Yeah, I am going to do the SSL next. I feel uneasy with it like this.

On Aug 14, 2006, at 10:50 AM, Brian Woods wrote:

I added it, above the other one. Got the same error. Then I removed the other one and tried it again. Same error. I assure you I am typing in the right password =).

access to attrs=userPassword
        by * auth


#access to *
#        by self                 write
#        by users                read
#        by *                    none



On Aug 14, 2006, at 10:23 AM, Francis Swasey wrote:

You should put something like:

access to attrs=userPassword
by * auth

ahead of the one you do have (as recommended in the slapd.conf man page).  Of course, you should also require ssl or better security (see the slapd.access man page and reference the use of ssf values) or you're no better than telnet in protecting the passwords.

Frank

On 8/14/06 11:12 AM, Brian Woods wrote:
Yes. That's the only one. What would be the correct ACL to first authenticate?
On Aug 14, 2006, at 10:10 AM, Francis Swasey wrote:
No need to be sorry...

Is that the only ACL you have in the slapd.conf file?  The one that says until you authenticate you can't have access to anything.  The one that would prevent you from ever being able to authenticate as anything other than the rootdn?

Frank

On 8/14/06 11:03 AM, Brian Woods wrote:
Yeah. I did. 1 letter. Sorry.
On Aug 14, 2006, at 9:56 AM, Francis Swasey wrote:
Brian,
  I don't know about you, but I find the userPassword of {c2ypt}418llIS/0PwL. (which is what the base64 string you posted decodes as) to be a little suspect.

  I don't know what the c2ypt method is -- or did you obfuscate that password?
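Two checks from this thread, worked through in code: Frank's point that the `access to attrs=userPassword by * auth` rule only helps when it is listed ahead of the catch-all (slapd uses the first matching `access to` directive, then the first matching `by` clause inside it), and his decode of the posted `userPassword::` value to look at its hash scheme. This is an added example written for this page; it is not code from the thread, from OpenLDAP, or from any of the posters. It is a small model of slapd.access(5) semantics, not the real evaluator; the `min_ssf` field models the `by ssf=<n> ...` qualifier Frank mentions, and the deny-when-nothing-matches default and the hardened ACL variant are the example's own assumptions.

```python
"""Model of slapd first-match ACL evaluation (slapd.access(5)): the first
"access to" whose target matches is selected, and within it the first "by"
whose requester matches decides the access level. Added example for this
thread; not code from the thread, from OpenLDAP, or from any poster.
"""
import base64
import re

# slapd access levels, weakest to strongest; a grant implies all levels below.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def level_at_least(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)


# A directive is (what, [(who, min_ssf, level), ...]).
# what: "*" or "attrs=<name>"; who: "*", "anonymous", "users" or "self";
# min_ssf models the `by ssf=<n> ...` qualifier (0 = no requirement).
CATCH_ALL = ("*", [("self", 0, "write"), ("users", 0, "read"), ("*", 0, "none")])

# The only ACL in the posted slapd.conf.
ORIGINAL_ACL = [CATCH_ALL]

# Frank's fix: the userPassword/auth rule placed ahead of the catch-all.
FIXED_ACL = [("attrs=userPassword", [("*", 0, "auth")]), CATCH_ALL]

# The same rule placed after the catch-all: never reached for userPassword.
WRONG_ORDER_ACL = [CATCH_ALL, ("attrs=userPassword", [("*", 0, "auth")])]

# Assumed variant (not from the thread): users may change their own password,
# and a protected connection (ssf >= 128) is required before anyone can
# authenticate at all.
HARDENED_ACL = [
    ("attrs=userPassword", [("self", 128, "write"), ("*", 128, "auth")]),
    CATCH_ALL,
]


def what_matches(what, attr):
    return what == "*" or what == f"attrs={attr}"


def who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target_dn
    raise ValueError(f"unknown who clause: {who}")


def access_for(acl, requester, ssf, target_dn, attr):
    """Return the access level `requester` (None = anonymous, else a DN)
    gets on `attr` of `target_dn` over a connection of strength `ssf`."""
    for what, by_clauses in acl:
        if not what_matches(what, attr):
            continue
        for who, min_ssf, level in by_clauses:
            # An unmet ssf requirement makes the clause not match; slapd
            # then tries the next "by" clause rather than stopping.
            if who_matches(who, requester, target_dn) and ssf >= min_ssf:
                return level
        return "none"  # matching directive, no matching "by": denied
    return "none"  # modelled as deny when no directive matches at all


def simple_bind_allowed(acl, bind_dn, ssf=0):
    """A simple bind is evaluated as anonymous and needs 'auth' access to
    the target entry's userPassword; otherwise slapd answers
    'Invalid credentials (49)' whatever the password was."""
    return level_at_least(access_for(acl, None, ssf, bind_dn, "userPassword"), "auth")


KNOWN_SCHEMES = {"{CRYPT}", "{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CLEARTEXT}"}


def password_scheme(ldif_b64):
    """Decode a 'userPassword::' LDIF value and report its hash scheme,
    the check Frank did by hand on the posted entry."""
    raw = base64.b64decode(ldif_b64).decode("ascii")
    m = re.match(r"\{([^}]+)\}", raw)
    scheme = "{" + m.group(1).upper() + "}" if m else None
    return scheme, scheme in KNOWN_SCHEMES


if __name__ == "__main__":
    user = "uid=first.last,o=Organization"  # the sample entry's DN
    for name, acl in [("original", ORIGINAL_ACL), ("fixed", FIXED_ACL),
                      ("wrong order", WRONG_ORDER_ACL)]:
        print(f"{name:12s} simple bind allowed: {simple_bind_allowed(acl, user)}")
    print("hardened, cleartext:", simple_bind_allowed(HARDENED_ACL, user, ssf=0))
    print("hardened, ssf=128:  ", simple_bind_allowed(HARDENED_ACL, user, ssf=128))
    print("self on own userPassword (fixed):   ",
          access_for(FIXED_ACL, user, 0, user, "userPassword"))
    print("self on own userPassword (hardened):",
          access_for(HARDENED_ACL, user, 128, user, "userPassword"))
    # Value taken from the sample entry posted in the thread.
    print(password_scheme("e2MyeXB0fTQxOGxsSVMvMFB3TC4="))
```

Running it shows the bind succeeding only under `FIXED_ACL` and, for the hardened variant, only on a connection with ssf 128 or better. One side effect of the rule exactly as suggested is visible in the model: with `by * auth` as the only clause, the user gets just `auth` on their own `userPassword`, so password self-service needs a `by self write` clause listed before `by * auth`, as the assumed hardened variant does. The decoded sample value comes back as `{C2YPT}`, which is not a scheme slapd knows, matching Frank's observation.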


On 8/14/06 10:45 AM, Brian Woods wrote:
Yes, there is. Here is a sample user to look at plus part of the slapd.conf with the ACL.
Here is a sample user:
---------------------------------------------------
dn: uid=first.last,o=Organization
uid: first.last
uidNumber: 51216
creatorName: joshua.jackson
createTime: 200608041732Z
structuralObjectClass: caseRecord
entryUUID: 337ce902-b854-102a-8915-ab9b99587a82
creatorsName: cn=admin,o=Organization
createTimestamp: 20060804222747Z
objectClass: caseUser
objectClass: faculty
objectClass: posixAccount
objectClass: sambaAccount
objectClass: BGIUser
objectClass: caseRecord
userPassword:: e2MyeXB0fTQxOGxsSVMvMFB3TC4=
lmPassword: B4942B3EED537F1E1D71060D896B7A46
ntPassword: 6A223CDEE99D3DFC2C0B20D230E4DDAC
sn: Last
givenName: First
gender: M
gidNumber: 123456
loginShell: /bin/false
homeDirectory: /Volumes/HomeDir
cn: First Last
rid: 1
entryCSN: 20060804222844Z#000001#00#000000
modifiersName: cn=admin,o=Organization
modifyTimestamp: 20060804222844Z
....portion of slapd.conf
------------------------------------------------------
access to *
        by self                 write
        by users                read
        by *                    none
SIZELIMIT       2000
allow bind_v2
database        bdb
suffix          "o=Organization"
rootdn          "cn=admin,o=Organization"
rootpw          xxxxx
directory       /var/openldap
# Indices to maintain
index   objectClass     eq
index   uid             sub
index   uidNumber       eq
index   attrName        eq
index   objName         eq
index   sessionID       eq
On Aug 14, 2006, at 9:27 AM, Adam Tauno Williams wrote:
On Mon, 2006-08-14 at 09:16 -0500, Brian Woods wrote:
I am trying to authenticate users; I am unable to bind using the uid
in the dn...
# ldapsearch -x -D "uid=user,o=organization"  -w pass
ldap_bind: Invalid credentials (49)

Does "uid=user,o=organization" actually exist?


I am sure the password is correct. If I use the rootdn, it works.
If anyone could help me here, it would be appreciated.



---
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Sr Systems Administrator        | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
  "I am not young enough to know everything." - Oscar Wilde (1854-1900)

---
You are currently subscribed to ldap@umich.edu as: [[EMAIL PROTECTED]]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.





Brian Woods
System Administrator
The Kinkaid School



