[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: AIX as openldap client

To: Stef Coene <stef.coene@docum.org>
Subject: Re: AIX as openldap client
From: Benjamin Griese <der.darude@gmail.com>
Date: Mon, 15 Nov 2010 14:15:37 +0100
Cc: openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Y8wS7P/HSdOYgFbKB+SPZz3kRpAabwLeO5/K0+g6DFs=; b=K7M5GsEYWziYFxWB+aVLwMxaxC+N31TJfAfxQ0GrdUW6tP/T5EspIvL2Iyrfh8+B+5 hL8fz5QoBpqHwJo2oEsyg2BS5U9883QchTGtqVigdG+RFQx6Q83A2gsaIjhCF0Px6V/M Qwe2EJ7E3SlNz8KMWwoctcALYbpexitSuFEtQ=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=JdapaTNGSe6/lArwwEMEvxxcHjxfmTmIflN5M3Rxx3gd+W5LQHhA/YxdMHrNipV8GE GcAuom7aFjh9zxDv5vCuJ1Im0oGAmHwJo3/jyI7jNe+nWm/YtVVy/2auohHtbdFiXgEY 1E3RLCcChRrRMbpiLdor4QhDSOAZ0iFF6i1cs=
In-reply-to: <201011151327.40167.stef.coene@docum.org>
References: <201010262150.53658.stef.coene@docum.org> <201011151045.26460.stef.coene@docum.org> <AANLkTikgv-Jz5KjX3o7HNgMOps3hLstt9g+WOZ_0c3NT@mail.gmail.com> <201011151327.40167.stef.coene@docum.org>

Hi Stef,

olcAccess: to dn.subtree="ou=People,dc=test,dc=intra"
attrs=userPassword,shadowLastChange
   by dn="cn=admin,dc=example,dc=com" write
   by anonymous auth
   by self write
   by * auth
olcAccess: to attrs=userPassword,shadowLastChange
   by dn="cn=admin,dc=test,dc=intra" write
   by anonymous auth
   by * none

- I can see here that you somehow changed the olcRootDN in the first
ACL which doesn't fit to the baseDN defined
- I wouldn't use the 2nd ACL, because all neccessary is done in the
first one (as far as userPassword/shadow* is only used in the people
subtree)

I'll show you one example from my tree:

olcAccess: {0}to attrs=userPassword,shadowLastChange by
dn="cn=ldapadm,dc=example,dc=de" write  by anonymous auth by self
write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=ldapadm,dc=example,dc=de" write by * read

Please check if that is going to work for you.

Bye, Benjamin.

PS: I am doing anonymous binds for logins from the AIX LDAP-Clients to
the OpenLDAP-Server. Right now I am fiddling around with SSL und the
keydatabases.

On Mon, Nov 15, 2010 at 13:27, Stef Coene <stef.coene@docum.org> wrote:
> On Monday 15 November 2010, Benjamin Griese wrote:
>> Hello,
>>
>> I just wanted to point you to the official guides from IBM howto
>> configure your AIX ldap client, which worked fine for me, except für
>> sudo-ldap, but that's another topic.
>>
>> Section 7: http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
> I have read the redbook.
> What ldap server are you running?  I'm using ubuntu server 10.04.
>
> I think my problem is that I can not bind to the ldap server as a regular user
> with the ldapsearch command.  I can only bind as the admin specfied as
> olcRootDN with password olcRootPW.
>
> I attached the 2 ldif files I use to configure the ldap server.  I hope that
> someone can find en error in it ....
>
> I also noted that the  userPassword entry for cn=admin,dc=axi,dc=intra is not
> encrypted.  How can I generate an encrypted password?  Can this be a {SHA} or
> has it to be a {SSHA}?
>
>
> Stef
>
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> ______________________________________________________________________



-- 
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
be is to do -- Sartre | Do be do be do -- Sinatra

References:
- Re: AIX as openldap client
  - From: Stef Coene <stef.coene@docum.org>
- Re: AIX as openldap client
  - From: Benjamin Griese <der.darude@gmail.com>
- Re: AIX as openldap client
  - From: Stef Coene <stef.coene@docum.org>

Prev by Date: RE: Pass-Through authentication
Next by Date: Re: Pass-Through authentication
Index(es):
- Chronological
- Thread