Well this is my sssd.conf file.
ldap_default_bind_dn = uid=newuser01,ou=people,dc=example,dc=com
This is the line that I think is supposed to bind to ACL monitor and probably is the problem. Unless I am wrong.
[domain/default]
autofs_provider = ldap
ldap_schema = rfc2307bis
cache_credentials = True
debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://provider.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
#ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_default_bind_dn = uid=newuser01,ou=people,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = {SSHA}UJzXEfBudfu5U6IGzFlea0TjKUvxBtc/
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
debug_level = 999999999
[nss]
homedir_substring = /home
debug_level = 9
[pam]
debug_level = 9
________________________________
From: openldap-technical <openldap-technical-bounces(a)openldap.org> on behalf of Marc Patermann <hans.moser(a)ofd-z.niedersachsen.de>
Sent: Tuesday, June 28, 2016 9:04:15 AM
To: openldap-technical(a)openldap.org
Subject: Re: first time user
Kaveh,
On 27.06.2016 at 18:36, Kaveh Ehsani wrote:
I am using this for the first time so if there are protocols to follow please let me know.
Please describe your problem in the subject as clearly as possible!
and try to run the same ldapmodify as:
ldapmodify -H ldapi:/// -x -D "cn=config" -W <<EOF
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=${MYDOMAIN},dc=${MYTLD}" read
  by anonymous search
EOF
and I get this error:
ldap_start_tls: Can't contact LDAP server (-1)
What does a corresponding ldapsearch say?
You just posted what the client logged.
What does the server log say?
Does the server still run?
I think my binding inside sssd.conf on the client side is incorrect for the newuser01 I have added to the ldapserver
Use ldap_default_bind_dn = cn=newuser01,dc=example,dc=com
I think your pure ldapmodify example here has nothing to do with sssd.
Marc