Hi Everyone,
I am using this for the first time, so if there are protocols to follow please let me know. I have a problem binding from my client to the provider, as the provider does not allow anonymous binding. I am also new to OpenLDAP, and I am using CentOS 7, which no longer uses slapd.conf. I initially used this to change the monitor ACL:
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read by * none
EOF
Which worked fine. Then I tried to modify it by adding:
'by anonymous search'
and tried to run the same ldapmodify as:
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read by anonymous search
EOF
and I get this error:
ldap_start_tls: Can't contact LDAP server (-1)
I think my binding inside sssd.conf on the client side is incorrect for the newuser01 I have added to the LDAP server.
Use ldap_default_bind_dn = cn=newuser01,dc=example,dc=com
Thanks for all the feedback.
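The two olcAccess values in the post differ only in their last "by" clause, and the difference decides what an anonymous client and what an ordinary authenticated user receive. The script below is an added illustration for this thread, not code from the thread or from OpenLDAP. It models the part of slapd's access evaluation that these two ACLs exercise: the "by" clauses of a matching "to" rule are tried in order, the first clause whose "who" selector matches the requester decides the level, and a requester matched by no clause gets "none" (slapd's implicit trailing "by * none"). The DNs are the ones from the post with the shell variables filled in as example.com (constructed values); only the "who" forms that appear in the post are supported.

```python
"""Evaluate who gets what under an OpenLDAP olcAccess directive.

Added illustration for this thread (not OpenLDAP code).  Models first-match
evaluation of the "by" clauses of a single "to" rule, with the implicit
"by * none" fallback, for the who-selectors used in the thread:
'*', 'anonymous', 'users' and 'dn.base="..."'.
"""
import re

# slapd access levels, weakest to strongest (the thread uses none, search, read).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

BY_RE = re.compile(r'by\s+(\*|anonymous|users|dn\.base="[^"]*")\s+(\w+)')


def normalize_dn(dn):
    """Case-fold and strip spaces after commas; enough for the DNs in the thread."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_olc_access(value):
    """Split '{n}to <what> by <who> <level> by <who> <level> ...' into
    (what, [(who, level), ...]).  The leading {n} ordering index is optional."""
    value = re.sub(r"^\{\d+\}", "", value.strip())
    m = re.match(r"to\s+(\S+)\s+(.*)$", value)
    if not m:
        raise ValueError("not an access directive: %r" % value)
    what, clauses = m.group(1), m.group(2)
    by_clauses = BY_RE.findall(clauses)
    for _, level in by_clauses:
        if level not in LEVELS:
            raise ValueError("unknown access level %r" % level)
    return what, by_clauses


def who_matches(who, bind_dn):
    """Does a 'by <who>' selector match a requester bound as bind_dn?
    bind_dn of None or '' means an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who.startswith('dn.base="'):
        # dn.base is an exact match against the normalised bind DN.
        return normalize_dn(who[len('dn.base="'):-1]) == normalize_dn(bind_dn or "")
    raise ValueError("unsupported who selector %r" % who)


def access_for(olc_access, bind_dn):
    """Access level the requester bound as bind_dn receives under olc_access."""
    _, by_clauses = parse_olc_access(olc_access)
    for who, level in by_clauses:
        if who_matches(who, bind_dn):
            return level          # first matching 'by' clause wins
    return "none"                 # no clause matched: implicit 'by * none'


# DNs from the thread; ${MYDOMAIN}/${MYTLD} filled in as example.com (constructed).
ROOT_PEERCRED = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
MANAGER = "cn=Manager,dc=example,dc=com"
NEWUSER = "uid=newuser01,ou=people,dc=example,dc=com"

# The two monitor ACLs posted in the thread.
ACL_CLOSED = ('{0}to * by dn.base="%s" read by dn.base="%s" read by * none'
              % (ROOT_PEERCRED, MANAGER))
ACL_ANON_SEARCH = ('{0}to * by dn.base="%s" read by dn.base="%s" read by anonymous search'
                   % (ROOT_PEERCRED, MANAGER))


def report(acl, requesters=(None, NEWUSER, MANAGER, ROOT_PEERCRED)):
    """Map each requester (None = anonymous) to its access level under acl."""
    return {dn or "anonymous": access_for(acl, dn) for dn in requesters}


if __name__ == "__main__":
    for name, acl in (("by * none", ACL_CLOSED), ("by anonymous search", ACL_ANON_SEARCH)):
        print("olcAccess ending with '%s':" % name)
        for who, level in report(acl).items():
            print("  %-62s -> %s" % (who, level))
```

Running it shows the point a reviewer of the second ACL would raise: with "by anonymous search" as the last clause, an anonymous connection gets search on the monitor database while an authenticated non-manager such as uid=newuser01 still gets none, because no clause matches it and the implicit "by * none" applies. A client that binds as newuser01 therefore gains nothing from this change; a clause such as "by users read" would be needed for that, and the anonymous grant is a separate decision.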
Kaveh,
On 27.06.2016 at 18:36, Kaveh Ehsani wrote:
> I am using this for the first time so if there are protocols to follow please let me know.
please describe your problem in the subject as clearly as possible!
> and try to run the same ldapmodify as:
> ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
> dn: olcDatabase={1}monitor,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read by anonymous search
> EOF
> and I get this error:
> ldap_start_tls: Can't contact LDAP server (-1)
What does a corresponding ldapsearch say? You just posted what the client logged. What does the server log say? Does the server still run?
> I think my binding inside sssd.conf on the client side is incorrect for the newuser01 I have added to the ldapserver
> Use ldap_default_bind_dn = cn=newuser01,dc=example,dc=com
I think your pure ldapmodify example here has nothing to do with sssd.
Marc
Well, this is my sssd.conf file.
ldap_default_bind_dn = uid=newuser01,ou=people,dc=example,dc=com
This is the line that I think is supposed to bind to the ACL monitor and probably is the problem. Unless I am wrong.
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
cache_credentials = True
debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://provider.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
#ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_default_bind_dn = uid=newuser01,ou=people,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = {SSHA}UJzXEfBudfu5U6IGzFlea0TjKUvxBtc/
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
debug_level = 999999999
[nss]
homedir_substring = /home
debug_level = 9
[pam]
debug_level = 9
________________________________
From: openldap-technical <openldap-technical-bounces@openldap.org> on behalf of Marc Patermann <hans.moser@ofd-z.niedersachsen.de>
Sent: Tuesday, June 28, 2016 9:04:15 AM
To: openldap-technical@openldap.org
Subject: Re: first time user