Hi Roland,

I have managed to add the PasswordSelfReset schema with the
dn=Manager,dc=go,dc=cd by adding this change in the "vi
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif" file,
--------
olcRootDN: cn=Manager,dc=go,dc=cd
--------

As you can see the schema is now added,
-----
[root@openldap-server openldap]# ldapadd -x -W -H ldaps://ldap.go.cd -D
"cn=Manager,dc=go,dc=cd" -f passwordSelfReset.ldif
Enter LDAP Password:
adding new entry "cn=passwordSelfReset,cn=schema,cn=config"

[root@openldap-server openldap]#
----

I am now trying to set the password reset extension for the user. So I am
logging in as an admin user and trying to add this password reset extension
so that the user can reset the password using self service. Here is the
error that I see,
----------
Was unable to add attributes to DN:
uid=student1,ou=Generalusers,ou=Users,dc=go,dc=cd.

LDAP error, server says: Insufficient access

---------


From the logs this is what I have,

LAM logs,

2014-04-28 22:02:55: LDAP Account Manager (kui1ucm5i76bmmc68ohumteaj3 -
10.4.3.20) - ERROR: [uid=bhkwan,ou=Admins,ou=Users,dc=go,dc=cd] Unable to
add attributes to DN: uid=student1,ou=Generalusers,ou=Users,dc=go,dc=cd
(Insufficient access).


LDAP logs,

Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=0 BIND
dn="uid=bhkwan,ou=Admins,ou=Users,dc=go,dc=cd" mech=SIMPLE ssf=0
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=0 RESULT tag=97
err=0 text=
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=1 SRCH
base="ou=Groups,dc=go,dc=cd" scope=2 deref=0
filter="(&(cn=*)(objectClass=posixGroup))"
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=1 SRCH attr=cn dn
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=2 MOD
dn="uid=student1,ou=Generalusers,ou=Users,dc=go,dc=cd"
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=2 MOD
attr=objectClass passwordSelfResetQuestion passwordSelfResetAnswer
passwordSelfResetBackupMail
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=2 RESULT tag=103
err=50 text=
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=3 UNBIND
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 fd=13 closed


Inside the server profiles and the password self reset I have specified the
same dn=manager,dc=go,dc=cd for the authentications and also for the
password self reset module settings.

Can you please help me understand why it still does not have sufficient
access?


Thanks,

Junaid
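Correlating the bind DN with the denied modify, as an added example that is not part of the thread or of LAM: the script below parses slapd statistics-level log lines keyed on conn/op, as in the log quoted above, and reports every MOD that ended in err=50 together with the DN that bound on that connection. The sample lines are constructed after the ones in the thread (one record per line; a second, successful connection as rootdn is added for contrast), and the result makes visible that the write was attempted as uid=bhkwan, not as cn=Manager, which matters because the quoted slapd.conf defines no access directives for the bdb database and its own comments state that the default policy then restricts updates to the rootdn.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slapd log lines quoted in the thread.
SAMPLE_LOG = """\
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=0 BIND dn="uid=bhkwan,ou=Admins,ou=Users,dc=go,dc=cd" mech=SIMPLE ssf=0
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=0 RESULT tag=97 err=0 text=
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=2 MOD dn="uid=student1,ou=Generalusers,ou=Users,dc=go,dc=cd"
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=2 MOD attr=objectClass passwordSelfResetQuestion passwordSelfResetAnswer passwordSelfResetBackupMail
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=2 RESULT tag=103 err=50 text=
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 op=3 UNBIND
Apr 28 22:02:55 openldap-server slapd[18610]: conn=1003 fd=13 closed
Apr 28 22:03:10 openldap-server slapd[18610]: conn=1004 op=0 BIND dn="cn=Manager,dc=go,dc=cd" mech=SIMPLE ssf=0
Apr 28 22:03:10 openldap-server slapd[18610]: conn=1004 op=0 RESULT tag=97 err=0 text=
Apr 28 22:03:10 openldap-server slapd[18610]: conn=1004 op=1 MOD dn="uid=student1,ou=Generalusers,ou=Users,dc=go,dc=cd"
Apr 28 22:03:10 openldap-server slapd[18610]: conn=1004 op=1 RESULT tag=103 err=0 text=
"""

LINE_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')
ATTR_RE = re.compile(r'attr=(?P<attrs>.*)$')

INSUFFICIENT_ACCESS = 50  # LDAP result code "Insufficient access"


def denied_modifications(log_text):
    """Return one record per MOD that ended in err=50, with the DN bound on its connection."""
    bind_dn = {}                 # conn -> DN that bound on that connection
    pending = defaultdict(dict)  # (conn, op) -> MOD record still awaiting its RESULT
    denied = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:                # e.g. "conn=1003 fd=13 closed" carries no op
            continue
        conn, op, rest = m['conn'], m['op'], m['rest']
        if rest.startswith('BIND'):
            dn = DN_RE.search(rest)
            bind_dn[conn] = dn['dn'] if dn else 'anonymous'
        elif rest.startswith('MOD'):
            rec = pending[(conn, op)]          # MOD spans two lines: dn=..., then attr=...
            dn, attrs = DN_RE.search(rest), ATTR_RE.search(rest)
            if dn:
                rec['target'] = dn['dn']
            if attrs:
                rec['attrs'] = attrs['attrs'].split()
        elif rest.startswith('RESULT') and (conn, op) in pending:
            rec = pending.pop((conn, op))
            err = ERR_RE.search(rest)
            if err and int(err['err']) == INSUFFICIENT_ACCESS:
                rec['bound_as'] = bind_dn.get(conn, 'anonymous')
                denied.append(rec)
    return denied
```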


On Tue, Apr 29, 2014 at 8:26 AM, Junaid Shah <[email protected]> wrote:

>
>
> ---------- Forwarded message ----------
> From: Junaid Shah <[email protected]>
> Date: Tue, Apr 29, 2014 at 8:25 AM
> Subject: Re: [Lam-public] Openldap Pro Trouble.
> To: Roland Gruber <[email protected]>
>
>
> Hi Roland,
>
> I am still not able to bypass the Insufficient access error. I have added
> the PasswordSelfReset object class for the user from the General profiles
> under the configuration. I am trying to re-create the schema now.
>
> This is what I'm trying,
> ----
> [root@openldap-server openldap]# ldapadd -x -W -H ldaps://ldap.go.cd -D
> "cn=Manager,dc=go,dc=cd" -f passwordSelfReset.ldif
> Enter LDAP Password:
> adding new entry "cn=passwordSelfReset,cn=schema,cn=config"
> ldap_add: Insufficient access (50)
> ----
>
> My rootdn is cn=Manager,dc=go,dc=cd and that's the one I have in the
> slapd.conf file as well.
>
>
> Here is my slapd.conf file for reference,
> --------
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
>
> include        /etc/openldap/schema/corba.schema
> include        /etc/openldap/schema/core.schema
> include        /etc/openldap/schema/cosine.schema
> include        /etc/openldap/schema/duaconf.schema
> include        /etc/openldap/schema/dyngroup.schema
> include        /etc/openldap/schema/inetorgperson.schema
> include        /etc/openldap/schema/java.schema
> include        /etc/openldap/schema/misc.schema
> include        /etc/openldap/schema/nis.schema
> include        /etc/openldap/schema/openldap.schema
> include        /etc/openldap/schema/ppolicy.schema
> include        /etc/openldap/schema/collective.schema
> include         /etc/openldap/schema/passwordSelfReset.schema
>
> # Allow LDAPv2 client connections.  This is NOT the default.
> allow bind_v2
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral    ldap://root.openldap.org
>
> pidfile        /var/run/openldap/slapd.pid
> argsfile    /var/run/openldap/slapd.args
>
> # Load dynamic backend modules
> # - modulepath is architecture dependent value (32/64-bit system)
> # - back_sql.la overlay requires openldap-server-sql package
> # - dyngroup.la and dynlist.la cannot be used at the same time
>
> # modulepath /usr/lib/openldap
> # modulepath /usr/lib64/openldap
>
> # moduleload accesslog.la
> # moduleload auditlog.la
> # moduleload back_sql.la
> # moduleload chain.la
> # moduleload collect.la
> # moduleload constraint.la
> # moduleload dds.la
> # moduleload deref.la
> # moduleload dyngroup.la
> # moduleload dynlist.la
> # moduleload memberof.la
> # moduleload pbind.la
> # moduleload pcache.la
> # moduleload ppolicy.la
> # moduleload refint.la
> # moduleload retcode.la
> # moduleload rwm.la
> # moduleload seqmod.la
> # moduleload smbk5pwd.la
> # moduleload sssvlv.la
> # moduleload syncprov.la
> # moduleload translucent.la
> # moduleload unique.la
> # moduleload valsort.la
>
> # The next three lines allow use of TLS for encrypting connections using a
> # dummy test certificate which you can generate by running
> # /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
> # at self-signed certificates, however.
> TLSCACertificatePath /etc/openldap/certs
> TLSCertificateFile "\"OpenLDAP Server\""
> TLSCertificateKeyFile /etc/openldap/certs/password
>
> # Sample security restrictions
> #    Require integrity protection (prevent hijacking)
> #    Require 112-bit (3DES or better) encryption for updates
> #    Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> #    Root DSE: allow anyone to read it
> #    Subschema (sub)entry DSE: allow anyone to read it
> #    Other DSEs:
> #        Allow self write access
> #        Allow authenticated users read access
> #        Allow anonymous users to authenticate
> #    Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #    by self write
> #    by users read
> #    by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> # enable on-the-fly configuration (cn=config)
> database config
> access to *
>     by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
>     by * none
>
> # enable server status monitoring (cn=monitor)
> database monitor
> access to *
>     by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
>     by dn.exact="cn=Manager,dc=go,dc=cd" read
>     by * none
>
> #######################################################################
> # database definitions
> #######################################################################
>
> database    bdb
> suffix        "dc=go,dc=cd"
> checkpoint    1024 15
> rootdn        "cn=Manager,dc=go,dc=cd"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> # rootpw        secret
> # rootpw        {crypt}ijFYNcSNctBYg
>
> rootpw SECRET
>
> loglevel 1000
> sizelimit       unlimited
>
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory    /var/lib/ldap
>
> # Indices to maintain for this database
> index objectClass                       eq,pres
> index ou,cn,mail,surname,givenname      eq,pres,sub
> index uidNumber,gidNumber,loginShell    eq,pres
> index uid,memberUid                     eq,pres,sub
> index nisMapName,nisMapEntry            eq,pres,sub
>
> # Replicas of this database
> #replogfile /var/lib/ldap/openldap-master-replog
> #replica host=ldap-1.example.com:389 starttls=critical
> #     bindmethod=sasl saslmech=GSSAPI
> #     authcId=host/[email protected]
> ------------
>
> Using the same cn=Manager,dc=go,dc=cd I was able to add entries etc. I
> don't know what happened. Could you please point me in the right direction
> here?
>
> Thanks,
>
>
>
> On Tue, Apr 29, 2014 at 3:23 AM, Roland Gruber <[email protected]> wrote:
>
>> Hi Junaid,
>>
>> did you add the passwordSelfReset object class to your user and set a
>> security question+answer?
>>
>> You can find more information in LAM's log file. See "LAM configuration"
>> ->  "Edit general settings" for the logging options.
>>
>> You can also try with email confirmation + no security question at the
>> beginning. Maybe the user search base is wrong or you need to use a bind
>> user.
>>
>>
>> Best regards
>>
>> Roland
>>
>>
>> On 28.04.2014 15:12, Junaid Shah wrote:
>> > I managed to start the ldap server. I am trying to get the password self
>> > reset to work. I followed the tutorial
>> > https://www.ldap-account-manager.org/static/doc/manual/ch06s03.html and
>> > copied docs/schema password reset file to /etc/openldap/schema and included
>> > that in the slapd.conf file and restarted slapd.
>> >
>> > When I try to reset the password for a user by selecting forgot password, I
>> > get the error "Unable to find user account".
>> >
>> > Any help with this?
>> >
>> >
>> > On Mon, Apr 28, 2014 at 4:58 PM, Junaid Shah <[email protected]> wrote:
>> >
>> >> Hi All,
>> >>
>> >> I have purchased the LAM Pro version so that the users can reset the
>> >> password. I was trying to set up the ldap schema as mentioned in the
>> >> OpenLDAP-manager documentation.
>> >>
>> >> I couldn't get it to work and now I can't even restart my slapd.
>> >>
>> >> I am new to OpenLDAP, please help me.
>> >>
>> >> Here is the error I am seeing now,
>> >>
>> >> [root@openldap-server cn=schema]# /etc/init.d/slapd restart
>> >> Stopping slapd:                                            [FAILED]
>> >> Checking configuration files for slapd:                    [FAILED]
>> >> config error processing cn={12}passwordSelfReset,cn=schema,cn=config:
>> >> slaptest: bad configuration file!
>> >>
>> >> Thanks,
>> >> Junaid
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>>
>
>
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
