[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Trying to figure out access policies
I think I'm somewhat versed in the basics of OpenLDAP, but the
concept of access policies eludes me because they are far beyond my
current level of comprehension. That being said, I'm doing some
trial by fire to try to make sense of how they work and hopefully
will then be able to relate some of what I read in the manual to what
I've made happen in tests...
I'm trying to get a proxyuser working so I don't have to do
everything as Manager.
I put this entry into my slapd.conf as per some tutorials I read:
access to attrs=userPassword
by dn="cn=Proxyuser,dc=example,dc=ca" read
and likewise, these entries into my ldap.conf:
binddn cn=Proxyuser,dc=example,dc=ca
bindpw ****
rootbinddn cn=Proxyuser,dc=example,dc=ca
and finally, the Proxyuser password in /etc/ldap.secret.
Being unsure if the lookups for ldap.conf and ldap.secret is in /etc
or /usr/local/etc (Using a FreeBSD system here), I symlinked each so
they are available in both locations.
After that was all said and done, I restarted slapd and tried to do a
search using the proxyuser as the binddn:
# ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b
'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
# all.log
Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from
IP=127.0.0.1:54632 (IP=0.0.0.0:389)
Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND
dn="cn=Proxyuser,dc=example,dc=ca" method=128
Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97 err=49
text=
Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed (connection
lost)
It would seem to me that it's not complaining about the password, so
I assume it's complaining about the access entry in slapd.conf. I
removed the access entry from slapd.conf and was able to perform the
same search as above without a problem.
Anyone have any pointers on what I can look at as the source of this
problem?
Also, I'm a little confused about the difference between binddn and
rootbinddn. If I understand correctly, rootbinddn is the DN used to
bind if the user executing the command is root, while binddn is the
DN used to bind if the user executing the command is any user other
than root. Is this correct? I ask because if I run ldapsearch as
root with no additional arguments and check the logs, it seems to
bind anonymously so I'm not sure if my understanding of binddn vs.
rootbinddn is correct:
Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from
IP=127.0.0.1:58244 (IP=0.0.0.0:389)
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0
text=
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base="" scope=2
deref=0 filter="(objectClass=*)"
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT tag=101
err=32 nentries=0 text=
Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND
Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed
Thanks in advance for any insight on either or both of these points...