OS: Debian 13 Running in an LXC on Proxmox VE 9.0.10
OpenLDAP Ver: @(#) $OpenLDAP: slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
Current mdb ACL (playing around with ACLs to get this to work):

# {1}mdb, config
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
olcAccess: {1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage
olcAccess: {2}to attrs=userPassword by anonymous auth by self auth
olcAccess: {3}to * by * none
Oct 25 02:30:35 ldap slapd[460]: >>> slap_listener(ldaps:///)
Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 ACCEPT from IP=10.10.100.12:19604 (IP=0.0.0.0:636)
Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011
Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): unable to get TLS client DN, error=49 id=1011
Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011
Oct 25 02:30:35 ldap slapd[460]: op tag 0x60, time 1761359435
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 do_bind
Oct 25 02:30:35 ldap slapd[460]: >>> dnPrettyNormal: <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com>
Oct 25 02:30:35 ldap slapd[460]: <<< dnPrettyNormal: <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com>, <uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com>
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 BIND dn="uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" method=128
Oct 25 02:30:35 ldap slapd[460]: do_bind: version=3 dn="uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" method=128
Oct 25 02:30:35 ldap slapd[460]: mdb_dn2entry("uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com")
Oct 25 02:30:35 ldap slapd[460]: => mdb_dn2id("uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com")
Oct 25 02:30:35 ldap slapd[460]: <= mdb_dn2id: got id=0xa
Oct 25 02:30:35 ldap slapd[460]: => mdb_entry_decode:
Oct 25 02:30:35 ldap slapd[460]: <= mdb_entry_decode
Oct 25 02:30:35 ldap slapd[460]: => access_allowed: result not in cache (userPassword)
Oct 25 02:30:35 ldap slapd[460]: => access_allowed: auth access to "uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com" "userPassword" requested
Oct 25 02:30:35 ldap slapd[460]: => acl_get: [1] attr userPassword
Oct 25 02:30:35 ldap slapd[460]: => acl_mask: access to entry "uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com", attr "userPassword" requested
Oct 25 02:30:35 ldap slapd[460]: => acl_mask: to value by "", (=0)
Oct 25 02:30:35 ldap slapd[460]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 25 02:30:35 ldap slapd[460]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Oct 25 02:30:35 ldap slapd[460]: => slap_access_allowed: auth access denied by =0
Oct 25 02:30:35 ldap slapd[460]: => access_allowed: no more rules
Oct 25 02:30:35 ldap slapd[460]: send_ldap_result: conn=1011 op=0 p=3
Oct 25 02:30:35 ldap slapd[460]: send_ldap_response: msgid=1 tag=97 err=49
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=0 RESULT tag=97 err=49 qtime=0.000029 etime=0.000148 text=
Oct 25 02:30:35 ldap slapd[460]: connection_get(15): got connid=1011
Oct 25 02:30:35 ldap slapd[460]: connection_read(15): checking for input on id=1011
Oct 25 02:30:35 ldap slapd[460]: op tag 0x42, time 1761359435
Oct 25 02:30:35 ldap slapd[460]: ber_get_next on fd 15 failed errno=0 (Success)
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=1 do_unbind
Oct 25 02:30:35 ldap slapd[460]: conn=1011 op=1 UNBIND
Oct 25 02:30:35 ldap slapd[460]: connection_close: conn=1011 sd=15
Oct 25 02:30:35 ldap slapd[460]: conn=1011 fd=15 closed
I'm happy to share my config too, but this is already getting long.
On 25/10/2025 at 04:45, hamzaahmed12328@gmail.com wrote:
> OS: Debian 13 Running in an LXC on Proxmox VE 9.0.10
> OpenLDAP Ver: @(#) $OpenLDAP: slapd 2.6.10+dfsg-1 (May 29 2025 23:41:48) $ Debian OpenLDAP Maintainers pkg-openldap-devel@lists.alioth.debian.org
>
> Current mdb ACL (playing around with ACLs to get this to work):
>
> # {1}mdb, config
> dn: olcDatabase={1}mdb,cn=config
> olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
> olcAccess: {1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage
> olcAccess: {2}to attrs=userPassword by anonymous auth by self auth
> olcAccess: {3}to * by * none
>
> ...
> Oct 25 02:30:35 ldap slapd[460]: => slap_access_allowed: auth access denied by =0
> ...
The ACLs should be:
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * break
olcAccess: {1}to * by dn.exact="cn=admin,dc=ahmza,dc=com" manage by * break
olcAccess: {2}to attrs=userPassword by anonymous auth by * break
olcAccess: {3}to * by * none
The first two could be merged into a single one.
openldap-technical@openldap.org
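A model of the evaluation rule behind this reply, added here as an example; it is not code from the thread or from OpenLDAP. It walks an olcAccess list the way slapd.access(5) describes it (the first directive whose `to` matches the target is the one used; inside it the first matching `by` clause decides; when no `by` clause matches, access is denied and evaluation stops; `break` continues with the next directive) and replays both the original ACL and the corrected one against the anonymous bind from the log. The DNs are the ones from the thread; the selector handling is deliberately limited to the `to *`, `attrs=`, `*`, `anonymous`, `self` and `dn.exact=` forms the thread uses, and a `by` clause written without an access level is treated as leaving the current grant unchanged.

```python
"""Toy model of slapd olcAccess evaluation (added example, not OpenLDAP code).

Only the selectors that appear in the thread are modelled; real slapd ACLs
support many more <what>/<who> forms, see slapd.access(5).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# slapd access levels, lowest to highest.  A grant of level L satisfies any
# request for a level at or below L (e.g. "auth" covers a bind, not a read).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str                    # "*", "anonymous", "self" or 'dn.exact="<dn>"'
    level: Optional[str] = None  # one of LEVELS; None models a bare "by * break"
    control: str = "stop"       # "stop" (slapd's default) or "break"


@dataclass
class To:
    what: str                   # "*" or "attrs=<name>[,<name>...]"
    by: List[By] = field(default_factory=list)


def what_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what> in this model: {what}")


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    # bind_dn == "" is the anonymous identity.  A simple BIND is evaluated as
    # anonymous: the client has not authenticated yet when slapd needs "auth"
    # access to userPassword, which is what the log's 'to value by ""' shows.
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    if who.startswith("dn.exact="):
        return bind_dn == who[len("dn.exact="):].strip('"')
    raise ValueError(f"unsupported <who> in this model: {who}")


def access_allowed(acl: List[To], bind_dn: str, target_dn: str,
                   attr: str, requested: str) -> Tuple[bool, List[str]]:
    """Return (allowed, trace); trace records which directive decided and why."""
    granted = "none"
    trace = []
    for idx, rule in enumerate(acl):
        if not what_matches(rule.what, attr):
            continue
        clause = next((b for b in rule.by if who_matches(b.who, bind_dn, target_dn)), None)
        if clause is None:
            # The case in the log: "no more <who> clauses, returning =0 (stop)".
            trace.append(f"{{{idx}}} matched <what>, no <who> matched: deny, stop")
            granted = "none"
            break
        if clause.level is not None:
            granted = clause.level
        trace.append(f"{{{idx}}} by {clause.who} -> {granted} ({clause.control})")
        if clause.control != "break":
            break
    return LEVELS.index(granted) >= LEVELS.index(requested), trace


PEERCRED = 'dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"'
ADMIN = 'dn.exact="cn=admin,dc=ahmza,dc=com"'
JELLYFIN = "uid=jellyfin,ou=service-accounts,dc=ahmza,dc=com"

# The ACL from the original post: {0} matches every entry and stops.
ORIGINAL_ACL = [
    To("*", [By(PEERCRED, "manage")]),
    To("*", [By(ADMIN, "manage")]),
    To("attrs=userPassword", [By("anonymous", "auth"), By("self", "auth")]),
    To("*", [By("*", "none")]),
]

# The ACL from the reply: "by * break" lets later directives be reached.
FIXED_ACL = [
    To("*", [By(PEERCRED, "manage"), By("*", control="break")]),
    To("*", [By(ADMIN, "manage"), By("*", control="break")]),
    To("attrs=userPassword", [By("anonymous", "auth"), By("*", control="break")]),
    To("*", [By("*", "none")]),
]


def bind_allowed(acl: List[To]) -> bool:
    """Can an anonymous client get 'auth' access to the jellyfin entry's userPassword?"""
    return access_allowed(acl, "", JELLYFIN, "userPassword", "auth")[0]


def admin_manage_allowed(acl: List[To]) -> bool:
    """Does the cn=admin directive actually reach the admin under this ACL?"""
    return access_allowed(acl, "cn=admin,dc=ahmza,dc=com", JELLYFIN, "uid", "manage")[0]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        allowed, trace = access_allowed(acl, "", JELLYFIN, "userPassword", "auth")
        print(f"{name}: anonymous auth on userPassword -> {'ALLOWED' if allowed else 'DENIED'}")
        for line in trace:
            print("   ", line)
```

Running it prints the decision path for each ACL: under the original list `{0}` matches the entry, no `by` clause matches the anonymous requester, and evaluation stops with a denial, exactly the `acl_get: [1]` / `returning =0 (stop)` sequence in the log; under the corrected list the two `by * break` clauses pass control down to `{2}`, where `by anonymous auth` grants the bind, while a request for `read` on userPassword is still refused and `{3}` still denies everything else. Two caveats for the real server: the rootdn is exempt from ACL checks, so if cn=admin,dc=ahmza,dc=com is also the database's olcRootDN it is that, not directive `{1}`, that gives it access; and slapacl(8), with -b for the target entry and -D for the bound DN, answers the same question against the live configuration rather than this model.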