My access rules in the slapd.conf are the following:
 
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=sysadmin,dc=mydomain,dc=com" write
        by group..exact="cn=itmanager,ou=manager,dc=mydomain,dc=com" write
        by * none
access to *
        by self write
        by dn.base="cn=sysadmin,dc=mydomain,dc=com" write
        by group.exact="cn=itmanager,ou=manager,dc=mydomain,dc=com" write
        by * read
 
If I don't have the following entries in a client's /etc/ldap.conf, when I login the client by using ssh I will get the "Access denied" message:
 
binddn cn=Manager,dc=mydomain,dc=com
 
bindpw secret
 
The ldap log is the following:
 

May 11 16:08:18 ldapm slapd[24629]: conn=0 fd=13 ACCEPT from IP=192.168.2.161:33801 (IP=0.0.0.0:389)

May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 BIND dn="" method=128

May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 RESULT tag=97 err=0 text=

May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))"

May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))"

May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=

May 11 16:08:23 ldapm slapd[24629]: conn=1 fd=16 ACCEPT from IP=192.168.2.161:33802 (IP=0.0.0.0:389)

May 11 16:08:23 ldapm slapd[24629]: conn=1 op=0 BIND dn="" method=128

May 11 16:08:23 ldapm slapd[24629]: conn=1 op=0 RESULT tag=97 err=0 text=

May 11 16:08:23 ldapm slapd[24629]: conn=1 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=luke_l)"

May 11 16:08:23 ldapm slapd[24629]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

 

 

 

 

If I have the binddn and bindpw using the distinguished name, Manager, the login will succeed. The ldap log is the following:

 

May 11 17:22:32 ldapm slapd[24629]: conn=20 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=

May 11 17:22:32 ldapm slapd[24629]: conn=20 op=4 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=luke_l)"

May 11 17:22:32 ldapm slapd[24629]: conn=20 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=

May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luke_l)(uniqueMember=uid=luke_l,ou=people,dc=mydomain,dc=com)))"

May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SRCH attr=cn userPassword memberUid uniqueMember gidNumber

May 11 17:22:32 ldapm slapd[24629]: <= bdb_equality_candidates: (uniqueMember) not indexed

May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=

May 11 17:22:32 ldapm slapd[24629]: conn=20 op=6 UNBIND

May 11 17:22:32 ldapm slapd[24629]: conn=20 fd=18 closed

May 11 17:22:32 ldapm slapd[24629]: conn=21 fd=16 ACCEPT from IP=192.168.2.161:33816 (IP=0.0.0.0:389)

May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118

May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0

May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 RESULT tag=97 err=0 text=

May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))"

May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))"

May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=

May 11 17:22:32 ldapm slapd[24629]: conn=22 fd=18 ACCEPT from IP=192.168.2.161:33817 (IP=0.0.0.0:389)

May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118

May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0

May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 RESULT tag=97 err=0 text=

May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))"

May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

May 11 17:22:32 ldapm slapd[24629]: conn=23 fd=20 ACCEPT from IP=192.168.2.161:33818 (IP=0.0.0.0:389)

May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118

May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0

May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 RESULT tag=97 err=0 text=

May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))"

May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass

May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

May 11 17:22:32 ldapm slapd[24629]: conn=23 fd=20 closed (connection lost)

 

What should I do to fix the problem and bind the server anonymously but get the authetication working? Thanks.

 

Luke




----- Original Message ----
From: Dieter Kluenter <dieter@dkluenter.de>
To: openldap-technical@openldap.org
Sent: Saturday, May 10, 2008 1:32:58 AM
Subject: Re: Mystery - Authentication Would Fail If Not Binding With Server By Using cn=Manager

Hi,

Luke Lee <leeluke77@yahoo.com> writes:

> I am running OpenLDAP 2.3.39 on RedHat. My login authentication on a client
> system will fail if I don't configure the optional binddn and bindpw by using
> cn=Manager.

> Can anyone please enlighten me what could cause the strange problem? Thanks!

Could you be a bit more specific and could you provide the access
rules of slapd.conf?

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6

Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.