Hello, I could please use your help regarding issues I am seeing with user access authenticating to my new LDAP server.
I am new to LDAP, and am building my first server.
I have created a new user (lou) and client (ldapServer) and am trying to authenticate the user through the client.
I have configured the LDAP server to also be the LDAP test client.
I am seeing the following errors in the /var/log/sssd/sssd_default.log when I run:
getent passwd lou
or
su - lou
(Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [sdap_get_rootdse_done] (0x0040): RootDSE could not be retrieved. Please check that anonymous access to RootDSE is allowed
(Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'IP_Address' as 'working'
(Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'IP_Address' as 'working'
(Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Insufficient access(50), no errmsg set
(Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Fri Sep 25 16:43:15 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
According to the common-errors doc:
http://www.openldap.org/doc/admin24/appendix-common-errors.html
I believe I am having an issue with the Default ACLs.
I have been doing much reading and am coming up short. My questions are:
First: how to delete the current default ACLs using a command line entry, or using an ldapmodify on a .ldif file
Second: how to add a new ACL allowing all users access using a command line entry or .ldif file. Once I get the user lou (and other test users) to connect, I will change the ACL access rules for restriction. I need to get it working first.
Also, is there a step by step beginners guide for the ACL process?
Any help is greatly appreciated. Thank you - Lou
Varadi, Louis - 0442 - MITLL wrote:
Also, is there a step by step beginners guide for the ACL process?
Access control is always hard work.
There's no way around reading slapd.access(5): http://www.openldap.org/software/man.cgi?query=slapd.access
Also the FAQ contains examples and more details worth reading: http://www.openldap.org/faq/data/cache/189.html
Make sure you start slapd with additional loglevel acl to see what's going on (much output). Note that ACL debugging on the mailing list most times does not work. The amount of work depends on your personal requirements.
Ciao, Michael.
openldap-technical@openldap.org
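Taking Michael's pointers and Lou's two questions together, the following ldapmodify LDIF is added here as an example and is not part of the thread: it turns on ACL logging, opens anonymous read of the rootDSE (the first error in the sssd log), and replaces the user database's olcAccess in one step. It assumes a cn=config setup, that the user database is olcDatabase={1}mdb (older builds use {1}hdb; the ldapsearch in the comments shows the real name) and root access on the server over ldapi:///; the resulting rules are one reasonable starting point for testing, not the only correct set.

```ldif
# Added example, not from the thread. Assumes cn=config, a user database
# named olcDatabase={1}mdb (may be {1}hdb on older builds), and root on the
# server itself, so SASL EXTERNAL over ldapi:/// works:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL olcDatabase olcAccess
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl-test.ldif

# 1) Michael's tip: add "acl" to the log level so every access decision is
#    logged (verbose; drop it again once lou can log in).
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: stats acl

# 2) The rootDSE (empty DN) and cn=Subschema are served by the frontend, not
#    the user database. sssd reads the rootDSE anonymously before anything
#    else, which is the "RootDSE could not be retrieved" line. Adding with an
#    explicit {n} index inserts at that position and keeps existing rules.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read

# 3) Questions one and two in a single step: "replace" drops every existing
#    olcAccess value on the database and installs these. Rules are evaluated
#    in order and the first matching "to" clause wins, so the userPassword
#    rule must precede the catch-all. "anonymous auth" allows a simple bind
#    against the hash without ever returning it; "users read" lets any bound
#    account (lou included) read the posixAccount entries getent/su need.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by anonymous auth
# If sssd.conf has no ldap_default_bind_dn, sssd searches anonymously and the
# last rule would need "by anonymous read" instead (wider exposure).
```

With the acl log level on, each denied operation shows which rule matched in /var/log/syslog (or wherever slapd logs), which is far quicker than guessing from the sssd side.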