access
by Friedrich Locke
Dear list members,
I would like to use OpenLDAP for the Unix users and groups of my local
network. I started studying the OpenLDAP access mechanism yesterday, and I
am a little confused.
I am writing in order to get some help for a single scenario I would
like to share with you.
My users will be below ou=users,dc=ufv,dc=br.
I would like to write an access rule for the following.
User X had complete access to his/her entry:
cn=X,dc=ufv,dc=br
but only read access to the other entries below dc=ufv,dc=br.
How could this access be implemented? Is it possible?
Thanks a lot for your time and support.
Fried.
11 years, 9 months
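An added example of how this request is usually written as slapd ACLs; it is mine, not part of the post or of the OpenLDAP documentation. It assumes a cn=config setup with the user database at olcDatabase={1}hdb and entries named uid=X,ou=users,dc=ufv,dc=br (the post mentions both ou=users and cn=X,dc=ufv,dc=br; adjust the database RDN, the naming attribute and the suffix). "Complete access" to one's own entry is deliberately not granted literally: a posixAccount that can write its own uidNumber, gidNumber or objectClass can make itself uid 0 on every client that resolves users from this directory, and self write on the entry pseudo-attribute would let a user rename or delete their own account. So the owner gets write on everything else, authenticated users get read, and anonymous gets nothing except the right to authenticate. If your NSS clients do anonymous lookups, change `by users read` to `by * read` in rules 1 to 3 but keep rule 0 as it is.

```ldif
# Added example, not from the original post. Assumes cn=config with the
# user database at olcDatabase={1}hdb and users named
# uid=X,ou=users,dc=ufv,dc=br; adjust the database RDN and the suffix.
#
# slapd evaluates rules in order: the first rule whose "to" part matches
# the target attribute/entry is the only one consulted, and inside it the
# first "by" clause that matches the requester decides. Specific rules
# therefore have to come before the general ones.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=users,dc=ufv,dc=br"
  attrs=uid,uidNumber,gidNumber,objectClass,entry
  by users read
  by * none
olcAccess: {2}to dn.subtree="ou=users,dc=ufv,dc=br"
  by self write
  by users read
  by * none
olcAccess: {3}to *
  by users read
  by * none
```

Rule 0 lets the owner set the password and lets an anonymous simple bind use it for authentication without ever reading the hash. Rule 1 pins the identity attributes (and the entry itself) to read-only for everybody but the rootdn, which is not subject to ACLs. Rule 2 is the "complete access to my own entry" part for everything that is left, and rule 3 makes the rest of dc=ufv,dc=br read-only. Load it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` on the server and check the result with `slapacl -b uid=X,ou=users,dc=ufv,dc=br -D uid=X,ou=users,dc=ufv,dc=br uidNumber/write`, which must report denied.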
LDAP-Proxy: backend inaccessible via ldaps (w/o proxy no errors)
by Jahnke-Zumbusch, Dirk
Hi all,
I would like to use the proxy features (and as soon as this works
for me also some kind of rewriting / mapping) with openldap 2.4.25:
./configure --prefix=/scratch/openldap \
--with-tls=openssl \
--enable-meta \
--enable-ldap \
--enable-rewrite \
--enable-rwm \
--enable-bdb \
--enable-overlays \
--enable-perl \
--enable-shell
make install...
I can access one LDAP backend via ldap://, but not the other one (Active
Directory) via ldaps://.
What works fine is
1. ldapsearch for LDAP-Tree-1 / Server-1:
=========================================
Direct access to LDAP server:
-----------------------------
ldapsearch -x -H ldap://ldap-server-1 -b 'ou=OU1,o=desy,c=de' '(mail=*)' | fgrep num
# numResponses: 7
# numEntries: 6
and using the proxy:
-----------------------------
ldapsearch -x -H ldap://ldap-proxy -b 'ou=OU1,o=desy,c=de' '(mail=*)' | fgrep num
# numResponses: 7
# numEntries: 6
(This tree is rather small.)
What is not working is
2. ldapsearch for Active-Directory / Server-2:
==============================================
Direct Access to AD-Server
-----------------------------
ldapsearch -x -H ldaps://domain-controller \
-D CN=accountname,OU=...,OU=...,OU=...,DC=desy,DC=de \
-W \
-b 'ou=ou1,...,dc=desy,dc=de' \
'(samaccountname=testuser)' | fgrep num
Enter LDAP Password:
# numResponses: 2
# numEntries: 1
Doing the same via the proxy fails:
-----------------------------------
ldapsearch -x -H ldap://ldap-proxy -b 'ou=...,...,dc=desy,dc=de'
# extended LDIF
#
# LDAPv3
# base <ou=...,...,dc=desy,dc=de> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 48 Inappropriate authentication
# numResponses: 1
I would like to understand why this fails.
slapd.conf is like this
----------
include /scratch/openldap/etc/openldap/schema/core.schema
include /scratch/openldap/etc/openldap/schema/cosine.schema
include /scratch/openldap/etc/openldap/schema/inetorgperson.schema
idletimeout 120
pidfile /scratch/openldap/var/run/slapd.pid
argsfile /scratch/openldap/var/run/slapd.args
# -- 1st LDAP-backend, the one which works, see 1. above
database ldap
uri ldap://ldap-server-1:portnumber/
suffix "ou=ouA,o=desy,c=de"
# -- 2nd LDAP-/Active-Directory-backend, that one, which fails
database ldap
suffix "ou=OU1,...,dc=desy,dc=de"
uri ldaps://domain-controller/
acl-bind bindmethod=simple binddn="CN=...,DC=desy,DC=de" credentials=TopSecret
idassert-bind bindmethod=simple binddn="CN=...,DC=desy,DC=de" credentials=TopSecret mode=none tls_cacertdir=/etc/pki/tls/certs tls_reqcert=never tls_crlcheck=none
idle-timeout 1800
rebind-as-user yes
# -- just to make sure for now that I will see everything
access to * by * read
# === END OF SLAPD.CONF ===
When I strace slapd with "-e trace=file -f", I cannot see any file in
tls_cacertdir being read, but I would have expected that.
Any directions on what I should be looking for now?
Kind regards,
Dirk
--
Dirk Jahnke-Zumbusch
Deutsches Elektronen-Synchrotron DESY, IT Information Fabrics
Member of the Helmholtz Association
Notkestrasse 85, 22607 Hamburg (postal address: D-22603 Hamburg)
T: +49-40-899.81760 F: +49-40-899.41760 dirk.jahnke-zumbusch(a)desy.de
11 years, 9 months
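An added example, written by the editor and not taken from the post or from the OpenLDAP project: the second (Active Directory) back-ldap database from the slapd.conf above, expressed as a cn=config entry with the three settings a security review of the posted file would flag. `tls_reqcert=never` switches off verification of the domain controller's certificate, so anyone who can sit on the path can terminate the ldaps:// session and collect the service account's simple-bind password; `demand` plus the CA that issued the DC certificate fixes that. `idassert-bind ... mode=none` without an `idassert-authzFrom` rule proxies every client as the service account, anonymous clients included (as I read slapd-ldap(5), the assertion is available to all local identities when no authzFrom rule is given), so the example drops the assertion and lets clients bind through the proxy with their own AD credentials via `rebind-as-user`; if some clients genuinely must be mapped onto the service account, add the idassert directives back together with an `olcDbIDAssertAuthzFrom` naming exactly those identities. And `access to * by * read` on the proxy lets anonymous clients walk the AD subtree with whatever rights the service account has, so it becomes read for authenticated users only. It is also worth noting, when comparing the two tests in the post, that the direct AD search bound with -D while the failing search through the proxy was anonymous. The database index {2}, the CA bundle path and the file name are assumptions; the `ldaps` keyword on olcDbStartTLS (TLS options for ldaps:// URIs) should be checked against slapd-ldap(5) for your release, and if your build lacks it the same TLS_CACERT/TLS_REQCERT settings can go into the libldap ldap.conf that slapd reads for outgoing connections.

```ldif
# Added example, not the poster's configuration. cn=config form of the
# second back-ldap database from the post with TLS verification turned
# on, identity assertion removed, and anonymous read removed.
# Assumed: the {2} database index, the CA bundle path below (the CA that
# signed the domain controller's certificate), and "ldaps" being accepted
# by olcDbStartTLS on this release (see slapd-ldap(5)).
dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: ou=OU1,...,dc=desy,dc=de
olcDbURI: ldaps://domain-controller/
# Verify the DC certificate against a pinned CA instead of "never".
olcDbStartTLS: ldaps tls_cacert=/etc/pki/tls/certs/desy-ad-ca.pem tls_reqcert=demand
# Service account used only when slapd has to fetch an entry to evaluate
# ACLs. Keep slapd.d (or slapd.conf) readable by the slapd user alone,
# since the credentials are stored in clear.
olcDbACLBind: bindmethod=simple binddn="CN=...,DC=desy,DC=de" credentials=TopSecret
# Clients bind through the proxy with their own AD credentials and their
# searches are performed with those credentials on the DC.
olcDbRebindAsUser: TRUE
olcDbIdleTimeout: 1800
# Authenticated clients may read; anonymous clients see nothing.
olcAccess: {0}to * by users read by * none
```

With this in place the check is the same pair of ldapsearch calls as in the post, but the proxied one must also bind: `ldapsearch -x -H ldap://ldap-proxy -D 'CN=accountname,...' -W -b 'ou=ou1,...' '(samaccountname=testuser)'`; an anonymous search through the proxy should now return no entries, and `strace -f -e trace=file` on slapd should show the CA bundle being opened when the first ldaps:// connection to the DC is made.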
ACL caused uidNumber=4294967295 ?
by niko
Hi, I got a weird problem with LDAP & Samba & sssd.
pdbedit -L showed all users having the same uid (4294967295)
ACL :
[root@rhel6 slapd.d]# grep -ir "olcAccess" .
./cn=config/olcDatabase={2}monitor.ldif:olcAccess: {0}to * by
dn.base="cn=manager,dc=my-domain,dc=com" read by * none
./cn=config/olcDatabase={0}config.ldif:olcAccess: {0}to * by * none
./cn=config/olcDatabase={1}bdb.ldif:olcAccess: to * by * read by self write
More details below:
------------------------------
[root@rhel6 cn=config]# pdbedit -L
testsmb:4294967295:testsmb    <sometimes the user testsmb has the correct uid 503, I don't know why>
test2:4294967295:test2
test3:4294967295:test3
[root@rhel6 ~]# getent -s sss passwd
example:*:9999:9999::/home/example:/bin/sh
<sometimes we can get user testsmb here>
[root@rhel6 cn=config]# ldapsearch -x -D "cn=root,dc=rhel6,dc=ldaptest,dc=com" -W
........
# testsmb, rhel6.ldaptest.com
dn: uid=testsmb,dc=rhel6,dc=ldaptest,dc=com
cn: testsmb
uid: testsmb
uidNumber: 503
loginShell: /bin/bash
homeDirectory: /home/testsmb
gidNumber: 500
userPassword:: e2NyeXB0fUFPblQvYkJsbEJTWFk=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: sambaSamAccount
sambaPwdLastSet: 1308553125
sambaPwdCanChange: 1308553125
sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201
sambaLMPassword: 67E272A0267766A117306D272A9441BB
sambaPrimaryGroupSID: 2001
sambaAcctFlags: [U ]
shadowLastChange: 15145
gecos: testsmb
sn: testsmb
sambaSID: S-1-5-21-423381952-115127825-699677302-1004
# test2, rhel6.ldaptest.com
dn: uid=test2,dc=rhel6,dc=ldaptest,dc=com
cn: test2
uid: test2
uidNumber: 504
loginShell: /bin/bash
homeDirectory: /home/test2
gidNumber: 500
userPassword:: e2NyeXB0fVhSbXVGQUd2cHMublE=
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: sambaSamAccount
sambaPwdLastSet: 1308557836
sambaPwdCanChange: 1308557836
sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201
sambaLMPassword: 67E272A0267766A117306D272A9441BB
sambaPrimaryGroupSID: 2001
sambaAcctFlags: [U ]
shadowLastChange: 15145
gecos: test2
sn: test2
sambaSID: S-1-5-21-423381952-115127825-699677302-1005
# example, rhel6.ldaptest.com
dn: uid=example,dc=rhel6,dc=ldaptest,dc=com
cn: Example user
sn: Example user
uid: example
uidNumber: 9999
gidNumber: 9999
loginShell: /bin/sh
homeDirectory: /home/example
objectClass: posixAccount
objectClass: person
userPassword:: KkxLKg==
smb.conf
security = user
passdb backend = ldapsam:ldap://rhel6.ldaptest.com
ldap admin dn = "cn=root,dc=rhel6,dc=ldaptest,dc=com"
ldap suffix = dc=rhel6,dc=ldaptest,dc=com
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap passwd sync = yes
Debug info shown below
slapd debug acl
------------------------------
[root@rhel6 ~]# service slapd start
Starting slapd: @(#) $OpenLDAP: slapd 2.4.19 (Jun 30 2010 03:56:07) $
mockbuild@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.19/openldap-2.4.19/build-servers/servers/slapd
=> access_allowed: search access to "cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn=schema,cn=config" "objectClass"
requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={0}corba,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={1}core,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={2}cosine,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={3}duaconf,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={4}dyngroup,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to
"cn={5}inetorgperson,cn=schema,cn=config" "objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={6}java,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={7}misc,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={8}nis,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={9}openldap,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={10}ppolicy,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={11}collective,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "cn={12}samba,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "olcDatabase={-1}frontend,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
=> access_allowed: search access to "olcDatabase={0}config,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
by * none
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the
ACL scope within backend naming context
=> access_allowed: search access to "olcDatabase={1}bdb,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
by * read
by self write
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the
ACL scope within backend naming context
=> access_allowed: search access to "olcDatabase={2}monitor,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
by dn.base="cn=manager,dc=my-domain,dc=com" read
by * none
/etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the
ACL scope within backend naming context
slapd starting
debug info for "su - test2"
sssd debug info
------------------------------
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_parse_entry] (9):
OriginalDN: [uid=test2,dc=rhel6,dc=ldaptest,dc=com].
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8):
Trace: sh[0x9e08488], connected[1], ops[0x9ea1b10], ldap[0x9e08540]
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_process] (6):
Search for users, returned 1 results.
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8):
Trace: sh[0x9e08488], connected[1], ops[(nil)], ldap[0x9e08540]
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8):
Trace: ldap_result found nothing!
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): start ldb
transaction (nesting: 0)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (9):
Save user
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (2):
User [test2] filtered out! (id out of range)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_users_process]
(2): Failed to store user 0. Ignoring.
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): commit ldb
transaction (nesting: 0)
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_done] (9):
Saving 1 Users - Done
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_remove_timeout] (8): 0x9dcde28
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn:
9DCDF38
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): Dispatching.
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (0,
0, Success) from Data Provider
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No
matching domain found for [test2], fail!
(Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No
results for getpwnam call
(Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
slapd debug info
------------------------------
=> acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr "entry"
requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "dc=rhel6,dc=ldaptest,dc=com" "entry"
requested
=> acl_get: [1] attr entry
=> acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr "entry"
requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"uid" requested
=> acl_get: [1] attr uid
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"uid" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"objectClass" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"entry" requested
=> acl_get: [1] attr entry
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (cn)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"cn" requested
=> acl_get: [1] attr cn
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"cn" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (uid)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"uid" requested
=> acl_get: [1] attr uid
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"uid" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (uidNumber)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"uidNumber" requested
=> acl_get: [1] attr uidNumber
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"uidNumber" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (loginShell)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"loginShell" requested
=> acl_get: [1] attr loginShell
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"loginShell" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (homeDirectory)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"homeDirectory" requested
=> acl_get: [1] attr homeDirectory
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"homeDirectory" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (gidNumber)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"gidNumber" requested
=> acl_get: [1] attr gidNumber
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"gidNumber" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (userPassword)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"userPassword" requested
=> acl_get: [1] attr userPassword
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (objectClass)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"objectClass" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result not in cache (shadowLastChange)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"shadowLastChange" requested
=> acl_get: [1] attr shadowLastChange
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"shadowLastChange" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (gecos)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"gecos" requested
=> acl_get: [1] attr gecos
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"gecos" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (modifyTimestamp)
=> access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com"
"modifyTimestamp" requested
=> acl_get: [1] attr modifyTimestamp
=> acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr
"modifyTimestamp" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
11 years, 9 months
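An added example (mine, not from the post), because two things in the posted ACL deserve fixing whatever turns out to cause the uid problem. slapd stops at the first `by` clause that matches the requester, so in `to * by * read by self write` the `by *` clause always wins and `self write` is dead: users cannot change their own passwords. And `by * read` on `*` lets anonymous binds read userPassword, sambaNTPassword and sambaLMPassword; the ACL trace above shows exactly that (`to value by "", (=0)` followed by `read access granted` on userPassword), and an NT hash is password-equivalent for SMB/NTLM while LM hashes crack in minutes. The LDIF below replaces the single rule on olcDatabase={1}bdb with an ordered set. It assumes cn=root,dc=rhel6,dc=ldaptest,dc=com is the database rootdn (ACLs do not apply to it; if the Samba `ldap admin dn` were a different DN it would need `write` on the password rule) and that NSS/sssd lookups may stay anonymous, as the posted rule allowed. Separately, the sssd line `User [test2] filtered out! (id out of range)` is sssd's own min_id/max_id filter, and 4294967295 is (uid_t)-1, which is what pdbedit prints when the NSS lookup for the account returns nothing; comparing uidNumber 503/504 with `min_id`/`max_id` in the `[domain/default]` section of sssd.conf is the check I would run before blaming the ACL.

```ldif
# Added example, not the poster's configuration. Replaces the single
# "to * by * read by self write" rule on olcDatabase={1}bdb.
# Assumed: cn=root,dc=rhel6,dc=ldaptest,dc=com is the rootdn (not subject
# to ACLs) and is the DN Samba binds with; NSS/sssd lookups are anonymous.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcAccess
# Password material: owner may change it, anyone may use it to bind,
# nobody reads the hashes. "self" must come before "*".
olcAccess: {0}to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by self write
  by anonymous auth
  by * none
# pam/nss update shadowLastChange on password change; readable otherwise.
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by * read
# Attributes a user may legitimately edit on their own account.
olcAccess: {2}to attrs=loginShell,gecos
  by self write
  by * read
# Everything else (uidNumber, gidNumber, sambaSID, objectClass, ...) is
# read-only for everyone except the rootdn, so a user cannot change
# their own numeric id or SID.
olcAccess: {3}to *
  by * read
```

After loading it, `ldapsearch -x -b dc=rhel6,dc=ldaptest,dc=com uid=test2 sambaNTPassword userPassword` as an anonymous client must come back with the entry but without either attribute, and `ldappasswd -x -D uid=test2,dc=rhel6,dc=ldaptest,dc=com -W -S` must succeed, which it cannot with the original rule.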
ppolicy overlay and pwdreset attribute question
by Cyril GROSJEAN
I use OpenLDAP 2.4.24 with the following default password policy,
because I want my users to change their password at first connection,
or after a password reset by an administrator:
dn: cn=default,ou=policies,dc=company
cn: default
description: Strategie de gestion des mots de passe par defaut
objectClass: top
objectClass: person
objectClass: pwdPolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: policy
When creating a user account (either as administrator or as any user with
sufficient rights), the pwdReset attribute is not set automatically, and
thus the newly created user can bind and search without being forced to
change his password.
I have to manually set the pwdReset attribute to TRUE in the user entry, at
creation time or after creation, to force a password change. Is this normal
behaviour? I would have expected to see the pwdReset attribute automatically
set (by the ppolicy overlay). Otherwise, setting pwdMustChange to TRUE in
the password policy definition looks useless.
On the other hand, when the user changes his password, the pwdReset
attribute is automatically removed, which tends to mean the password policy
overlay is called and does something in this case.
11 years, 9 months
olcDbCacheSize: no equality matching rule
by Gerard Ranke
Dear listmembers,
After upgrading from openldap 2.4.21 to 2.4.25 my olcDbCacheSize entry seems to have gone AWOL. I
tried to fix that with the following LDIF file:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbCachesize
olcDbCachesize: 10000
but I got this error message:
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcDbCacheSize: no equality matching rule
Does anybody have any idea what is wrong?
Many thanks in advance,
Gerard Ranke
11 years, 9 months
RE: ppolicy works, then doesn't
by Cyril GROSJEAN
Do you have any clue (from the access log, for example) that this user’s
password has been successfully changed after 20110606211056Z?
Or is there any chance that the password was changed while the policy
overlay wasn’t loaded, which could occur if it was changed on a
misconfigured replica, for example.
11 years, 9 months
N-Way replication
by Darouichi, Aziz
I set up N-Way replication with openldap-2.4.23 on RHEL5. The config file is identical on both servers. On one server I get this error message in the log.
send_search_entry: conn 1000 ber write failed.
I ran slapindex and turned off schemasearch. The error message is still being generated.
Thanks,
11 years, 9 months
[SOLVED] olcDbCacheSize: no equality matching rule
by Gerard Ranke
>Dear listmembers,
>After upgrading from openldap 2.4.21 to 2.4.25 my olcDbCacheSize entry seems to have gone AWOL. I
>tried to fix that with the following LDIF file:
>dn: olcDatabase={1}hdb,cn=config
>changetype:modify
>add: olcDbCachesize
>olcDbCachesize: 10000
>but I got this errormessage:
>modifying entry "olcDatabase={1}hdb,cn=config"
>ldap_modify: Inappropriate matching (18)
> additional info: modify/add: olcDbCacheSize: no equality matching rule
Been staring at this for too long: The olcDbCacheSize was sitting right there... Sorry for the noise.
Best,
gerard
11 years, 9 months
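An added note on the error in the two olcDbCacheSize posts above (the example is the editor's, not from either post). That the attribute was already present is exactly why the `add:` failed: olcDbCacheSize is single-valued and has no EQUALITY matching rule, and slapd needs an equality rule to compare a `modify/add` against the values already stored, so it refuses with inappropriateMatching (18) and the text "no equality matching rule". A `replace:` needs no such comparison, so changing the cache size from cn=config looks like this (the database RDN {1}hdb is the one from the post):

```ldif
# Added example, not from the posts. "replace" works where "add" failed,
# because slapd only has to compare against existing values for "add".
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbCacheSize
olcDbCacheSize: 10000
```

The same rule explains other "no equality matching rule" failures on cn=config attributes: when an attribute without an EQUALITY rule already has a value, use `replace`, and to check first run `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}hdb,cn=config' olcDbCacheSize`.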