[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Configuration of Single user causes

To: Alexander Hartner <alex@j2anywhere.com>
Subject: Re: Configuration of Single user causes
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Tue, 07 Feb 2006 14:20:21 -0800
Cc: openldap-software@OpenLDAP.org
In-reply-to: <20765E43-14DF-45DE-84BB-EFB0032B18F8@j2anywhere.com>
References: <20765E43-14DF-45DE-84BB-EFB0032B18F8@j2anywhere.com>

At 11:27 AM 2/7/2006, Alexander Hartner wrote:
>Thanks for all you help so far. I got quite a bit further.
>
>This is my slapd.conf file
>
>include         /etc/openldap/schema/core.schema
>include         /etc/openldap/schema/cosine.schema
>include         /etc/openldap/schema/nis.schema
>include         /etc/openldap/schema/inetorgperson.schema
>include         /etc/openldap/schema/misc.schema
>include         /etc/openldap/schema/samba.schema
>include         /etc/openldap/schema/apple.schema
>include         /etc/openldap/schema/netinfo.schema
>
>access to dn.subtree="o=j2anywhere,c=uk"
>by dn.base="cn=addressbook,o=j2anywhere,c=uk" write
>by * auth
>
>pidfile         /var/run/slapd.pid
>argsfile        /var/run/slapd.args
>allows          bind_v2
>schemacheck     off
>database        bdb
>suffix          "o=j2anywhere,c=uk"
>rootdn          "cn=ldapadmin,o=j2anywhere,c=uk"
>rootpw          {SSHA}IcOR4sPEa52fanHppctqrP2Wiodd2+Df
>directory       /var/db/openldap/addressbook-data
>index           objectClass eq
>
>And I am able to access my directory as follows :
>
>ldapsearch -D "cn=addressbook,o=j2anywhere,c=uk"  -w password -x  -b  
>"ou=people,o=j2anywhere,c=uk" sn=...
>
>However if i change my configuration to
>
>access to dn.subtree="ou=people,o=j2anywhere,c=uk"
>by dn.base="cn=addressbook,o=j2anywhere,c=uk" write
>by * auth
>
>I get an error
>
>ldapsearch -D "cn=addressbook,o=j2anywhere,c=uk"  -w password -x  -b  
>"ou=people,o=j2anywhere,c=uk" sn=Tom
>ldap_bind: Insufficient access (50)

First, I note that I suspect you are using an old version of
slapd(8).  Current versions should report invalid credentials
in this case.

>Now I am getting confused. I am specifying the DN to which I want to  
>give access and it's children with dn.subtree.

Your change removed permission for anonymous to access values
of userPassword in the <cn=addressbook,o=j2anywhere,c=uk> 
entry necessary to complete the authentication request.
Your changed ACL denies all access outside of the subtree
<ou=people,o=j2anywhere,c=uk>.

Adding an additional access statement, such as:
  access to dn.exact="cn=addressbook,o=j2anywhere,c=uk" attr=userPassword
        by anonymous auth

would provide that the necessary authorization for the
bind to complete.  Note that the above statement doesn't
allow any other access to values of userPassword, which
may or may not be appropriate in your situation.

>I had a look at the FAQ,
>http://www.openldap.org/faq/data/cache/55.html and http:// www.openldap.org/faq/data/cache/171.html.
>
>Thanks
>Alex

References:
- Configuration of Single user causes
  - From: Alexander Hartner <alex@j2anywhere.com>

Prev by Date: Configuration of Single user causes
Next by Date: Re: Protecting a slapd Server from Excessive Client Queries
Index(es):
- Chronological
- Thread