Re: ACL problem
Il Neofita wrote:
> Hi
> I deleted everything and did everything from scratch, but I have the
> same problem.
> I am using RH 5.4
>
Hello,
I have no idea what the problem might be. Yet, I've noticed you don't
have a hash type prefix on your passwords, and it should be there.
userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
XXX
userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
The next thing I can suggest is to strip all ACLs except the basic ones
and build up, build up...
I'd also move attrs=userPassword up in the tree, as ACL evaluation ends
when the first match is found. Thus it is possible this ACL is never matched.
Regards,
Zdenek
> I am posting my configuration
> slapd.conf
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/misc.schema
> include /etc/openldap/schema/openldap.schema
> include /etc/openldap/schema/redhat/autofs.schema
> include /etc/openldap/schema/pykota.schema
>
> allow bind_v2
> loglevel 128
>
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
>
> access to dn.subtree="ou=PyKota,dc=test,dc=xx"
>         by dn="cn=pykotaadmin,dc=test,dc=xx" write
> access to dn.subtree="ou=people,dc=test,dc=xx"
>         by dn="cn=mmm,dc=test,dc=xx" manage
>         by dn="cn=pykotaadmin,dc=test,dc=xx" manage
>         by * read
> access to dn.subtree="ou=Groups,dc=test,dc=xx"
>         by dn="cn=pykotaadmin,dc=test,dc=xx" write
>
> access to *
> by self write
> by users read
> by * none
>
> access to attrs=userPassword
> by self =w
> by anonymous auth
>
> database bdb
> suffix "dc=test,dc=xx"
> rootdn "cn=admin,dc=test,dc=xx"
> rootpw {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
>
> directory /var/lib/ldap
>
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> index pykotaUserName pres,eq,sub
> index pykotaGroupName pres,eq,sub
> index pykotaPrinterName pres,eq,sub
> index pykotaBillingCode pres,eq,sub
> index pykotaLastJobIdent eq
>
>
> my ldif
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=test,dc=xx> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # test.xx
> dn: dc=test,dc=xx
> objectClass: dcObject
> objectClass: organization
> o: Directory Server
> dc:: dGVzdCA=
>
> # admin, test.xx
> dn: cn=admin,dc=test,dc=xx
> objectClass: organizationalRole
> objectClass: posixAccount
> cn:: YWRtaW4g
> gidNumber: 500
> homeDirectory: /home/admin
> uid: admin
> uidNumber: 500
>
> # mmm, test.xx
> dn: cn=mmm,dc=test,dc=xx
> cn:: bW1tIA==
> sn: mmm
> objectClass: person
> objectClass: top
> userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
>
> # people, test.xx
> dn: ou=people,dc=test,dc=xx
> objectClass: top
> objectClass: organizationalUnit
> ou: people
> description: Fictional example organizational unit
>
> # bjensen, people, test.xx
> dn: uid=bjensen,ou=people,dc=test,dc=xx
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: Babs Jensen
> sn: Jensen
> givenName: Babs
> uid: bjensen
> ou: people
> description: Fictional example person
> telephoneNumber: 555-5557
> userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 6
> # numEntries: 5
>
>
> And this is the log
> Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access to
> "cn=mmm,dc=test,dc=xx" "userPassword" requested
> Dec 22 09:42:07 sim slapd[11187]: => dn: [1] ou=pykota,dc=test,dc=xx
> Dec 22 09:42:07 sim slapd[11187]: => dn: [2] ou=people,dc=test,dc=xx
> Dec 22 09:42:07 sim slapd[11187]: => dn: [3] ou=groups,dc=test,dc=xx
> Dec 22 09:42:07 sim slapd[11187]: => acl_get: [4] attr userPassword
> Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state
> (userPassword)
> Dec 22 09:42:07 sim slapd[11187]: => acl_mask: access to entry
> "cn=mmm,dc=test,dc=xx", attr "userPassword" requested
> Dec 22 09:42:07 sim slapd[11187]: => acl_mask: to value by "", (=0)
> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: self
> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: users
> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: *
> Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] applying none(=0) (stop)
> Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] mask: none(=0)
> Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access
> denied by none(=0)
>
>
> Thank you
>
> On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik <stybla@turnovfree.net> wrote:
>> Il Neofita wrote:
>>> Hi
>> Hello,
>>
>>> I am new and probably I am facing a very basic error
>>>
>>> I am trying to create an admin for a subset
>>>
>>> I create this ldif
>>> dn: cn=mmmm,dc=test,dc=xx
>>> cn: mmmm
>>> sn: mmmm
>>> objectClass: person
>>> objectClass: top
>>> userPassword: test
>>>
>> If you added it exactly like this-
>> 1] delete dn: cn=mmmm,dc=test,dc=xx
>> 2] use % slappasswd; to generate password HASH
>> 3] add DN again
>>
>> --- SNIP ---
>> slappasswd -s test
>> {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
>> --- SNIP ---
>> --- SNIP ---
>> dn: cn=mmmm,dc=test,dc=xx
>> cn: mmmm
>> sn: mmmm
>> objectClass: person
>> objectClass: top
>> userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
>> --- SNIP ---
>>
>> Just a morning loto :)
>>
>> Regards,
>> Zdenek
>>
>>> then in slapd.conf
>>>
>>> ...
>>> access to dn.subtree="ou=people,dc=test,dc=xx"
>>> by dn="cn=mmmm,dc=test,dc=xx" write
>>> by * read
>>> ...
>>>
>>> Restarted ldap
>>>
>>> ldapsearch -x -D "cn=mmmm,dc=test,dc=xx" -W '(objectclass=*)'
>>> ldap_bind: Invalid credentials (49)
>>>
>>> What am I doing wrong?
>>
>> --
>> Zdenek Styblik
>> Net/Linux admin
>> OS TurnovFree.net
>> email: stybla@turnovfree.net
>> jabber: stybla@jabber.turnovfree.net
>>
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
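As an added example (not part of the thread, and not a config either poster ran), here is the ACL section of the posted slapd.conf reordered the way Zdenek suggests. slapd walks the "access to" directives top to bottom and stops at the first one whose <what> part matches the target entry/attribute; within that directive the "by" clauses are tried in order and the first match decides, with an implicit "by * none" at the end. Because "access to *" matches everything, the original "access to attrs=userPassword" directive placed after it could never be reached, which is exactly what the log shows: the anonymous auth request for userPassword fell through self/users/* and was denied by "none". A second point a reviewer would flag is that the "ou=people" rule has no attrs= clause, so under the original order its "by * read" also returned the userPassword hashes of everything under ou=people to anonymous searches. The "by * none" lines on the PyKota and Groups subtrees are assumptions that nobody else needs those subtrees; adjust as required.

```conf
# Added example: ACL block of the posted slapd.conf with the password rule
# moved to the front.  Directive order is significant; first <what> match wins.

# 1. Password attribute first, so no later "by * read" can expose hashes.
#    "=w"   : the owner may replace the value but cannot read it back.
#    "auth" : anonymous may only use the value to bind (simple bind compares
#             against the stored {SSHA} hash); it is never returned in results.
access to attrs=userPassword
        by dn.exact="cn=pykotaadmin,dc=test,dc=xx" write
        by dn.exact="cn=mmm,dc=test,dc=xx" write
        by self =w
        by anonymous auth
        by * none

# 2. Subtree rules.  They now only govern the remaining attributes, because
#    userPassword was already decided by the directive above.
access to dn.subtree="ou=PyKota,dc=test,dc=xx"
        by dn.exact="cn=pykotaadmin,dc=test,dc=xx" write
        by * none                       # assumption: nobody else needs it

access to dn.subtree="ou=people,dc=test,dc=xx"
        by dn.exact="cn=mmm,dc=test,dc=xx" manage
        by dn.exact="cn=pykotaadmin,dc=test,dc=xx" manage
        by * read

access to dn.subtree="ou=Groups,dc=test,dc=xx"
        by dn.exact="cn=pykotaadmin,dc=test,dc=xx" write
        by * none                       # assumption: nobody else needs it

# 3. Catch-all last.  Anything placed after this line is dead configuration.
access to *
        by self write
        by users read
        by * none
```

The ordering can be checked offline without restarting or binding, using slapacl(8) against the config file: `slapacl -f /etc/openldap/slapd.conf -b "cn=mmm,dc=test,dc=xx" "userPassword/auth"` evaluates the ACLs for an anonymous requester (no -D) and reports whether auth access to userPassword on that entry is ALLOWED or DENIED; adding `-D "cn=mmm,dc=test,dc=xx"` shows what the user sees after binding. Running the same command with `userPassword/read` against uid=bjensen,ou=people,dc=test,dc=xx on the original ordering is the quickest way to confirm the anonymous-read exposure. One further caveat: the rootpw hash and both userPassword hashes are now on a public list archive, so on a real server they should be regenerated with slappasswd rather than reused.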