Il Neofita wrote:
Hi, I deleted everything and did everything from scratch, but I have the same problem. I am using RH 5.4.
Hello,
I have no idea what the problem might be. Yet, I've noticed you don't have a HASH type prefix on your passwords, and it should be there.
userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
XXX
userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
The next thing I can suggest is to strip all ACLs except the basic ones and build up, build up... I'd also move attrs=userPassword up in the tree, as ACL evaluation ends when the first match is found. Thus it's possible this ACL is never matched.
Regards, Zdenek
I am posting my configuration.

slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/pykota.schema

allow bind_v2
loglevel 128

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

access to dn.subtree="ou=PyKota,dc=test,dc=xx"
    by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to dn.subtree="ou=people,dc=test,dc=xx"
    by dn="cn=mmm,dc=test,dc=xx" manage
    by dn="cn=pykotaadmin,dc=test,dc=xx" manage
    by * read
access to dn.subtree="ou=Groups,dc=test,dc=xx"
    by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to *
    by self write
    by users read
    by * none
access to attrs=userPassword
    by self =w
    by anonymous auth

database bdb
suffix "dc=test,dc=xx"
rootdn "cn=admin,dc=test,dc=xx"
rootpw {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index pykotaUserName pres,eq,sub
index pykotaGroupName pres,eq,sub
index pykotaPrinterName pres,eq,sub
index pykotaBillingCode pres,eq,sub
index pykotaLastJobIdent eq
My LDIF:

# extended LDIF
#
# LDAPv3
# base <dc=test,dc=xx> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.xx
dn: dc=test,dc=xx
objectClass: dcObject
objectClass: organization
o: Directory Server
dc:: dGVzdCA=

# admin, test.xx
dn: cn=admin,dc=test,dc=xx
objectClass: organizationalRole
objectClass: posixAccount
cn:: YWRtaW4g
gidNumber: 500
homeDirectory: /home/admin
uid: admin
uidNumber: 500

# mmm, test.xx
dn: cn=mmm,dc=test,dc=xx
cn:: bW1tIA==
sn: mmm
objectClass: person
objectClass: top
userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=

# people, test.xx
dn: ou=people,dc=test,dc=xx
objectClass: top
objectClass: organizationalUnit
ou: people
description: Fictional example organizational unit

# bjensen, people, test.xx
dn: uid=bjensen,ou=people,dc=test,dc=xx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
givenName: Babs
uid: bjensen
ou: people
description: Fictional example person
telephoneNumber: 555-5557
userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
And this is the log:

Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access to "cn=mmm,dc=test,dc=xx" "userPassword" requested
Dec 22 09:42:07 sim slapd[11187]: => dn: [1] ou=pykota,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => dn: [2] ou=people,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => dn: [3] ou=groups,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => acl_get: [4] attr userPassword
Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state (userPassword)
Dec 22 09:42:07 sim slapd[11187]: => acl_mask: access to entry "cn=mmm,dc=test,dc=xx", attr "userPassword" requested
Dec 22 09:42:07 sim slapd[11187]: => acl_mask: to value by "", (=0)
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: self
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: users
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: *
Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] applying none(=0) (stop)
Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] mask: none(=0)
Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access denied by none(=0)
Thank you
On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik stybla@turnovfree.net wrote:
Il Neofita wrote:
Hi
Hello,
I am new and probably I am facing a very basic error.
I am trying to create an admin for a subset.
I created this LDIF:

dn: cn=mmmm,dc=test,dc=xx
cn: mmmm
sn: mmmm
objectClass: person
objectClass: top
userPassword: test
If you added it exactly like this:
1] delete dn: cn=mmmm,dc=test,dc=xx
2] use % slappasswd; to generate the password hash
3] add the DN again

--- SNIP ---
slappasswd -s test
{SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
--- SNIP ---

--- SNIP ---
dn: cn=mmmm,dc=test,dc=xx
cn: mmmm
sn: mmmm
objectClass: person
objectClass: top
userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
--- SNIP ---
Just a morning loto :)
Regards, Zdenek
then in slapd.conf:

...
access to dn.subtree="ou=people,dc=test,dc=xx"
    by dn="cn=mmmm,dc=test,dc=xx" write
    by * read
...
Restarted ldap
ldapsearch -x -D "cn=mmmm,dc=test,dc=xx" -W '(objectclass=*)'
ldap_bind: Invalid credentials (49)

What am I doing wrong?
-- Zdenek Styblik Net/Linux admin OS TurnovFree.net email: stybla@turnovfree.net jabber: stybla@jabber.turnovfree.net
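The log above is the whole diagnosis: slapd walks the "access to" directives in order, the catch-all "access to * ... by * none" is the first one whose target covers cn=mmm, and the anonymous session that a simple bind still is at that moment gets "none" instead of the "auth" it needs on userPassword, so the bind fails with Invalid credentials (49). The attrs=userPassword rule further down is never consulted. To make that concrete, here is an added example (my code, not part of the thread and not OpenLDAP's own): a small Python dry-run of slapd's first-match ACL evaluation over the access directives exactly as posted, beside a reordered copy with the userPassword rule first. The simulator only understands the <what> and <by> forms that appear in the posted slapd.conf (dn.subtree, attrs, *, self, users, anonymous, exact dn="..." and level words or "=" privilege lists, default control "stop"); it numbers rules from 1 in its own trace and does not reproduce slapd's log indices or its built-in defaults. The extra by dn="cn=mmm,..." write clause in the reordered version is my assumption about the intent (cn=mmm is meant to administer ou=people); without it, once the attribute rule comes first and stops evaluation, that DN would lose all access to other entries' passwords. The same run also shows a side effect of the posted order: "by * read" on the ou=people subtree covers userPassword too, so bjensen's hash is readable anonymously until the rule is moved.

```python
import re

# slapd access levels low to high; a word grants itself and all below, '=w' gives exactly write.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PRIV_BITS = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
             "r": "read", "w": "write", "m": "manage"}

# The access directives as posted in the thread (their order is the bug).
ORIGINAL_ACL = """
access to dn.subtree="ou=PyKota,dc=test,dc=xx" by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to dn.subtree="ou=people,dc=test,dc=xx" by dn="cn=mmm,dc=test,dc=xx" manage by dn="cn=pykotaadmin,dc=test,dc=xx" manage by * read
access to dn.subtree="ou=Groups,dc=test,dc=xx" by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to * by self write by users read by * none
access to attrs=userPassword by self =w by anonymous auth
"""

# Same rules with attrs=userPassword first. The extra 'by dn="cn=mmm,..." write' is an assumption
# about intent (cn=mmm administers ou=people); once the attribute rule comes first and stops
# evaluation, that DN would otherwise get no access to other entries' passwords at all.
FIXED_ACL = """
access to attrs=userPassword by self =w by dn="cn=mmm,dc=test,dc=xx" write by anonymous auth
access to dn.subtree="ou=PyKota,dc=test,dc=xx" by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to dn.subtree="ou=people,dc=test,dc=xx" by dn="cn=mmm,dc=test,dc=xx" manage by dn="cn=pykotaadmin,dc=test,dc=xx" manage by * read
access to dn.subtree="ou=Groups,dc=test,dc=xx" by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to * by self write by users read by * none
"""

def norm_dn(dn):
    """Case-insensitive comparison form of a DN (also drops spaces after commas)."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def privileges(spec):
    """Expand an access spec ('read', 'none', '=w', ...) into the set of privileges it grants."""
    if spec.startswith("="):
        return {PRIV_BITS[c] for c in spec[1:]}
    return set(LEVELS[1:LEVELS.index(spec) + 1])

def parse_acls(text):
    """Parse 'access to <what> by <who> <access> ...' lines; indented lines are slapd.conf continuations."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    acls = []
    for line in lines:
        m = re.match(r"access\s+to\s+(.*?)\s+by\s+(.*)$", line)
        if not m:
            continue
        dn_m = re.search(r'dn(?:\.(\w+))?="([^"]*)"', m.group(1))
        attr_m = re.search(r"attrs=([\w,]+)", m.group(1))
        what = {"dn": norm_dn(dn_m.group(2)) if dn_m else None,
                "style": (dn_m.group(1) or "exact") if dn_m else None,
                "attrs": frozenset(a.lower() for a in attr_m.group(1).split(",")) if attr_m else None}
        acls.append((what, [tuple(p.rsplit(None, 1)) for p in re.split(r"\s+by\s+", m.group(2))]))
    return acls

def what_matches(what, entry_dn, attr):
    e = norm_dn(entry_dn)
    if what["dn"] is not None and not (
            e == what["dn"] or (what["style"] == "subtree" and e.endswith("," + what["dn"]))):
        return False
    return what["attrs"] is None or attr.lower() in what["attrs"]

def who_matches(who, requester_dn, entry_dn):
    if who == "*" or (who == "anonymous" and requester_dn is None):
        return True
    if requester_dn is None or who == "anonymous":
        return False  # 'users', 'self' and dn="..." all require a bound identity
    if who == "users":
        return True
    target = entry_dn if who == "self" else re.match(r'dn(?:\.\w+)?="([^"]*)"', who).group(1)
    return norm_dn(requester_dn) == norm_dn(target)

def access_allowed(acls, entry_dn, attr, requester_dn, wanted):
    """First 'access to' whose <what> matches is selected; inside it the first matching 'by' decides
    (control 'stop'). requester_dn=None is the anonymous session a simple bind still is during auth."""
    for idx, (what, clauses) in enumerate(acls, 1):
        if not what_matches(what, entry_dn, attr):
            continue
        for who, spec in clauses:
            if who_matches(who, requester_dn, entry_dn):
                ok = wanted in privileges(spec)
                return ok, f"rule {idx}: by {who} {spec} -> {wanted} {'granted' if ok else 'denied'}"
        return False, f"rule {idx}: no 'by' clause matched -> none"
    return False, "no rule matched (simulator denies; slapd's built-in defaults are not modelled)"

def can_bind(acl_text, entry_dn):  # simple bind: the anonymous requester needs 'auth' on userPassword
    return access_allowed(parse_acls(acl_text), entry_dn, "userPassword", None, "auth")

if __name__ == "__main__":
    babs = "uid=bjensen,ou=people,dc=test,dc=xx"
    for label, text in (("posted", ORIGINAL_ACL), ("reordered", FIXED_ACL)):
        for dn in ("cn=mmm,dc=test,dc=xx", babs):
            print(f"{label:9} bind as {dn}: {can_bind(text, dn)}")
        print(f"{label:9} anonymous read of bjensen's hash: {access_allowed(parse_acls(text), babs, 'userPassword', None, 'read')}")
```

Against a live server the same question is answered from the real configuration by slapacl(8), e.g. slapacl -f /etc/openldap/slapd.conf -b "cn=mmm,dc=test,dc=xx" userPassword/auth, which evaluates the request as anonymous when no -D is given; with loglevel 128 (ACL) slapd prints the walk seen in the log above.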