OS: Debian 13 Running in an LXC on Proxmox VE 9.0.10
OpenLDAP Ver: @(#) $OpenLDAP: slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Current mdb ACL (Playing around with ACLs to get this to work)

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage
olcAccess: {2}to attrs=userPassword by anonymous auth by self auth
olcAccess: {3}to * by * none
Oct 25 02:30:35 ldap slapd[460]: >>> slap_listener(ldaps:///)
Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 ACCEPT from IP=10.10.100.12:19604 (IP=0.0.0.0:636)
Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011
Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): unable to get TLS client DN, error=49 id=1011
Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011
Oct 25 02:30:35 ldap slapd[460]: op tag 0x60, time 1761359435
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 do_bind
Oct 25 02:30:35 ldap slapd[460]: >>> dnPrettyNormal: <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com>
Oct 25 02:30:35 ldap slapd[460]: <<< dnPrettyNormal: <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com>, <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com>
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 BIND dn="uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" method=128
Oct 25 02:30:35 ldap slapd[460]: do_bind: version=3 dn="uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" method=128
Oct 25 02:30:35 ldap slapd[460]: mdb_dn2entry("uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com")
Oct 25 02:30:35 ldap slapd[460]: => mdb_dn2id("uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com")
Oct 25 02:30:35 ldap slapd[460]: <= mdb_dn2id: got id=0xa
Oct 25 02:30:35 ldap slapd[460]: => mdb_entry_decode:
Oct 25 02:30:35 ldap slapd[460]: <= mdb_entry_decode
Oct 25 02:30:35 ldap slapd[460]: => access_allowed: result not in cache (userPassword)
Oct 25 02:30:35 ldap slapd[460]: => access_allowed: auth access to "uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" "userPassword" requested
Oct 25 02:30:35 ldap slapd[460]: => acl_get: [1] attr userPassword
Oct 25 02:30:35 ldap slapd[460]: => acl_mask: access to entry "uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com", attr "userPassword" requested
Oct 25 02:30:35 ldap slapd[460]: => acl_mask: to value by "", (=0)
Oct 25 02:30:35 ldap slapd[460]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 25 02:30:35 ldap slapd[460]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Oct 25 02:30:35 ldap slapd[460]: => slap_access_allowed: auth access denied by =0
Oct 25 02:30:35 ldap slapd[460]: => access_allowed: no more rules
Oct 25 02:30:35 ldap slapd[460]: send_ldap_result: conn=1011 op=0 p=3
Oct 25 02:30:35 ldap slapd[460]: send_ldap_response: msgid=1 tag=97 err=49
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 RESULT tag=97 err=49 qtime=0.000029 etime=0.000148 text=
Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011
Oct 25 02:30:35 ldap slapd[460]: op tag 0x42, time 1761359435
Oct 25 02:30:35 ldap slapd[460]: ber_get_next on fd 15 failed errno=0 (Success)
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=1 do_unbind
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=1 UNBIND
Oct 25 02:30:35 ldap slapd[460]: connection_close: conn=1011 sd=15
Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 closed
I'm happy to share my config too, but this is already getting long.
On 25/10/2025 at 04:45, hamzaahmed12328@gmail.com wrote:
> OS: Debian 13 Running in an LXC on Proxmox VE 9.0.10
> OpenLDAP Ver: @(#) $OpenLDAP: slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
> Current mdb ACL (Playing around with ACLs to get this to work)
>
> # {1}mdb, config
> dn: olcDatabase={1}mdb,cn=config
> olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
> olcAccess: {1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage
> olcAccess: {2}to attrs=userPassword by anonymous auth by self auth
> olcAccess: {3}to * by * none
> ...
> Oct 25 02:30:35 ldap slapd[460]: => slap_access_allowed: auth access denied by =0
> ...
The ACLs should be:
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
olcAccess: {1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage by * break
olcAccess: {2}to attrs=userPassword by anonymous auth by * break
olcAccess: {3}to * by * none
The first two could be merged into a single one.
Hi Clément, hope you are well.
Thank you for your input, that was the issue indeed: the break at the end. I looked into this and yes, it makes total sense now. The break is required for moving on to the next ACL rule when it doesn't match the first.
Thank you for your input, appreciate it.
-- Hamza
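To make the "stop by default, break to fall through" behaviour discussed above concrete, here is a small Python model of the directive walk described in slapd.access(5), run over the two rule sets from this thread. It is an added illustration written for this page, not OpenLDAP code, and it is deliberately simplified: it understands only the target forms (`to *`, `to attrs=...`) and `by` clauses (`*`, `anonymous`, `users`, `self`, `dn.exact=...`) that appear in the posts, treats a `by` clause with no access level (as in `by * break`) as granting nothing, and assumes DNs contain no whitespace. The DNs are the ones from the thread.

```python
"""Simplified model of how slapd walks olcAccess directives (slapd.access(5)).

Added illustration, NOT OpenLDAP code. It supports only what this thread uses:
  targets : 'to *' and 'to attrs=<a>,<b>'
  who     : '*', 'anonymous', 'users', 'self', 'dn.exact="<dn>"'
  access  : the slapd level ladder, none < disclose < auth < ... < manage
  control : stop (default), continue, break
Assumption: DNs contain no whitespace (true for the DNs in the thread).
"""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = ("stop", "continue", "break")

# The two rule sets from the thread, exactly as they appear in the posts.
ORIGINAL_ACL = [
    '{0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage',
    '{1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage',
    '{2}to attrs=userPassword by anonymous auth by self auth',
    '{3}to * by * none',
]
FIXED_ACL = [
    '{0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break',
    '{1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage by * break',
    '{2}to attrs=userPassword by anonymous auth by * break',
    '{3}to * by * none',
]
JELLYFIN_DN = "uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com"
ADMIN_DN = "cn=admin,dc=ahmza,dc=com"


def parse_directive(line):
    """'{n}to <what> by <who> [<access>] [<control>] ...' -> (what, [(who, access, control)])."""
    line = re.sub(r"^\{\d+\}", "", line.strip())  # drop the olcAccess ordering prefix
    m = re.match(r"to\s+(\S+)\s+(.*)$", line)
    if not m:
        raise ValueError(f"not an access directive: {line!r}")
    what, tokens = m.group(1), m.group(2).split()
    clauses, i = [], 0
    while i < len(tokens):
        if tokens[i] != "by":
            raise ValueError(f"expected 'by' at token {i} in {line!r}")
        who, access, control = tokens[i + 1], "none", "stop"  # omitted <access> grants nothing (assumption)
        i += 2
        if i < len(tokens) and tokens[i] in LEVELS:
            access, i = tokens[i], i + 1
        if i < len(tokens) and tokens[i] in CONTROLS:
            control, i = tokens[i], i + 1
        clauses.append((who, access, control))
    return what, clauses


def target_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn == entry_dn
    if who.startswith("dn.exact="):
        return requester_dn == who[len("dn.exact="):].strip('"')
    raise ValueError(f"unsupported <who>: {who}")


def access_allowed(acl_lines, requester_dn, entry_dn, attr, needed):
    """Return (allowed, trace). The first directive whose <what> matches is selected; its
    <who> clauses run in order and the first match decides, unless its control is
    'continue' (keep evaluating clauses) or 'break' (move on to the next directive).
    If nothing in the selected directive matches, the implicit 'by * none' stops it."""
    trace = []
    for idx, line in enumerate(acl_lines):
        what, clauses = parse_directive(line)
        if not target_matches(what, attr):
            continue
        trace.append(f"directive {idx}: 'to {what}' selected")
        granted, matched, fall_through = "none", False, False
        for who, access, control in clauses:
            if not who_matches(who, requester_dn, entry_dn):
                continue
            matched = True
            trace.append(f"  matched 'by {who} {access} {control}'")
            if LEVELS.index(access) > LEVELS.index(granted):
                granted = access
            if control == "continue":
                continue
            fall_through = control == "break"
            break
        if fall_through:
            trace.append("  'break': continuing with the next directive")
            continue
        if not matched:
            trace.append("  no <who> clause matched: implicit 'by * none' (stop)")
        ok = LEVELS.index(granted) >= LEVELS.index(needed)
        trace.append(f"  result: {granted} -> {'allowed' if ok else 'denied'} for {needed}")
        return ok, trace
    trace.append("no more directives: denied")
    return False, trace


def simple_bind_allowed(acl_lines, bind_dn):
    """A simple bind is checked as anonymous needing 'auth' on the bind DN's userPassword."""
    return access_allowed(acl_lines, "", bind_dn, "userPassword", "auth")


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        ok, trace = simple_bind_allowed(acl, JELLYFIN_DN)
        print(f"{name}: bind as jellyfin -> {'OK' if ok else 'err=49'}")
        print("\n".join(trace))
```

Run as is, the "original" trace selects directive 0 (`to *` matches every entry), finds that the only `who` clause (the root peercred DN) does not match the anonymous requester, and stops with none, which is exactly what the slapd log above records (`check a_dn_pat: gidNumber=0+uidNumber=0,...` followed by `no more <who> clauses, returning =0 (stop)`). With the `by * break` clauses, directives 0 and 1 fall through and directive 2 grants `auth` on userPassword to the anonymous bind, while an anonymous read of any other attribute still ends at directive 3 (`by * none`).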
openldap-technical@openldap.org