Hi,
I'm installing openldap on a ubuntu intrepid server (8.10). Everything is ok except when I want a user to be able to modify his own password using phpldapadmin (0x32 LDAP_INSUFFICIENT_ACCESS).
So I tried to modify it using ldappasswd :
dante@kollok ~ $ ldappasswd
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
or
dante@kollok ~ $ ldappasswd -D "uid=dante,ou=people,dc=kollok,dc=org"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
The posix user dante is the same user as the ldap one (I use pam libs). And I know that my password is right because I can log in to ldapadmin or ssh with it.
My slapd.conf : http://pastebin.com/f44dd2b59 My ldap.conf : http://pastebin.com/f3af1bec3
Any idea ?
Cheers,
Franck Royer
On 14/04/09 2:35, Franck Royer wrote:
Hi,
The errors you are getting with ldappasswd are authentication errors. Probably because by default ldappasswd attempts to use a SASL bind. If you add the "-x" option to ldappasswd, you should be able to authenticate fine.
However, you also mentioned a 0x32 Insufficient access error. This is generally an ACL problem. Your slapd.conf seems to define the correct ACLs, but each one has an indentation on the first line... indenting a line usually means "this is a continuation of the previous line", which in your case are comments, so I guess your ACLs are being ignored.
Try removing the indentation in front of "access to ..." (but leave the indentation on the following lines in front of "by ..."), restarting and trying again.
Regards, Jonathan
Franck Royer wrote:
I'm installing openldap on a ubuntu intrepid server (8.10). Everything is ok except when I want that a user is able to modify his own password using phpldapadmin (0x32 LDAP_INSUFFICIENT_ACCESS).
What ACLs are set? See a basic userPassword-ACL here:
http://www.openldap.org/faq/data/cache/320.html
dante@kollok ~ $ ldappasswd -D "uid=dante,ou=people,dc=kollok,dc=org"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
As a beginner try (on one line)
ldappasswd -x -D "uid=dante,ou=people,dc=kollok,dc=org" "uid=dante,ou=people,dc=kollok,dc=org"
to use a simple bind instead of SASL/DIGEST-MD5. You also have to provide the DN of the entry whose password is to be set.
Also read more information about (hashed) passwords:
http://www.openldap.org/faq/data/cache/419.html
Ciao, Michael.
On Tuesday 14 April 2009 02:35:31 Franck Royer wrote:
Hi,
I'm installing openldap on a ubuntu intrepid server (8.10). Everything is ok except when I want that a user is able to modify his own password using phpldapadmin (0x32 LDAP_INSUFFICIENT_ACCESS).
Based on your slapd.conf, this would be the error I would expect.
So I tried to modify it using ldappasswd :
dante@kollok ~ $ ldappasswd
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
or
dante@kollok ~ $ ldappasswd -D "uid=dante,ou=people,dc=kollok,dc=org"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
These two are misleading, it appears you are using SASL when you haven't actually got SASL-compatible passwords. Note that PAM doesn't do SASL binds, so you should probably be using a simple bind here (see the -x flag).
The posix user dante is the same user than the ldap one (I use pam libs). And I know that my password is right cause I can log in ldapadmin or ssh with it.
My slapd.conf : http://pastebin.com/f44dd2b59 My ldap.conf : http://pastebin.com/f3af1bec3
Please see paragraph ~5 of 'man slapd.conf', which states:
"If a line begins with white space, it is considered a continuation of the previous line. No physical line should be over 2000 bytes long."
Now, please look at line 111 in your slapd.conf on pastebin, and you will notice that you have effectively given slapd one line as follows:
# protection des mots de passe access to attrs=userPassword by dn="cn=proxy,dc=kollok,dc=org" read by self write by anonymous auth by * none
(which obviously won't do what you want).
Besides this, most likely most of your indexes aren't active, your dbconfig directives wouldn't find their way to DB_CONFIG (if it was not already present), etc. etc.
You may want to run 'slaptest -d config' to see what slapd does when parsing your config file.
Regards, Buchan
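The continuation-line rule Buchan quotes from slapd.conf(5), and the indented-ACL problem Jonathan pointed out earlier in the thread, can be checked mechanically. The following Python script is an added example, not code from the thread or from OpenLDAP: it joins physical lines the way slapd.conf(5) describes, reports any "access to" directive that has been glued onto a preceding comment, and shows what access "self" ends up with on userPassword. The two config fragments are constructed for the example (the French comment from the original file is replaced by an English one), and the ACL evaluation is a simplified model of slapd's (exact string match on the <what> clause, first matching "by" clause wins), not a reimplementation.

```python
"""Find "access to" directives that slapd.conf's continuation rule hides.

slapd.conf(5): a line beginning with white space continues the previous
line.  An indented ACL placed right after a comment therefore becomes part
of the comment and is never parsed.  Added example, not OpenLDAP code.
"""
import re
import sys

# Constructed fragment reproducing the broken layout from the thread.
# The "access to" line is indented, so it continues the comment above it.
BROKEN_CONF = """\
# password protection
    access to attrs=userPassword
        by dn="cn=proxy,dc=kollok,dc=org" read
        by self write
        by anonymous auth
        by * none
"""

# Same ACL laid out correctly: the directive starts in column 0 and only
# the "by" clauses are indented (those are continuation lines on purpose).
FIXED_CONF = """\
# password protection
access to attrs=userPassword
    by dn="cn=proxy,dc=kollok,dc=org" read
    by self write
    by anonymous auth
    by * none
"""

# slapd.conf(5): with no access directives at all the default policy is
# "access to * by * read" (updates restricted to the rootdn).
DEFAULT_ACCESS = "read"


def logical_lines(text):
    """Join physical lines as slapd does: a line starting with white space
    is appended to the previous logical line; blank lines are dropped."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_acls(text):
    """Return (acls, swallowed).

    acls: [{"what": ..., "by": [(who, level), ...]}] for every logical line
          slapd would actually treat as an access directive.
    swallowed: logical lines starting with '#' that still contain
          "access to", i.e. ACLs glued onto a comment and silently ignored.
    """
    acls, swallowed = [], []
    for line in logical_lines(text):
        if line.startswith("#"):
            if re.search(r"\baccess\s+to\b", line):
                swallowed.append(line)
            continue
        m = re.match(r"access\s+to\s+(\S+)\s+(.*)$", line)
        if not m:
            continue
        clauses = [c.strip() for c in re.split(r"(?:^|\s+)by\s+", m.group(2))
                   if c.strip()]
        by = [tuple(clause.rsplit(None, 1)) for clause in clauses]  # (<who>, <access>)
        acls.append({"what": m.group(1), "by": by})
    return acls, swallowed


def self_access(text, what="attrs=userPassword"):
    """Access the bound user gets to <what> on its own entry (simplified:
    first directive with an exactly matching <what>, first matching "by"
    clause wins, unmatched directive denies, no directive -> default)."""
    acls, _ = parse_acls(text)
    for acl in acls:
        if acl["what"] != what:
            continue
        for who, level in acl["by"]:
            if who in ("self", "*"):
                return level
        return "none"
    return DEFAULT_ACCESS


def report(text, label):
    acls, swallowed = parse_acls(text)
    print(f"{label}: {len(acls)} ACL(s) parsed, {len(swallowed)} swallowed into comments")
    for line in swallowed:
        print("  IGNORED:", line)
    print(f"  self on userPassword -> {self_access(text)}")


if __name__ == "__main__":
    if len(sys.argv) > 1:                 # lint a real slapd.conf
        with open(sys.argv[1]) as fh:
            report(fh.read(), sys.argv[1])
    else:
        report(BROKEN_CONF, "broken")     # 0 parsed, 1 swallowed, self -> read
        report(FIXED_CONF, "fixed")       # 1 parsed, 0 swallowed, self -> write
```

Run it with the path of a slapd.conf to lint a real file, or with no arguments to see the two constructed fragments. The "read" result for the broken layout is the documented default policy that applies when slapd sees no access directives at all: anyone may read anything, only the rootdn may update. That is exactly the 0x32 on a self write, and it also means the userPassword values are readable by any bind (including anonymous) until the ACL is fixed, so it is worth confirming with 'slaptest -d config', as Buchan suggests, before such a server is exposed.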
Buchan Milne wrote:
Thank you for all this information. As you all expected, the error came from the indentation of my slapd.conf file. My problem with phpldapadmin is now solved, my users can change their password without any problem.
Cheers, Franck
openldap-technical@openldap.org