Maybe this will help as well:
@(#) $OpenLDAP: slapd 2.2.24 (Mar 31 2005 14:58:42) $
and some debug info
=> acl_mask: access to entry "uid=first,o=Organization", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying auth(=x) (stop)
<= acl_mask: [1] mask: auth(=x)
=> access_allowed: auth access granted by auth(=x)
send_ldap_result: conn=10 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush: 14 bytes to sd 10
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00        0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00        0....a...1....
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=10
connection_read(10): checking for input on id=10
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=10, closing.
connection_closing: readying conn=10 sd=10 for close
connection_close: conn=10 sd=10
On Aug 14, 2006, at 10:52 AM, Brian Woods wrote:
Yeah, I am going to do the SSL next. I feel uneasy with it like this.

On Aug 14, 2006, at 10:50 AM, Brian Woods wrote:
I added it, above the other one. Got the same error. Then I removed the other one and tried it again. Same error. I assure you I am typing in the right password =).

access to attrs=userPassword by * auth

#access to *
#    by self write
#    by users read
#    by * none
On Aug 14, 2006, at 10:23 AM, Francis Swasey wrote: You should put something like:
access to attrs=userPassword by * auth
ahead of the one you do have (as recommended in the slapd.conf man page). Of course, you should also require ssl or better security (see the slapd.access man page and reference the use of ssf values) or you're no better than telnet in protecting the passwords.
Frank
On 8/14/06 11:12 AM, Brian Woods wrote:
Yes. That's the only one. What would be the correct ACL to first authenticate?

On Aug 14, 2006, at 10:10 AM, Francis Swasey wrote:
No need to be sorry...
Is that the only ACL you have in the slapd.conf file? The one that says until you authenticate you can't have access to anything. The one that would prevent you from ever being able to authenticate as anything other than the rootdn?
Frank
On 8/14/06 11:03 AM, Brian Woods wrote:
Yeah. I did. 1 letter. Sorry.

On Aug 14, 2006, at 9:56 AM, Francis Swasey wrote:
Brian, I don't know about you, but I find the userPassword of {c2ypt}418llIS/0PwL. (which is what the base64 string you posted decodes as) to be a little suspect.
I don't know what the c2ypt method is -- or did you obfuscate that password?
On 8/14/06 10:45 AM, Brian Woods wrote:
Yes, there is. Here is a sample user to look at plus part of the slapd.conf with the ACL.

Here is a sample user:
---------------------------------------------------
dn: uid=first.last,o=Organization
uid: first.last
uidNumber: 51216
creatorName: joshua.jackson
createTime: 200608041732Z
structuralObjectClass: caseRecord
entryUUID: 337ce902-b854-102a-8915-ab9b99587a82
creatorsName: cn=admin,o=Organization
createTimestamp: 20060804222747Z
objectClass: caseUser
objectClass: faculty
objectClass: posixAccount
objectClass: sambaAccount
objectClass: BGIUser
objectClass: caseRecord
userPassword:: e2MyeXB0fTQxOGxsSVMvMFB3TC4=
lmPassword: B4942B3EED537F1E1D71060D896B7A46
ntPassword: 6A223CDEE99D3DFC2C0B20D230E4DDAC
sn: Last
givenName: First
gender: M
gidNumber: 123456
loginShell: /bin/false
homeDirectory: /Volumes/HomeDir
cn: First Last
rid: 1
entryCSN: 20060804222844Z#000001#00#000000
modifiersName: cn=admin,o=Organization
modifyTimestamp: 20060804222844Z

....portion of slapd.conf
------------------------------------------------------
access to *
    by self write
    by users read
    by * none

SIZELIMIT 2000
allow bind_v2

database bdb
suffix "o=Organization"
rootdn "cn=admin,o=Organization"
rootpw xxxxx
directory /var/openldap

# Indices to maintain
index objectClass eq
index uid sub
index uidNumber eq
index attrName eq
index objName eq
index sessionID eq

On Aug 14, 2006, at 9:27 AM, Adam Tauno Williams wrote:
On Mon, 2006-08-14 at 09:16 -0500, Brian Woods wrote:
I am trying to authenticate users. I am unable to bind using the uid in the dn...

# ldapsearch -x -D "uid=user,o=organization" -w pass
ldap_bind: Invalid credentials (49)
Does "uid=user,o=organization" actually exist?
I am sure the password is correct. If i use the rootdn, it works. If anyone could help me here. Would be appreciated.
--
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont    | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
Brian Woods
System Administrator
The Kinkaid School

---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the SUBJECT of the message.
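The fix Frank describes, written out as an added slapd.conf fragment; this is not text from the thread or from the OpenLDAP project. The "weak" section is the single rule Brian posted. The corrected section assumes TLS is already configured for slapd elsewhere in the file (TLSCertificateFile and friends) and uses the global security directive documented in slapd.conf(5), with simple_bind=128 chosen here as an assumed minimum strength; the per-clause ssf= form Frank mentions from slapd.access(5) would also work.

```conf
# --- Weak: what the thread started with --------------------------------
# slapd evaluates "access to" clauses in order and stops at the first one
# whose target matches. For an anonymous simple bind the target is the
# userPassword attribute of the bind DN. This clause matches it, the
# unauthenticated client is neither "self" nor "users", so "by * none"
# applies, slapd never gets to compare the password, and the client
# sees err=49 Invalid credentials even when the password is right.
# Only the rootdn, which bypasses ACLs, can still bind.
access to *
    by self write
    by users read
    by * none

# --- Corrected -----------------------------------------------------------
# 1. Refuse simple binds unless the connection already has a security
#    strength factor of at least 128 (TLS with a 128-bit or stronger
#    cipher). Without this the password crosses the wire in clear text,
#    no matter how the ACLs are written. Applies to the rootdn too.
#    (Assumed value; pick what your TLS configuration can provide.)
security simple_bind=128

# 2. Password attribute first, as slapd.conf(5) recommends. The entry
#    owner may change it, an unauthenticated client may only have it
#    compared during bind ("auth" grants compare, not read), and nobody
#    else may touch it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 3. Everything else keeps the original policy, now reachable because
#    users can actually authenticate.
access to *
    by self write
    by users read
    by * none
```

To check it, bind over TLS as an ordinary entry from the thread, for example `ldapsearch -x -ZZ -D "uid=first.last,o=Organization" -W -b "o=Organization" "(uid=first.last)"`; the search should succeed. Repeating it without `-ZZ` should now fail with `Confidentiality required (13)` instead of quietly sending the password in the clear, and an authenticated bind as a different user should return the entry without its userPassword value (note that "by self write" still lets an entry read back its own hash; use "by self =xw" if you want to forbid even that).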