Hi all,
On my test system, which uses OpenLDAP simple authentication, I'm unable to get clients to authenticate to a consumer server, although they can authenticate to its provider server without a problem. Here's a snippet of the consumer's syslog, for which I've set the slapd.conf loglevel to "acl":
==================
Dec 30 02:13:28 ldapc2 slapd[3031]: => acl_mask: access to entry "uid=ccolumbus,ou=People,dc=example,dc=com", attr "userPassword" requested
Dec 30 02:13:28 ldapc2 slapd[3031]: => acl_mask: to value by "", (=0)
Dec 30 02:13:28 ldapc2 slapd[3031]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Dec 30 02:13:28 ldapc2 slapd[3031]: <= check a_dn_pat: anonymous
Dec 30 02:13:28 ldapc2 slapd[3031]: <= acl_mask: [2] applying auth(=xd) (stop)
Dec 30 02:13:28 ldapc2 slapd[3031]: <= acl_mask: [2] mask: auth(=xd)
==================
Judging from this, I suspect that I've misconfigured the account on the consumer server that the client machines must use to access password values in the database to authenticate clients. Currently, the consumer's ACLs look like this:
==================
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=example,dc=com" read
        by anonymous auth
        by * none

access to dn.base=""
        by * read

access to *
        by * read
==================
This is the same admin account that I use on the provider. If I set the client's libnss-ldap configuration to use this account and its matching password to authenticate users via the consumer server, it doesn't work.
Any idea about what I'm doing wrong?
Thanks,
Jaap
openldap-technical@openldap.org