Re: Problem when trying to authenticate squid with openldap server

Fri, 26 Nov 2010 09:20:24 -0800 

Solved!

I used the tip written in http://www.openldap.org/faq/data/cache/320.html,
as Dieter Kluenter recommended:


access to attr=userpassword
    by self =xw
    by anonymous auth

  access to *
    by self write
    by users read


Now I can go back to squid and DansGuardian tunning. =D


Thanks Dieter and Buchan. ;D


On Fri, Nov 26, 2010 at 10:53 AM, Dieter Kluenter <[email protected]>wrote:

> Bruno Lamps <[email protected]> writes:
>
> > Hi,
> >
> > Thanks Dieter Kluenter and Buchan Milne for answering to this, and
> everyone else that is reading this topic. =D
> >
> >     It seems your ACLs are not sufficient for *any* simple binds to this
> DN.
> >
> >     Please test the following on your LDAP server:
> >
> >     $ ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W
> >
> >     Until this command works, please don't bother with anything related
> to squid.
> >
> > Right, this command isn't working for any user, except
> cn=admin,dc=pisolar. I'm struggling with /etc/ldap/slapd.conf, to
> > solve this. I probably tried to make the ACLs a bit too tight, and now
> they're choking me. =p
> >
> >     Did you ever test simple binds to your LDAP server as these users
> except from
> >
> >     squid? It doesn't seem like it ...
> >
> > I use this ldap base to authenticate my GLPI () system. But I think GLPI
> just grab all my base, using the ldap admin
> > password, and transports it to it's mysql database. =/
> >
> > I'm currently testing different ACLs in /etc/ldap/slapd.conf. Right now,
> these are the rules:
> >
> > access to *
> > by dn="cn=admin,dc=pisolar" write
> > #by anonymous none
> > #by self none
> > by * read
> >
> > access to attrs=userPassword,shadowLastChange
> > by dn="cn=admin,dc=pisolar" write
> > by anonymous auth
> > by self write
> > by * none
> >
> > access to dn.base="" by * read
> >
> > What kind of mistake am I doing there? =S
>
> man slapd.access(5)
> http://www.openldap.org/doc/admin24/access-control.html
> http://www.openldap.org/faq/data/cache/189.html
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://dkluenter.de
> GPG Key ID:8EF7B6C6
> 53°37'09,95"N
> 10°08'02,42"E
>

Reply via email to