Re: Configuration of Single user causes
At 11:27 AM 2/7/2006, Alexander Hartner wrote:
>Thanks for all you help so far. I got quite a bit further.
>
>This is my slapd.conf file
>
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/nis.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/misc.schema
>include /etc/openldap/schema/samba.schema
>include /etc/openldap/schema/apple.schema
>include /etc/openldap/schema/netinfo.schema
>
>access to dn.subtree="o=j2anywhere,c=uk"
>by dn.base="cn=addressbook,o=j2anywhere,c=uk" write
>by * auth
>
>pidfile /var/run/slapd.pid
>argsfile /var/run/slapd.args
>allows bind_v2
>schemacheck off
>database bdb
>suffix "o=j2anywhere,c=uk"
>rootdn "cn=ldapadmin,o=j2anywhere,c=uk"
>rootpw {SSHA}IcOR4sPEa52fanHppctqrP2Wiodd2+Df
>directory /var/db/openldap/addressbook-data
>index objectClass eq
>
>And I am able to access my directory as follows:
>
>ldapsearch -D "cn=addressbook,o=j2anywhere,c=uk" -w password -x -b
>"ou=people,o=j2anywhere,c=uk" sn=...
>
>However if I change my configuration to
>
>access to dn.subtree="ou=people,o=j2anywhere,c=uk"
>by dn.base="cn=addressbook,o=j2anywhere,c=uk" write
>by * auth
>
>I get an error
>
>ldapsearch -D "cn=addressbook,o=j2anywhere,c=uk" -w password -x -b
>"ou=people,o=j2anywhere,c=uk" sn=Tom
>ldap_bind: Insufficient access (50)
First, I note that I suspect you are using an old version of
slapd(8). Current versions should report invalid credentials
in this case.
>Now I am getting confused. I am specifying the DN to which I want to
>give access and its children with dn.subtree.
Your change removed permission for anonymous to access values
of userPassword in the <cn=addressbook,o=j2anywhere,c=uk>
entry necessary to complete the authentication request.
Your changed ACL denies all access outside of the subtree
<ou=people,o=j2anywhere,c=uk>.
Adding an additional access statement, such as:
access to dn.exact="cn=addressbook,o=j2anywhere,c=uk" attr=userPassword
by anonymous auth
would provide the necessary authorization for the
bind to complete. Note that the above statement doesn't
allow any other access to values of userPassword, which
may or may not be appropriate in your situation.
>I had a look at the FAQ,
>http://www.openldap.org/faq/data/cache/55.html and http://www.openldap.org/faq/data/cache/171.html.
>
>Thanks
>Alex
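The ACL behaviour explained in the reply above, as an added illustration that is not part of the thread and not OpenLDAP's own code: a small Python model of slapd's first-matching-clause evaluation, run over the working ACL, the changed ACL that broke the bind, and the ACL with the extra userPassword clause. It assumes a simplified level ladder (no disclose/manage) and omits the rootdn bypass.

```python
# Toy model of slapd.conf ACL evaluation: the first "access to" clause whose
# <what> matches the target decides; within it the first matching <by> wins;
# if nothing matches, access is denied. A simple bind is evaluated while the
# requester is still anonymous and needs "auth" on userPassword of the bind DN.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def dn_in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def what_matches(what, target_dn, attr):
    scope, base = what["dn"]
    if scope == "subtree" and not dn_in_subtree(target_dn, base):
        return False
    if scope == "exact" and target_dn.lower() != base.lower():
        return False
    attrs = what.get("attrs")          # None means "all attributes"
    return attrs is None or attr in attrs

def who_matches(who, requester_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    _scope, base = who                 # ("base", <dn>)
    return requester_dn is not None and requester_dn.lower() == base.lower()

def granted(acl, target_dn, attr, requester_dn):
    """Access level the ACL grants requester_dn (None = anonymous) on attr."""
    for what, by_list in acl:
        if what_matches(what, target_dn, attr):
            for who, level in by_list:
                if who_matches(who, requester_dn):
                    return level
            return "none"              # clause matched, no <by> matched
    return "none"                      # no clause matched: default deny

def simple_bind_allowed(acl, bind_dn):
    level = granted(acl, bind_dn, "userPassword", None)
    return LEVELS.index(level) >= LEVELS.index("auth")

# The three ACL sets from the thread (constructed data, same DNs as the post).
ADDRESSBOOK = "cn=addressbook,o=j2anywhere,c=uk"
BY = [(("base", ADDRESSBOOK), "write"), ("*", "auth")]
ACL_WORKING = [({"dn": ("subtree", "o=j2anywhere,c=uk")}, BY)]
ACL_BROKEN = [({"dn": ("subtree", "ou=people,o=j2anywhere,c=uk")}, BY)]
ACL_FIXED = [({"dn": ("exact", ADDRESSBOOK), "attrs": {"userPassword"}},
              [("anonymous", "auth")])] + ACL_BROKEN
```

With ACL_BROKEN the bind DN lies outside ou=people, so no clause matches and the anonymous auth request is denied; ACL_FIXED grants exactly the auth access the bind needs and nothing more on userPassword.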