6:52 a.m.
Hi,
After running slapd with "-d 128" i have found lot of messages like this.
Can somebody point me to standard acl for users, i want to
authenticate for every user using ldap browser or c ldap api with
ldap_simple_bind with binddn
bindn=uid=rui,ou=People,o=m1,c=GB
###############################
Dec 29 14:13:53 m4mrh01 slapd: => acl_mask: access to entry
"cn=rui,ou=Group,o=m1,c=GB", attr "objectClass" requested
Dec 29 14:13:53 m4mrh01 slapd: => acl_mask: to value by "", (=n)
Dec 29 14:13:54 m4mrh01 slapd: <= acl_mask: no more <who> clauses,
returning =n (stop)
Dec 29 14:13:54 m4mrh01 slapd: => access_allowed: search access denied by =n
Dec 29 14:13:54 m4mrh01 slapd: => access_allowed: search access to
"cn=m4musers,ou=Group,o=m1,c=GB" "memberUid" requested
Dec 29 14:13:54 m4mrh01 slapd: => acl_get: [2] attr memberUid
Dec 29 14:13:54 m4mrh01 slapd: => acl_mask: access to entry
"cn=m4musers,ou=Group,o=m1,c=GB", attr "memberUid" requested
Dec 29 14:13:54 m4mrh01 slapd: => acl_mask: to value by "", (=n)
Dec 29 14:13:54 m4mrh01 slapd: <= acl_mask: no more <who> clauses,
returning =n (stop)
Dec 29 14:13:54 m4mrh01 slapd: => access_allowed: search access denied by =n
Dec 29 14:18:04 m4mrh01 slapd: => access_allowed: auth access to
"uid=rui,ou=People,o=m1,c=GB" "userPassword" requested
Dec 29 14:18:04 m4mrh01 slapd: => acl_get: [1] attr userPassword
Dec 29 14:18:04 m4mrh01 slapd: => acl_mask: access to entry
"uid=rui,ou=People,o=m1,c=GB", attr "userPassword" requested
Dec 29 14:18:04 m4mrh01 slapd: => acl_mask: to all values by "", (=n)
Dec 29 14:18:04 m4mrh01 slapd: <= acl_mask: no more <who> clauses,
returning =n (stop)
Dec 29 14:18:04 m4mrh01 slapd: => access_allowed: auth access denied by =n
###############################
I have also changed slapd.conf slightly
#############################
access to attr=userPassword
by self write
by dn="uid=root,ou=People,o=M1,c=GB" write
by * read
access to *
by self write
by users read
by anonymous auth
###############################
Regards,
rui
1. invalid credentials (49) for normal user (rui)
2. Re: invalid credentials (49) for normal user (Dieter Kluenter)
----------------------------------------------------------------------
Message: 1
Date: Fri, 24 Dec 2010 10:32:03 +0000
From: rui <guideveloper(a)gmail.com>
To: openldap-technical(a)openldap.org
Subject: invalid credentials (49) for normal user
Message-ID:
<AANLkTikbS2LTj4D-0WMBdJXzMeBMpb3qO2=Y4wzPLv0G(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
I have imported my passwd and groups file in ldap using
migrate_all_online.sh script.
I am able to simple bind to ldap using
binddn= uid=root,ou=People,o=M1,c=GB but i can't seem to bind with any
other user like rui etc with their linux password. Its says invalid
credentials.
I need to bind for authentication and then get all the primary and
secondary groups of a user(how can i do that). Why am i having this
problem - do i have to do something extra?
When bound as root, if i do "memberUid=root" i get all the secondary
groups but i want to do it for any user.
I am using c ldap api at the moment.
Here is my slapd.conf file:
##################################################
# # See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable. #
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "o=M1,c=GB"
rootdn "uid=root,ou=People,o=M1,c=GB"
rootpw abc123
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
# # ACLs #
#access to dn="ou=People,o=M1,c=GB"
#attr=userPassword
#by self write
#by dn="uid=root,ou=People,o=M1,c=GB" write
#by * auth access to dn=".*,o=M1,c=GB" by self write
#by dn="uid=root,ou=People,o=M1,c=GB" write
#by * read access to dn=".*,o= M1,c=GB"
#by * read defaultaccess read
access to attr=userpassword
by self write
by dn="uid=root,ou=People,o=M1,c=GB" write
by * read
access to *
by self write
by dn=".+" read
by * read
###############################################
Regards,
rui
------------------------------
Message: 2
Date: Sat, 25 Dec 2010 22:58:14 +0100
From: "Dieter Kluenter" <dieter(a)dkluenter.de>
To: openldap-technical(a)openldap.org
Subject: Re: invalid credentials (49) for normal user
Message-ID: <87d3op1pmx.fsf(a)rubin.avci.de>
Content-Type: text/plain; charset=utf-8
rui <guideveloper(a)gmail.com> writes:
> Hi,
>
> I have imported my passwd and groups file in ldap using
> migrate_all_online.sh script.
>
> I am able to simple bind to ldap using
> binddn= uid=root,ou=People,o=M1,c=GB but i can't seem to bind with any
> other user like rui etc with their linux password. Its says invalid
> credentials.
[...]
run slapd in debugging mode, i.e. -d acl
############
> # ldbm database definitions
> #######################################################################
> database ldbm
ldbm is historic and not supported.
-Dieter
--
Dieter Kl?nter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53?37'09,95"N
10?08'02,42"E
------------------------------
_______________________________________________
openldap-technical mailing list
openldap-technical(a)openldap.org
http://www.openldap.org/lists/mm/listinfo/openldap-technical
End of openldap-technical Digest, Vol 37, Issue 22
**************************************************
8:18 a.m.
New subject: invalid credentials (49) for normal user
Am Wed, 29 Dec 2010 14:52:39 +0000
schrieb rui <guideveloper(a)gmail.com>:
Hi,
After running slapd with "-d 128" i have found lot of messages like
this.
Can somebody point me to standard acl for users, i want to
authenticate for every user using ldap browser or c ldap api with
ldap_simple_bind with binddn
bindn=uid=rui,ou=People,o=m1,c=GB
[...]
I have also changed slapd.conf slightly
#############################
access to attr=userPassword
by self write
by dn="uid=root,ou=People,o=M1,c=GB" write
by * read
access to *
by self write
by users read
by anonymous auth
access to attrs=userPassword
by self write
by dn="uid=root,ou=people,o=M1,c=GB" write
by * auth
access to *
by self write
by users read
by * auth
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
8:32 a.m.
New subject: invalid credentials (49) for normal user
Hi,
I have changed the slapd.conf acl settings accordingly.
Also i have switched to bdb through these two commands
slapcat -f /etc/openldap/slapd.conf -l dumps.ldif
slapadd -l dumps.ldif
Still no luck, can't bind with
bindn=uid=rui,ou=People,o=m1,c=GB
Regards,
rui
On Wed, Dec 29, 2010 at 4:18 PM, Dieter Kluenter <dieter(a)dkluenter.de> wrote:
Am Wed, 29 Dec 2010 14:52:39 +0000
schrieb rui <guideveloper(a)gmail.com>:
> Hi,
>
> After running slapd with "-d 128" i have found lot of messages like
> this.
>
> Can somebody point me to standard acl for users, i want to
> authenticate for every user using ldap browser or c ldap api with
> ldap_simple_bind with binddn
> bindn=uid=rui,ou=People,o=m1,c=GB
[...]
> I have also changed slapd.conf slightly
>
>
> #############################
>
> access to attr=userPassword
> by self write
> by dn="uid=root,ou=People,o=M1,c=GB" write
> by * read
>
> access to *
> by self write
> by users read
> by anonymous auth
access to attrs=userPassword
by self write
by dn="uid=root,ou=people,o=M1,c=GB" write
by * auth
access to *
by self write
by users read
by * auth
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
9:14 a.m.
New subject: invalid credentials (49) for normal user
Am Wed, 29 Dec 2010 16:32:52 +0000
schrieb rui <guideveloper(a)gmail.com>:
Hi,
I have changed the slapd.conf acl settings accordingly.
Also i have switched to bdb through these two commands
slapcat -f /etc/openldap/slapd.conf -l dumps.ldif
slapadd -l dumps.ldif
Still no luck, can't bind with
bindn=uid=rui,ou=People,o=m1,c=GB
Regards,
rui
If you run slapd in debugging mode 128 or 384 you should see something
like
http://pastebin.de/13398
If not, please provide debugging output of a bind operation and
your slapd.conf.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
7:14 a.m.
New subject: invalid credentials (49) for normal user
Hi,
This is the output after doing "-d 128"
http://pastebin.com/6Jb9j7F7
my latest slapd.conf is this:
###########################################################################
# # See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable. #
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
#######################################################################
# bdb database definitions
#######################################################################
database bdb
suffix "o=M1,c=GB"
rootdn "uid=root,ou=People,o=M1,c=GB"
rootpw test123
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
## logging.
#loglevel acl
access to attrs=userPassword
by self write
by dn="uid=root,ou=People,o=M1,c=GB" write
by * auth
access to *
by self write
by users read
by anonymous auth
########################################################
Regards,
rui
On Wed, Dec 29, 2010 at 5:14 PM, Dieter Kluenter <dieter(a)dkluenter.de> wrote:
Am Wed, 29 Dec 2010 16:32:52 +0000
schrieb rui <guideveloper(a)gmail.com>:
> Hi,
>
> I have changed the slapd.conf acl settings accordingly.
>
> Also i have switched to bdb through these two commands
> slapcat -f /etc/openldap/slapd.conf -l dumps.ldif
> slapadd -l dumps.ldif
>
> Still no luck, can't bind with
> bindn=uid=rui,ou=People,o=m1,c=GB
>
> Regards,
> rui
If you run slapd in debugging mode 128 or 384 you should see something
like
http://pastebin.de/13398
If not, please provide debugging output of a bind operation and
your slapd.conf.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
7:55 a.m.
New subject: invalid credentials (49) for normal user
Am Thu, 30 Dec 2010 15:14:34 +0000
schrieb rui <guideveloper(a)gmail.com>:
Hi,
This is the output after doing "-d 128"
http://pastebin.com/6Jb9j7F7
my latest slapd.conf is this:
###########################################################################
# # See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable. #
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
#######################################################################
# bdb database definitions
#######################################################################
database bdb
suffix "o=M1,c=GB"
rootdn "uid=root,ou=People,o=M1,c=GB"
rootpw test123
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
## logging.
#loglevel acl
access to attrs=userPassword
by self write
by dn="uid=root,ou=People,o=M1,c=GB" write
by * auth
access to *
by self write
by users read
by anonymous auth
The warnings in the debugging output (no by clauses specified) should
have raised your attention.
The way access rules are written, is bogus. Access rules have to be put
on a single line, but this line may have continuations. The manual
page slapd.access(5) and the admin guide
http://www.openldap.org/doc/admin24/access-control.html
give a good idea on how access rules should be written.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
10:24 a.m.
New subject: invalid credentials (49) for normal user
Try:
access to attrs=userPassword
by dn="uid=root,ou=People,o=M1,c=GB" write
by self write
by anonymous auth
by * none
access to *
by self write
by users read
by anonymous auth
-----Original Message-----
From: openldap-technical-bounces(a)OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dieter Kluenter
Sent: Thursday, December 30, 2010 7:56 AM
To: openldap-technical(a)openldap.org
Subject: Re: invalid credentials (49) for normal user
Am Thu, 30 Dec 2010 15:14:34 +0000
schrieb rui <guideveloper(a)gmail.com>:
Hi,
This is the output after doing "-d 128"
http://pastebin.com/6Jb9j7F7
my latest slapd.conf is this:
###########################################################################
# # See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable. #
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
#######################################################################
# bdb database definitions
#######################################################################
database bdb
suffix "o=M1,c=GB"
rootdn "uid=root,ou=People,o=M1,c=GB"
rootpw test123
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
## logging.
#loglevel acl
access to attrs=userPassword
by self write
by dn="uid=root,ou=People,o=M1,c=GB" write
by * auth
access to *
by self write
by users read
by anonymous auth
The warnings in the debugging output (no by clauses specified) should
have raised your attention.
The way access rules are written, is bogus. Access rules have to be put
on a single line, but this line may have continuations. The manual
page slapd.access(5) and the admin guide
http://www.openldap.org/doc/admin24/access-control.html
give a good idea on how access rules should be written.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.
3764
days inactive
3765
days old
openldap-technical@openldap.org
6 comments
3 participants
participants (3)
-
Chris Jacobs -
Dieter Kluenter -
rui