I have a user named readonly that we use in our applications to get uids. This has worked in the past with our old LDAP solution. We have moved to 2.4.31 on Ubuntu 12.04 with an n-way multi-master setup.
The slapcat for this database looks like this.
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=oreillyauto,dc=com
olcAccess: {0}to attrs=userPassword by anonymous auth by * none
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by self write
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcLimits: {0}dn.exact="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {1}dn.exact="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcLimits: {2}dn.exact="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: uid=admin,dc=oreillyauto,dc=com
olcRootPW:: c2VjcmV0
olcSyncUseSubentry: FALSE
olcDbCacheSize: 50000
olcDbCheckpoint: 512 30
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 150000
olcDbIndex: objectClass eq
olcDbIndex: cn eq
olcDbIndex: uid eq
olcDbIndex: oreillyGroup eq
olcDbIndex: locationEntry eq
olcDbIndex: counterNumber eq
olcDbIndex: businessCategory eq
olcDbIndex: locationNumber eq
olcDbIndex: position eq
olcDbIndex: title eq,subany
olcDbIndex: givenName eq,subany
olcDbIndex: functionListing eq
olcDbIndex: manager eq
olcDbIndex: sn eq,subany
olcDbIndex: nickName eq,subany
olcDbIndex: employeeNumber eq
olcDbIndex: ou eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: supervisor eq
olcDbIndex: status eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcHdbConfig
entryUUID: 91ce693e-9e13-1032-84c2-0151b658a842
createTimestamp: 20130820183919Z
creatorsName: cn=config
olcMirrorMode: TRUE
olcSyncrepl: {0}rid=004 provider=ldap://tntest-ldap-3.oreillyauto.com binddn="uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchbase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=1
olcSyncrepl: {1}rid=005 provider=ldap://tntest-ldap-1.oreillyauto.com binddn="uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchbase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=1
olcSyncrepl: {2}rid=006 provider=ldap://tntest-ldap-2.oreillyauto.com binddn="uid=admin,dc=oreillyauto,dc=com" bindmethod=simple credentials=<password> searchbase="dc=oreillyauto,dc=com" type=refreshAndPersist retry="5 5 5 +" timeout=1
entryCSN: 20130821193620.549061Z#000000#002#000000
modifiersName: uid=admin,dc=oreillyauto,dc=com
modifyTimestamp: 20130821193620Z
And the LDAP logs show this:
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" method=128
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 BIND dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" mech=SIMPLE ssf=0
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=0 RESULT tag=97 err=0 text=
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=1 SRCH base="uid=espeake,ou=Users,dc=oreillyauto,dc=com" scope=0 deref=3 filter="(objectClass=*)"
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 op=2 UNBIND
Aug 28 07:56:48 tntest-ldap-1 slapd[3067]: conn=27464 fd=40 closed
We had one issue with this server not running a rebuild last night due to a certificate error (the CA cert not being found), and we are addressing that through the following article:
http://www.mikepilat.com/blog/2011/05/adding-a-certificate-authority-to-the-...
Searching as the ldapadmin user I find the user. So I am thinking that I need to adjust the ACL here but I'm not seeing what is wrong.
Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts

This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
--On Wednesday, August 28, 2013 8:12 AM -0500 espeake@oreillyauto.com wrote:
I have a user named readonly that we use in our applications to get uids. This has worked in the past with our old LDAP solution. We have moved to 2.4.31 on Ubuntu 12.04 with an n-way multi-master setup.
The slapcat for this database looks like this.
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=oreillyauto,dc=com
olcAccess: {0}to attrs=userPassword by anonymous auth by * none
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by self write
Hi,
You need to spend some time reading the manual pages and admin guide on access rules for slapd.
It is immediately obvious that rule {2} will never evaluate because of rule {0}. Those shouldn't even be separate rule lines; they should be a single rule. I haven't looked further because that was so blatant; I'm guessing you have any number of other issues in your access lines.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Okay, so I have the access list figured out and everything looks good, except now the credentials for my user aren't working. I get an error 49 (invalid credentials). I have re-entered the password for the user. There is one other user that will not authenticate. Both of these users are in the ou System. The base admin account can log in and get the information. Here is the new access list.
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write by * break
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNames/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break
olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth by self write
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" read by * none
olcAccess: {8}to * by self read by users read
The two users that I need to work are: readOnlyUser, dn="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", and ldapadmin, dn="uid=ldapadmin,ou=System,dc=oreillyauto,dc=com".
Here is the search and result:
root@tntest-ldap-3:/var/lib/ldap# ldapsearch -Wx -D "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" -b "dc=oreillyauto,dc=com" -H ldap://<ldap-server>.oreillyauto.com uid=espeake uid displayName employeeNumber
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Any and all ideas are welcomed.

Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
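The thread turns on how slapd walks olcAccess rules: the first `to` clause that matches the target is used, the first matching `by` clause inside it decides, and evaluation stops there unless that `by` clause ends in `break`. The toy evaluator below is an added example written for this page, not OpenLDAP code and not anything the posters ran. It encodes both access lists from the thread (group `who` syntax shortened) and answers three questions: Quanah's point that rule {2} is dead behind rule {0}, why the first post's base search on uid=espeake as readOnlyUser came back err=32 (slapd needs access to the `entry` pseudo-attribute before it will admit an entry exists), and whether the follow-up's new list denies the anonymous `auth` access on userPassword that a simple BIND needs. Assumptions, labelled in the code: readOnlyUser belongs to no group and ldapAdmin is in the "LDAP Admin" group, the `entry` pseudo-attribute is matched like any other attribute, `by * break` grants nothing new, and the merged userPassword rule is one possible ordering, not one Quanah specified.

```python
# Toy model of how slapd walks olcAccess rules: the first <to> clause that matches
# the target is used, the first matching <by> clause inside it decides, and
# evaluation stops there unless that <by> clause ends in "break".  Added example
# for this thread, not OpenLDAP code.  Group membership, the "entry" pseudo-
# attribute being treated like any other attribute, and "by * break" granting
# nothing new are modelling assumptions, not facts stated in the posts.

BASE = "dc=oreillyauto,dc=com"
SYS, USERS, GROUPS = f"ou=System,{BASE}", f"ou=Users,{BASE}", f"ou=Groups,{BASE}"
READONLY, LDAPADMIN = f"uid=readOnlyUser,{SYS}", f"uid=ldapAdmin,{SYS}"
ESPEAKE = f"uid=espeake,{USERS}"            # the search base from the slapd log
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
SYSADM, LADMIN, AUTHGRP = (f"group=cn={g},{GROUPS}" for g in
                           ("System Administrators", "LDAP Admin", "Authenticate"))
MEMBERS = {SYSADM: set(), LADMIN: {LDAPADMIN}, AUTHGRP: set()}   # assumed membership

def _under(dn, base, strict):
    """True when dn is base or lies beneath it (strict: beneath only)."""
    return (not strict or dn != base) and (dn == base or dn.endswith("," + base))

def target_matches(target, entry_dn, attr):
    kind, _, val = target.partition("=")
    if target == "*":         return True
    if kind == "attrs":       return attr in val.split(",")
    if kind == "dn.subtree":  return _under(entry_dn, val, False)
    if kind == "dn.children": return _under(entry_dn, val, True)
    raise ValueError(target)

def who_matches(who, requester, entry_dn):
    kind, _, val = who.partition("=")
    if who == "*":            return True
    if who == "anonymous":    return requester is None
    if who == "users":        return requester is not None
    if who == "self":         return requester == entry_dn
    if kind == "dn.base":     return requester == val
    if kind == "dn.subtree":  return requester is not None and _under(requester, val, False)
    if kind == "group":       return requester in MEMBERS[who]
    if kind == "dnattr":      return False   # entry attribute values are not modelled
    raise ValueError(who)

def evaluate(acl, requester, entry_dn, attr):
    """Access level granted; requester=None is anonymous, as slapd is during a BIND."""
    granted = "none"
    for target, by_clauses in acl:
        if not target_matches(target, entry_dn, attr):
            continue                        # this <to> clause is not for the target
        for who, access, control in by_clauses:
            if who_matches(who, requester, entry_dn):
                if access is not None:      # "by * break" carries no access level
                    granted = access
                if control != "break":
                    return granted          # default control is "stop"
                break                       # "break": move on to the next <to> clause
        else:
            return "none"                   # no <by> matched: implicit "by * none"
    return granted

def allows(acl, requester, entry_dn, attr, needed):
    return LEVELS.index(evaluate(acl, requester, entry_dn, attr)) >= LEVELS.index(needed)

# olcAccess {0}..{8} as posted in the first message (group syntax shortened).
ORIGINAL_ACL = [
    ("attrs=userPassword", [("anonymous", "auth", "stop"), ("*", "none", "stop")]),
    (f"dn.subtree={BASE}", [(SYSADM, "write", "stop"), (LADMIN, "write", "stop"),
                            ("*", "none", "break")]),
    ("attrs=userPassword", [(AUTHGRP, "write", "stop"), ("anonymous", "auth", "stop"),
                            ("self", "write", "stop")]),
    ("attrs=uid", [("anonymous", "read", "stop"), ("users", "read", "stop")]),
    ("attrs=ou,employeeNumber", [("users", "read", "stop")]),
    (f"dn.subtree={SYS}", [(f"dn.subtree={USERS}", "none", "stop"), ("users", "read", "stop")]),
    (f"dn.children={GROUPS}", [("dnattr=owner", "write", "stop"),
                               ("dnattr=uniqueMember", "read", "stop"), ("*", "none", "stop")]),
    (f"dn.children={USERS}", [("self", "read", "stop"), (AUTHGRP, "read", "stop"),
                              ("*", "none", "stop")]),
    ("*", [("self", "read", "stop"), ("users", "read", "stop")]),
]
# One way to fold {0} and {2} into the single userPassword rule Quanah asks for.
MERGED_ACL = [("attrs=userPassword", [(AUTHGRP, "write", "stop"), ("anonymous", "auth", "stop"),
                                      ("self", "write", "stop"), ("*", "none", "stop")]),
              ] + ORIGINAL_ACL[1:2] + ORIGINAL_ACL[3:]
# The follow-up's olcAccess: a new {0} "to *" in front, {1}..{8} unchanged.
NEW_ACL = [("*", [(f"dn.base=uid={u},{SYS}", a, "stop") for u, a in
                  (("syncrepl", "read"), ("readOnlyUser", "read"), ("ldapAdmin", "write"),
                   ("newUserAdmin", "write"), ("passwordAdmin", "write"))]
                 + [("*", None, "break")]),
           ] + ORIGINAL_ACL[1:]

def scenarios():
    """The questions this thread raises, answered under the model above."""
    return {
        # Quanah's point: {0} answers every userPassword request, so {2} never runs.
        "orig: self writes own userPassword": evaluate(ORIGINAL_ACL, ESPEAKE, ESPEAKE, "userPassword"),
        "merged: self writes own userPassword": evaluate(MERGED_ACL, ESPEAKE, ESPEAKE, "userPassword"),
        # First post's err=32: no access to the "entry" pseudo-attribute, {7} gives readOnlyUser none.
        "orig: readOnlyUser -> entry uid=espeake": evaluate(ORIGINAL_ACL, READONLY, ESPEAKE, "entry"),
        "new: readOnlyUser -> entry uid=espeake": evaluate(NEW_ACL, READONLY, ESPEAKE, "entry"),
        # Follow-up: a simple BIND is an anonymous "auth" request on the bind DN's userPassword.
        "new: anonymous auth on readOnlyUser's userPassword": evaluate(NEW_ACL, None, READONLY, "userPassword"),
    }

if __name__ == "__main__":
    for question, answer in scenarios().items(): print(f"{question}: {answer}")
```

Under this model the original list gives readOnlyUser `none` on the uid=espeake entry (rule {1} breaks through to rule {7}, which ends in `by * none`), which is why the base-scoped search logged err=32 rather than an empty result; the follow-up's rule {0} grants that user `read` on everything, and the anonymous `auth` request that a simple BIND makes still reaches rule {2}'s `by anonymous auth`. Two points a practitioner should keep in mind: slapd answers a simple BIND with err=49 both when the password is wrong and when the ACL denies `auth` access to userPassword, so the client cannot tell the two apart; and the live answer, with all the who-matchers this toy leaves out, comes from slapacl(8) against the real config, for example `slapacl -F /etc/ldap/slapd.d -b "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" userPassword/auth` (no -D, so anonymous, as during the bind) and `slapacl -F /etc/ldap/slapd.d -D "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" -b "uid=espeake,ou=Users,dc=oreillyauto,dc=com" entry/search`, where /etc/ldap/slapd.d is Ubuntu's default cn=config directory.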
From: Quanah Gibson-Mount quanah@zimbra.com
To: espeake@oreillyauto.com, openldap-technical@openldap.org
Date: 08/28/2013 11:35 AM
Subject: Re: Object not found
Sent by: openldap-technical-bounces@OpenLDAP.org