Jaap Winius wrote:
Hi all,
The utility of the "ldapwhoami" tool is a mystery to me. As opposed to the usual Unix "whoami" command, which prints the effective userid, "ldapwhoami" doesn't seem to print the matching LDAP DN... at least not for me.
Hello,
[originally intended reply] I'll just shoot here, but isn't it because this command works only for SASL-related stuff [authzid]? Thus some appropriate stuff like rewriting [?] is needed in slapd.conf etc. etc.? I'm not familiar with SASL or this command, but that's what I got from the man page. [/originally ...] None of it is probably true.
My test setup includes an OpenLDAP server and a separate client. The server's slapd.conf includes these ACLs:
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=umrk,dc=nl" write
        by anonymous auth
        by self write
        by * none
### ACL
## Users can change their own passwords. Other users can attempt to authenticate, but
## can't read the userPassword value.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=64 * auth
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=umrk,dc=nl" write
        by * read
I have +'by anonymous auth' here.
My LDAP DIT includes an account for a normal user with a password. Without any problem I can use this to log in to the client host, but when I want to test, or verify, the account's LDAP DN, all I get is this:
~$ ldapwhoami -x
anonymous
~$ _
I get same result.
Even stranger, if I supply the account's DN and password (although this would seem a useless thing to do, since it's the very same info I'm asking for), I get this error:
~$ ldapwhoami -x -D "cn=testuser,dc=umrk,dc=nl" -w testpass
ldap_bind: Invalid credentials (49)
~$ _
However, this works for me and returns the correct DN. We're using nss-ldap and nscd. About -D being "useless": no, it's not. LDAP is not all-knowing and it can't tell if it is "cn=testuser,dc..." or "uid=testuser,dc..." or "uid=testuser,ou=people,..." and so on and so forth. But it depends on how, and with "what", % ldapwhoami; works. Probably somebody else will clarify this one (?).
On the other hand, this does work if I supply the admin DN and password:
~$ ldapwhoami -x -D "cn=admin,dc=umrk,dc=nl" -w adminpass
dn:cn=admin,dc=umrk,dc=nl
~$ _
The "ldapsearch" command is the same: I can get a response when binding anonymously ("-x"), as well as when binding as the admin user, but not when I use a normal user account, which results in the same error 49 as above.
It sounds to me like you've misconfigured an ACL somewhere. If you have only these three ACLs, how about starting over? Comment them out and add them back one by one. I know it's not the straight solution, but-
This behavior seems rather useless to me. Surely I've made a mistake somewhere. Can anyone say what it might be?
Thanks,
Jaap
Regards, Zdenek
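As an added illustration for the ACL discussion in this thread (not code from the thread or from OpenLDAP), here is a simplified Python model of how slapd picks the first access directive whose target matches and then its first matching by clause, run against the three ACLs Jaap posted. It assumes simple-bind semantics in which the still-anonymous connection needs auth access to the user's own userPassword, and it ignores ssf, regex, group and set subjects.

```python
# Added illustration, not from the thread: a simplified model of how slapd picks
# the first "access to" directive whose target matches, then its first matching
# "by" clause (implicit "access to * by * none" last). No ssf/regex/groups.
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
# Constructed copy of the three ACLs quoted above from Jaap's slapd.conf.
JAAP_ACLS = """
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=umrk,dc=nl" write by anonymous auth by self write by * none
access to dn.base="" by * read
access to * by dn="cn=admin,dc=umrk,dc=nl" write by * read
"""

def parse_acls(text):
    rules = []  # [(target, [(who, level), ...]), ...] in file order
    for chunk in re.split(r"\baccess to\s+", re.sub(r"#.*", "", text))[1:]:
        tokens = chunk.split()
        target, rest = tokens[:tokens.index("by")], tokens[tokens.index("by"):]
        bys = [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]
        rules.append((" ".join(target), bys))
    return rules

def target_matches(target, entry_dn, attr):
    for part in target.split():
        if part.startswith("attrs=") and attr not in part[6:].split(","):
            return False
        if part.startswith("dn.base=") and entry_dn != part[8:].strip('"'):
            return False
    return True  # "*" (and anything this model does not parse) matches all

def who_matches(who, bind_dn, entry_dn):
    if who in ("*", "anonymous", "self"):
        return {"*": True, "anonymous": bind_dn is None,
                "self": bind_dn is not None and bind_dn == entry_dn}[who]
    return who.startswith("dn=") and bind_dn == who[3:].strip('"')

def granted(rules, bind_dn, entry_dn, attr=None):
    # Level from the first directive whose target matches; "none" otherwise.
    for target, bys in rules:
        if target_matches(target, entry_dn, attr):
            return next((lvl for who, lvl in bys
                         if who_matches(who, bind_dn, entry_dn)), "none")
    return "none"

def allows(rules, bind_dn, entry_dn, attr, needed):
    # A simple bind is checked while the connection is still anonymous, so it
    # needs bind_dn=None to have "auth" on the user's own userPassword.
    return LEVELS.index(granted(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

Dropping the "by anonymous auth" clause from the first directive makes the model deny the simple bind for every normal user, which is the kind of ACL effect the one-by-one approach above would expose.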