,ou=People,dc=myCompany,dc=MyDomain"
> directory /var/lib/ldap/
>
> index objectClass,uid,uidNumber,gidNumber eq
> index cn,mail,surname,givenname eq,subinitial
>
>
> access to dn=".*,ou=People,dc=myCompany,dc=MyDomain"
> attr=userPassword
> by ssf=128 self write
> by ssf=128 dn="uid=root,ou=People,dc=myCompany,dcMyDomain" write
>
>
> access to dn=".*,dc=myCompany,dc=MyDomain"
> by ssf=128 self write
> by ssf=128 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
> by * read
>
>
> access to dn=".*,dc=myCompany,dc=MyDomain"
> by * read
>
>
>
> /etc/openldap/ldap.conf
> =======================
>
> # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04
> 19:57:01
> kurt Exp $
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> base dc=myCompany,dc=MyDomain
> uri ldap://myserver.myCompany.MyDomain
>
> nss_base_passwd ou=People,dc=myCompany,dc=MyDomain
> nss_base_shadow ou=People,dc=myCompany,dc=MyDomain
> nss_base_group ou=Group,dc=myCompany,dc=MyDomain
> host myserver.myCompany.MyDomain
> ldap_version 3
> ssl start_tls
> pam_password crypt
>
> tls_cacert /etc/openldap/ca/ca.crt
>
>
> extract from /var/log/messages
> ==============================
>
> >>> dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>
>
> daemon: activity on 1 descriptors
> <<< dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>,
> <uid=aUser,ou=people,dc=myCompany,dc=MyDomain>
> daemon: select: listen=6 active_threads=1 tvp=NULL
> do_bind: version=3 dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain"
> method=128
> conn=4 op=3 BIND dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain"
> method=128
> ==> ldbm_back_bind: dn: uid=aUser,ou=People,dc=myCompany,dc=MyDomain
> dn2entry_r: dn: "uid=aUser,ou=people,dc=myCompany,dc=MyDomain"
> => dn2id( "uid=aUser,ou=people,dc=myCompany,dc=MyDomain" )
> ====>
> cache_find_entry_dn2id("uid=aUser,ou=people,dc=myCompany,dc=MyDomain"):
>
> 121 (1 tries)
> <= dn2id 121 (in cache)
> => id2entry_r( 121 )
> ====> cache_find_entry_id( 121 )
> "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (found) (1 tries)
> <= id2entry_r( 121 ) 0x81ca750 (cache)
> => access_allowed: auth access to
> "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" "userPassword"
> requested
> => dnpat: [1] .*,ou=People,dc=myCompany,dc=MyDomain nsub: 0
> => acl_get: [1] matched
> => acl_get: [1] check attr userPassword
> <= acl_get: [1] acl uid=aUser,ou=People,dc=myCompany,dc=MyDomain attr:
>
> userPassword
> => acl_mask: access to entry
> "uid=aUser,ou=People,dc=myCompany,dc=MyDomain",
> attr "userPassword" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: uid=root,ou=People,dc=myCompany,dc=MyDomain
> => string_expand: pattern:
> uid=root,ou=People,dc=myCompany,dc=MyDomain
> => string_expand: expanded:
> uid=root,ou=People,dc=myCompany,dc=MyDomain
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> <= acl_mask: no more <who> clauses, returning =n (stop)
> => access_allowed: auth access denied by =n
> send_ldap_result: conn=4 op=3 p=3
> send_ldap_result: err=50 matched="" text=""
> send_ldap_response: msgid=4 tag=97 err=50
> pam_ldap: error trying to bind as user
> "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)
> conn=4 op=3 RESULT tag=97 err=50 text=
> ====> cache_return_entry_r( 121 ): returned (0)