On Tuesday 08 August 2006 12:52, cornelius kölbel wrote:
> Hello,
> thanks for your hint.
> indeed it was the anonymous auth access to userPassword.
>
> But I still have problems setting up the adding of addresses...

Please see the man page for slapd.access.

> I tried several acl's with dn.subtree and dn.base
> --snip--
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by * none
> access to *
>         by self write
>         by users read
>         by * none
> access to dn="ou=cornelius,ou=adressen,dc=az,dc=local"
>         by dn="cn=corny,ou=users,dc=az,dc=local" write
> access to dn="ou=franziska,ou=adressen,dc=az,dc=local"
>         by dn="cn=corny,ou=users,dc=az,dc=local" read

With OpenLDAP ACLs, first-match wins, so your "access to *" should be last, otherwise your specific ACLs will not be hit.

> --snip--
> for the user cn=corny to add addresses like
> cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local below
> ou=cornelius,ou=adressen,dc=az,dc=local.
>
> I don't like the text "write access denied by read(=rscx)".
> But I do not know how to fix this.
>
> Kind regards
> Cornelius
>
> --snip--
>
> Aug 8 12:44:00 schnuck slapd[10000]: do_add: dn (cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local)
> Aug 8 12:44:00 schnuck slapd[10000]: conn=1 op=2 ADD dn="cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local"
> Aug 8 12:44:00 schnuck slapd[10000]: bdb_dn2entry("cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local")
> Aug 8 12:44:00 schnuck slapd[10000]: => bdb_dn2id( "cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local" )
> Aug 8 12:44:00 schnuck slapd[10000]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
> Aug 8 12:44:00 schnuck slapd[10000]: bdb_referrals: op=104 target="cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local" matched="ou=cornelius,ou=adressen,dc=az,dc=local"
> Aug 8 12:44:00 schnuck slapd[10000]: ==> bdb_add: cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_required entry (cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local), objectClass "inetOrgPerson"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "objectClass"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "cn"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "displayName"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "givenName"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "sn"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "uid"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "structuralObjectClass"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "entryUUID"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "creatorsName"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "createTimestamp"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "entryCSN"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "modifiersName"
> Aug 8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "modifyTimestamp"
> Aug 8 12:44:00 schnuck slapd[10000]: bdb_dn2entry("cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local")
> Aug 8 12:44:00 schnuck slapd[10000]: => bdb_dn2id( "cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local" )
> Aug 8 12:44:00 schnuck slapd[10000]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
> Aug 8 12:44:00 schnuck slapd[10000]: => access_allowed: write access to "ou=cornelius,ou=adressen,dc=az,dc=local" "children" requested
> Aug 8 12:44:00 schnuck slapd[10000]: => acl_get: [2] attr children
> Aug 8 12:44:00 schnuck slapd[10000]: => acl_mask: access to entry "ou=cornelius,ou=adressen,dc=az,dc=local", attr "children" requested
> Aug 8 12:44:00 schnuck slapd[10000]: => acl_mask: to all values by "cn=corny,ou=users,dc=az,dc=local", (=n)
> Aug 8 12:44:00 schnuck slapd[10000]: <= check a_dn_pat: self
> Aug 8 12:44:00 schnuck slapd[10000]: <= check a_dn_pat: users
> Aug 8 12:44:00 schnuck slapd[10000]: <= acl_mask: [2] applying read(=rscx) (stop)
> Aug 8 12:44:00 schnuck slapd[10000]: <= acl_mask: [2] mask: read(=rscx)
> Aug 8 12:44:00 schnuck slapd[10000]: => access_allowed: write access denied by read(=rscx)
> Aug 8 12:44:00 schnuck slapd[10000]: bdb_add: no write access to parent
> Aug 8 12:44:00 schnuck slapd[10000]: send_ldap_result: conn=1 op=2 p=3
> Aug 8 12:44:00 schnuck slapd[10000]: send_ldap_result: err=50 matched="" text="no write access to parent"
> Aug 8 12:44:00 schnuck slapd[10000]: send_ldap_response: msgid=3 tag=105 err=50
> Aug 8 12:44:00 schnuck slapd[10000]: conn=1 op=2 RESULT tag=105 err=50 text=no write access to parent
> Aug 8 12:44:00 schnuck slapd[10000]: daemon: activity on 1 descriptors
> Aug 8 12:44:00 schnuck slapd[10000]: daemon: activity on:
>
> Buchan Milne wrote:
> > On Monday 07 August 2006 23:51, Cornelius Koelbel wrote:
> >> Hello,
> >>
> >> I set up openldap 2.2.29 on FC4.
> >> I guess everything is right, I can access and modify everything with the
> >> manager.
> >> I set up an object
> >> cn=corny,ou=users,dc=az,dc=local
> >>
> >> as follows:
> >>
> >> dn: cn=corny,ou=users,dc=az,dc=local
> >> objectClass: top
> >> objectClass: person
> >> cn: corny
> >> sn: corny
> >>
> >> I want to have this person access to a subtree of the ldap.
> >> access to dn="ou=cornelius,ou=adressen,dc=az,dc=local"
> >>         by dn="cn=corny,ou=users,dc=az,dc=local" write
> >> But for now, I configured everything:
> >> access to *
> >>         by dn="cn=corny,ou=users,dc=az,dc=local" write
> >
> > Is this your complete ACL set, or a subset? If it is complete, you are
> > definitely missing an ACL giving anonymous auth access to userPassword
> > (required for simple bind to work).
> >
> >> Now I set a password and try to connect:
> >>
> >> corny@schnuck:[/data/down]> ldappasswd -x -D "cn=Manager,dc=az,dc=local" -W -S "cn=corny,ou=users,dc=az,dc=local"
> >> New password:
> >> Re-enter new password:
> >> Enter LDAP Password:
> >> Result: Success (0)
> >>
> >> everything seems fine, but now:
> >>
> >> corny@schnuck:[/data/down]> ldapsearch -D 'cn=corny,ou=users,dc=az,dc=local' -W -x -b 'dc=az,dc=local'
> >> Enter LDAP Password:
> >> ldap_bind: Invalid credentials (49)
> >
> > 1) Test just the authentication bit with ldapwhoami
> > 2) Bump the log level up to include ACL processing (384 might be a
> >    reasonable value).
> >
> >> What's wrong, where can I start to search?
> >
> > Most likely you don't have an ACL allowing anonymous auth access to the
> > userPassword attribute. Logs of the ACL processing will most likely
> > indicate this. If it is not the case, they will help track it down.
> >
> > Regards,
> > Buchan
>
> --
> This message was checked for viruses and other dangerous content
> and is, assuming current virus scanners, clean.
> MailScanner thanks transtec Computer for their kind support.
-- Buchan Milne ISP Systems Specialist B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
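Buchan's point about first-match ordering, replayed as an added example that is not code from the thread or from OpenLDAP: a toy evaluator of the posted rules that reproduces the denied add seen in the log and shows the same add succeeding once "access to *" is moved last. It assumes the posted dn="..." rules behave as dn.base and implements only the ACL forms the thread uses.

```python
# Added example (not from the thread): a toy evaluator of OpenLDAP's first-match ACL
# semantics, replaying the "write access denied by read(=rscx)" result from the log.
# Assumption: dn="..." rules are modelled as dn.base; only the thread's ACL forms exist.
LEVELS = {"none": 0, "auth": 1, "read": 2, "write": 3}
CORNY = "cn=corny,ou=users,dc=az,dc=local"
NEW_ENTRY = "cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local"
# The rules in the order Cornelius posted them: "access to *" precedes the specific ones.
POSTED = [
    {"to": "attr=userPassword", "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    {"to": "*", "by": [("self", "write"), ("users", "read"), ("*", "none")]},
    {"to": "dn.base=ou=cornelius,ou=adressen,dc=az,dc=local", "by": [("dn=" + CORNY, "write")]},
    {"to": "dn.base=ou=franziska,ou=adressen,dc=az,dc=local", "by": [("dn=" + CORNY, "read")]},
]
# Buchan's fix: the same rules with the catch-all moved to the end.
FIXED = POSTED[:1] + POSTED[2:] + POSTED[1:2]

def parent_dn(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def target_matches(what, target_dn, attr):
    """Does an 'access to <what>' clause select this (entry, attribute) pair?"""
    if what == "*":
        return True
    if what.startswith("attr="):
        return attr == what[len("attr="):]
    style, _, pattern = what.partition("=")  # e.g. "dn.base", "ou=cornelius,..."
    if style == "dn.base":
        return target_dn == pattern
    return style == "dn.subtree" and (target_dn == pattern or target_dn.endswith("," + pattern))

def who_matches(who, bound_dn, target_dn):
    """Does a 'by <who>' clause match the bound identity ("" means anonymous)?"""
    if who.startswith("dn="):
        return bound_dn == who[len("dn="):]
    return {"*": True, "anonymous": bound_dn == "", "users": bound_dn != "",
            "self": bound_dn != "" and bound_dn == target_dn}[who]

def granted_level(acls, bound_dn, target_dn, attr):
    """Like acl_get/acl_mask: the first clause whose <what> matches is selected, and
    within it the first matching <by> decides and stops. No match at all means none."""
    for rule in acls:
        if target_matches(rule["to"], target_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, bound_dn, target_dn):
                    return level
            return "none"
    return "none"

def can_add(acls, bound_dn, new_dn):
    # bdb_add checks write access to the parent entry's "children" pseudo-attribute.
    return LEVELS[granted_level(acls, bound_dn, parent_dn(new_dn), "children")] >= LEVELS["write"]
```

With POSTED, the "*" clause is selected for the parent's children attribute and "by users read" wins, exactly as the log's "acl_get: [2]" and "applying read(=rscx)" lines show; with FIXED the dn.base clause is reached first and grants write.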