Between Roy and Kurt's replies, I think I have enough information to go forward.
It is now very apparent to me that I went off-topic by including portions of an ldap.conf that had nss configuration directives in it. I apologize for going off-topic -- I did not do so intentionally.
On 27-Jun-06, at 2:32 PM, Roy Ledochowski wrote:
Jason--
I'm not quite certain what you're trying to do, but if it's setup nss_ldap and pam_ldap to use a proxy user for those libraries. nss_ldap & pam_ldap are the client libraries which Linux (dunno about FreeBSD & other PC *nix use) uses for LDAP user authentication & authorization. These libraries use /etc/ldap.conf (on Redhat) and /etc/libnss-ldap.conf & /etc/libpam.conf (on Debian). nss_ldap & pam_ldap use /etc/ldap.secret for rootbinddn's pwd. These files are configured at build time.
That being said, the openLDAP client libraries & binaries such as ldapsearch, ldappasswd, etc, also use ldap.conf, but it's a *different file*. On Redhat it's in /etc/openldap. On Debian it's in /etc/ldap. Point is, you have to configure the right one for the right task. openLDAP does not use /etc/ldap.secret.
Your ACL needs a bit of help: access to attrs=userPassword by dn="cn=Proxyuser,dc=example,dc=ca" read
-->you also need at least "by * auth". There is an implied "by * none" at the end of each access directive.
Rootbinddn is how nss_ldap will bind to do "root" operations. This functions pretty much like passwd & group. Users can read but root (=proxy) can edit. Binddn if I remember right is for proxy users if you do not allow anonymous binds.
For your ldapsearch, I notice that you are trying to bind as your proxy user but did not includ a password or server to bind to it probably failed probably because A) your ldap.conf wasn't configured correctly (no URL or HOST directive. This is the default server to bind to) B) you didn't include a passwd (-w or -W) C) If you are not using SASL (ie only simple binds), you need the - x switch.
Hope that helps, roy
Jason Lixfeld jason+lists.openldap@lixfeld.ca Sent by: owner-openldap-software@OpenLDAP.org 06/27/2006 09:38 AM
To OpenLDAP software list openldap-software@OpenLDAP.org cc Subject Trying to figure out access policies
I think I'm somewhat versed in the basics of OpenLDAP, but the concept of access policies eludes me because they are far beyond my current level of comprehension. That being said, I'm doing some trial by fire to try to make sense of how they work and hopefully will then be able to relate some of what I read in the manual to what I've made happen in tests...
I'm trying to get a proxyuser working so I don't have to do everything as Manager.
I put this entry into my slapd.conf as per some tutorials I read:
access to attrs=userPassword by dn="cn=Proxyuser,dc=example,dc=ca" read
and likewise, these entries into my ldap.conf:
binddn cn=Proxyuser,dc=example,dc=ca bindpw **** rootbinddn cn=Proxyuser,dc=example,dc=ca
and finally, the Proxyuser password in /etc/ldap.secret.
Being unsure if the lookups for ldap.conf and ldap.secret is in /etc or /usr/local/etc (Using a FreeBSD system here), I symlinked each so they are available in both locations.
After that was all said and done, I restarted slapd and tried to do a search using the proxyuser as the binddn:
# ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b 'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword Enter LDAP Password: ldap_bind: Invalid credentials (49)
# all.log Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from IP=127.0.0.1:54632 (IP=0.0.0.0:389) Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND dn="cn=Proxyuser,dc=example,dc=ca" method=128 Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97 err=49 text= Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed (connection lost)
It would seem to me that it's not complaining about the password, so I assume it's complaining about the access entry in slapd.conf. I removed the access entry from slapd.conf and was able to perform the same search as above without a problem.
Anyone have any pointers on what I can look at as the source of this problem?
Also, I'm a little confused about the difference between binddn and rootbinddn. If I understand correctly, rootbinddn is the DN used to bind if the user executing the command is root, while binddn is the DN used to bind if the user executing the command is any user other than root. Is this correct? I ask because if I run ldapsearch as root with no additional arguments and check the logs, it seems to bind anonymously so I'm not sure if my understanding of binddn vs. rootbinddn is correct:
Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from IP=127.0.0.1:58244 (IP=0.0.0.0:389) Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128 Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0 text= Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=*)" Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text= Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed
Thanks in advance for any insight on either or both of these points...