
Re: simple bind ldapsearch invalid credentials



Hello,
Thanks for your hint.
Indeed it was the anonymous auth access to userPassword.

But I still got problems setting up the adding of addresses...

I tried several ACLs with dn.subtree and dn.base
--snip--
access  to attr=userPassword
        by self         write
        by anonymous    auth
        by *            none
access  to *
        by self         write
        by users        read
        by *            none
access to dn="ou=cornelius,ou=adressen,dc=az,dc=local" by
dn="cn=corny,ou=users,dc=az,dc=local" write
access to dn="ou=franziska,ou=adressen,dc=az,dc=local" by
dn="cn=corny,ou=users,dc=az,dc=local" read
--snip--
for the user cn=corny to add addresses like cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local below
ou=cornelius,ou=adressen,dc=az,dc=local.

I don't like the text "write access denied by read(=rscx)".
But I do not know how to fix this.

Kind regards
Cornelius


--snip--


Aug  8 12:44:00 schnuck slapd[10000]: do_add: dn (cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local)
Aug  8 12:44:00 schnuck slapd[10000]: conn=1 op=2 ADD dn="cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local"
Aug  8 12:44:00 schnuck slapd[10000]: bdb_dn2entry("cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local")
Aug  8 12:44:00 schnuck slapd[10000]: => bdb_dn2id( "cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local" )
Aug  8 12:44:00 schnuck slapd[10000]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30989)
Aug  8 12:44:00 schnuck slapd[10000]: bdb_referrals: op=104
target="cn=test tester,ou=cornelius,ou=adressen,dc=az,dc=local"
matched="ou=cornelius,ou=adressen,dc=az,dc=local"
Aug  8 12:44:00 schnuck slapd[10000]: ==> bdb_add: cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_required entry (cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local), objectClass "inetOrgPerson"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "objectClass"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "cn"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "displayName"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "givenName"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "sn"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "uid"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type
"structuralObjectClass"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "entryUUID"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "creatorsName"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type
"createTimestamp"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "entryCSN"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type "modifiersName"
Aug  8 12:44:00 schnuck slapd[10000]: oc_check_allowed type
"modifyTimestamp"
Aug  8 12:44:00 schnuck slapd[10000]: bdb_dn2entry("cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local")
Aug  8 12:44:00 schnuck slapd[10000]: => bdb_dn2id( "cn=test
tester,ou=cornelius,ou=adressen,dc=az,dc=local" )
Aug  8 12:44:00 schnuck slapd[10000]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30989)
Aug  8 12:44:00 schnuck slapd[10000]: => access_allowed: write access to
"ou=cornelius,ou=adressen,dc=az,dc=local" "children" requested
Aug  8 12:44:00 schnuck slapd[10000]: => acl_get: [2] attr children
Aug  8 12:44:00 schnuck slapd[10000]: => acl_mask: access to entry
"ou=cornelius,ou=adressen,dc=az,dc=local", attr "children" requested
Aug  8 12:44:00 schnuck slapd[10000]: => acl_mask: to all values by
"cn=corny,ou=users,dc=az,dc=local", (=n)
Aug  8 12:44:00 schnuck slapd[10000]: <= check a_dn_pat: self
Aug  8 12:44:00 schnuck slapd[10000]: <= check a_dn_pat: users
Aug  8 12:44:00 schnuck slapd[10000]: <= acl_mask: [2] applying
read(=rscx) (stop)
Aug  8 12:44:00 schnuck slapd[10000]: <= acl_mask: [2] mask: read(=rscx)
Aug  8 12:44:00 schnuck slapd[10000]: => access_allowed: write access
denied by read(=rscx)
Aug  8 12:44:00 schnuck slapd[10000]: bdb_add: no write access to parent
Aug  8 12:44:00 schnuck slapd[10000]: send_ldap_result: conn=1 op=2 p=3
Aug  8 12:44:00 schnuck slapd[10000]: send_ldap_result: err=50
matched="" text="no write access to parent"
Aug  8 12:44:00 schnuck slapd[10000]: send_ldap_response: msgid=3
tag=105 err=50
Aug  8 12:44:00 schnuck slapd[10000]: conn=1 op=2 RESULT tag=105 err=50
text=no write access to parent
Aug  8 12:44:00 schnuck slapd[10000]: daemon: activity on 1 descriptors
Aug  8 12:44:00 schnuck slapd[10000]: daemon: activity on:

Buchan Milne schrieb:
> On Monday 07 August 2006 23:51, Cornelius Koelbel wrote:
>   
>> Hello,
>>
>> I set up OpenLDAP 2.2.29 on FC4.
>> I guess everything is right, I can access and modify everything with the
>> manager.
>> I setup an object
>> 	cn=corny,ou=users,dc=az,dc=local
>>
>> as follows:
>>
>> 	dn: cn=corny,ou=users,dc=az,dc=local
>> 	objectClass: top
>> 	objectClass: person
>> 	cn: corny
>> 	sn: corny
>>
>> I want to have this person access to a subtree of the ldap.
>> 	access to dn="ou=cornelius,ou=adressen,dc=az,dc=local"
>> 		by dn="cn=corny,ou=users,dc=az,dc=local" write
>> But for now, I configured everything:
>> 	access to *
>> 		by dn="cn=corny,ou=users,dc=az,dc=local" write
>>     
>
> Is this your complete ACL set, or a subset ? If it is complete, you are 
> definitely missing an ACL giving anonymous auth access to userPassword 
> (required for simple bind to work).
>
>   
>> Now I set a password and try to connect:
>>
>> corny@schnuck:[/data/down]> ldappasswd  -x -D
>> "cn=Manager,dc=az,dc=local" -W -S  "cn=corny,ou=users,dc=az,dc=local"
>> New password:
>> Re-enter new password:
>> Enter LDAP Password:
>> Result: Success (0)
>>
>> everything seems fine, but now:
>>
>> corny@schnuck:[/data/down]> ldapsearch   -D
>> 'cn=corny,ou=users,dc=az,dc=local' -W  -x -b 'dc=az,dc=local'
>> Enter LDAP Password:
>> ldap_bind: Invalid credentials (49)
>>
>>     
>
> 1) Test just the authentication bit with ldapwhoami
> 2) Bump the log level up to include ACL processing (384 might be a reasonable 
> value).
>
>   
>> What's wrong, where can I start to search?
>>     
>
> Most likely you don't have an ACL allowing anonymous auth access to the 
> userPassword attribute. Logs of the ACL processing will most likely indicate 
> this. If it is not the case, they will help track it down.
>
> Regards,
> Buchan
>
>   
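An added example (not part of this thread and not OpenLDAP's code) that models slapd's first-match ACL evaluation over the rule set and DNs from the post: the log's `acl_mask: [2] applying read(=rscx) (stop)` is the catch-all `access to *` matching the parent's `children` pseudo-attribute before the per-subtree rule is ever reached, so the bound user gets `read` and the add is refused. The follow-up write check on the new entry itself is modelled as a write on its `entry` pseudo-attribute, which is an assumption about the server version in the post.

```python
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def in_subtree(entry, base):
    return entry == base or entry.endswith("," + base)

def target_matches(rule, entry, attr):
    """Does this 'access to' clause apply to (entry, attr)? No dn part means dn="*"."""
    style, pat = rule.get("dn", ("base", None))
    if pat is not None and style == "base" and entry != pat:
        return False
    if pat is not None and style == "subtree" and not in_subtree(entry, pat):
        return False
    return rule.get("attrs") is None or attr in rule["attrs"]

def who_matches(who, bound_dn, entry):
    if who == "*": return True
    if who == "anonymous": return bound_dn is None
    if who == "users": return bound_dn is not None
    if who == "self": return bound_dn == entry
    return who == bound_dn          # dn="..." exact match

def granted(acls, bound_dn, entry, attr):
    """First 'to' clause that matches wins; inside it the first 'by' that matches wins."""
    for rule in acls:
        if target_matches(rule, entry, attr):
            for who, level in rule["by"]:
                if who_matches(who, bound_dn, entry):
                    return level
            return "none"           # implicit 'by * none'
    return "none"                   # implicit 'access to * by * none'

def allowed(acls, bound_dn, entry, attr, wanted):
    return LEVELS.index(granted(acls, bound_dn, entry, attr)) >= LEVELS.index(wanted)

# DNs and rules taken from the post
CORNY = "cn=corny,ou=users,dc=az,dc=local"
PARENT = "ou=cornelius,ou=adressen,dc=az,dc=local"
NEW = "cn=test tester," + PARENT
PW = {"attrs": {"userPassword"}, "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]}
CATCH_ALL = {"by": [("self", "write"), ("users", "read"), ("*", "none")]}
# Posted order: the catch-all is rule [2] and stops evaluation before the dn rule is reached
POSTED = [PW, CATCH_ALL, {"dn": ("base", PARENT), "by": [(CORNY, "write")]}]
# Specific rule first, with dn.subtree so the checks on the new child entry match it too
FIXED = [PW, {"dn": ("subtree", PARENT), "by": [(CORNY, "write")]}, CATCH_ALL]

if __name__ == "__main__":
    for name, acls in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "write to parent's children:", allowed(acls, CORNY, PARENT, "children", "write"),
              "| write to new entry:", allowed(acls, CORNY, NEW, "entry", "write"))
```

Running it prints `posted ... False ... False` and `fixed ... True ... True`; the anonymous `auth` grant on userPassword is kept in both sets, since that is what makes the simple bind itself succeed.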

