
Clients can't authenticate via consumer server

Hi all,

On my test system, which uses OpenLDAP simple authentication, I'm unable to get clients to authenticate to a consumer server, although they can authenticate to its provider server without a problem. Here's a snippet of the consumer's syslog, for which I've set the slapd.conf loglevel to "acl":

==================
Dec 30 02:13:28 ldapc2 slapd[3031]: => acl_mask: access to entry "uid=ccolumbus,ou=People,dc=example,dc=com", attr "userPassword" requested
Dec 30 02:13:28 ldapc2 slapd[3031]: => acl_mask: to value by "", (=0)
Dec 30 02:13:28 ldapc2 slapd[3031]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Dec 30 02:13:28 ldapc2 slapd[3031]: <= check a_dn_pat: anonymous
Dec 30 02:13:28 ldapc2 slapd[3031]: <= acl_mask: [2] applying auth(=xd) (stop)
Dec 30 02:13:28 ldapc2 slapd[3031]: <= acl_mask: [2] mask: auth(=xd)
==================

Judging from this, I suspect that I've misconfigured the account on the consumer server that the client machines must use to access password values in the database to authenticate clients. Currently, the consumer's ACLs look like this:

==================
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" read
        by anonymous auth
        by * none

access to dn.base="" by * read

access to *
        by * read
==================

This is the same admin account that I use on the provider. If I set the client's libnss-ldap configuration to use this account and its matching password to authenticate users via the consumer server, it doesn't work.

Any idea about what I'm doing wrong?

Thanks,

Jaap