I'm running slapd 2.4.12 on fedora10.
I can't figure out where to continue looking after trying for 3 days. When no ACL are inserted into slapd.conf in Test 1 Simple Bind with SASL succeeds. When I inserted ACL into slapd.conf in Test 2 Simple Bind with SASL fails. Simple Bind without SASL succeeds in Test 1 and Test 2.
I have two test setups. Difference, test 1 has NO ACL and test 2 has ACL
Test No. 1 1.1. bare-bones slapd.conf 1.2. SASL 1.3.1 #ldapsearch -x -D "cn=Jose Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL 1.3.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL
1.3.1 successcul 1.3.2 successful
Test No. 2 2.1.bare-bones slapd.conf 2.2. SASL 2.3. ACL 2.4.1 #ldapsearch -x -D "cn=Jose Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL 2.4.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL
Test 2.4.1 successful Test 2.4.2 Not successful
with the following message SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49)
Test 1 slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # TLSCACertificateFile /etc/CA/cacert.pem TLSCertificateFile /etc/pki/tls/newcert.pem TLSCertificateKeyFile /etc/pki/tls/newkey.pem password-hash {CLEARTEXT} # authz-regexp "uid=([^,]*),cn=digest-md5,cn=auth" "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)" authz-regexp "uid=([^,]*),cn=cram-md5,cn=auth" "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)" # database bdb suffix "dc=example,dc=com,dc=au" rootdn "cn=Manager,dc=example,dc=com,dc=au" rootpw secret directory /var/lib/ldap database monitor #
Test 2 slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # TLSCACertificateFile /etc/CA/cacert.pem TLSCertificateFile /etc/pki/tls/newcert.pem TLSCertificateKeyFile /etc/pki/tls/newkey.pem password-hash {CLEARTEXT} # # ACL1 access to attrs=userpassword by self write by anonymous auth by group.exact="cn=admingroup,ou=groups,dc=example,dc=com,dc=au" write by * none # ACL2 access to attrs=carlicense,homepostaladdress,homephone by self write by group.exact="cn=salesgroup,ou=groups,dc=example,dc=com,dc=au" write by * none # ACL3 access to * by self write by group.exact="cn=itgroup,ou=groups,dc=example,dc=com,dc=au" write by users read by * none # authz-regexp "uid=([^,]*),cn=digest-md5,cn=auth" "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)" authz-regexp "uid=([^,]*),cn=cram-md5,cn=auth" "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)" # database bdb suffix "dc=example,dc=com,dc=au" rootdn "cn=Manager,dc=example,dc=com,dc=au" rootpw secret directory /var/lib/ldap database monitor
Here's my ldif
dn: dc=example,dc=com,dc=au dc: example description: Example, Pty Ltd. objectClass: dcObject objectClass: organization o: Example, Inc.
dn: ou=people,dc=example,dc=com,dc=au ou: people description: All people in organisation objectClass: organizationalUnit
dn: cn=John Short,ou=people,dc=example,dc=com,dc=au objectClass: inetOrgPerson cn: John Short cn: John R Short cn: Johnny Short sn: short uid: jshort userPassword:: anNoMHJ0 carLicense: BCW-25F homePhone: 029686822 mail: j.short@example.com.au mail: jshort@example.com.au mail: johnny.short@example.com.au description:: TWFuYWdlciA= ou: admingroup
dn: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au objectClass: inetOrgPerson cn: Jose Gonzales cn: Jose G Gonzales sn: Gonzales uid: jgonzales userPassword:: amcwbnpv carLicense: SGO 124 homePhone: 555-111-2223 mail: j.gonzales@example.com.au mail: jgonzales@example.com.au mail: jose.gonzales@example.com.au ou: salesgroup
dn: cn=Shanana Gonzales,ou=people,dc=example,dc=com,dc=au objectClass: inetOrgPerson cn: Shanana Gonzales sn: gonzales uid: sgonzales userPassword:: c2cwbnpv carLicense: SGO 125 homePhone: 555-111-2225 mail: s.gonzales@example.com.au mail: sgonzales@example.com.au mail: shanana.gonzales@example.com.au ou: itgroup
dn: ou=groups,dc=example,dc=com,dc=au objectClass: organizationalUnit ou: groups description:: Z3JvdXBzIA==
dn: cn=admingroup,ou=groups,dc=example,dc=com,dc=au objectClass: groupOfNames cn: admingroup description: Administration member: cn=John Short,ou=people,dc=example,dc=com,dc=au
dn: cn=salesgroup,ou=groups,dc=example,dc=com,dc=au objectClass: groupOfNames cn: salesgroup description: Sales group member: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au
openldap-software@openldap.org