First of all, I'm stripping the message a bit.
On Thu, Jul 17, 2003 at 03:47:56PM -0400, Chris Shenton wrote:
> I'm setting up a qmail-ldap using qmail-ldap-1.03-20030501.patch.gz
> and working out the qmail/ldap interactions. It seems to work fine if
> I have /var/qmail/control/ldaprebind set to 0, but fail if set to 1.
>
<SNIP>
> => acl_mask: access to entry "cn=Chris Shenton-1,ou=Headquarters,o=National
> Aeronautics and Space Administration,c=US", attr "userPassword" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: cn=Manager,ou=Headquarters,o=National Aeronautics and Space
> Administration,c=US
> => string_expand: pattern: cn=Manager,ou=Headquarters,o=National Aeronautics and
> Space Administration,c=US
> => string_expand: expanded: cn=Manager,ou=Headquarters,o=National Aeronautics and
> Space Administration,c=US
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> <= check a_dn_pat: cn=qmail,ou=Headquarters,o=National Aeronautics and Space
> Administration,c=US
> => string_expand: pattern: cn=qmail,ou=Headquarters,o=National Aeronautics and
> Space Administration,c=US
> => string_expand: expanded: cn=qmail,ou=Headquarters,o=National Aeronautics and
> Space Administration,c=US
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> <= check a_dn_pat: self
> <= check a_dn_pat: *
> <= acl_mask: [4] applying auth (=x) (stop)
> <= acl_mask: [4] mask: auth (=x)
> => access_allowed: auth access granted by auth (=x)
> send_ldap_result: conn=1 op=2 p=3
> send_ldap_response: msgid=3 tag=97 err=49
> ====> cache_return_entry_r( 8 ): returned (0)
OK, as we see, auth access is granted (it is the * entry that matches; the
self entry is not a match because the user is not yet authenticated).
Now the response is err=49; LDAP error 49 is LDAP_INVALID_CREDENTIALS.
So probably there is a problem with the hash algorithm. Can you try some
other digests like MD5 or (gack) crypt?
> Here's the DB and ACL portion of my slapd.conf:
>
slapd.conf seems to be OK.
>
> I've checked the OpenLDAP Admin Guide for version 2.0 (I'm running
> 2.0.77 presently) and can't see any obvious syntax problems.
>
The OpenLDAP Admin Guide is a bit unclear about "access to attr" and "...
attrs"; they use both versions all over the document, but I think that
"attrs" is correct.
> Any pointers or suggestions?
IMHO the ACL settings are OK; there is a more fundamental problem
with the {SHA} salt. I just checked it with one of my servers and there it
fails too. I will have a look at it.
--
:wq Claudio