
RE: invalid credentials (49) for normal user



Try:

access to attrs=userPassword
     by dn="uid=root,ou=People,o=M1,c=GB" write
     by self    write
     by anonymous       auth
     by *               none

access to *
     by self    write
     by users   read
     by anonymous       auth

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org On Behalf Of Dieter Kluenter
Sent: Thursday, December 30, 2010 7:56 AM
To: openldap-technical@openldap.org
Subject: Re: invalid credentials (49) for normal user

On Thu, 30 Dec 2010 15:14:34 +0000,
rui <guideveloper@gmail.com> wrote:

> Hi,
>
> This is the output after doing "-d 128"
> http://pastebin.com/6Jb9j7F7
>
> my latest slapd.conf is this:
> ###########################################################################
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/dyngroup.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/misc.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/openldap.schema
>
> #######################################################################
> # bdb database definitions
> #######################################################################
> database        bdb
> suffix          "o=M1,c=GB"
> rootdn          "uid=root,ou=People,o=M1,c=GB"
> rootpw          test123
> directory       /var/lib/ldap
>
> # Indices to maintain
> index   objectClass,uid,uidNumber,gidNumber     eq
> index   cn,mail,surname,givenname               eq,subinitial
>
> ## logging.
> #loglevel acl
>
> access to attrs=userPassword
> by self write
> by dn="uid=root,ou=People,o=M1,c=GB" write
> by * auth
>
> access to *
> by self write
> by users read
> by anonymous auth

The warnings in the debugging output (no by clauses specified) should
have raised your attention.
The way the access rules are written is bogus. Access rules have to be put
on a single line, but this line may have continuations. The manual
page slapd.access(5) and the admin guide
http://www.openldap.org/doc/admin24/access-control.html
give a good idea on how access rules should be written.

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E


This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
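Added example, not code from the thread or from the OpenLDAP project: a small Python linter that applies the slapd.conf(5) continuation rule (a line beginning with whitespace continues the previous line) and then checks the resulting access directives. Run against a constructed copy of the config shape rui posted (by clauses at column 0) it reports the "no by clause(s)" condition Dieter points at plus one stray "by" directive per unattached line; run against a constructed copy of the indented rules from the reply above it reports nothing. The two extra checks (a `by *` or an `access to *` that is not last, and a userPassword rule that gives anonymous no `auth` access for simple binds) go beyond the specific mistake in the thread; the sample configs and the `lint` helper are constructed for this example and are not slapd's own parser.

```python
"""Lint slapd.conf access directives after applying slapd.conf(5)'s
continuation rule: a line that begins with whitespace continues the
previous line, so "access to ... by ... by ..." must be one logical line.
Hypothetical helper written for this example; it is not slapd's own parser.
"""
import shlex

# Access levels in increasing order (slapd.access(5)); "auth" is what a
# simple bind needs on userPassword, and the binder is still anonymous then.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read",
                 "write", "manage"]

# Constructed sample in the shape of the config quoted in the thread: the
# "by" lines start in column 0, so slapd does not treat them as continuations.
BROKEN_CONF = """\
database        bdb
suffix          "o=M1,c=GB"

access to attrs=userPassword
by self write
by dn="uid=root,ou=People,o=M1,c=GB" write
by * auth

access to *
by self write
by users read
by anonymous auth
"""

# Constructed sample of the rules from the reply, written as continuation lines.
FIXED_CONF = """\
database        bdb
suffix          "o=M1,c=GB"

access to attrs=userPassword
     by dn="uid=root,ou=People,o=M1,c=GB" write
     by self    write
     by anonymous       auth
     by *               none

access to *
     by self    write
     by users   read
     by anonymous       auth
"""


def logical_lines(text):
    """Unwrap continuation lines first, then drop blank and comment lines
    (slapd.conf(5): unwrapping happens before comment processing)."""
    joined = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [l.strip() for l in joined
            if l.strip() and not l.lstrip().startswith("#")]


def parse_access(line):
    """Split one logical access line into (<what>, [(<who>, [access, ...]), ...])."""
    tokens = shlex.split(line)
    if tokens[:2] != ["access", "to"]:
        raise ValueError("not an access directive: " + line)
    what, clauses, current = [], [], None
    for tok in tokens[2:]:
        if tok == "by":
            current = []
            clauses.append(current)
        elif current is None:
            what.append(tok)
        else:
            current.append(tok)
    return " ".join(what), [(c[0], c[1:]) for c in clauses if c]


def _grants_at_least(clause, level):
    """True if the clause's access keyword is at least <level>."""
    lvl = clause[1][0] if clause[1] else "none"
    return lvl in ACCESS_LEVELS and ACCESS_LEVELS.index(lvl) >= ACCESS_LEVELS.index(level)


def lint(text):
    """Return a list of (severity, message) findings for a slapd.conf text."""
    findings, whats = [], []
    for line in logical_lines(text):
        keyword = line.split(None, 1)[0]
        if keyword == "by":
            findings.append(("error", "stray 'by' clause, indent it under its access line: " + line))
        elif keyword == "access":
            what, clauses = parse_access(line)
            whats.append(what)
            if not clauses:
                findings.append(("warning", "no by clause(s) in access line for '%s'" % what))
                continue
            whos = [who for who, _ in clauses]
            if "*" in whos and whos.index("*") != len(whos) - 1:
                findings.append(("warning", "'by *' is not last in access line for '%s'; "
                                 "later clauses are unreachable (default stop control)" % what))
            # Only clauses up to and including the first 'by *' can ever match.
            reachable = clauses[: whos.index("*") + 1] if "*" in whos else clauses
            if "userpassword" in what.lower() and not any(
                    c[0] in ("anonymous", "*") and _grants_at_least(c, "auth") for c in reachable):
                findings.append(("warning", "'%s' grants anonymous no auth access, so a simple bind "
                                 "(which runs as anonymous) cannot check userPassword" % what))
    if "*" in whats and whats.index("*") != len(whats) - 1:
        findings.append(("warning", "'access to *' is not the last access directive; later ones are unreachable"))
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name)
        for severity, message in lint(conf) or [("ok", "no findings")]:
            print("  %s: %s" % (severity, message))
```

The `logical_lines` step is the whole point: without it the four "by" lines of the first rule are four unrelated directives and the `access` line is left with no by clause at all, which is what slapd warned about. Keep `by *` last within a rule and `access to *` last among rules, since both are evaluated first-match.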