Re: Useless ldapwhoami behavior?
Jaap Winius wrote:
> Hi all,
>
> The utility of the "ldapwhoami" tool is a mystery to me. As opposed to
> the usual Unix "whoami" command, which prints the effective userid,
> "ldapwhoami" doesn't seem to print the matching LDAP DN... at least not
> for me.
>
Hello,
[originally intended reply]
I'll just shoot here, but isn't it because this command works only for
SASL-related stuff [authzid]? Thus some appropriate stuff like rewriting
[?] is needed in slapd.conf etc. etc. ?
I'm not familiar with SASL or this command, but that's what I've got
from the man page.
[/originally ...]
None of it is probably true.
> My test setup includes an OpenLDAP server and a separate client. The
> server's slapd.conf includes these ACLs:
>
> access to attrs=userPassword,shadowLastChange
> by dn="cn=admin,dc=umrk,dc=nl" write
> by anonymous auth
> by self write
> by * none
>
### ACL
## Users can change their own passwords. Other users can attempt to
## authenticate, but can't read the userPassword value.
access to attrs=userPassword
by ssf=128 self write
by ssf=64 * auth
> access to dn.base=""
> by * read
>
> access to *
> by dn="cn=admin,dc=umrk,dc=nl" write
> by * read
>
I have 'by anonymous auth' here as well.
> My LDAP DIT includes an account for a normal user with a password.
> Without any problem I can use this to login to the client host, but when
> I want to test, or verify, the account's LDAP DN, all I get is this:
>
> ~$ ldapwhoami -x
> anonymous
> ~$ _
>
I get same result.
> Even stranger, if I supply the account's DN and password (although this
> would seem a useless thing to do, since it's the very same info I'm
> asking for), I get this error:
>
> ~$ ldapwhoami -x -D "cn=testuser,dc=umrk,dc=nl" -w testpass
> ldap_bind: Invalid credentials (49)
> ~$ _
>
However, this works for me and returns the correct DN. We're using
nss-ldap and nscd.
About -D being "useless": no, it's not. LDAP is not all-knowing and it
can't tell if it is "cn=testuser,dc..." or "uid=testuser,dc..." or
"uid=testuser,ou=people,..." and so on and so forth.
But it depends on how and with what ldapwhoami works. Probably
somebody else will clarify this one (?).
> On the other hand, this does work if I supply the admin DN and password:
>
> ~$ ldapwhoami -x -D "cn=admin,dc=umrk,dc=nl" -w adminpass
> dn:cn=admin,dc=umrk,dc=nl
> ~$ _
>
> The "ldapsearch" command is the same: I can get a response when binding
> anonymously ("-x"), as well as when binding as the admin user, but not
> when I use a normal user account, which results in the same error 49 as
> above.
>
It sounds to me like you've misconfigured an ACL somewhere. If you have only
these three ACLs, how about starting over? Comment them out and add them
one by one. I know it's not the straight solution, but-
> This behavior seems rather useless to me. Surely I've made a mistake
> somewhere. Can anyone say what it might be?
>
> Thanks,
>
> Jaap
Regards,
Zdenek
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
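Since the thread turns on what the "access to attrs=userPassword" stanza grants to a simple bind, here is an added example (not from the original post and not OpenLDAP's code) that models slapd's first-match ACL evaluation in Python and runs it against both stanzas quoted above. It assumes the documented rules: the first "by" clause whose <who> matches wins, an implicit "by * none" closes every stanza, a simple bind checks the password while the connection is still anonymous and therefore needs "auth" access on userPassword, and an "ssf=N" qualifier only matches when the session's security strength factor is at least N (0 on plain ldap:// without TLS). The DNs are the ones from the thread; the ssf values 0 and 128 are chosen for illustration.

```python
"""Toy model of how slapd picks the access level for userPassword: the first
matching 'by' clause wins, with an implicit 'by * none' at the end.
Added illustration, not OpenLDAP code."""

from dataclasses import dataclass
from typing import List, Optional

# slapd's access levels, weakest first; a granted level covers all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class ByClause:
    who: str          # "anonymous", "self", "*" or dn="<exact DN>"
    access: str       # one of LEVELS
    min_ssf: int = 0  # from an ssf=N qualifier; 0 means no requirement


@dataclass
class Requester:
    bound_dn: Optional[str]  # None = anonymous, which is the state during a simple bind
    target_dn: str           # entry whose userPassword is being accessed
    ssf: int                 # security strength factor of the session; 0 on plain ldap://


def parse_by_lines(stanza: str) -> List[ByClause]:
    """Parse the 'by ...' lines of one 'access to attrs=userPassword' stanza.
    Only the <who> forms used in the thread are understood."""
    clauses = []
    for raw in stanza.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] != "by":
            continue  # skips the 'access to ...' line and any comments
        tokens = tokens[1:]
        min_ssf = 0
        if tokens[0].startswith("ssf="):
            min_ssf = int(tokens.pop(0)[len("ssf="):])
        who, access = tokens
        if access not in LEVELS:
            raise ValueError(f"unknown access level {access!r}")
        clauses.append(ByClause(who, access, min_ssf))
    return clauses


def who_matches(clause: ByClause, req: Requester) -> bool:
    if req.ssf < clause.min_ssf:
        return False  # ssf=N only matches sessions at least that strong
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return req.bound_dn is None
    if clause.who == "self":
        return req.bound_dn is not None and req.bound_dn.lower() == req.target_dn.lower()
    if clause.who.startswith('dn="') and clause.who.endswith('"'):
        return req.bound_dn is not None and req.bound_dn.lower() == clause.who[4:-1].lower()
    raise ValueError(f"unsupported <who> {clause.who!r}")


def granted_level(acl: List[ByClause], req: Requester) -> str:
    for clause in acl:
        if who_matches(clause, req):
            return clause.access
    return "none"  # slapd's implicit trailing 'by * none'


def allows(acl: List[ByClause], req: Requester, wanted: str) -> bool:
    return LEVELS.index(granted_level(acl, req)) >= LEVELS.index(wanted)


def simple_bind_allowed(acl: List[ByClause], dn: str, ssf: int) -> bool:
    """A simple bind compares the supplied password against userPassword while
    the connection is still anonymous, so the anonymous requester's 'auth'
    access on the target entry is what decides whether the bind can succeed."""
    return allows(acl, Requester(None, dn, ssf), "auth")


# The two stanzas quoted in the thread (only the 'by' clauses matter here).
JAAP_ACL = parse_by_lines('''
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=umrk,dc=nl" write
        by anonymous auth
        by self write
        by * none
''')

ZDENEK_ACL = parse_by_lines('''
access to attrs=userPassword
        by ssf=128 self write
        by ssf=64 * auth
''')

ADMIN = "cn=admin,dc=umrk,dc=nl"
TESTUSER = "cn=testuser,dc=umrk,dc=nl"  # the DN Jaap tried with -D


if __name__ == "__main__":
    for name, acl in (("Jaap", JAAP_ACL), ("Zdenek", ZDENEK_ACL)):
        for ssf in (0, 128):  # plain ldap:// vs. a TLS session with a 128-bit cipher
            print(f"{name:7s} ssf={ssf:3d} simple bind as testuser:",
                  "ok" if simple_bind_allowed(acl, TESTUSER, ssf) else "refused")
    # Once bound, testuser may rewrite its own password but not read admin's.
    print("testuser write own:", allows(JAAP_ACL, Requester(TESTUSER, TESTUSER, 0), "write"))
    print("testuser read admin's:", allows(JAAP_ACL, Requester(TESTUSER, ADMIN, 0), "read"))
```

The point the model makes: with the first stanza an anonymous simple bind gets "auth" on userPassword at any ssf, so the password comparison can happen; with the second stanza the same bind over plain ldap:// (ssf 0) falls through to the implicit "by * none", the comparison never happens and the bind fails, while the identical bind over TLS at ssf 128 is granted "auth". So before blaming the DN, check whether the client actually goes over TLS and what the stanza grants to anonymous at that strength. The model covers only the userPassword stanza and the <who> forms used here; real slapd also evaluates the other "access to" stanzas against the entry and knows many more <who> forms.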