I just resolved the problem myself. I think the slapd was confused by some "commented out" access entries (access entries with a pound sign to being with). I removed those entries and the problem just went away. Thank you for taking time and trying to help. Luke
----- Original Message ---- From: Luke Lee leeluke77@yahoo.com To: Dieter Kluenter dieter@dkluenter.de; openldap-technical@openldap.org Sent: Monday, May 12, 2008 10:56:00 AM Subject: Mystery - Authentication Would Fail If Not Binding With Server By Using cn=Manager
My access rules in the slapd..conf are the following: access to attrs=userPassword by self write by anonymous auth by dn.base="cn=sysadmin,dc=mydomain,dc=com" write by group.exact="cn=itmanager,ou=manager,dc=mydomain,dc=com" write by * none access to * by self write by dn.base="cn=sysadmin,dc=mydomain,dc=com" write by group.exact="cn=itmanager,ou=manager,dc=mydomain,dc=com" write by * read If I don't have the following entries in a client's /etc/ldap.conf, when I login the client by using ssh I will get the "Access denied" message: binddn cn=Manager,dc=mydomain,dc=com bindpw secret The ldap log is the following: May 11 16:08:18 ldapm slapd[24629]: conn=0 fd=13 ACCEPT from IP=192.168.2.161:33801 (IP=0.0.0.0:389) May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 BIND dn="" method=128 May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 RESULT tag=97 err=0 text= May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))" May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))" May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= May 11 16:08:23 ldapm slapd[24629]: conn=1 fd=16 ACCEPT from IP=192.168.2.161:33802 (IP=0.0.0.0:389) May 11 16:08:23 ldapm slapd[24629]: conn=1 op=0 BIND dn="" method=128 May 11 16:08:23 ldapm slapd[24629]: conn=1 op=0 RESULT tag=97 err=0 text= May 11 16:08:23 ldapm slapd[24629]: conn=1 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=luke_l)" May 11 16:08:23 ldapm slapd[24629]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text= If I have the binddn and bindpw using the distinguished name, Manager, the login will succeed. The ldap log is the following: May 11 17:22:32 ldapm slapd[24629]: conn=20 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=20 op=4 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=luke_l)" May 11 17:22:32 ldapm slapd[24629]: conn=20 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luke_l)(uniqueMember=uid=luke_l,ou=people,dc=mydomain,dc=com)))" May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SRCH attr=cn userPassword memberUid uniqueMember gidNumber May 11 17:22:32 ldapm slapd[24629]: <= bdb_equality_candidates: (uniqueMember) not indexed May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text= May 11 17:22:32 ldapm slapd[24629]: conn=20 op=6 UNBIND May 11 17:22:32 ldapm slapd[24629]: conn=20 fd=18 closed May 11 17:22:32 ldapm slapd[24629]: conn=21 fd=16 ACCEPT from IP=192.168.2.161:33816 (IP=0.0.0.0:389) May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118 May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0 May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 RESULT tag=97 err=0 text= May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))" May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))" May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=22 fd=18 ACCEPT from IP=192.168.2.161:33817 (IP=0.0.0.0:389) May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118 May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0 May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 RESULT tag=97 err=0 text= May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))" May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=23 fd=20 ACCEPT from IP=192.168.2.161:33818 (IP=0.0.0.0:389) May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118 May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0 May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 RESULT tag=97 err=0 text= May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))" May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= May 11 17:22:32 ldapm slapd[24629]: conn=23 fd=20 closed (connection lost) What should I do to fix the problem and bind the server anonymously but get the authetication working? Thanks. Luke
----- Original Message ---- From: Dieter Kluenter dieter@dkluenter.de To: openldap-technical@openldap.org Sent: Saturday, May 10, 2008 1:32:58 AM Subject: Re: Mystery - Authentication Would Fail If Not Binding With Server By Using cn=Manager
Hi,
Luke Lee leeluke77@yahoo.com writes:
I am running OpenLDAP 2.3.39 on RedHat. My login authentication on a client system will fail if I don't configure the optional binddn and bindpw by using cn=Manager. Can anyone please enlighten me what could cause the strange problem? Thanks!
Could you be a bit more specific and could you provide the access rules of slapd.conf?
-Dieter
openldap-technical@openldap.org