On 27-02-14 17:49, Quanah Gibson-Mount wrote:
--On Thursday, February 27, 2014 4:19 PM +0100 Jonas Kellens jonas.kellens@telenet.be wrote:
Hello,
I have a working openLDAP server version 2.3.43. My configuration there works: the correct users have the correct access.
I have set up a new openLDAP-server with newer version 2.3.43.
I have no working openLDAP on version 2.3.43.
I have tried with the new syntax and with the command /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v to use the built-in conversion tool, but I always got: ldap_bind: Invalid credentials (49)
So I forgot this conversion and continued with the "old" slapd.conf file.
But in this configuration (which is just a copy/paste of my openLDAP 2.3.43) no user can query the LDAP entries.
So this is the setup:

I have a user: cn=U101001,ou=101001,dc=mydomain
This user is member of the group: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain
These members can read entries in the tree: ou=tbook1,ou=contacten,ou=101001,dc=mydomain

I have in slapd.conf:

access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
    by group.exact="cn=admins,ou=101001,dc=mydomain" write
    by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
So why does my user cn=U101001,ou=101001,dc=mydomain fail to get results?
Likely the 2.3 acl set needs adjusting for 2.4.
I would also note it appears you're using the utterly broken packages provided by RH. I'd strongly advise you to get sane, safe packages, such as those provided by Symas or the LTB project.
--Quanah
Hello,
What kind of adjustments are needed then?

access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
    by group.exact="cn=admins,ou=101001,dc=mydomain" write
    by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read

What in the above ACL statement is incorrect?
Kind regards, Jonas.
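Added example, not part of the thread above and not an answer given on the list. It is a slapd.conf ACL set built around the DNs Jonas posted, with two assumptions stated in the comments: that the group entries are groupOfNames objects listing their members in the member attribute (the default for group.exact), and that the users bind with simple binds against userPassword. The point it illustrates is scope: dn.one matches only the direct children of the named DN and never the entry itself, so a search whose base is ou=tbook1,... needs a separate clause granting search access to that base entry, and a bind needs auth access to userPassword before any of the other rules are reached.

```conf
# Added example slapd.conf ACL fragment (not from the thread).
# Assumptions: groups are groupOfNames with a "member" attribute
# (what group.exact checks by default); users authenticate with simple
# binds, so anonymous needs "auth" access to userPassword.

# 1. Binds: without this, every simple bind fails with
#    ldap_bind: Invalid credentials (49), regardless of the password.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. The search base itself. dn.one does NOT cover this entry, and a
#    search needs "search" access to the entry pseudo-attribute of its
#    base object; otherwise the client gets no results for this base.
access to dn.base="ou=tbook1,ou=contacten,ou=101001,dc=mydomain" attrs=entry
    by group.exact="cn=admins,ou=101001,dc=mydomain" write
    by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" search
    by * none

# 3. The contacts directly under the base (the rule from the thread).
#    dn.one = entries whose parent is exactly the given DN.
access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain"
    by group.exact="cn=admins,ou=101001,dc=mydomain" write
    by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read
    by * none

# 4. Everything else falls through to the implicit "by * none" that
#    slapd applies once any access directive is present; the rootdn
#    is never subject to ACLs.
```

The fragment can be checked without a client: slapacl evaluates the ACLs in a slapd.conf against the database on disk, e.g. `slapacl -f /etc/openldap/slapd.conf -D "cn=U101001,ou=101001,dc=mydomain" -b "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" entry/search` reports whether that user may search from that base, and the same command with `-b` pointing at one of the contact entries and `cn/read` checks the read rule. Run it as the user slapd runs as, against the directory the server actually uses, so the group membership is resolved from the real entries.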