Re: Bind using a user other than organizationalRole user

To: Dieter Kluenter <dieter@dkluenter.de>

Subject: Re: Bind using a user other than organizationalRole user

From: Marcelo de Moraes Serpa <celoserpa@gmail.com>

Date: Wed, 7 Apr 2010 02:54:34 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:received:message-id:subject:from:to:cc:content-type; bh=S5m5mSrWZuDM9QIIGHRCA8z840f3VEqRhA4QaMq13to=; b=J6i+QOH8agySzaUDyU+Dkcj4LIlbQ+1tYz61iCduoJZYJX3StZ/N3jZSxEDZ/mnDwS urd2W7nzyECIZdSWwp7smqRFZTWjwnoqMOkaRoPSrfm6gE5hP0dVySgpuWeW5sR9zwt3 loYlPTbfi2w8HsnPC7qCDGKu9So6zjIjYm8n0=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=WzTI+gzuVryGWNko5hf5ZmoWqn7eOwhW7qXnlfLQhjPVB9x58cAVac9kl7mZcB0Yhq EWUuFArDaiwLkq6E8f3H4E4TQmYdo5XgexaHoX4i7o5TCwNUzG8p4HRk0r1+Cu5tWSlk XP4QqcNJu9yX/mmmss1UJpoyP854WfGONrxPg=

In-reply-to: <20100407090445.675f5532@magenta.l4b.de>

References: <g2i1e5bcefd1004061128t1906e4e1sbc357a1f745558a1@mail.gmail.com> <20100407090445.675f5532@magenta.l4b.de>

On Wed, Apr 7, 2010 at 2:04 AM, Dieter Kluenter <dieter@dkluenter.de> wrote:

Am Tue, 6 Apr 2010 13:28:27 -0500
schrieb Marcelo de Moraes Serpa <celoserpa@gmail.com>:

> Hello list,
>
> I have a local OpenLDAP server with a couple of users. I'm using it
> for development purposes, here's the ldif:
>
> #Top level - the organization
> dn: dc=site, dc=com
> dc: site
> description: OneLogin LLC
> objectClass: dcObject
> objectClass: organization
> o: OneLogin LLC
>
> #Top level - manager
> dn: cn=Manager, dc=site, dc=com
> objectClass: organizationalRole
> cn: Manager
>
> #Second level - organizational units
> dn: ou=people, dc=site, dc=com
> ou: people
> description: All people in the organization
> objectClass: organizationalunit
>
> dn: ou=groups, dc=site, dc=com
> ou: groups
> description: All groups in the organization
> objectClass: organizationalunit
>
> #Third level - people
> dn: uid=celoserpa, ou=people, dc=site, dc=com
> objectclass: pilotPerson
> objectclass: uidObject
> uid: celoserpa
> cn: Marcelo de Moraes Serpa
> sn: de Moraes Serpa
> userPassword: secret_12345
> mail: marcelo@site.com
>
> So far, so good. I can bind with "cn=Manager,dc=site,dc=com" and the
> 12345678 password (the local server password, setup on slapd.conf).
>
> However, I would like to bind with any user in under the people OU.
> In this case, I'd like to bind with:
> dn: uid=celoserpa, ou=people, dc=site, dc=com
> userPassword: secret_12345
>
> But I'm getting a (49) - Invalid Credentials error everytime. I have
> tried through CLI tools (such as ldapadd, ldapwhoami, etc) and also
> ruby/ldap. The bind with these credentials fails with a invalid
> credentials error.
>
> I was suspecting that maybe OpenLDAP doesn't compare against
> userPassword? Or maybe some ACL configuration I am missing that is
> somehow affecting the read access to userPassword for the specific DN.
>
> I'm really lost here, any suggestion appreciated!

You may run slapd in debugging mode, that is slapd(8) -dacl

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6