|
|
|
Re: open ldap configuration on rhel3-u4 | |
| [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] | |
Nilesh Joshi wrote:
Hi,
I htink error 49 is not gone till now. It was not showing any output. I
restarted openladp and started getting same error:
My slapd.conf looks like below (removed commented lines):
-------------------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /usr/var/run/slapd.pid
argsfile /usr/var/run/slapd.args
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
access to attrs=userPassword
by anonymous auth
by self write
by * none
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
rootpw XXXX
directory /usr/var/openldap-data/test.com
index objectClass eq
-----------------------------------------------------------------------------
I think need to concentrate on error=49 only.
You have to be very careful about formatting. If this is an exact cut
and paste, you still have authentication issues.
A leading space in slapd.conf lines can be used to continue previous
directives if they can take multiple values such as the "access" directive can. In the above, you have "access to attrs=userPassword"
as a subdirective of the previous "access" directive.
Re-edit your config file and make it look like this:I suspect that's where things are getting weird. Personally, I prefer
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /usr/var/run/slapd.pid
argsfile /usr/var/run/slapd.args
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
access to attrs=userPassword
by anonymous auth
by self write
by * none
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
rootpw XXXX
directory /usr/var/openldap-data/test.com
index objectClass eq
to indent my access directives, so the above bit would look like:
------------------------------------------------------------------------------
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to *
by self write
by users read
by anonymous auth
access to attrs=userPassword
by anonymous auth
by self write
by * none
But that's just me.
Unless you specify "-Z" to your ldapsearch command, TLS/SSL is not being
used, so you're using simple SASL authentication...and again the
passwords in the database MUST BE IN CLEARTEXT IF YOU USE SASL. Most
Linux systems will use an MD5 encryption and that won't work with SASL.
You might also want to try adding "-d 255" to the ldapsearch command.
That will spit out lots of debug info that may help you sort out just
exactly where the thing's dying.- Do you know where _your_ towel is? -
What you say?
Regards,
-Nilesh
On Fri, Aug 14, 2009 at 3:25 PM, Rick Stevens <ricks@xxxxxxxx> wrote:
Nilesh Joshi wrote:
Hi Rick,Ok, if error 49 is gone, but you're not getting any data back, then
I have generated cert again and started slapd.
Now I see following in logs:
conn=0 fd=9 ACCEPT from IP=127.0.0.1:36272 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
It's same for below 2 commands:
1. ldapsearch -x -b "ou=people,dc=test,dc=com" -D
"cn=nilesh,ou=people,dc=test,dc=com" -w 'password' "uid=nilesh"
2. ldapsearch -x -b "ou=people,dc=test,dc=com" -D
"cn=nilesh,ou=people,dc=test,dc=com" -w password "uid=nilesh"
I tried adding 'allow bind_v2 bind_anon_cred bind_anon_dn' and restarted
openldap, the result is same.
It looks like error 49 is gone.
user "nilesh" probably doesn't have read access to the database. If
you have your slapd manual handy, read up on the "access" directives.
If you want a user to see any and all of their info, then you need a
directive such as:
access to *
by self read
by * none
in slapd.conf. That permits someone to read their own data. If you
want to let them modify their data:
access to *
by self write
by * none
(note that "write" permission also includes all lower permissions such
as auth, read, search, etc.)
What else I need to do to fix this issue.
Looks like you're authenticating fine now, but you have to set up access
rules to allow users to see things. Here's a good on-line reference
book on how to manage an LDAP server:
http://www.zytrax.dom/books/ldap
Also, the OpenLDAP System Admin Guide should have been placed in
/usr/share/doc/openldap-servers-version/guide.html
(replace "version" with the appropriate version number) when you
installed the OpenLDAP server RPM. You can view it by opening a browser
and going to
file:///usr/share/doc/opeenldap-servers-version/guide.html
Thanks and Regards,
-Nilesh
On Fri, Aug 14, 2009 at 10:04 AM, Rick Stevens <ricks@xxxxxxxx> wrote:
Nilesh Joshi wrote:
Thanks Rick.------------------------------------------------------------------------
I have checked using -w password. The exact command I tried was:Also added:
ldapsearch -x -b "ou=people,dc=test,dc=com" -D
"cn=nilesh,ou=people,dc=test,dc=com" -w password '(uid=nilesh)'
Did you enclose the password in single quotes to mask its value?
access to attrs=userPasswordagainst the LDAP database. It does NOT allow a regular user to search
by anonymous auth
by self write
by * none
That may not be adequate. That simply allows a user to authenticate
the entire database. Let's get rid of the error 49 first, then we'll
worry about the rest.
However the result was same. I have confirmed that password is password
for
now.cleartext. If the password you're going to use is in the LDAP database,
If you're using SASL, remember that all the passwords must be stored in
it must be stored in cleartext--NOT some excrypted format such as
{MD5} cypherstring
{SSHA} cypherstring
If the password is in the Cyrus SASL database, it too has to be in
cleartext. This is one of the weaknesses of SASL.
If you're going to use encrypted passwords in the database, you'll need
to use SSL or KRB5 as the transport mechanism.
I think, I am missing something in configuration. Can I use LDAP without
sasl and if yes, what I need to do?allow bind_v2 bind_anon_cred bind_anon_dn
You can, but it's not recommended. Try putting this line in slapd.conf:
Oh, and by the way, we prefer bottom posting on the list.
On Thu, Aug 13, 2009 at 6:16 PM, Rick Stevens <ricks@xxxxxxxx> wrote:
Nilesh Joshi wrote:--
Hi,------------------------------------------------------------------------
I have installed openldap-2.0.27-23 on my server.ldapsearch the right password for the user you're trying to bind as.
I have configured certificate and path is mentioned in slapd.conf
file.
I am able to create root DN and also able to add user to it.
When I search using cn=manager,dc=test,dc=com, it gives me correct
answers.
Howere, whenever I search using user id, I see error 49.
ldapsearch -x -b "ou=people,dc=test,dc=com" -D
"cn=nilesh,ou=people,dc=test,dc=com" -W '(uid=nilesh)'
In logs, I see:
conn=11 fd=10 ACCEPT from IP=192.168.1.2:53115 (IP=0.0.0.0:389)
conn=11 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
conn=11 op=0 RESULT tag=97 err=49 text=
conn=11 fd=10 closed (connection lost)
I would like to have openldap running without sasl.
How should I configure the same? How can I fix this issue?
Error 49 is "invalid credentials," meaning that you didn't hand the
Try it again, but rather than using the "-W" (interactive) flag, try:
-w 'your-password-here'
If the password has shell metacharacters in it, they may be being
interpreted by the shell before being handed to the ldapsearch command.
Using the -w and the password enclosed in single quotes prevents that.
You also have to make sure that the user you're trying to bind as has
access to the userPassword attribute in the slapd.conf file:
access to attrs=userPassword
by anonymous auth
by self write
by * none
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks@xxxxxxxx -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- I never drink water because of the disgusting things that fish do -
- in it. -
- -- WC. Fields -
----------------------------------------------------------------------
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@xxxxxxxxxx
Subject: unsubscribe
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@xxxxxxxxxx
Subject: unsubscribe
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks@xxxxxxxx -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Never test for an error condition you don't know how to handle. -
----------------------------------------------------------------------
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@xxxxxxxxxx
Subject: unsubscribe
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@xxxxxxxxxx
Subject: unsubscribe
--
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks@xxxxxxxx -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Brain: The organ with which we think that we think. -
----------------------------------------------------------------------
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@xxxxxxxxxx
Subject: unsubscribe
------------------------------------------------------------------------
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@xxxxxxxxxx
Subject: unsubscribe
--
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks@xxxxxxxx -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
----------------------------------------------------------------------
_______________________________________________
Redhat-install-list mailing list
Redhat-install-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@xxxxxxxxxx
Subject: unsubscribe
_______________________________________________ Redhat-install-list mailing list Redhat-install-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/redhat-install-list To Unsubscribe Go To ABOVE URL or send a message to: redhat-install-list-request@xxxxxxxxxx Subject: unsubscribe