Lev Dudko wrote:
 Hello Rich,
the OS is Fedora 9 (64) with all of the recent updates
rpm -qa | grep fedora-ds
fedora-ds-1.1.2-1.fc9.x86_64
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.x86_64

  Parts of the log files for DSGW authorisation

/var/log/dirsrv/admin-serv/access

  - [17/Nov/2008:23:43:45 +0300] "POST /dsgwcmd/dosearch HTTP/1.1" 200
4088
 - [17/Nov/2008:23:43:46 +0300]
"GET /dsgwcmd/lang?context=dsgw&file=style.css HTTP/1.1" 302 231
 - [17/Nov/2008:23:43:55 +0300] "POST /dsgwcmd/doauth HTTP/1.1" 200 1402

/var/log/dirsrv/admin-serv/error

(here is the strange point: the marked port in this log is 443, but in
reality it is 9830. I have stopped apache and closed port 443 entirely, but in
the log file it is still 443; the address and IP here are the same computer,
which is localhost for all of the operations)

[Mon Nov 17 23:43:45 2008] [info] Connection to child 12 established
(server www...:443, client 213.131....)
[Mon Nov 17 23:43:45 2008] [info] Initial (No.1) HTTPS request received
for child 12 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 12 closed (server
www-hep.sinp.msu.ru:443, client 213.131...)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 established
(server www...:443, client 213.131....)
[Mon Nov 17 23:43:46 2008] [info] Initial (No.1) HTTPS request received
for child 11 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 closed (server
www-hep.sinp.msu.ru:443, client 213.131....)
Do you have some sort of proxy running?
netstat -an | grep 9830
and
netstat -an | grep 443

 /var/log/dirsrv/slapd-hep/access

[17/Nov/2008:23:43:45 +0300] conn=140 SSL 128-bit RC4
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128
version=3
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:45 +0300] conn=140 op=1 SRCH base="dc=sinp, dc=msu,
dc=ru" scope=2
filter="(&(objectClass=person)(|(cn=dudko)(sn=dudko)(uid=dudko)))"
attrs="objectClass title"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 RESULT err=0 tag=101
nentries=1 etime=1
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 UNBIND
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 fd=70 closed - U1
[17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from
127.0.0.1 to 127.0.0.1
[17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128
version=3
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People,
dc=sinp, dc=msu, dc=ru" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 SRCH
base="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" scope=0
filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48
nentries=1 etime=0
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD
dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48
nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
[17/Nov/2008:23:45:16 +0300] conn=124 op=7 SRCH
base="dc=sinp,dc=msu,dc=ru" scope=2
filter="(&(objectClass=posixAccount)(uid=dudko))" attrs="uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass"
[17/Nov/2008:23:45:18 +0300] conn=124 op=7 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:45:18 +0300] conn=124 op=7 RESULT err=0 tag=101
nentries=1 etime=2
What access log level are you using?  I suggest using the default.

[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
nentries=0 etime=0

This usually means "incorrect password". You can verify yourself by using ldapsearch:

ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w yourpassword -s base -b ""

If you get err=49 here, this means your password is not correct.

 /var/log/dirsrv/slapd-hep/error

[17/Nov/2008:23:43:45 +0300] NSACLPlugin - #### conn=140 op=1 binddn=""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for 
update:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru: container:-1
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for 
update:ou=people,dc=sinp,dc=msu,dc=ru: container:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin -     ************ RESOURCE INFO 
STARTS *********
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Client DN: [17/Nov/2008:23:43:46 +0300] NSACLPlugin - resource type:256(search target_DN )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin -     Slapi_Entry DN: 
uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin -     ATTR: objectClass
[17/Nov/2008:23:43:46 +0300] NSACLPlugin -     rights:search
[17/Nov/2008:23:43:46 +0300] NSACLPlugin -     ************ RESOURCE INFO ENDS  
 *********
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable 
anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2   ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read 
target_attr acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory 
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration 
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration 
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6   ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE 
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY 
handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for 
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous 
access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search 
on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectCl
ass) to anonymous: allowed by aci(2): aciname= "Enable anonymous access", 
acidn="dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable 
anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2   ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read 
target_attr acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory 
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration 
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration 
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6   ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE 
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY 
handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:cn for 
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous 
access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found SEARCH ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search 
on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(cn) to a
nonymous: cached allow by aci(2)
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable 
anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2   ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read 
target_attr acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory 
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration 
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration 
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6   ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE 
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY 
handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:sn;lang-ru for 
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous 
access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on 
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(sn;lang-ru
) to anonymous: allowed by aci(2): aciname= "Enable anonymous access", 
acidn="dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable 
anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2   ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read 
target_attr acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory 
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration 
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration 
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6   ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE 
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7   ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write 
delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL 
INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY 
handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for 
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous 
access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found READ ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on 
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectClas
s) to anonymous: cached allow by aci(2)

Agh - my eyes - I think you need to change the errorlog level back to 0 - I don't think the problem is ACI related - err=49 means incorrect password.

Just in case, the list of the configuration directories:
/etc/dirsrv/admin-serv/
-rw-r--r-- 1 root   root    3984 19:02 admserv.conf
-rw------- 1 nobody root   16384  23:22 secmod.db
-r-------- 1 nobody nobody    50  23:27 password.conf
-r-------- 1 nobody nobody  4581  23:27 nss.conf
-rw-r--r-- 1 root   root   27061  03:39 httpd.conf
-rw------- 1 root   root    394016 04:52 console.conf
-rw------- 1 nobody root      40  04:56 admpw
-rw------- 1 nobody root     532  05:32 adm.conf
-rw------- 1 nobody root   16384  23:39 key3.db
-rw------- 1 nobody root   65536  23:39 cert8.db
-rw------- 1 nobody root   10259  00:04 local.conf

/etc/dirsrv/dsgw/
-r-------- 1 nobody root 7939 Nov 16 22:16 pb.conf
-r-------- 1 nobody root 9734 Nov 16 22:16 orgchart.conf
-r-------- 1 nobody root 8875 Nov 16 22:16 default.conf
-rw------- 1 nobody root 8867 Nov 16 23:41 dsgw.conf
-rw-r--r-- 1 root   root 3192 Nov 16 23:42 dsgw-httpd.conf



One more strange point which is not connected with the main problem. In
/etc/dirsrv/admin-serv/local.conf
I use only the addresses access filter, not hosts. The last one is blank
(looks like * does not work)
configuration.nsAdminAccessAddresses: (127.0.0.1|.....)
configuration.nsAdminAccessHosts:

But on restart of the admin server the directive
configuration.nsAdminAccessHosts: is removed from local.conf
and the server does not start; I need to add this directive manually to start the
server. Looks like this is a bug.

It is a feature. You cannot edit local.conf directly. You have to update that information in LDAP. local.conf is a read-only cache of the LDAP information. See - http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
      Lev


On Mon, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
Lev Dudko wrote:
      Dear Directory server experts,
 could you help me, please, to solve the problem with DSGW
authorization.
I have successfully set up FDS on Fedora 9 with setup-ds-admin.pl,
set up SSL with the help of the script from this page:
http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
and run setup-ds-dsgw
Now, the directory server works, administration server works and
I can configure everything in DS and Admin server with console
 fedora-idm-console -a https://localhost:9830
ldap and ldaps ports are open and accept requests.

  I can point my browser to https://localhost:9830 and use DSGW to
search successfully,
but I cannot do authorization: when I try to authorize as some user
(normal user, Directory Manager or admin) I get the error:
 Authentication Failed
Authentication failed because the password you supplied is incorrect.
Please click the Retry button and try again. If you have forgotten the
password for this entry, a directory administrator must reset the
password for you.
Of course, I am sure that the password is correct. There is not much
useful information in the log files. The
executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth does this authorization.

I have read the available documentation rather carefully, but did not find the
answer. It looks like one of the solutions is to use the binddnfile directive
with a special text file, but it looks strange to me that it is
impossible to use normal authorization in LDAP with DSGW.

    Have I missed something during the configuration or forgot to add some
special ACL?
What platform?
Any information in your admin server logs at /var/log/dirsrv/admin-serv?
       Lev
------------------------------------------------------------------------

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
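
The err=49 diagnosis in this thread depends on pairing a BIND line with the RESULT line that shares its conn and op numbers. The following is an added example, not part of the original thread or the directory server project: a Python sketch that does this pairing over access-log lines taken from the thread (re-joined onto single lines); the function names are hypothetical.

```python
import re
from collections import Counter

# Lines from the thread's slapd access log, re-joined onto single lines
# (the mail client had wrapped them); a subset is kept for brevity.
SAMPLE_LOG = '''\
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from 127.0.0.1 to 127.0.0.1
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
CONNECT = re.compile(r'^fd=\d+ slot=\d+ (?:SSL )?connection from (?P<client>\S+) to ')
BIND = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT = re.compile(r'^op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

BIND_RESPONSE_TAG = "97"    # LDAP BindResponse
INVALID_CREDENTIALS = "49"  # LDAP invalidCredentials


def normalize_dn(dn):
    """Lower-case and drop spaces around commas (simplified, not full RFC 4514)."""
    return re.sub(r"\s*,\s*", ",", dn.strip().lower())


def failed_binds(log_text):
    """Return one record per BIND whose matching RESULT is err=49."""
    clients, pending, failures = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skips conn=Internal lines and anything unparseable
        conn, rest = m["conn"], m["rest"]
        if (c := CONNECT.match(rest)):
            clients[conn] = c["client"]
        elif (b := BIND.match(rest)):
            # Remember which DN this (conn, op) pair tried to bind as.
            pending[(conn, b["op"])] = normalize_dn(b["dn"])
        elif (r := RESULT.match(rest)):
            dn = pending.pop((conn, r["op"]), None)
            if dn is not None and (r["tag"], r["err"]) == (
                    BIND_RESPONSE_TAG, INVALID_CREDENTIALS):
                failures.append({"ts": m["ts"], "conn": conn, "op": r["op"],
                                 "dn": dn or "(anonymous)",
                                 "client": clients.get(conn, "unknown")})
    return failures


def summarize(failures):
    """Count failed binds per (bind DN, client address)."""
    return Counter((f["dn"], f["client"]) for f in failures)


if __name__ == "__main__":
    for (dn, client), n in summarize(failed_binds(SAMPLE_LOG)).items():
        print(f"{n} failed bind(s) for {dn} from {client}")
```

The anonymous binds (dn="") on both connections return err=0 and are not reported; only the second bind on conn=141, as the user's DN, is flagged.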

