Hi,
I cannot figure out why my AIX box does not want to authenticate with my LDAP server. I think I have a problem with the LDAP setup, so I can only bind to LDAP with an anonymous bind or with olcRoot.
Checking the password for cn=admin,dc=axi,dc=intra (my LDAP manager account):

root@ldap1:/etc # ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=admin,dc=axi,dc=intra
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=admin,dc=axi,dc=intra> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# admin, axi.intra
dn: cn=admin,dc=axi,dc=intra
cn: admin
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP administrator
userPassword:: e1NTSEF9UkJXSitCZy92V2ZLNlJ5Rzdwa1pvOStpQUh5aSt4NG0=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Changing the password:

root@ldap1:/etc # ldappasswd -Y EXTERNAL -H ldapi:/// -s secret cn=admin,dc=axi,dc=intra
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

Checking that the password is changed:

root@ldap1:/etc # ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=admin,dc=axi,dc=intra
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=admin,dc=axi,dc=intra> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# admin, axi.intra
dn: cn=admin,dc=axi,dc=intra
cn: admin
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP administrator
userPassword:: e1NTSEF9TnBIK0hBN2JpWEczb0FSU1YwQm5HWmZSVll3S0NaTms=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Using the password:

root@ldap1:/etc # ldapsearch -D "cn=admin,dc=axi,dc=intra" -w secret
ldap_bind: Invalid credentials (49)
So I changed the password, but I cannot use it?
Stef
______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________
Hi,
Argh, argh, argh, it took me a few days of trial and error to realize that a newline means something special in an LDIF file!!
I had a newline before the access control rules, so the access rules were loaded without errors, but they were never used. Once I fixed this, I was able to tune the access rules and get my setup working.
Thx for all the help,
Stef
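The pitfall Stef describes above, as an added example that is not part of the thread and not OpenLDAP's own code: in LDIF (RFC 2849) a blank line ends a record, so an olcAccess line that follows a stray blank line no longer belongs to the database entry whose ACLs you meant to set. The small parser below splits LDIF the way ldapmodify does (blank line = record boundary, leading space = continuation, "::" = base64) and compares a correct modify against one with a blank line after "replace: olcAccess". The database DN olcDatabase={1}mdb,cn=config and the two access rules are assumptions for illustration; the LDIF inputs are constructed here.

```python
# Added example: a minimal LDIF record splitter showing what a stray blank line
# does to an access-rule change. Not from the thread; the DN and rules are
# assumed for illustration.
import base64


def unfold(text):
    """Join continuation lines (leading single space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Split LDIF into records; each record is a list of (attr, value) pairs."""
    records, current = [], []
    for line in unfold(text):
        if line.strip() == "":          # blank line: end of the current record
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):        # comment line
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                           # "attr: <value>"
            value = rest[1:] if rest.startswith(" ") else rest
        current.append((attr, value))
    if current:
        records.append(current)
    return records


def dn_of(record):
    return next((v for a, v in record if a == "dn"), None)


def olc_access_for(records, dn):
    """olcAccess values that actually belong to the record with this dn."""
    for rec in records:
        if dn_of(rec) == dn:
            return [v for a, v in rec if a == "olcAccess"]
    return None


def records_without_dn(records):
    """Records with no dn: the tell-tale sign of a stray blank line."""
    return [rec for rec in records if dn_of(rec) is None]


DB = "olcDatabase={1}mdb,cn=config"   # assumed database DN, not from the thread

RULES = (
    "olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none\n"
    "olcAccess: {1}to * by self write by users read by * none\n"
)

# Constructed modify LDIFs. GOOD attaches the rules to the database entry;
# BAD differs only by one blank line after "replace: olcAccess".
GOOD = f"dn: {DB}\nchangetype: modify\nreplace: olcAccess\n{RULES}"
BAD = f"dn: {DB}\nchangetype: modify\nreplace: olcAccess\n\n{RULES}"

if __name__ == "__main__":
    for name, ldif in (("GOOD", GOOD), ("BAD", BAD)):
        recs = parse_ldif(ldif)
        print(name, "records:", len(recs),
              "| olcAccess on db entry:", olc_access_for(recs, DB),
              "| records without dn:", len(records_without_dn(recs)))
```

In the BAD input the change record for the database ends at the blank line with an empty "replace: olcAccess", and the two rules sit in a second record with no dn at all. The check a practitioner wants after any ACL change is to read back what the server actually holds rather than trusting the file: `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` lists the olcAccess values per database entry. Keep in mind the slapd.access(5) default when a database has no access directives at all: anyone may read anything (including userPassword), and only the rootdn may write, so "loaded without errors" is not the same as "enforced".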
Hey Stef,
glad you could fix it (for yourself). Are you using slapd.conf or cn=config? Seems to be slapd.conf. Imo, the rate of mistakes is quite low if you use cn=config and modify your config via ldapmodify or any other LDAP client. Empty lines or lines that don't belong there are really difficult to trigger in this situation. :)
Bye, Benjamin.
On Tue, Nov 16, 2010 at 15:43, Stef Coene stef.coene@docum.org wrote:
> Hi,
> Argh, argh, argh, it took me a few days of trial and error to realize that a newline means something special in an LDIF file!!
> I had a newline before the access control rules, so the access rules were loaded without errors, but they were never used. Once I fixed this, I was able to tune the access rules and get my setup working.
> Thx for all the help,
> Stef
On Tuesday 16 November 2010, you wrote:
> Hey Stef,
> glad you could fix it (for yourself). Are you using slapd.conf or cn=config? Seems to be slapd.conf.
cn=config
> Imo, the rate of mistakes is quite low if you use cn=config and modify your config via ldapmodify or any other LDAP client. Empty lines or lines that don't belong there are really difficult to trigger in this situation. :)
Indeed.
The next step is to get the LDAP server more AIX compliant so I can put extra user options like 'Password MAX. AGE' on the LDAP server.
Stef
openldap-technical@openldap.org