
Re: ldap auth does not works after openldap upgrade
On Tue, Feb 15, 2011 at 3:20 PM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
On Tue, Feb 15, 2011 at 02:52:19PM -0200, Leonardo Carneiro wrote:

> #######################################################################
> # Specific Directives for database #1, of type bdb:
> # Database specific directives apply to this database until another
> # 'database' directive occurs
> database        bdb
>
> # The base of your directory in database #1
> suffix dc=dominio,dc=com,dc=br

OK so far, but this is your complete set of ACLs:

> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> #access to * by anonymous read
> #        by dn="cn=root,dc=dominio,dc=com,dc=br" write
> #        by anonymous auth
> #        by self write
> #        by * none
>
>
> # Ensure read access to the base for things like
> # supportedSASLMechanisms.  Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
>
> ######### this last entry was commented out. I uncommented it to check if it would
> change anything, but it hasn't.
>
> # The admin dn has full write access, everyone else
> # can read everything.
> #access to *
> #       by dn="cn=admin,dc=nodomain" write
> #        by * read
>
> # For Netscape Roaming support, each user gets a roaming
> # profile for which they have write access to
> #access to dn=".*,ou=Roaming,o=morsnet"
> #        by dn="cn=admin,dc=nodomain" write
> #        by dnattr=owner write

... so all you have is anon access to the null DN.

The commented-out userPassword clause is getting close, but
does not actually control userPassword...

I suggest you add this after the 'access to dn.base="" by * read' line:

access to attrs="userPassword"
       by self =w
       by * auth

access to * by * read


Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
(reply to all now) 
Hmm, still did not work.

If I do an ldapsearch specifying '-D cn=root,dc=dominio,dc=com,dc=br' and the password, the search goes OK. If I do not specify it, it asks me for a SASL/MD5 authentication and fails, and just asks for a password. If I include a '-x' parameter, it also does not work:

chester@reploid:~$ ldapsearch -v -h 192.168.0.2 -b "dc=dominio,dc=com,dc=br" '(objectclass=*)' -LLL -x
ldap_initialize( ldap://192.168.0.2 )
filter: (objectclass=*)
requesting: All userApplication attributes
No such object (32)
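Added note (this is not part of the thread and not OpenLDAP's own code): the Python below is a small simulator of how slapd evaluates the 'access' directives quoted above, following the rules in slapd.access(5) that the exchange turns on. The first 'access to' directive whose target matches is the one used, inside it the first matching 'by' clause decides (even when it grants too little), a 'by' list that nobody matches acts as 'by * none', a named level such as 'read' includes the lower levels, and '=w' grants write only. The two sample configs are constructed: the one ACL that was actually in effect in Leonardo's slapd.conf, and the same file with Andrew's suggested lines appended. The user DN uid=chester,ou=People,dc=dominio,dc=com,dc=br is made up for the demonstration, a bare 'dn=' clause is assumed to mean an exact match, and rootdn is not modelled at all (it bypasses ACLs, which is why binding as cn=root worked in every case).

```python
"""Simulator of slapd.conf 'access' directives (added example, not OpenLDAP code).

Models the slapd.access(5) rules discussed in the thread: the first 'access to'
whose <what> matches is used, its first matching 'by' clause decides, an
exhausted 'by' list means 'by * none', named levels include the lower ones,
and '=w' grants write only.  Only the forms used in the thread are supported.
"""
import shlex

LEVELS = {  # cumulative privilege letters per named level
    "none": set(), "disclose": set("d"), "auth": set("dx"), "compare": set("dxc"),
    "search": set("dxcs"), "read": set("dxcsr"), "write": set("dxcsrw"),
    "manage": set("dxcsrwm"),
}
NEEDS = {"auth": "x", "compare": "c", "search": "s", "read": "r", "write": "w"}

def _logical_lines(text):
    """Join continuation lines (leading whitespace) and drop comments/blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_acls(text):
    """Return [(what, [(who, privilege_set), ...]), ...]; other directives are skipped."""
    acls = []
    for line in _logical_lines(text):
        toks = shlex.split(line)  # removes the quotes in dn.base="" and attrs="..."
        if not toks or toks[0].lower() != "access" or toks[1].lower() != "to":
            continue
        what, clauses, i = toks[2], [], 3
        while i < len(toks):
            if toks[i].lower() != "by" or i + 2 >= len(toks):
                raise ValueError("malformed 'by' clause: " + line)
            who, level = toks[i + 1], toks[i + 2].lower()
            if level.startswith("="):   # exact form: =w is write only, no read
                privs = set(level[1:])
            elif level in LEVELS:
                privs = LEVELS[level]
            else:
                raise ValueError("unsupported access level: " + level)
            clauses.append((who, privs))
            i += 3
        acls.append((what, clauses))
    return acls

def _norm(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()

def _what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("dn.base="):
        return _norm(what[8:]) == _norm(target_dn)
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[6:].split(",")]
    raise ValueError("unsupported <what> form: " + what)

def _who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and _norm(requester) == _norm(target_dn)
    if who.startswith("dn="):  # assumption: a bare dn= clause is an exact match
        return requester is not None and _norm(requester) == _norm(who[3:])
    raise ValueError("unsupported <who> form: " + who)

def allowed(acls, requester, target_dn, attr, op):
    """May requester (None = anonymous) do op on attr ("entry" = the entry) of target_dn?"""
    need = NEEDS[op]
    for what, clauses in acls:
        if not _what_matches(what, target_dn, attr):
            continue
        for who, privs in clauses:
            if _who_matches(who, requester, target_dn):
                return need in privs   # first matching 'by' decides, even if it denies
        return False                   # implicit trailing 'by * none'
    # Nothing matched: denied once any ACL exists; slapd's default with no ACLs is read.
    return bool(not acls and need in LEVELS["read"])

# Constructed samples: the one effective ACL from the original slapd.conf, and
# the same file with the lines Andrew suggested appended after it.
BEFORE = '''
suffix dc=dominio,dc=com,dc=br
access to dn.base="" by * read
'''
AFTER = BEFORE + '''
access to attrs="userPassword"
       by self =w
       by * auth

access to * by * read
'''
BASE = "dc=dominio,dc=com,dc=br"
USER = "uid=chester,ou=People," + BASE   # constructed DN, not from the thread

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        acls = parse_acls(cfg)
        print(label, "anon read base entry:", allowed(acls, None, BASE, "entry", "read"))
        print(label, "anon bind as user:", allowed(acls, None, USER, "userPassword", "auth"))
        print(label, "self read own hash:", allowed(acls, USER, USER, "userPassword", "read"))
```

With only the null-DN ACL, anonymous gets nothing on the base entry, and slapd does not disclose entries the requester cannot see, so an anonymous '-x' search of the base comes back as noSuchObject (32) rather than insufficientAccess; a simple bind as an ordinary user fails too, because 'auth' on userPassword is not granted to anyone. With Andrew's lines added, anonymous can bind but cannot read userPassword, everyone can read the rest, and a user can change but not read their own password hash, since the first matching clause 'by self =w' grants write only and stops the search before 'by * auth'.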