Hi,
After running slapd with "-d 128" I have found a lot of messages like this.
Can somebody point me to a standard ACL for users? I want to authenticate every user using an LDAP browser or the C LDAP API with ldap_simple_bind, with binddn=uid=rui,ou=People,o=m1,c=GB.
###############################
Dec 29 14:13:53 m4mrh01 slapd: => acl_mask: access to entry "cn=rui,ou=Group,o=m1,c=GB", attr "objectClass" requested
Dec 29 14:13:53 m4mrh01 slapd: => acl_mask: to value by "", (=n)
Dec 29 14:13:54 m4mrh01 slapd: <= acl_mask: no more <who> clauses, returning =n (stop)
Dec 29 14:13:54 m4mrh01 slapd: => access_allowed: search access denied by =n
Dec 29 14:13:54 m4mrh01 slapd: => access_allowed: search access to "cn=m4musers,ou=Group,o=m1,c=GB" "memberUid" requested
Dec 29 14:13:54 m4mrh01 slapd: => acl_get: [2] attr memberUid
Dec 29 14:13:54 m4mrh01 slapd: => acl_mask: access to entry "cn=m4musers,ou=Group,o=m1,c=GB", attr "memberUid" requested
Dec 29 14:13:54 m4mrh01 slapd: => acl_mask: to value by "", (=n)
Dec 29 14:13:54 m4mrh01 slapd: <= acl_mask: no more <who> clauses, returning =n (stop)
Dec 29 14:13:54 m4mrh01 slapd: => access_allowed: search access denied by =n
Dec 29 14:18:04 m4mrh01 slapd: => access_allowed: auth access to "uid=rui,ou=People,o=m1,c=GB" "userPassword" requested
Dec 29 14:18:04 m4mrh01 slapd: => acl_get: [1] attr userPassword
Dec 29 14:18:04 m4mrh01 slapd: => acl_mask: access to entry "uid=rui,ou=People,o=m1,c=GB", attr "userPassword" requested
Dec 29 14:18:04 m4mrh01 slapd: => acl_mask: to all values by "", (=n)
Dec 29 14:18:04 m4mrh01 slapd: <= acl_mask: no more <who> clauses, returning =n (stop)
Dec 29 14:18:04 m4mrh01 slapd: => access_allowed: auth access denied by =n
###############################
I have also changed slapd.conf slightly
#############################
access to attr=userPassword by self write by dn="uid=root,ou=People,o=M1,c=GB" write by * read
access to * by self write by users read by anonymous auth
###############################
Regards, rui
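A small triage script for traces like the one above, added here as an example and not part of the thread or of OpenLDAP: it folds slapd's multi-line ACL trace into one record per request and flags the pattern that breaks simple binds, the anonymous identity (which slapd prints as "") being denied auth access to userPassword. The sample trace is constructed from the lines quoted above; the function and field names are mine.

```python
import re
from collections import namedtuple

# One folded record per "access_allowed" request in slapd's ACL trace (-d 128).
Decision = namedtuple("Decision", "access dn attr who result")

REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
WHO = re.compile(r'=> acl_mask: to (?:all values|value) by "([^"]*)",')
RES = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by')

def parse_acl_trace(lines):
    """Pair each requested access with the identity it was evaluated for and the verdict."""
    decisions, pending, who = [], None, None
    for line in lines:                      # re.search ignores the syslog prefix
        if m := REQ.search(line):
            pending, who = m.groups(), None  # (access, dn, attr) of the new request
        elif m := WHO.search(line):
            who = m.group(1)                # "" is how slapd prints the anonymous DN
        elif (m := RES.search(line)) and pending:
            decisions.append(Decision(*pending, who, m.group(2)))
            pending = None
    return decisions

def bind_blockers(decisions):
    """DNs anonymous may not 'auth' against: their simple binds end in error 49."""
    return sorted({d.dn for d in decisions
                   if d.access == "auth" and d.attr.lower() == "userpassword"
                   and d.who == "" and d.result == "denied"})

# Constructed sample, modelled on the trace quoted earlier in this thread.
SAMPLE = """\
Dec 29 14:13:54 m4mrh01 slapd: => access_allowed: search access to "cn=m4musers,ou=Group,o=m1,c=GB" "memberUid" requested
Dec 29 14:13:54 m4mrh01 slapd: => acl_get: [2] attr memberUid
Dec 29 14:13:54 m4mrh01 slapd: => acl_mask: to value by "", (=n)
Dec 29 14:13:54 m4mrh01 slapd: <= acl_mask: no more <who> clauses, returning =n (stop)
Dec 29 14:13:54 m4mrh01 slapd: => access_allowed: search access denied by =n
Dec 29 14:18:04 m4mrh01 slapd: => access_allowed: auth access to "uid=rui,ou=People,o=m1,c=GB" "userPassword" requested
Dec 29 14:18:04 m4mrh01 slapd: => acl_mask: to all values by "", (=n)
Dec 29 14:18:04 m4mrh01 slapd: <= acl_mask: no more <who> clauses, returning =n (stop)
Dec 29 14:18:04 m4mrh01 slapd: => access_allowed: auth access denied by =n
""".splitlines()

if __name__ == "__main__":
    for d in parse_acl_trace(SAMPLE):
        print(f"{d.result:7} {d.access:6} {d.attr} on {d.dn} for {d.who or 'anonymous'}")
    print("simple bind blocked for:", bind_blockers(parse_acl_trace(SAMPLE)))
```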
1. invalid credentials (49) for normal user (rui)
2. Re: invalid credentials (49) for normal user (Dieter Kluenter)
Message: 1
Date: Fri, 24 Dec 2010 10:32:03 +0000
From: rui guideveloper@gmail.com
To: openldap-technical@openldap.org
Subject: invalid credentials (49) for normal user
Message-ID: AANLkTikbS2LTj4D-0WMBdJXzMeBMpb3qO2=Y4wzPLv0G@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1
Hi,
I have imported my passwd and groups files into LDAP using the migrate_all_online.sh script.
I am able to do a simple bind to LDAP using binddn=uid=root,ou=People,o=M1,c=GB, but I can't seem to bind as any other user, like rui etc., with their Linux password. It says invalid credentials.
I need to bind for authentication and then get all the primary and secondary groups of a user (how can I do that?). Why am I having this problem? Do I have to do something extra?
When bound as root, if I do "memberUid=root" I get all the secondary groups, but I want to do it for any user.
I am using the C LDAP API at the moment.
Here is my slapd.conf file:
##################################################
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema

#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "o=M1,c=GB"
rootdn "uid=root,ou=People,o=M1,c=GB"
rootpw abc123
directory /var/lib/ldap

# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial

#
# ACLs
#
#access to dn="ou=People,o=M1,c=GB"
#attr=userPassword
#by self write
#by dn="uid=root,ou=People,o=M1,c=GB" write
#by * auth
access to dn=".*,o=M1,c=GB" by self write
#by dn="uid=root,ou=People,o=M1,c=GB" write
#by * read
access to dn=".*,o= M1,c=GB"
#by * read
defaultaccess read
access to attr=userpassword by self write by dn="uid=root,ou=People,o=M1,c=GB" write by * read
access to * by self write by dn=".+" read by * read
###############################################
Regards, rui
Message: 2
Date: Sat, 25 Dec 2010 22:58:14 +0100
From: "Dieter Kluenter" dieter@dkluenter.de
To: openldap-technical@openldap.org
Subject: Re: invalid credentials (49) for normal user
Message-ID: 87d3op1pmx.fsf@rubin.avci.de
Content-Type: text/plain; charset=utf-8
rui guideveloper@gmail.com writes:
Hi,
I have imported my passwd and groups files into LDAP using the migrate_all_online.sh script.
I am able to do a simple bind to LDAP using binddn=uid=root,ou=People,o=M1,c=GB, but I can't seem to bind as any other user, like rui etc., with their Linux password. It says invalid credentials.
[...]
Run slapd in debugging mode, i.e. -d acl.
############
# ldbm database definitions
#######################################################################
database ldbm
ldbm is historic and not supported.
-Dieter
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:DA147B05 53°37'09,95"N 10°08'02,42"E
openldap-technical mailing list
openldap-technical@openldap.org
http://www.openldap.org/lists/mm/listinfo/openldap-technical
End of openldap-technical Digest, Vol 37, Issue 22
On Wed, 29 Dec 2010 14:52:39 +0000, rui guideveloper@gmail.com wrote:
Hi,
After running slapd with "-d 128" I have found a lot of messages like this.
Can somebody point me to a standard ACL for users? I want to authenticate every user using an LDAP browser or the C LDAP API with ldap_simple_bind, with binddn=uid=rui,ou=People,o=m1,c=GB.
[...]
I have also changed slapd.conf slightly
#############################
access to attr=userPassword by self write by dn="uid=root,ou=People,o=M1,c=GB" write by * read
access to * by self write by users read by anonymous auth
access to attrs=userPassword by self write by dn="uid=root,ou=people,o=M1,c=GB" write by * auth
access to * by self write by users read by * auth
-Dieter
Hi,
I have changed the slapd.conf ACL settings accordingly.
Also, I have switched to bdb through these two commands:
slapcat -f /etc/openldap/slapd.conf -l dumps.ldif
slapadd -l dumps.ldif
Still no luck, can't bind with binddn=uid=rui,ou=People,o=m1,c=GB.
Regards, rui
On Wed, Dec 29, 2010 at 4:18 PM, Dieter Kluenter dieter@dkluenter.de wrote:
On Wed, 29 Dec 2010 16:32:52 +0000, rui guideveloper@gmail.com wrote:
Hi,
I have changed the slapd.conf ACL settings accordingly.
Also, I have switched to bdb through these two commands:
slapcat -f /etc/openldap/slapd.conf -l dumps.ldif
slapadd -l dumps.ldif
Still no luck, can't bind with binddn=uid=rui,ou=People,o=m1,c=GB.
Regards, rui
If you run slapd in debugging mode 128 or 384 you should see something like http://pastebin.de/13398
If not, please provide debugging output of a bind operation and your slapd.conf.
-Dieter
Hi,
This is the output after doing "-d 128" http://pastebin.com/6Jb9j7F7
My latest slapd.conf is this:
###########################################################################
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema

#######################################################################
# bdb database definitions
#######################################################################
database bdb
suffix "o=M1,c=GB"
rootdn "uid=root,ou=People,o=M1,c=GB"
rootpw test123
directory /var/lib/ldap

# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial

## logging.
#loglevel acl
access to attrs=userPassword by self write by dn="uid=root,ou=People,o=M1,c=GB" write by * auth
access to * by self write by users read by anonymous auth
########################################################
Regards, rui
On Wed, Dec 29, 2010 at 5:14 PM, Dieter Kluenter dieter@dkluenter.de wrote:
On Thu, 30 Dec 2010 15:14:34 +0000, rui guideveloper@gmail.com wrote:
[...]
access to attrs=userPassword by self write by dn="uid=root,ou=People,o=M1,c=GB" write by * auth
access to * by self write by users read by anonymous auth
The warnings in the debugging output (no by clauses specified) should have raised your attention. The way the access rules are written is bogus. Access rules have to be put on a single line, but this line may have continuations. The manual page slapd.access(5) and the admin guide http://www.openldap.org/doc/admin24/access-control.html give a good idea of how access rules should be written.
-Dieter
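To show how slapd joins continuation lines and why an unindented "by" line leaves the preceding rule with no <who> clauses, here is an added lint script (example code, not from the thread or from OpenLDAP) that reads access rules the way slapd.conf(5) describes and reports the problems discussed in this thread. Both sample configs are constructed: BROKEN has the unindented layout the "no by clauses" warnings point to, FIXED the indented form with "by anonymous auth"; the function names and the fixed set of privilege levels are my assumptions.

```python
import re

# slapd privilege levels, lowest first; a higher level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def read_directives(text):
    """Join continuation lines (leading white space) and drop comments, as slapd does."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()      # continuation of the previous directive
        else:
            out.append(raw.strip())
    return out

def anonymous_level(whos):
    for clause in whos:                       # slapd stops at the first matching clause
        tokens = clause.split()
        if tokens and tokens[0] in ("anonymous", "*"):
            return next((t for t in tokens[1:] if t in LEVELS), None)
    return None                               # no clause applies to an anonymous binder

def lint_access_rules(text):
    """Findings about the 'access to' rules in slapd.conf text (empty list = fine)."""
    findings = []
    for d in read_directives(text):
        if d.startswith("by "):
            findings.append(f"stray '{d}': continuation lines must start with white space")
        if not d.startswith("access to "):
            continue
        what, *whos = re.split(r"\s+by\s+", d[len("access to "):])
        if not whos:
            findings.append(f"'access to {what}' has no <by> clauses")
        elif re.search(r"\battrs?=userPassword\b", what, re.I):
            lvl = anonymous_level(whos)
            if lvl is None or LEVELS.index(lvl) < LEVELS.index("auth"):
                findings.append("anonymous cannot 'auth' against userPassword: simple binds fail (49)")
            elif lvl != "auth":
                findings.append(f"anonymous gets '{lvl}' on userPassword; 'auth' is enough to bind")
    return findings

# Constructed samples (not the thread's files): unindented vs. properly continued rules.
BROKEN = "access to attrs=userPassword\nby self write\nby * auth\naccess to *\nby users read\n"
FIXED = ("access to attrs=userPassword\n        by self write\n"
         "        by anonymous auth\n        by * none\n"
         "access to *\n        by self write\n        by users read\n        by anonymous auth\n")
```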
Try:
access to attrs=userPassword by dn="uid=root,ou=People,o=M1,c=GB" write by self write by anonymous auth by * none
access to * by self write by users read by anonymous auth
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter Kluenter
Sent: Thursday, December 30, 2010 7:56 AM
To: openldap-technical@openldap.org
Subject: Re: invalid credentials (49) for normal user