Dear Dieter Kluenter,

Dieter Kluenter wrote:
> Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
>
>> Dieter Kluenter wrote:
>>> Jittinan Suwanrueangsri <jittinan2@gmail.com> writes:
>>>> [...]
>>> There is nothing special to do.
>>>
>>>   ldapsearch -Y DIGEST-MD5 -U foo -w secret -H ldap://myhost -b dc=example,dc=com ...
>>>
>>> All you have to do is to set the userPassword value as plaintext,
>>> otherwise the challenge cannot be created. If you want to parse the SASL
>>> authentication string to a DN, then you have to define an authz-regexp in
>>> slapd.conf(5), and the user has to have a uid attribute.
>>> [...]
>>
>> I still cannot authenticate using the password from the userPassword
>> attribute. I also attach 2 configuration files with this email. Is there
>> any missing configuration?
>
> Could you provide some logs?
>
> [...]
>> # slapd.conf - Configuration file for LDAP SLAPD
>> ##########
>> authz-regexp uid=([^,]+).*,cn=auth uid=$1,ou=Users,dc=example,dc=com
>> authz-regexp email=([^,]+),cn=([^,]+).*,c=TH$ uid=$2,ou=Users,dc=example,dc=com
>> sasl-realm example.com
>> sasl-secprops none
>
> Is there any particular reason to define the second authz-regexp rule?
>
>> access to attrs=userPassword
>>         by self write
>>         by anonymous auth
>>         by * none
>> access to dn.subtree="ou=System,dc=example,dc=com"
>>         by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
>>         by users read
>> access to *
>>         by self write
>>         by users read
>>         by * none
>> [...]
>
> run slapd -d acl and post the relevant parts.
>
> -Dieter

1. I have defined the second authz-regexp rule to map SASL EXTERNAL authentication from a certificate to an LDAP DN. It's just for testing.
2. I test SASL by executing the command "ldapsearch -U matt -Y DIGEST-MD5".
3. I also attach the output files from option "-d trace" in file debug_trace.log and "-d acl" in file debug_acl.log.

Jittinan Suwanrueangsri
debug_trace.log:

@(#) $OpenLDAP: slapd 2.4.16 (Sep 3 2009 09:51:42) $
        root@ldap.example.com:/home/jittinans/openldap-2.4.16/servers/slapd
ldap_pvt_gethostbyname_a: host=ldap.example.com, r=0
daemon_init: listen on ldap:///
daemon_init: 1 listeners to open...
ldap_url_parse_ext(ldap:///)
daemon: listener initialized ldap:///
daemon_init: 2 listeners opened
ldap_create
slapd init: initiated server.
slap_sasl_init: initialized!
hdb_back_initialize: initialize HDB backend
hdb_back_initialize: Berkeley DB 4.7.25: (May 15, 2008)
hdb_db_init: Initializing HDB database
>>> dnPrettyNormal: <dc=example,dc=com>
<<< dnPrettyNormal: <dc=example,dc=com>, <dc=example,dc=com>
>>> dnPrettyNormal: <cn=admin,dc=example,dc=com>
<<< dnPrettyNormal: <cn=admin,dc=example,dc=com>, <cn=admin,dc=example,dc=com>
>>> dnNormalize: <ou=System,dc=example,dc=com>
<<< dnNormalize: <ou=system,dc=example,dc=com>
>>> dnNormalize: <cn=Ldap Admins,ou=Groups,dc=example,dc=com>
<<< dnNormalize: <cn=ldap admins,ou=groups,dc=example,dc=com>
oc_check_allowed type "uniqueMember"
hdb_db_init: Initializing HDB database
>>> dnPrettyNormal: <dc=demo,dc=net>
<<< dnPrettyNormal: <dc=demo,dc=net>, <dc=demo,dc=net>
>>> dnPrettyNormal: <cn=admin,dc=demo,dc=net>
<<< dnPrettyNormal: <cn=admin,dc=demo,dc=net>, <cn=admin,dc=demo,dc=net>
>>> dnNormalize: <dc=demo,dc=net>
<<< dnNormalize: <dc=demo,dc=net>
>>> dnNormalize: <dc=demo,dc=net>
<<< dnNormalize: <dc=demo,dc=net>
>>> dnNormalize: <cn=Subschema>
<<< dnNormalize: <cn=subschema>
matching_rule_use_init
[...]
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=module{0}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}hdb"
config_build_entry: "olcDatabase={2}hdb"
backend_startup_one: starting "dc=example,dc=com"
hdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap/example.com).
backend_startup_one: starting "dc=demo,dc=net"
hdb_db_open: database "dc=demo,dc=net": dbenv_open(/var/lib/ldap/demo.net).
slapd starting
slap_listener_activate(8):
>>> slap_listener(ldap:///)
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 24 contents:
ber_get_next
conn=0 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=189
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 236 bytes to sd 16
<== slap_sasl_bind: rc=14
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 309 contents:
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=matt,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=matt,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=matt,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=matt,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=matt,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+).*,cn=auth' string='uid=matt,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=matt,ou=Users,dc=example,dc=com'}
slap_parseURI: parsing uid=matt,ou=Users,dc=example,dc=com
ldap_url_parse_ext(uid=matt,ou=Users,dc=example,dc=com)
>>> dnNormalize: <uid=matt,ou=Users,dc=example,dc=com>
<<< dnNormalize: <uid=matt,ou=users,dc=example,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=matt,ou=users,dc=example,dc=com
slap_sasl_getdn: dn:id converted to uid=matt,ou=users,dc=example,dc=com
=> hdb_search
bdb_dn2entry("uid=matt,ou=users,dc=example,dc=com")
=> hdb_dn2id("dc=example,dc=com")
<= hdb_dn2id: got id=0x1
=> hdb_dn2id("ou=users,dc=example,dc=com")
<= hdb_dn2id: got id=0x2
=> hdb_dn2id("uid=matt,ou=users,dc=example,dc=com")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
send_ldap_result: conn=0 op=1 p=3
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 62 bytes to sd 16
<== slap_sasl_bind: rc=49
connection_get(16): got connid=0
connection_read(16): checking for input on id=0
ber_get_next
ber_get_next on fd 16 failed errno=0 (Success)
connection_close: conn=0 sd=16
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd shutdown: initiated
====> bdb_cache_release_all
====> bdb_cache_release_all
slapd destroy: freeing system resources.
slapd stopped.
debug_acl.log:

@(#) $OpenLDAP: slapd 2.4.16 (Sep 3 2009 09:51:42) $
        root@ldap.example.com:/home/jittinans/openldap-2.4.16/servers/slapd
Backend ACL: access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

/usr/local/etc/openldap/slapd.conf: line 50: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="ou=system,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember.exact="cn=ldap admins,ou=groups,dc=example,dc=com" write
        by users read

Backend ACL: access to *
        by self write
        by users search
        by * none

/usr/local/etc/openldap/slapd.conf: line 57: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=userPassword
        by anonymous auth
        by self write

/usr/local/etc/openldap/slapd.conf: line 72: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="dc=demo,dc=net"
        by dn.subtree="dc=demo,dc=net" read

Backend ACL: access to *
        by * none

config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
slapd starting
=> access_allowed: auth access to "uid=matt,ou=Users,dc=example,dc=com" "entry" requested
=> dn: [2] ou=system,dc=example,dc=com
=> acl_get: [3] attr entry
=> slap_access_allowed: result not in cache (entry)
=> acl_mask: access to entry "uid=matt,ou=Users,dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: self
<= check a_dn_pat: users
<= check a_dn_pat: *
<= acl_mask: [3] applying none(=0) (stop)
<= acl_mask: [3] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
=> access_allowed: no more rules
SASL [conn=0] Failure: no secret in database
daemon: shutdown requested and initiated.
slapd shutdown: waiting for 0 operations/tasks to finish
slapd stopped.
#This is the root of the directory tree
dn: dc=example,dc=com
description: Example.com, your trusted non-existent corporation.
dc: example
o: Example.com
objectClass: top
objectClass: dcObject
objectClass: organization

#Subtree for users
dn: ou=Users,dc=example,dc=com
ou: Users
description: Example.com Users
objectClass: organizationalUnit

#Subtree of Groups
dn: ou=Groups,dc=example,dc=com
ou: Groups
description: Example.com Groups
objectClass: organizationalUnit

#Subtree of System account
dn: ou=System,dc=example,dc=com
ou: System
description: Special accounts used by software applications.
objectClass: organizationalUnit

#
#USERS
#

#Matt Butcher
dn: uid=matt,ou=Users,dc=example,dc=com
ou: Users
#Name info:
uid: matt
cn: Matt Butcher
sn: Butcher
givenName: Matt
givenName: Matthew
displayName: Matt Butcher
#Work info:
title: System Integrator
description: System Integration and IT for Example.com
employeeType: Employee
departmentNumber: 001
employeeNumber: 001-08-98
mail: mbutcher@example.com
mail: matt@example.com
roomNumber: 301
telephoneNumber: +1 555 555 4321
mobile: +1 555 555 6789
st: Illinois
l: Chicago
street: 1234 Cicero Ave.
#Home info:
homePhone: +1 555 555 9876
homePostalAddress: 1234 home street $ Chicago,IL $ 60699-1234
#Misc:
userPassword: secret
preferredLanguage: en-us:en-gb
#Object Classes:
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

#Barbara Jensen:
dn: uid=barbara,ou=Users,dc=example,dc=com
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
givenName: Barbara
displayName: Barbara Jensen
mail: barbara@example.com
userPassword: 12345
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson

#LDAP Admin Group:
dn: cn=Ldap Admins,ou=Groups,dc=example,dc=com
cn: Ldap Admins
ou: Groups
description: Users who are LDAP Administrators
uniqueMember: uid=barbara,dc=example,dc=com
uniqueMember: uid=matt,dc=example,dc=com
objectClass: groupOfUniqueNames

#Special Account for Authentication:
dn: uid=authenticate,ou=System,dc=example,dc=com
uid: authenticate
ou: System
description: Special account for authenticating users
userPassword: secret
objectClass: account
objectClass: simpleSecurityObject
# slapd.conf - Configuration file for LDAP SLAPD

##########
# Basics #
##########
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        stats

modulepath      /usr/local/libexec/openldap
moduleload      back_hdb
moduleload      ppolicy

###########
# SSL/TLS #
###########
#TLSCACertificateFile   /CA/cacert.pem
TLSCACertificatePath    /CA/
TLSCertificateFile      /usr/local/etc/openldap/cert/ldap.example.com.cert.pem
TLSCertificateKeyFile   /usr/local/etc/openldap/cert/ldap.example.com.key.pem
TLSVerifyClient         try

###########
# SASL
###########
authz-regexp    uid=([^,]+).*,cn=auth                   uid=$1,ou=Users,dc=example,dc=com
authz-regexp    email=([^,]+),cn=([^,]+).*,c=TH$        uid=$2,ou=Users,dc=example,dc=com
sasl-realm      example.com
sasl-secprops   none

##########################
# Database Configuration #
##########################
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          secret
directory       /var/lib/ldap/example.com
index           objectClass eq
index           cn sub,eq

########
# ACLs #
########
#access to attrs=uid
#       by anonymous read
#       by users read
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to dn.subtree="ou=System,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
        by users read
access to *
        by self write
        by users read
        by * none

database        hdb
suffix          "dc=demo,dc=net"
rootdn          "cn=admin,dc=demo,dc=net"
rootpw          secret
directory       /var/lib/ldap/demo.net
index           objectClass eq
index           cn eq,sub,pres,approx
index           uid eq,sub,pres
access to attrs=userPassword
        by anonymous auth
        by self write
access to dn.sub="dc=demo,dc=net"
        by dn.sub="dc=demo,dc=net" read
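The -d acl output above shows why the DIGEST-MD5 bind ends in "no secret in database": the secret lookup runs as an anonymous requester and asks for auth access to the entry uid=matt,ou=Users,dc=example,dc=com, and the posted "access to *" clause routes anonymous to its "by * none" branch, even though the userPassword clause does grant anonymous auth. The script below is an added example, not code from the thread or from OpenLDAP: it models slapd's first-match ACL evaluation over the ACL clauses posted for dc=example,dc=com and over an assumed fix (adding "by anonymous auth" to the "access to *" clause), so each check can be traced to the clause that decides it.

```python
"""Minimal model of slapd-access(5): the first 'access to' clause whose <what> matches is
selected, the first matching 'by' clause in it fixes the granted level, and the request
succeeds only if that level covers the requested one."""
import re

# slapd's access levels in increasing order; a granted level covers all below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# ACL clauses for dc=example,dc=com as posted in the thread (copied here as test input).
ORIGINAL_ACL = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=System,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=Ldap Admins,ou=Groups,dc=example,dc=com" write
    by users read
access to *
    by self write
    by users read
    by * none
"""
# Assumed fix: also grant anonymous binds auth access on the entry the SASL lookup reads.
FIXED_ACL = ORIGINAL_ACL.replace(
    "    by users read\n    by * none", "    by users read\n    by anonymous auth\n    by * none")

def parse_acl(text):
    """Turn 'access to <what> by <who> <level> ...' into [(what, [(who, level), ...])]."""
    clauses = []
    for block in re.split(r"(?m)^\s*access\s+to\s+", text):
        block = " ".join(block.split())  # join continuation lines
        if block:
            what, *by_parts = block.split(" by ")
            clauses.append((what, [tuple(p.rsplit(None, 1)) for p in by_parts]))
    return clauses

def what_matches(what, target_dn, attr):
    """<what> forms used on this page: '*', 'attrs=a,b' and 'dn.subtree="..."'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.sub"):  # dn.subtree= / dn.sub=
        base = what.split("=", 1)[1].strip('"').lower()
        return target_dn.lower() == base or target_dn.lower().endswith("," + base)
    return False  # other selectors are not modelled

def who_matches(who, target_dn, requester_dn):
    """<who>: '*', 'anonymous', 'users', 'self'; group/dn selectors count as no match here."""
    return (who == "*"
            or (who == "anonymous" and requester_dn is None)
            or (who == "users" and requester_dn is not None)
            or (who == "self" and requester_dn is not None
                and requester_dn.lower() == target_dn.lower()))

def allowed(acl_text, target_dn, attr, requester_dn, wanted):
    """True if the ACL grants at least `wanted` on (target_dn, attr); requester None = anonymous."""
    for what, by_list in parse_acl(acl_text):
        if not what_matches(what, target_dn, attr):
            continue
        granted = next((lvl for who, lvl in by_list
                        if who_matches(who, target_dn, requester_dn)), "none")
        return LEVELS.index(granted) >= LEVELS.index(wanted)
    return False  # no 'to' clause matched: implicit 'access to * by * none'

def replay_sasl_lookup(acl_text, target_dn="uid=matt,ou=Users,dc=example,dc=com"):
    """Anonymous auth checks on the entry and on userPassword; the -d acl log shows the first denied."""
    return {"entry": allowed(acl_text, target_dn, "entry", None, "auth"),
            "userPassword": allowed(acl_text, target_dn, "userPassword", None, "auth")}
```

With ORIGINAL_ACL the entry check is denied and only userPassword passes; with FIXED_ACL both pass, while a user still cannot read another user's userPassword because the "by * none" branch of that clause is unchanged.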