Quanah Gibson-Mount wrote on 01/31/2017 05:25 PM:
--On Monday, January 30, 2017 7:08 PM -0700 scar scar@drigon.com wrote:
However, this brings me to the next problem: the contents of slapd.conf do not match the slapd.d/cn=config.ldif file, so it seems the fixes I am trying to the ACLs don't have any effect, even when I restart slapd. If I try "ldapmodify -nv" it just hangs. When I try to stop slapd and remove slapd.d/* and then start slapd, the contents are recreated according to the config file, but then users can't login (all I see in the logfile is access_allowed and slap_access_allowed but no conn lines).
If you are using the configuration backend for slapd, then you can ignore the slapd.conf file entirely, and simply use the ldapmodify command to modify your access rules. I suggest reading the ldapmodify manual page for information on how to properly execute it. If you are using a distribution provided build of OpenLDAP, the necessary steps may depend on how they configured things.
Well, it's kind of a mess here and my lack of experience with LDAP isn't helping much. There is no slapd-config program, although there is a manual page entry for it. "yum whatprovides */slapd-config" returns no packages.
I was able to enable users to change their passwords by directly modifying /etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif and adding these lines to the bottom:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=X,dc=Y,dc=Z" write by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=X,dc=Y,dc=Z" write by self write by * read
I know that's not proper, but I needed users to be able to change their password. Thanks for the info about ACLs. The "next to last ACL" mentioned is for the "database monitor" (see slapd.conf below) and I'm not sure why "by * read" should be granted that access; perhaps you can shed some light on why that exists in our config? Maybe I don't need ACLs for that so only rootdn has access?
We have a new LDAP server that I am setting up, so I'd like to focus on moving the database and getting the new server into production, and we can iron out the wrinkles in this mess at the same time. My understanding is that I can use slapcat/slapadd to do the export/import...
I used "slapcat > /tmp/ldif" on the current server, then moved the ldif and updated [slapd.conf] (see below) file to the new server, then ran "slapadd -l /tmp/ldif -l /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/" but I get an error when trying to start slapd: "ls: cannot access /etc/openldap/slapd.d//cn=config/olcDatabase*.ldif: No such file or directory" so how am I supposed to get the slapd.d/* files? If I am to just copy those over from the current server then I'd like to figure out why I had to modify the ldif file directly...
The current LDAP server is running RHEL 6.8 with kernel 2.6.32-642.11.1.el6.x86_64. The new LDAP server is running CentOS 6.8 with kernel 2.6.32-642.13.1.el6.x86_64. The nss/pam configuration for one of our clients is this (I hope this is what Michael Wandel meant):
$ authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://foo.X.Y.Z"
 LDAP base DN = "dc=X,dc=Y,dc=Z"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://foo.X.Y.Z"
 LDAP base DN = "dc=X,dc=Y,dc=Z"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is disabled
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is disabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
$
[slapd.conf]
loglevel 128

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

moduleload ppolicy.la

TLSCertificateFile /etc/pki/tls/certs/foo_X_Y_X_cert.cer
TLSCertificateKeyFile /etc/pki/tls/certs/foo_X_Y_Z.key

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=X,dc=Y,dc=Z"
checkpoint 1024 15
rootdn "cn=Manager,dc=X,dc=Y,dc=Z"
rootpw {SSHA}<foo>

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=X,dc=Y,dc=Z"

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index uid pres,eq,sub
index cn,sn pres,eq,sub,subany
index gidnumber,memberUid,uidNumber eq

access to attrs=userPassword by self write by anonymous auth by * none

# enable monitoring
database monitor

access to * by self write by * read by * auth
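As an added example (not code from the thread or from the OpenLDAP project), a small Python script that parses slapd.conf "access to" directives, flags any "by" clause that can never match because an earlier "by *" clause already matches every requester (slapd uses the first matching clause), and emits the ldapmodify LDIF that applies the same rules to the cn=config database entry instead of editing the .ldif file under slapd.d by hand. The sample input is constructed from the two access directives in the slapd.conf above, treated here as if both belonged to the bdb database; the target DN olcDatabase={1}bdb,cn=config is an assumption taken from the file path in the message.

```python
import re

# Constructed sample: the two access directives from the slapd.conf above,
# written one clause per line as slapd.conf permits.
SAMPLE_ACLS = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
    by * auth
"""


def parse_access(conf_text):
    """Return [(what, [(who, access), ...])] for each 'access to' directive."""
    rules = []
    body = re.sub(r"\s+", " ", conf_text)  # fold continuation lines onto one line
    for stmt in re.findall(r"access to (.*?)(?= access to |$)", body):
        what, *clauses = re.split(r"\s+by\s+", stmt.strip())
        rules.append((what, [tuple(c.split(None, 1)) for c in clauses]))
    return rules


def unreachable_clauses(rules):
    """slapd stops at the first 'by' clause whose subject matches, so any clause
    after 'by *' (which matches everyone) is dead. Returns (what, dead_clause)."""
    dead = []
    for what, clauses in rules:
        for i, (who, _) in enumerate(clauses[:-1]):
            if who == "*":
                dead.append((what, clauses[i + 1]))
    return dead


def to_ldif(rules, db_dn="olcDatabase={1}bdb,cn=config"):  # db_dn is an assumption
    """ldapmodify LDIF that replaces the database's olcAccess list with the rules,
    numbered {0}, {1}, ... in the order slapd evaluates them."""
    lines = [f"dn: {db_dn}", "changetype: modify", "replace: olcAccess"]
    for n, (what, clauses) in enumerate(rules):
        by = " ".join(f"by {who} {access}" for who, access in clauses)
        lines.append(f"olcAccess: {{{n}}}to {what} {by}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_access(SAMPLE_ACLS)
    for what, clause in unreachable_clauses(parsed):
        print(f"warning: 'to {what}': clause 'by {clause[0]} {clause[1]}' can never match")
    print(to_ldif(parsed))  # feed to: ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>
```

The ldapmodify invocation in the final comment assumes the distribution build allows the root user SASL EXTERNAL access to cn=config over ldapi://, which Quanah notes is distribution-dependent.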