
Re: Configuration of Single user causes



At 11:27 AM 2/7/2006, Alexander Hartner wrote:
>Thanks for all your help so far. I got quite a bit further.
>
>This is my slapd.conf file
>
>include         /etc/openldap/schema/core.schema
>include         /etc/openldap/schema/cosine.schema
>include         /etc/openldap/schema/nis.schema
>include         /etc/openldap/schema/inetorgperson.schema
>include         /etc/openldap/schema/misc.schema
>include         /etc/openldap/schema/samba.schema
>include         /etc/openldap/schema/apple.schema
>include         /etc/openldap/schema/netinfo.schema
>
>access to dn.subtree="o=j2anywhere,c=uk"
>by dn.base="cn=addressbook,o=j2anywhere,c=uk" write
>by * auth
>
>pidfile         /var/run/slapd.pid
>argsfile        /var/run/slapd.args
>allows          bind_v2
>schemacheck     off
>database        bdb
>suffix          "o=j2anywhere,c=uk"
>rootdn          "cn=ldapadmin,o=j2anywhere,c=uk"
>rootpw          {SSHA}IcOR4sPEa52fanHppctqrP2Wiodd2+Df
>directory       /var/db/openldap/addressbook-data
>index           objectClass eq
>
>And I am able to access my directory as follows :
>
>ldapsearch -D "cn=addressbook,o=j2anywhere,c=uk"  -w password -x  -b  
>"ou=people,o=j2anywhere,c=uk" sn=...
>
>However, if I change my configuration to
>
>access to dn.subtree="ou=people,o=j2anywhere,c=uk"
>by dn.base="cn=addressbook,o=j2anywhere,c=uk" write
>by * auth
>
>I get an error
>
>ldapsearch -D "cn=addressbook,o=j2anywhere,c=uk"  -w password -x  -b  
>"ou=people,o=j2anywhere,c=uk" sn=Tom
>ldap_bind: Insufficient access (50)

First, I note that I suspect you are using an old version of
slapd(8).  Current versions should report invalid credentials
in this case.

>Now I am getting confused. I am specifying the DN to which I want to
>give access and its children with dn.subtree.

Your change removed permission for anonymous to access values
of userPassword in the <cn=addressbook,o=j2anywhere,c=uk> 
entry necessary to complete the authentication request.
Your changed ACL denies all access outside of the subtree
<ou=people,o=j2anywhere,c=uk>.

Adding an additional access statement, such as:
  access to dn.exact="cn=addressbook,o=j2anywhere,c=uk" attr=userPassword
        by anonymous auth

would provide the necessary authorization for the
bind to complete.  Note that the above statement doesn't
allow any other access to values of userPassword, which
may or may not be appropriate in your situation.

>I had a look at the FAQ,
>http://www.openldap.org/faq/data/cache/55.html and http://www.openldap.org/faq/data/cache/171.html.
>
>Thanks
>Alex
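The bind failure discussed above comes down to how slapd(8) picks the first matching "access to" directive and then the first matching "by" clause. The toy evaluator below is an added illustration, not code from OpenLDAP or from either poster; it models only the dn.exact/dn.base/dn.subtree styles, the attr= filter, and the who-clauses used in this thread, and it treats a request that no directive matches as denied (implicit "by * none"), as the reply describes.

```python
"""Toy model of slapd ACL evaluation for the bind case in this thread (added example)."""
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd's ordering, weakest first

def _parts(dn):
    # Normalise a DN into lower-cased RDN components for a simple comparison.
    return [p.strip().lower() for p in dn.split(",")]

def dn_matches(style, pattern, target):
    p, t = _parts(pattern), _parts(target)
    if style in ("exact", "base"):       # the entry itself only
        return p == t
    if style == "subtree":               # the entry itself or anything below it
        return t[-len(p):] == p
    raise ValueError(style)

def who_matches(who, bound_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who.startswith("dn.base="):
        return bound_dn is not None and _parts(who[8:]) == _parts(bound_dn)
    raise ValueError(who)

def evaluate(acls, target_dn, attr, bound_dn):
    """First matching 'to' clause decides; inside it the first matching 'by' clause
    decides; a 'to' match with no 'by' match, or no 'to' match at all, means 'none'."""
    for acl in acls:
        if not dn_matches(acl["style"], acl["dn"], target_dn):
            continue
        if acl.get("attr") and acl["attr"].lower() != attr.lower():
            continue
        for who, level in acl["by"]:
            if who_matches(who, bound_dn):
                return level
        return "none"
    return "none"

def bind_allowed(acls, bind_dn):
    # A simple bind needs anonymous to hold at least 'auth' on userPassword of the bind DN.
    level = evaluate(acls, bind_dn, "userPassword", None)
    return LEVELS.index(level) >= LEVELS.index("auth")

# The three configurations from the thread (values taken from the posts above).
ADDRESSBOOK = "cn=addressbook,o=j2anywhere,c=uk"
BY_CLAUSES = [("dn.base=" + ADDRESSBOOK, "write"), ("*", "auth")]
ACL_WORKING = [{"style": "subtree", "dn": "o=j2anywhere,c=uk", "by": BY_CLAUSES}]
ACL_BROKEN = [{"style": "subtree", "dn": "ou=people,o=j2anywhere,c=uk", "by": BY_CLAUSES}]
ACL_FIXED = [{"style": "exact", "dn": ADDRESSBOOK, "attr": "userPassword",
              "by": [("anonymous", "auth")]}] + ACL_BROKEN   # specific directive listed first
```

Running bind_allowed over the three sets shows the working and fixed configurations succeed while the ou=people-only one is denied, and that the added dn.exact directive gives no other bound user access to userPassword.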