I have inherited an LDAP server and admittedly do not have all the technical expertise to troubleshoot the problems we have.
We are using slapd 2.4.40.
The first problem is nobody but the rootdn can change passwords. We'd like to use "passwd" utility on our servers to change our passwords but the error is "LDAP password information update failed: Insufficient access"
In slapd.conf we have (I have removed our dc for privacy):
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,dc=X,dc=Y,dc=Z" write
        by * none
access to *
        by self write
        by dn="cn=Manager,dc=X,dc=Y,dc=Z" write
        by * read
        by * auth
access to *
        by dn="uid=ldapadmin,dc=X,dc=Y,dc=Z" read
"cn=Manager,dc=X,dc=Y,dc=Z" is our rootdn and I have enabled loglevel 128.
However, this brings me to the next problem: the contents of slapd.conf do not match the slapd.d/cn=config.ldif file, so it seems the fixes I am trying to the ACLs don't have any effect, even when I restart slapd. If I try "ldapmodify -nv" it just hangs. When I try to stop slapd and remove slapd.d/* and then start slapd, the contents are recreated according to the config file, but then users can't log in (all I see in the logfile is access_allowed and slap_access_allowed but no conn lines).
So some basic troubleshooting help would be appreciated! Thanks
On 31.01.2017 03:08, scar wrote:
> I have inherited an LDAP server and admittedly do not have all the technical expertise to troubleshoot the problems we have.
> We are using slapd 2.4.40.
> The first problem is nobody but the rootdn can change passwords. We'd like to use "passwd" utility on our servers to change our passwords but the error is "LDAP password information update failed: Insufficient access"
Please let me know your OS and your nss/pam configuration on the client side. Are you using sssd or something else?
Without this information it is very difficult to help.
Best regards,
Michael
openldap-technical@openldap.org