Eric Speake Web Systems Administrator O'Reilly Auto Parts
From: "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de To: espeake@oreillyauto.com Date: 08/29/2013 01:46 AM Subject: Antw: Re: Object not found
Eric,
Following your progress on LDAP, why don't you use a simple working starting configuration and then take simple steps towards where you want to end up? Only proceed if the current configuration works as intended; if not, either undo or fix it.
Something like:
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=system,dc=whatever" read by group/organizationalRole/roleOccupant.exact="cn=LDAP-Manager,dc=whatever" write by * break
olcAccess: {1}to attrs=userPassword by self write by * auth
olcAccess: {2}to attrs=shadowLastChange by self write by * read
olcAccess: {3}to attrs=userPKCS12 by self read by * none
olcAccess: {4}to * by * read
You can leave out rule {0}, because that's some local extension used here (use a group for Managers).
Also I can recommend turning on auth logging for your tests. In LDIF format:
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: ACL
-
I also recommend doing frequent database dumps with slapcat, so you can revert to a working configuration once you have messed things up. However, when using replication, be aware that if you restore one node to an older configuration, the older node may be overwritten if the other nodes still have a newer configuration.
To all: Is there an option to slapadd to make any entries actually added be treated as "new" (i.e. ignoring the CSNs and modification timestamps in the LDIF)?
Regards, Ulrich
espeake@oreillyauto.com wrote on 29.08.2013 at 05:25 in message OF5EFEDB5F.26657526-ON86257BD6.001209FD-86257BD6.0012CADD@LocalDomain:
Okay, so I have the access list figured out and everything looks good, except now the credentials for my user aren't working. I get an error 49 (invalid credentials). I have re-entered the password for the user. There is one other user that will not authenticate. Both of these users are in the ou System. The base admin account can log in and get the information. Here is the new access list.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write by * break
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by self write
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
The two users that I need to work are readOnlyUser, dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", and ldapadmin, dn="uid=ldapadmin,ou=System,dc=oreillyauto,dc=com".
Here is the search and result:
root@tntest-ldap-3:/var/lib/ldap# ldapsearch -Wx -D "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" -b "dc=oreillyauto,dc=com" -H ldap://<ldap-server>.oreillyauto.com uid=espeake uid displayName employeeNumber
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Any and all ideas are welcome.
Eric Speake Web Systems Administrator O'Reilly Auto Parts
From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com, openldap-technical@openldap.org Date: 08/28/2013 11:35 AM Subject: Re: Object not found Sent by: openldap-technical-bounces@OpenLDAP.org
--On Wednesday, August 28, 2013 8:12 AM -0500 espeake@oreillyauto.com wrote:
I have a user named readonly that we use in our applications to get uids. This has worked in the past with our old LDAP solution. We have moved to 2.4.31 on Ubuntu 12.04 with an n-way multi-master setup.
The slapcat output for this database looks like this.
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=oreillyauto,dc=com
olcAccess: {0}to attrs=userPassword by anonymous auth by * none
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by self write
Hi,
You need to spend some time reading the manual pages and admin guide on access rules for slapd.
It is immediately obvious that rule {2} will never evaluate because of rule {0}. Those shouldn't even be separate rule lines; they should be a single rule. I haven't looked further because that was so blatant; I'm guessing you have any number of other issues in your access lines.
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
-- This message has been scanned for viruses and dangerous content, and is believed to be clean. Message id: 898DB600A44.A073B
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
Here is what shows up in the log. I am highlighting what I thought would have been the issue, but it appears to be a double negative, so it is not where it is getting denied. I just must be missing it, because it looks like it is really working.
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: conn=1027 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (userPassword)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_get: [1] attr userPassword
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_mask: to value by "", (=0)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => slap_access_allowed: auth access denied by =0
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: no more rules
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Aug 29 08:53:32 slapd[18777]: last message repeated 3 times
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= acl_access_allowed: granted to database root
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: search access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (objectClass)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (objectClass)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (uid)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (description)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entry" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (objectClass)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "objectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (objectClass)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (uid)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "uid" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (description)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "description" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdPolicySubentry)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdPolicySubentry" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (structuralObjectClass)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "structuralObjectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (entryUUID)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryUUID" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (creatorsName)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "creatorsName" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (createTimestamp)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "createTimestamp" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdHistory)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdHistory" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdPolicySubentry)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdPolicySubentry" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (structuralObjectClass)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "structuralObjectClass" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (entryUUID)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryUUID" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (creatorsName)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "creatorsName" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (createTimestamp)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "createTimestamp" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdHistory)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdHistory" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (pwdHistory)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (userPassword)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (pwdHistory)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdChangedTime)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdChangedTime" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (userPassword)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdFailureTime)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdFailureTime" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdChangedTime)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdChangedTime" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (pwdFailureTime)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "pwdFailureTime" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (pwdFailureTime)
Aug 29 08:53:32 slapd[18777]: last message repeated 5 times
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (entryCSN)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryCSN" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (modifiersName)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifiersName" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (modifyTimestamp)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "modifyTimestamp" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (entryDN)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "entryDN" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (entryDN)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (subschemaSubentry)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "subschemaSubentry" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (subschemaSubentry)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (hasSubordinates)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "hasSubordinates" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result was in cache (hasSubordinates)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= root access granted
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: read access granted by manage(=mwrscxd)
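A worked model of the access-rule evaluation the thread is arguing about, added here as an illustration; it is not OpenLDAP code and not from anyone in the thread. slapd takes the first olcAccess rule whose `to` clause matches the entry and attribute, then tries that rule's `by` clauses in order; the first `by` clause that matches the requester sets the access level and, unless it says `break` (carry on to the next matching rule) or `continue`, evaluation stops there. That is what Quanah's remark comes down to: with `{0}to attrs=userPassword by anonymous auth by * none` ahead of `{2}to attrs=userPassword ...`, `by * none` matches every non-anonymous requester and stops, so rule {2} is never consulted. It is also why a leading `to *` rule has to end in `by * break`: during a simple bind the requester is still anonymous while slapd checks auth access to the target's userPassword (the log above shows `to value by ""`), and if none of the rule's `by` clauses match, slapd logs `no more <who> clauses, returning =0 (stop)`, denies auth, and reports that to the client as invalid credentials (49), the same result code a wrong password gives. The model reproduces both cases on the rules quoted in the thread. The merged rule is my reading of Quanah's "single rule" and is an assumption; the group map stands in for the directory lookup slapd would do; the rule syntax it parses is limited to the clause forms that appear in this thread.

```python
"""Model of slapd access-rule evaluation: the first `to` clause matching the entry and attribute
is chosen, then its `by` clauses are tried in order and the first match decides, subject to the
stop (default) / break / continue controls. Added example, not OpenLDAP code; thread forms only."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def dn_in_scope(dn, base, style):
    dn, base = norm_dn(dn), norm_dn(base)
    if style in ("base", "exact"):            # the entry itself
        return dn == base
    if style in ("subtree", "children"):      # subtree includes the base entry, children does not
        return (dn == base and style == "subtree") or dn.endswith("," + base)
    raise ValueError("unsupported dn style: " + style)

def parse_rule(text):
    """'to <what> by <who> [<access>] [<control>] ...' -> (target, [(who, access, control)])."""
    toks = shlex.split(text)                  # shlex drops the quotes around DNs
    assert toks[:1] == ["to"], "rule must start with 'to'"
    target, i = {"dn": None, "attrs": None}, 1
    while i < len(toks) and toks[i] != "by":
        key, _, val = toks[i].partition("=")
        if key == "attrs":
            target["attrs"] = {a.lower() for a in val.split(",")}
        elif key.startswith("dn."):
            target["dn"] = (key[3:], val)     # (style, base dn)
        elif toks[i] != "*":
            raise ValueError("unsupported target: " + toks[i])
        i += 1
    clauses = []
    while i < len(toks):
        assert toks[i] == "by", "expected 'by', got " + toks[i]
        who, i = toks[i + 1], i + 2
        access = control = None
        if i < len(toks) and toks[i] in LEVELS:
            access, i = toks[i], i + 1
        if i < len(toks) and toks[i] in ("stop", "break", "continue"):
            control, i = toks[i], i + 1
        clauses.append((who, access, control or "stop"))
    return target, clauses

def target_matches(t, entry_dn, attr):
    return (t["dn"] is None or dn_in_scope(entry_dn, t["dn"][1], t["dn"][0])) and (t["attrs"] is None or attr.lower() in t["attrs"])

def who_matches(who, bind_dn, entry_dn, groups):
    # bind_dn == "" is an anonymous requester, which a simple bind still is during the auth check
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bind_dn == "") == (who == "anonymous")
    if who == "self":
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(entry_dn)
    if who.startswith("dn."):
        style, _, base = who[3:].partition("=")
        return bind_dn != "" and dn_in_scope(bind_dn, base, style)
    if who.startswith("group/"):              # group/<objectClass>/<memberAttr>=<group dn>
        return norm_dn(bind_dn) in groups.get(norm_dn(who.partition("=")[2]), set())
    raise ValueError("unsupported who clause: " + who)

def evaluate(rules, bind_dn, entry_dn, attr, groups=None):
    mask, trace = None, []                    # one access check over rules in olcAccess order
    for n, (target, clauses) in enumerate(rules):
        if not target_matches(target, entry_dn, attr):
            continue
        for who, access, control in clauses:
            if not who_matches(who, bind_dn, entry_dn, groups or {}):
                continue
            mask = access or mask             # 'by * break' names no level: mask unchanged
            trace.append("rule {%d}: by %s -> %s (%s)" % (n, who, mask or "none", control))
            if control == "stop":
                return mask or "none", trace
            if control == "break":
                break                         # carry the mask on to the next matching rule
        else:
            trace.append("rule {%d}: no more <who> clauses, returning %s (stop)" % (n, mask or "none"))
            return mask or "none", trace
    return mask or "none", trace              # no more rules

# Constructed inputs: rules quoted in the thread, a merged rule (my reading of Quanah's "single rule") and a group map
AUTH_GROUP = 'group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com"'
PWADMIN = "uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com"
RO_USER = "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
GROUPS = {norm_dn("cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com"): {norm_dn(PWADMIN)}}
ERIC_ORIGINAL = [parse_rule("to attrs=userPassword by anonymous auth by * none"),
                 parse_rule("to attrs=userPassword by %s write by anonymous auth by self write" % AUTH_GROUP)]
MERGED = [parse_rule("to attrs=userPassword by %s write by self write by anonymous auth by * none" % AUTH_GROUP)]
LEADING = 'to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="%s" read' % RO_USER
PASSWORD = parse_rule("to attrs=userPassword by anonymous auth by self write")

def demo():
    return {
        "original_group_write": evaluate(ERIC_ORIGINAL, PWADMIN, RO_USER, "userPassword", GROUPS)[0],
        "merged_group_write": evaluate(MERGED, PWADMIN, RO_USER, "userPassword", GROUPS)[0],
        "leading_without_break": evaluate([parse_rule(LEADING), PASSWORD], "", RO_USER, "userPassword")[0],
        "leading_with_break": evaluate([parse_rule(LEADING + " by * break"), PASSWORD], "", RO_USER, "userPassword")[0],
    }
```

demo() returns none, write, none and auth for the four scenarios: the Authenticate group member gets no write on userPassword under the original two rules and write under the merged one, and an anonymous bind against readOnlyUser is denied when the leading `to *` rule has only dn.base clauses but reaches the userPassword rule once `by * break` is appended. The second element of evaluate() is a trace in the same shape as the acl_mask lines in the log, which is the quickest way to see which clause stopped evaluation.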
From: espeake@oreillyauto.com To: "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de Cc: openldap-technical@openldap.org Date: 08/29/2013 10:29 AM Subject: Re: Antw: Re: Object not found Sent by: openldap-technical-bounces@OpenLDAP.org
Eric Speake Web Systems Administrator O'Reilly Auto Parts
From: "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de To: espeake@oreillyauto.com Date: 08/29/2013 01:46 AM Subject: Antw: Re: Object not found
Eric,
following you progress on LDAP, why don't you use a working simple starting configuration and then try simple steps towards getting where you want to be at the end? Only proceed if the current configuration works as intended; if not either undo or fix it.
Something like: olcAccess: {0}to * by dn.base="uid=syncrepl,ou=system,dc=whatever" read by group/organizationalRole/roleOccupant.exact="cn=LDAP-Manager,dc=whatever" write by * break olcAccess: {1}to attrs=userPassword by self write by * auth olcAccess: {2}to attrs=shadowLastChange by self write by * read olcAccess: {3}to attrs=userPKCS12 by self read by * none olcAccess: {4}to * by * read
You can leave out rule {0}, because that's some local extension used here (use a group for Managers).
Also I can recommend turning on auth logging for your tests. In LDIF-format: dn: cn=config changetype: modify add: olcLogLevel olcLogLevel: ACL -
I also recommend doing frequent database dumps per slapcat, so you can revert to a working configuration once you messed up things. However when using replication, be aware that restoring one node to an older configuration, the older node may be overwritten if the other nodes still have a newer configuration.
To all: Is there an option to slapadd to make any entries actually added being "new" (i.e. ignoring CSNs and modification timestamps in the LDIF)?
Regards, Ulrich
espeake@oreillyauto.com schrieb am 29.08.2013 um 05:25 in Nachricht
OF5EFEDB5F.26657526-ON86257BD6.001209FD-86257BD6.0012CADD@LocalDomain:
Okay so I have the access list figured out and everything looks good
except
now the credentials for my user aren't working. I get an error 49
(invalid
credentials) I have reentered the password for the user. There is one other user that will not autenticate. Both of thes users are in the ou System. The base admin account can login and get the informatio. Here
is
the new access list.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write by * break olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break olcAccess: {2}to attrs=userPassword by
group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillya
uto,dc=com" write by anonymous auth by self write olcAccess: {3}to attrs=uid by anonymous read by users read olcAccess: {4}to attrs=ou,employeeNumber by users read olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com by self read by
group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillya
uto,dc=com" read by * none olcAccess: {8}to * by self read by users read
The two users that I need to work are: readOnlyUser dn="uid=readOnlyUser,ou=System,dc=oreilly,dc=com and ldapadmin
dn="uid=ldapadmin, ou=System,dc=oreulllyauto,dc=com
Here is the search and result:
root@tntest-ldap-3:/var/lib/ldap# ldapsearch -Wx -D "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" -b "dc=oreillyauto,dc=com" -H ldap://<ldap-server>.oreillyauto.com
uid=espeake
uid dsplayName employeeNumber Enter LDAP Password: ldap_bind: Invalid credentials (49)
any and all ideas are welcomed. Eric Speake Web Systems Administrator O'Reilly Auto Parts
From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com,
openldap-technical@openldap.org
Date: 08/28/2013 11:35 AM Subject: Re: Object not found Sent by: openldap-technical-bounces@OpenLDAP.org
--On Wednesday, August 28, 2013 8:12 AM -0500 espeake@oreillyauto.com wrote:
I have a user name readonly that we use in our applications to get
uid's.
THis has worked in the past with our old LDAP solution. We have moved
to
2.4.31 on Ubuntu 12.04 with a n-way Multi master setup.
The slap cat for this database looks like this.
dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=oreillyauto,dc=com olcAccess: {0}to attrs=userPassword by anonymous auth by * none olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueName s/uniqueMember="cn=System
Administrators,ou=Groups,dc=oreillyauto,dc=com"
wri te by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreil lyauto,dc=com" write by * none break olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember=" cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous
auth
by s elf write
Hi,
You need to spend some time reading the manual pages and admin guide on access rules for slapd.
It is immediately obvious that rule {2} will never evaluate because of rule {0}. Those shouldn't even be separate rule lines, they should be a single rule. I haven't looked further because that was so blatant; I'm guessing you have any number of other issues in your access lines.
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
-- This message has been scanned for viruses and dangerous content, and is believed to be clean. Message id: 898DB600A44.A073B
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
Here is what shows up in the log. I am highlighting what I thought would have been the issue, but it appears to be a double negative, so it is not where it is getting denied. I must just be missing it, because it looks like it is really working.
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: conn=1027 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "cn=passwordadminpolicy,ou=policies,dc=oreillyauto,dc=com"
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: result not in cache (userPassword)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: auth access to "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" "userPassword" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_get: [1] attr userPassword
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_mask: access to entry "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword" requested
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => acl_mask: to value by "", (=0)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=syncrepl,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=readonlyuser,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=ldapadmin,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=newuseradmin,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= check a_dn_pat: uid=passwordadmin,ou=system,dc=oreillyauto,dc=com
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => slap_access_allowed: auth access denied by =0
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => access_allowed: no more rules
Aug 29 08:53:32 tntest-ldap-1 slapd[18777]: => bdb_entry_get: found entry: "uid=readonlyuser,ou=system,dc=oreillyauto,dc=com"
Aug 29 08:53:32 slapd[18777]: last message repeated 3 times
Quanah,
I have retyped the password a couple of times to be sure I didn't fat-finger the password. I have a 3-node n-way multimaster cluster that is working with replication on all changes, with no issues other than the authentication. I changed the password for the user on one server and checked the other two, making sure the password hash replicated to the other servers, and it did with no problems. I tried the ldapsearch with two system users that will be used against the ldap server, with the same result for both. The only user that will authenticate is the DB rootDN user. And of course that password is stored in the config.
Any ideas on what I can check next? I tried changing the logging to -1 to get everything, but I just wasn't seeing anything that looked helpful.
Thanks for the help, Eric
--On Thursday, August 29, 2013 2:30 PM -0500 espeake@oreillyauto.com wrote:
Quanah,
I have retyped the password a couple of times to be sure I didn't fat-finger the password. I have a 3-node n-way multimaster cluster that is working with replication on all changes, with no issues other than the authentication. I changed the password for the user on one server and checked the other two, making sure the password hash replicated to the other servers, and it did with no problems. I tried the ldapsearch with two system users that will be used against the ldap server, with the same result for both. The only user that will authenticate is the DB rootDN user. And of course that password is stored in the config.
Any ideas on what I can check next? I tried changing the logging to -1 to get everything, but I just wasn't seeing anything that looked helpful.
So, as someone else noted, if your previous OpenLDAP version used a {crypt} type hash, the newer build of OpenLDAP may not support {crypt} type passwords. So, my suggestion was you modify the password of the user who can't bind. You can do this using the rootdn and the ldappasswd utility.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
--On Thursday, August 29, 2013 6:11 PM -0500 espeake@oreillyauto.com wrote:
Sorry that I was unclear. I have changed the password and I still get the invalid credentials error.
Changed it how?
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
From: espeake@oreillyauto.com To: Quanah Gibson-Mount quanah@zimbra.com Cc: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de, openldap-technical@openldap.org Date: 08/29/2013 06:39 PM Subject: Re: Antw: Re: Object not found Sent by: openldap-technical-bounces@OpenLDAP.org
To: espeake@oreillyauto.com From: Quanah Gibson-Mount quanah@zimbra.com Date: 08/29/2013 05:55PM Cc: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de, openldap-technical@openldap.org Subject: Re: Antw: Re: Object not found
--On Thursday, August 29, 2013 2:30 PM -0500 espeake@oreillyauto.com wrote:
Quanah,
I have retyped the password a couple of times to be sure I didn't fat-finger the password. I have a 3-node n-way multimaster cluster that is working with replication on all changes, with no issues other than the authentication. I changed the password for the user on one server and checked the other two, making sure the password hash replicated to the other servers, and it did with no problems. I tried the ldapsearch with two system users that will be used against the ldap server, with the same result for both. The only user that will authenticate is the DB rootDN user. And of course that password is stored in the config.
Any ideas on what I can check next? I tried changing the logging to -1 to get everything, but I just wasn't seeing anything that looked helpful.
So, as someone else noted, if your previous OpenLDAP version used a {crypt} type hash, the newer build of OpenLDAP may not support {crypt} type passwords. So, my suggestion was you modify the password of the user who can't bind. You can do this using the rootdn and the ldappasswd utility.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Sorry that I was unclear. I have changed the password and I still get the invalid credentials error.
Thanks, Eric
I came across something that might explain what is causing the authentication issue. In looking at the readOnlyUser that is not authenticating on my new server running openldap 2.4.31 and my old server running openldap 2.4.21, the difference is the password hash. When I decode the provided password hash, the old server returns that the password was generated with a standard hash, and on the new server it is a salted hash. I have looked through ppolicy in my slapcat.ldif file and I don't see anything there dealing with password storage. I am trying to figure out how I can toggle the salted hash off to do further testing.
Thanks, Eric
From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com Cc: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de, openldap-technical@openldap.org Date: 08/29/2013 06:25 PM Subject: Re: Antw: Re: Object not found Sent by: openldap-technical-bounces@OpenLDAP.org
--On Thursday, August 29, 2013 2:30 PM -0500 espeake@oreillyauto.com wrote:
Quanah,
I have retyped the password a couple of times to be sure I didn't fat-finger the password. I have a 3-node n-way multimaster cluster that is working with replication on all changes, with no issues other than the authentication. I changed the password for the user on one server and checked the other two, making sure the password hash replicated to the other servers, and it did with no problems. I tried the ldapsearch with two system users that will be used against the ldap server, with the same result for both. The only user that will authenticate is the DB rootDN user. And of course that password is stored in the config.
Any ideas on what I can check next? I tried changing the logging to -1 to get everything, but I just wasn't seeing anything that looked helpful.
So, as someone else noted, if your previous OpenLDAP version used a {crypt} type hash, the newer build of OpenLDAP may not support {crypt} type passwords. So, my suggestion was you modify the password of the user who can't bind. You can do this using the rootdn and the ldappasswd utility.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah,
I tried this morning to change the password:
ldappasswd -s <password> -Wx -D "uid=admin,dc=<domain>,dc=com" "uid=readOnlyUser,ou=system,dc=<domain>,dc=com"
I confirmed that the hashed password changed. I still get invalid credentials. I am betting that there is some little simple thing that is holding this up.
Thanks, Eric
--On Friday, August 30, 2013 10:55 AM -0500 espeake@oreillyauto.com wrote:
Quanah,
I tried this morning to change the password:
ldappasswd -s <password> -Wx -D "uid=admin,dc=<domain>,dc=com" "uid=readOnlyUser,ou=system,dc=<domain>,dc=com"
I confirmed that the hashed password changed. I still get invalid credentials. I am betting that there is some little simple thing that is holding this up.
Ok, so error (49) means one of two things:
a) Password is incorrect
b) No such object
No such object means either the entry you are attempting to bind as does not exist in the LDAP DB, or ACLs prevent reading it, so it appears not to exist.
My guess is this ACL is blocking access to the entry:
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com Cc: openldap-technical@openldap.org, openldap-technical-bounces@OpenLDAP.org, Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de Date: 08/30/2013 12:37 PM Subject: Re: Antw: Re: Object not found
--On Friday, August 30, 2013 10:55 AM -0500 espeake@oreillyauto.com wrote:
Quanah,
I tried this morning to change the password:
ldappasswd -s <password> -Wx -D "uid=admin,dc=<domain>,dc=com" "uid=readOnlyUser,ou=system,dc=<domain>,dc=com"
I confirmed that the hashed password changed. I still get invalid credentials. I am betting that there is some little simple thing that is holding this up.
Ok, so error (49) means one of two things:
a) Password is incorrect
b) No such object
No such object means either the entry you are attempting to bind as does not exist in the LDAP DB, or ACLs prevent reading it, so it appears not to exist.
My guess is this ACL is blocking access to the entry:
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Wouldn't the following control grant the access first, since it is the first in the list?
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
I think it may be in how the password is presented. When I do an ldapsearch for the readOnlyUser, the account is found. I decode the password that is presented and the password in the encrypted {SSHA} matches what I see in my ldap browser. I am going to have my developers do some further testing against this ldap instance.
--On Friday, August 30, 2013 1:37 PM -0500 espeake@oreillyauto.com wrote:
Wouldn't the following control grant the access first since it is the first in the list?
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
No, it would not, because you aren't bound as that user yet, you are still anonymous.
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
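Quanah's two points in this thread (error 49 also covers an entry that the ACLs hide, and the bind is evaluated while the requester is still anonymous) can be checked against the quoted directives with a small model of slapd's evaluation order. The block below is an added example, not code from the thread or from OpenLDAP: it implements only the ordering rules documented in slapd.access(5) (first matching `to`, first matching `by`, the implicit `by * none`, and `break`) for the `what`/`who` forms that appear here, and feeds it the two olcAccess lines quoted above (the page does not show {1} through {4}). FIXED_RULES is a constructed alternative assumed for illustration, in which the catch-all ends in `by * break` and a userPassword directive grants `auth`; the names ERIC_RULES, FIXED_RULES, granted and can_bind are mine.

```python
"""Model of slapd's olcAccess evaluation order (added example, not OpenLDAP code).

Only the ordering rules from slapd.access(5) are modelled: the first directive
whose <what> matches is used; inside it the first matching <who> wins; a matched
directive with no matching <who> denies (implicit "by * none"); "break" carries
the clause's access on to the next directive.  Unsupported forms raise.
"""
import re

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "break"}

# Entry DNs taken from the thread; the first is the user that could not bind.
READONLY_USER = "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
SYNCREPL_USER = "uid=syncrepl,ou=System,dc=oreillyauto,dc=com"

def parse_rules(lines):
    """Parse olcAccess lines into [(what, [(who, access|None, control)])].
    The {n} prefix is discarded; list order is the evaluation order."""
    rules = []
    for line in lines:
        body = re.sub(r"^olcAccess:\s*\{\d+\}\s*", "", line.strip())
        what, *bys = re.split(r"\s+by\s+", body)
        clauses = []
        for by in bys:
            who, *opts = by.split()
            access = next((o for o in opts if o in LEVELS), None)   # omitted: no change
            control = next((o for o in opts if o in CONTROLS), "stop")
            clauses.append((who, access, control))
        rules.append((re.sub(r"^to\s+", "", what), clauses))
    return rules

def _norm(dn):
    # Case-insensitive DN comparison, spaces after commas ignored (model only).
    return re.sub(r",\s+", ",", dn.strip()).lower()

def _in_subtree(dn, base):
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)

def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if m := re.fullmatch(r'dn\.subtree="(.+)"', what):
        return _in_subtree(entry_dn, m.group(1))
    if m := re.fullmatch(r"attrs=(.+)", what):
        return attr is not None and attr.lower() in m.group(1).lower().split(",")
    raise ValueError(f"unsupported <what>: {what}")

def who_matches(who, bind_dn, entry_dn):
    # bind_dn == "" is the anonymous requester, which is what a bind runs as.
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and _norm(bind_dn) == _norm(entry_dn)
    if m := re.fullmatch(r'dn\.base="(.+)"', who):
        return bind_dn != "" and _norm(bind_dn) == _norm(m.group(1))
    if m := re.fullmatch(r'dn\.subtree="(.+)"', who):
        return bind_dn != "" and _in_subtree(bind_dn, m.group(1))
    raise ValueError(f"unsupported <who>: {who}")

def granted(rules, bind_dn, entry_dn, attr=None):
    """Return (access level, index of the directive that settled it)."""
    current, decided_by = "none", None
    for i, (what, clauses) in enumerate(rules):
        if not what_matches(what, entry_dn, attr):
            continue
        for who, access, control in clauses:
            if not who_matches(who, bind_dn, entry_dn):
                continue
            if access is not None:
                current, decided_by = access, i
            if control == "stop":
                return current, i
            break                      # "break": go on to the next directive
        else:
            return "none", i           # implicit "by * none": no <who> matched
    return current, decided_by         # nothing further matched after a "break"

def can_bind(rules, bind_dn):
    """A simple bind needs the *anonymous* requester to hold at least 'auth'
    on userPassword of the entry it wants to bind as."""
    level, _ = granted(rules, "", bind_dn, "userPassword")
    return LEVELS.index(level) >= LEVELS.index("auth")

# The two directives quoted in the thread; {1}-{4} are not shown on the page.
ERIC_RULES = parse_rules([
    'olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read '
    'by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read '
    'by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write '
    'by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write '
    'by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write',
    'olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" '
    'by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read',
])

# Constructed alternative (an assumption, not from the thread): the catch-all
# falls through with "by * break" and a userPassword directive grants auth.
FIXED_RULES = parse_rules([
    'olcAccess: {0}to * by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by * break',
    'olcAccess: {1}to attrs=userPassword by self write by * auth',
    'olcAccess: {2}to dn.subtree="ou=System,dc=oreillyauto,dc=com" '
    'by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read',
    'olcAccess: {3}to * by users read',
])

if __name__ == "__main__":
    for name, rules in (("quoted", ERIC_RULES), ("fixed", FIXED_RULES)):
        print(name, "anonymous on userPassword:", granted(rules, "", READONLY_USER, "userPassword"),
              "bind ok:", can_bind(rules, READONLY_USER))
```

Run against the quoted rules, the anonymous requester matches none of the `by dn.base=...` clauses of directive {0}, so the model stops there with `none` before {5} is ever consulted; the same requester gets `auth` from the constructed set, and the `ou=Users` versus `ou=System` distinction of the original {5} still holds once bound. To check the live configuration rather than a model, slapacl(8) evaluates access for a given requester DN and attribute against the server's own ACLs.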
openldap-technical@openldap.org