From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org, openldap-technical-bounces@OpenLDAP.org, Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de
Date: 08/30/2013 12:37 PM
Subject: Re: Antw: Re: Object not found
--On Friday, August 30, 2013 10:55 AM -0500 espeake@oreillyauto.com wrote:
Quanah,
I tried this morning to change the password:
ldappasswd -s <password> -Wx -D "uid=admin,dc=<domain>,dc=com" "uid=readOnlyUser,ou=system,dc=<domain>,dc=com"
I confirmed that the hashed password changed. I still get invalid credentials. I am betting that there is some little simple thing that is holding this up.
Ok, so error (49) means one of two things:
a) Password is incorrect
b) No such object
No such object means either the entry you are attempting to bind as does not exist in the LDAP DB, or ACLs prevent reading it, so it appears not to exist.
My guess is this ACL is blocking access to the entry:
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration

Wouldn't the following control grant the access first, since it is the first in the list?
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
I think it may be in how the password is presented. When I do an ldapsearch for the readOnlyUser, the account is found. I decode the password that is presented, and the password in the encrypted {SSHA} matches what I see in my LDAP browser. I am going to have my developers do some further testing against this LDAP instance.
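The ordering question raised above is exactly what slapd's documented evaluation rules decide: directives are tried in order and the first one whose `to` selector matches the target entry is used, then the first matching `by` clause within it sets the access level, and a directive whose `to` matched but whose `by` clauses all miss denies access (an implicit `by * none`). The simulator below, an added example and not code from the thread or from OpenLDAP, models those rules over the two olcAccess values quoted in the thread (directives {1}-{4} are not on the page, so the constructed list holds only {0} and {5}). It assumes a simplified DN normalisation (lowercase, whitespace stripped) and does not model `attrs=` selectors, and it treats a simple bind's check on the bound entry as an `auth` request made by an anonymous requester, which is how slapd checks userPassword before the bind completes.

```python
import re

# Access levels in increasing order (slapd.access(5)); "write" stands in for write/add/delete.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed list: only the two olcAccess values quoted in the thread. Directives
# {1}-{4} are not shown there, and the ordering argument does not depend on them.
OLC_ACCESS = [
    '{0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read '
    'by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read '
    'by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write '
    'by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write '
    'by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write',
    '{5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" '
    'by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read',
]

_DN_SEL = re.compile(r'dn\.(base|subtree)="([^"]*)"')


def dn_norm(dn):
    """Simplified DN normalisation (assumption): lowercase, whitespace around RDNs stripped."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base):
    dn, base = dn_norm(dn), dn_norm(base)
    return dn == base or dn.endswith("," + base)


def parse_olc_access(value):
    """Split '{n}to <what> by <who> <level> ...' into (n, what, [(who, level), ...])."""
    m = re.match(r"^\{(\d+)\}\s*", value)
    index = int(m.group(1)) if m else None
    body = value[m.end():] if m else value
    parts = re.split(r"\s+by\s+", body.strip())
    if not parts[0].startswith("to "):
        raise ValueError("olcAccess value must start with 'to'")
    what = parts[0][3:].strip()
    who = [tuple(clause.rsplit(None, 1)) for clause in parts[1:]]
    return index, what, who


def what_matches(what, target_dn):
    if what == "*":
        return True
    m = _DN_SEL.fullmatch(what)
    if not m:
        raise ValueError(f"unsupported <what> selector: {what}")
    style, dn = m.groups()
    return dn_norm(target_dn) == dn_norm(dn) if style == "base" else in_subtree(target_dn, dn)


def who_matches(who, requester_dn, target_dn):
    """requester_dn=None models an anonymous (not yet authenticated) requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if requester_dn is None:
        return False  # every remaining selector needs an authenticated DN
    if who == "users":
        return True
    if who == "self":
        return dn_norm(requester_dn) == dn_norm(target_dn)
    m = _DN_SEL.fullmatch(who)
    if not m:
        raise ValueError(f"unsupported <who> selector: {who}")
    style, dn = m.groups()
    return dn_norm(requester_dn) == dn_norm(dn) if style == "base" else in_subtree(requester_dn, dn)


def evaluate(olc_access, requester_dn, target_dn):
    """Return (directive_index, level): which directive decided and what it granted."""
    for index, what, who in map(parse_olc_access, olc_access):
        if not what_matches(what, target_dn):
            continue  # this directive does not apply; try the next one
        for selector, level in who:
            if who_matches(selector, requester_dn, target_dn):
                return index, level  # first matching <who> clause wins
        return index, "none"  # <what> matched but no <who> did: implicit "by * none"
    return None, "none"  # no directive applied at all


def allowed(olc_access, requester_dn, target_dn, requested):
    _, granted = evaluate(olc_access, requester_dn, target_dn)
    return LEVELS.index(granted) >= LEVELS.index(requested)


if __name__ == "__main__":
    ro = "uid=readOnlyUser,ou=system,dc=oreillyauto,dc=com"  # lowercase ou, as in the ldappasswd command
    print("readOnlyUser reading its own entry:", evaluate(OLC_ACCESS, ro, ro))
    print("anonymous needing 'auth' on it (simple bind):", evaluate(OLC_ACCESS, None, ro))
    print("bind-time auth allowed?", allowed(OLC_ACCESS, None, ro, "auth"))
```

Running it shows that, with `{0}to *` first, every entry is decided by directive {0} and {5} is never consulted; readOnlyUser itself is granted `read` there, but an anonymous requester matches none of {0}'s `by` clauses and ends at the implicit `by * none`, so a simple bind's `auth` check fails under this model. Dropping {0} from the list (the `OLC_ACCESS[1:]` case in the check below) shows {5} deciding instead: `users` get `read`, entries under ou=Users get `none`.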