
Re: test my LDAP server ONLY using ssh?



First and foremost - thanks for the replies...

On Thu, 2003-01-23 at 11:24, Tony Earnshaw wrote:

> 
> > I've edited my /etc/pam.d/sshd (it's gone through several iterations)
> > file so it looks like this (right now):
> 
> Does it work?
> 

Well, I can't log in via ssh, so I'd say 'no', but I don't know if it's
due to an error in the specified file, or if I screwed something else
up, which is why there was so much info in the original post.  

> > Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128 
> 
> This is an anonymous bind. Is that what you want to find things with?
> Difficult to know without knowing what your ACLs look like.

Do you mean that SSHD is binding to the server anonymously?  So *me*
and, separately, the *sshd* daemon have to bind to the ldap server?  I
suppose this makes some sense when you see the log entries that show a
connection essentially coming in from the local host.  What's
recommended procedure here?  I added 'binddn' to my /etc/ldap.conf file,
so now 'BIND dn=""' has an actual DN to bind with, but I don't know the
proper syntax for ldap.conf to get this working.  What I got after doing
this was 
=================================================================
Jan 23 12:03:28 current slapd[5973]: conn=2 fd=12 ACCEPT from
IP=128.112.6.64:39105 (IP=0.0.0.0:389) 

Jan 23 12:03:28 current slapd[6078]: conn=2 op=0 BIND
dn="cn=daproot,dc=cs,dc=princeton,dc=edu" method=128 

Jan 23 12:03:28 current slapd[6078]: conn=2 op=0 RESULT tag=97 err=53
text=unwilling to allow anonymous bind with non-empty DN 

Jan 23 12:03:28 current slapd[6078]: conn=2 op=1 UNBIND 

Jan 23 12:03:28 current slapd[6078]: conn=2 fd=12 closed 
=====================================================================

Now I googled for that 'non-empty DN' bit, and it returned NOTHING.  A
search of this mailing list returned one thread, which provided a
*little* help.

"The fast solution:
Put the following line into slapd.conf:
allow bind_v2 bind_anon_dn"

But this doesn't explain why the error occurs.  The error apparently
occurs because there's some sort of default set somewhere to bind
anonymously, so I put "disallow bind_anon" in my /etc/ldap.conf file. 
The hope is that since it doesn't allow anon binds with a non-empty dn,
it will now be forced to use the non-empty dn to perform a
'non-anonymous' bind.  Now I get only slightly different, and,
unbelievably, LESS useful log messages...

====================================================================
Jan 23 12:21:45 current slapd[6222]: conn=0 fd=12 ACCEPT from
IP=128.112.6.64:39111 (IP=0.0.0.0:389) 

Jan 23 12:21:45 current slapd[6251]: conn=0 op=0 BIND
dn="cn=daproot,dc=cs,dc=princeton,dc=edu" method=128 

Jan 23 12:21:45 current slapd[6251]: conn=0 op=0 RESULT tag=97 err=48
text= 

Jan 23 12:21:45 current slapd[6251]: conn=0 op=1 UNBIND 

Jan 23 12:21:45 current slapd[6251]: conn=0 fd=12 closed 
========================================================================

I only have a single ACL in my slapd.conf file.

=================================
access to *
        by * read
        by anonymous auth
        by users read
=================================

I feel like I'm the only person in the whole world who can't get this to
work.  I must've missed something completely crucial.  I just can't seem
to move forward!  When's it gonna click!?  ACK!

> 
> Get GQ, compile it for Red Hat - jump from www.biot.com :-)

I HATE GQ.  THERE'S NO DOCS and I can't even connect to my server with
it.  I hate it, I hate it, I hate it.  I'm tired of trying to figure out
the syntax it's looking for for the configuration fields.  I'm not up
for trying to figure out the magical incantations with a GUI when the
CLI tools are already known to work well. Not that I wouldn't LOVE a
tool to make this stuff easier, but I don't think GQ is for me -
personally.  My $.02
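The two slapd excerpts quoted above both show a simple bind (method=128) that names a DN but carries no credentials: err=53 "unwilling to allow anonymous bind with non-empty DN" is what OpenLDAP returns for an unauthenticated bind when bind_anon_dn is not allowed, and err=48 (inappropriateAuthentication) is what the same client behaviour produces once anonymous binds are disallowed. The following checker is an added example, not code from the thread or from OpenLDAP; it pairs each BIND with its RESULT line and names the condition, so a defender reading slapd logs can tell "client forgot the bindpw" apart from "wrong password" or "anonymous bind accepted". The sample log lines are constructed, modelled on the ones in the post.

```python
import re

# Constructed sample, modelled on the slapd log lines quoted in this thread.
SAMPLE_LOG = """\
Jan 23 12:03:28 current slapd[6078]: conn=2 op=0 BIND dn="cn=daproot,dc=cs,dc=princeton,dc=edu" method=128
Jan 23 12:03:28 current slapd[6078]: conn=2 op=0 RESULT tag=97 err=53 text=unwilling to allow anonymous bind with non-empty DN
Jan 23 12:03:28 current slapd[6078]: conn=2 op=1 UNBIND
Jan 23 12:21:45 current slapd[6251]: conn=0 op=0 BIND dn="cn=daproot,dc=cs,dc=princeton,dc=edu" method=128
Jan 23 12:21:45 current slapd[6251]: conn=0 op=0 RESULT tag=97 err=48 text=
Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 BIND dn="" method=128
Jan 22 15:33:47 current slapd[4074]: conn=29 op=0 RESULT tag=97 err=0 text=
"""

# LDAP resultCode names (RFC 4511); method=128 in slapd logs is a simple bind.
ERR_NAMES = {0: "success", 48: "inappropriateAuthentication",
             49: "invalidCredentials", 53: "unwillingToPerform"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)$')

def classify_binds(log_text):
    """Pair each BIND with the RESULT carrying the same conn/op and label it."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            pending[(m[1], m[2])] = (m[3], int(m[4]))
        elif (m := RESULT_RE.search(line)) and (m[1], m[2]) in pending:
            dn, method = pending.pop((m[1], m[2]))
            err, text = int(m[3]), m[4].strip()
            if dn == "" and err == 0:
                kind = "anonymous bind accepted"
            elif err == 53 and "non-empty DN" in text:
                # DN sent with an empty password: an unauthenticated simple bind.
                # slapd refuses it unless 'allow bind_anon_dn' is configured.
                kind = "DN sent without password (unauthenticated simple bind)"
            elif err == 48:
                # Same client behaviour once anonymous binds are disallowed;
                # the fix is to supply credentials (bindpw), not to relax slapd.
                kind = "DN sent without password (anonymous binds disallowed)"
            elif err == 49:
                kind = "wrong password for DN"
            elif err == 0:
                kind = "authenticated bind"
            else:
                kind = "other failure"
            findings.append({"conn": m[1], "op": m[2], "dn": dn, "method": method,
                             "err": err, "name": ERR_NAMES.get(err, "unknown"), "kind": kind})
    return findings
```

Call `classify_binds(open("/var/log/slapd.log").read())` (or on the constructed SAMPLE_LOG) and print each finding's `conn`, `dn` and `kind`; the two quoted excerpts both come out as "DN sent without password".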