Hello, I have a problem with ACLs and groups. I configured a proxy slapd and added ACLs (see slapd.conf below).
When I run an ldapsearch command as user 'Test User' the attributes are displayed. It's OK.
But when I run the same ldapsearch command as user 'Synchro1 User' the message 'Insufficient access (50)' is displayed. It's not OK. The user 'Synchro1 User' is a member of CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch
Do you have an idea? Thank you for your help. Dysan
My environment
---------------------
ldapproxy server: CentOS release 5.9 (Final), openldap version 2.3.43
dc1-test: Windows Server 2008 R2 (Domain Controller)

Ldapsearch command
-------------------
$ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636 -D "CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W -b "dc=activedir,dc=example,dc=ch" -s sub cn=*
Enter LDAP Password:
dn: ........
...

$ ldapsearch -x -LLL -H ldaps://ldapproxy.example.ch:636 -D "CN=Synchro1 User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" -W -b "dc=activedir,dc=example,dc=ch" -s sub cn=*
Enter LDAP Password:
Insufficient access (50)
slapd.conf
----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:-SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacerts.crt
TLSCertificateFile /etc/openldap/cacerts/ldapproxy.example.ch.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldapproxy.example.ch.key

loglevel -1
disallow bind_anon

# AD
database ldap
suffix "dc=activedir,dc=example,dc=ch"
uri "ldaps://dc1-test.example.ch/"
readonly on
rebind-as-user
lastmod off

access to attrs=displayname,sn,givenname,mail,telephoneNumber
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none

# The users must see the entry itself
access to attrs=entry
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none

# Other attributes: other users have no access
access to *
    by * none
#---------------------------------------------------------------------------------------------------------------
slapd.conf end
Dysan 67 wrote:
Hello, I have a problem with ACLs and groups. I configured a proxy slapd and added ACLs (see slapd.conf below).
Read the slapd-ldap(5) manpage. Since your remote server is AD you must configure explicit Bind credentials for any access of the remote server. In this case, back-ldap cannot look up the remote group memberships because you have failed to configure acl-bind.
Run slapd with -d7 and it will be obvious that this is the problem.
Hello,
It's running. Thank you for your help.
For information, you will find below the correct slapd.conf.
slapd.conf
----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:-SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacerts.crt
TLSCertificateFile /etc/openldap/cacerts/ldapproxy.example.ch.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldapproxy.example.ch.key

loglevel -1
disallow bind_anon

# AD
database ldap
suffix "dc=activedir,dc=example,dc=ch"
uri "ldaps://dc1-test.example.ch/"
readonly on
rebind-as-user
lastmod off
idassert-bind bindmethod=simple
    binddn="CN=LDAPAccess,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch"
    credentials=secret
    mode=none
idassert-authzFrom "*"

access to attrs=displayname,sn,givenname,mail,telephoneNumber
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none

# The users must see the entry itself
access to attrs=entry
    by dn.exact="CN=Test User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch" read
    by group.exact="CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch" read
    by * none

# Other attributes: other users have no access
access to *
    by * none
#---------------------------------------------------------------------------------------------------------------
slapd.conf end
2013/6/7 Howard Chu hyc@symas.com
Dysan 67 wrote:
Hello, I have a problem with ACLs and groups. I configured a proxy slapd and added ACLs (see slapd.conf below).
Read the slapd-ldap(5) manpage. Since your remote server is AD you must configure explicit Bind credentials for any access of the remote server. In this case, back-ldap cannot look up the remote group memberships because you have failed to configure acl-bind.
Run slapd with -d7 and it will be obvious that this is the problem.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
openldap-technical@openldap.org
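A verification check added here, not part of the thread: before relying on a group-based ACL behind a back-ldap proxy, confirm that the identity slapd binds to the DC with (the LDAPAccess account from the corrected config) can itself read the group's member list, because when that lookup fails the `by group.exact` clause simply does not match and the request falls through to `by * none`. Hosts, DNs and the AD `member` attribute are taken from the thread; the `--check` flag and the folded sample LDIF are constructed for this example.

```shell
#!/bin/sh
# Added check: can the proxy's bind identity read the AD group's member list?
# DNs and hostname are the ones from the thread; the bind password is prompted.
GROUP_DN='CN=Grp_Users_UG,OU=Gina,OU=Applications,DC=activedir,DC=example,DC=ch'
USER_DN='CN=Synchro1 User,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch'
BIND_DN='CN=LDAPAccess,OU=TST,OU=USERS,DC=activedir,DC=example,DC=ch'
DC_URI='ldaps://dc1-test.example.ch/'

# unfold_ldif: ldapsearch wraps long attribute values and marks each
# continuation with a leading space; join those lines back together so a
# long DN can be matched as a single value.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }'
}

# member_listed USER_DN: reads LDIF on stdin, succeeds (exit 0) when the
# group entry lists USER_DN in its member attribute. DNs compare
# case-insensitively as in LDAP; -F -x match the whole line literally.
member_listed() {
    unfold_ldif | grep -i -F -x "member: $1" >/dev/null
}

# fetch_group: read only the member attribute of the group, as the bind
# identity, straight from the DC (bypassing the proxy and its ACLs).
fetch_group() {
    ldapsearch -x -LLL -H "$DC_URI" -D "$BIND_DN" -W \
        -b "$GROUP_DN" -s base '(objectClass=*)' member
}

# Live check: only runs when invoked with --check (constructed flag), so the
# functions above can be sourced and exercised on sample LDIF offline.
if [ "${1:-}" = "--check" ]; then
    if fetch_group | member_listed "$USER_DN"; then
        echo "OK: $BIND_DN can see $USER_DN in $GROUP_DN"
    else
        echo "FAIL: membership not readable as $BIND_DN; group.exact will not match" >&2
        exit 1
    fi
fi
```

Values containing non-ASCII characters are printed base64-encoded by ldapsearch (`member::`) and would need decoding before this match; the check is otherwise exact.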