Re: ACL problem
- To: openldap-technical@openldap.org
- Subject: Re: ACL problem
- From: Il Neofita <asteriskmail@gmail.com>
- Date: Tue, 22 Dec 2009 09:38:08 -0500
- In-reply-to: <4B3076E1.7070703@turnovfree.net>
- References: <7971c2da0912211626v2611e825hb8a34de1be703587@mail.gmail.com> <4B3076E1.7070703@turnovfree.net>
Hi,
I deleted everything and did everything from scratch, but I have the
same problem.
I am using RH 5.4.
I am posting my configuration.
slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/pykota.schema
allow bind_v2
loglevel 128
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
access to dn.subtree="ou=PyKota,dc=test,dc=xx"
        by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to dn.subtree="ou=people,dc=test,dc=xx"
        by dn="cn=mmm,dc=test,dc=xx" manage
        by dn="cn=pykotaadmin,dc=test,dc=xx" manage
        by * read
access to dn.subtree="ou=Groups,dc=test,dc=xx"
        by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to *
        by self write
        by users read
        by * none
access to attrs=userPassword
        by self =w
        by anonymous auth
database bdb
suffix "dc=test,dc=xx"
rootdn "cn=admin,dc=test,dc=xx"
rootpw {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index pykotaUserName pres,eq,sub
index pykotaGroupName pres,eq,sub
index pykotaPrinterName pres,eq,sub
index pykotaBillingCode pres,eq,sub
index pykotaLastJobIdent eq
My LDIF:
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=xx> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# test.xx
dn: dc=test,dc=xx
objectClass: dcObject
objectClass: organization
o: Directory Server
dc:: dGVzdCA=
# admin, test.xx
dn: cn=admin,dc=test,dc=xx
objectClass: organizationalRole
objectClass: posixAccount
cn:: YWRtaW4g
gidNumber: 500
homeDirectory: /home/admin
uid: admin
uidNumber: 500
# mmm, test.xx
dn: cn=mmm,dc=test,dc=xx
cn:: bW1tIA==
sn: mmm
objectClass: person
objectClass: top
userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
# people, test.xx
dn: ou=people,dc=test,dc=xx
objectClass: top
objectClass: organizationalUnit
ou: people
description: Fictional example organizational unit
# bjensen, people, test.xx
dn: uid=bjensen,ou=people,dc=test,dc=xx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
givenName: Babs
uid: bjensen
ou: people
description: Fictional example person
telephoneNumber: 555-5557
userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
And this is the log:
Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access to "cn=mmm,dc=test,dc=xx" "userPassword" requested
Dec 22 09:42:07 sim slapd[11187]: => dn: [1] ou=pykota,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => dn: [2] ou=people,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => dn: [3] ou=groups,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => acl_get: [4] attr userPassword
Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state (userPassword)
Dec 22 09:42:07 sim slapd[11187]: => acl_mask: access to entry
"cn=mmm,dc=test,dc=xx", attr "userPassword" requested
Dec 22 09:42:07 sim slapd[11187]: => acl_mask: to value by "", (=0)
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: self
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: users
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: *
Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] applying none(=0) (stop)
Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] mask: none(=0)
Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access denied by none(=0)
Thank you
On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
> Il Neofita wrote:
>> Hi
>
> Hello,
>
>> I am new and probably I am facing a very basic error
>>
>> I am trying to create an admin for a subset
>>
>> I create this ldif
>> dn: cn=mmmm,dc=test,dc=xx
>> cn: mmmm
>> sn: mmmm
>> objectClass: person
>> objectClass: top
>> userPassword: test
>>
>
> If you added it exactly like this:
> 1] delete dn: cn=mmmm,dc=test,dc=xx
> 2] use % slappasswd; to generate password HASH
> 3] add DN again
>
> --- SNIP ---
> slappasswd -s test
> {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
> --- SNIP ---
> --- SNIP ---
> dn: cn=mmmm,dc=test,dc=xx
> cn: mmmm
> sn: mmmm
> objectClass: person
> objectClass: top
> userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
> --- SNIP ---
>
> Just a morning loto :)
>
> Regards,
> Zdenek
>
>> then on sladp.conf
>>
>> ...
>> access to dn.subtree="ou=people,dc=test,dc=xx"
>> by dn="cn=mmmm,dc=test,dc=xx" write
>> by * read
>> ...
>>
>> Restarted ldap
>>
>> ldapsearch -x -D "cn=mmmm,dc=test,dc=xx" -W '(objectclass=*)'
>> ldap_bind: Invalid credentials (49)
>>
>> What am I doing wrong?
>
>
> --
> Zdenek Styblik
> Net/Linux admin
> OS TurnovFree.net
> email: stybla@turnovfree.net
> jabber: stybla@jabber.turnovfree.net
>
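The log in the message above already names the cause. The request is an anonymous auth check on the userPassword of cn=mmm; slapd stops at ACL [4], the `access to *` catch-all, and its third clause `by * none`, because `access to attrs=userPassword` is listed after the catch-all and slapd applies the first `access to` directive whose target matches (slapd.access(5)). Moving the userPassword rule in front of the other directives makes the bind work. Putting it first, rather than merely ahead of `access to *`, also matters because the `by * read` on ou=people would otherwise let anonymous clients read the password hashes of every entry under that subtree. The following Python is an added example, not code from the thread or from OpenLDAP: a deliberately small model of that evaluation (only the syntax used in the posted config is parsed, `dn=` is treated as an exact match, and a directive without attrs= is taken to cover every attribute, as the log shows for ACL [4]) that replays the logged request against the posted order and against the reordered rules. The tool for checking ACLs against a real slapd.conf is slapacl(8); this is only an illustration of the ordering rule.

```python
"""Added example, not code from the thread or from OpenLDAP: a small model of
slapd.access(5) ACL evaluation (first matching <what>, then first matching
<who>, then 'does the granted level include the requested one?'), used to
replay the denial in the posted log. For a real config, use slapacl(8)."""
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LETTERS = {"0": "none", "d": "disclose", "x": "auth", "c": "compare",
           "s": "search", "r": "read", "w": "write", "m": "manage"}

def privileges(token):
    """Privileges an <access> token grants: "read" -> none..read, "=w" -> {write}."""
    if token.startswith("="):                       # exact form: nothing implied
        return {LETTERS[ch] for ch in token[1:]}
    return set(LEVELS[:LEVELS.index(token) + 1])    # level form: this level and below

def parse_acls(text):
    """Parse 'access to <what> by <who> <access> ...' directives into
    (dn_subtree|None, attrs|None, [(who, privileges), ...]); indented lines
    continue the previous directive, as in slapd.conf."""
    acls = []
    for d in re.split(r"\n(?=access )", text.strip()):
        tokens = shlex.split(d)                     # newlines are whitespace, quotes stripped
        first_by = tokens.index("by")
        subtree = attrs = None
        for what in tokens[2:first_by]:             # tokens[0:2] == ["access", "to"]
            if what.startswith("dn.subtree="):
                subtree = what.split("=", 1)[1].lower()
            elif what.startswith("attrs="):
                attrs = {a.lower() for a in what.split("=", 1)[1].split(",")}
            elif what != "*":
                raise ValueError("unsupported <what>: " + what)
        rest = tokens[first_by:]                    # by <who> <access> by <who> <access> ...
        bys = [(rest[k + 1], privileges(rest[k + 2])) for k in range(0, len(rest), 3)]
        acls.append((subtree, attrs, bys))
    return acls

def who_matches(who, bind_dn, entry_dn):
    """Supported <who> patterns: '*', anonymous, users, self and an exact dn=."""
    if who.startswith("dn="):
        return who[3:].lower() == bind_dn
    return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
            "self": bind_dn != "" and bind_dn == entry_dn}[who]

def access_allowed(acls, entry_dn, attr, bind_dn, wanted):
    """(granted, acl_index, by_index), 1-based like the '[n]' markers in the slapd ACL log."""
    entry_dn, bind_dn = entry_dn.lower(), bind_dn.lower()
    for i, (subtree, attrs, bys) in enumerate(acls, 1):
        if subtree and entry_dn != subtree and not entry_dn.endswith("," + subtree):
            continue
        if attrs and (attr is None or attr.lower() not in attrs):
            continue
        for j, (who, granted) in enumerate(bys, 1):
            if who_matches(who, bind_dn, entry_dn):
                return (wanted in granted, i, j)    # first matching <who> decides
        return (False, i, 0)                        # implicit trailing 'by * none'
    return (False, 0, 0)                            # no directive matched

SUBTREE_RULES = """\
access to dn.subtree="ou=PyKota,dc=test,dc=xx"
        by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to dn.subtree="ou=people,dc=test,dc=xx"
        by dn="cn=mmm,dc=test,dc=xx" manage
        by dn="cn=pykotaadmin,dc=test,dc=xx" manage
        by * read
access to dn.subtree="ou=Groups,dc=test,dc=xx"
        by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to *
        by self write
        by users read
        by * none
"""
PASSWORD_RULE = """\
access to attrs=userPassword
        by self =w
        by anonymous auth
"""
POSTED = SUBTREE_RULES + PASSWORD_RULE              # order in the mail: rule 5 is never reached
FIXED = PASSWORD_RULE + "        by * none\n" + SUBTREE_RULES   # password rule first, deny written out

def replay():
    """The logged request (anonymous auth on cn=mmm's userPassword) plus checks on uid=bjensen."""
    mmm, babs = "cn=mmm,dc=test,dc=xx", "uid=bjensen,ou=people,dc=test,dc=xx"
    posted, fixed = parse_acls(POSTED), parse_acls(FIXED)
    return {
        "posted_bind_mmm": access_allowed(posted, mmm, "userPassword", "", "auth"),
        "fixed_bind_mmm": access_allowed(fixed, mmm, "userPassword", "", "auth"),
        "posted_anon_reads_hash": access_allowed(posted, babs, "userPassword", "", "read"),
        "fixed_anon_reads_hash": access_allowed(fixed, babs, "userPassword", "", "read"),
        "fixed_self_sets_pw": access_allowed(fixed, babs, "userPassword", babs, "write"),
    }

if __name__ == "__main__":
    for name, (ok, i, j) in replay().items():
        print(f"{name}: {'granted' if ok else 'denied'} by ACL [{i}] clause [{j}]")
```

Run as a script it reports posted_bind_mmm as denied by ACL [4] clause [3], the same indices as the log, and fixed_bind_mmm as granted by ACL [1] clause [2]; it also shows that under the posted order anonymous read of uid=bjensen's userPassword is granted by the people rule's `by * read`, which the reordering closes. Two caveats for the real config: with the password rule first, cn=mmm and cn=pykotaadmin no longer get write on userPassword through their subtree rules, so if they are meant to reset passwords they need their own `by dn="..." write` clause inside the userPassword rule; and the fix can be checked without restarting slapd with slapacl(8), for instance `slapacl -f /etc/openldap/slapd.conf -v -b "cn=mmm,dc=test,dc=xx" userPassword/auth` (no -D, so the request is evaluated as anonymous). One unrelated thing the LDIF shows: `cn:: bW1tIA==`, `cn:: YWRtaW4g` and `dc:: dGVzdCA=` are base64 because the values carry a trailing space ("mmm ", "admin ", "test "); that is not what denies the bind, but it is worth cleaning up.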