
Re: Strange things in LDAP



Quoting Igor Loncarevic <anubis@ho.com>:

> anubis@topaz anubis]$ ldappasswd -A -S -h ldap.domain.org -x -D
> "dc=domain,dc=org" igor
[...]
> Additional info: only authenticated users may change passwords

"dc=domain,dc=org" is not a 'user object'... It's a search base...
You have not authenticated. Read up on the '-D' switch. You also
need the '-W' or '-w' switch...

> 2. Also, I cannot search LDAP base:

This can depend on a MULTITUDE of different things...

What do your ACLs look like?
What does your object look like?
[etc]

> 3. I cannot bind with superuser-ldap (Manager) account, I have invalid
> credentials:
> 
> $ ldapsearch -x -h ldap.domain.org -b 'dc=domain,dc=org' -D
> 'dc=Manager,dc=domain,dc=org' '(objectclass=*)' -w xyz

Hmm, does your manager object really use the 'dc' attribute type!? Shouldn't
it be 'cn=Manager'?!

> Also, no LDAP browser (gq, directory_search, ...) works as
> predicted (cannot browse, search, change).

Probably because you're not authenticating properly, or you have
anonymous search disabled (via ACLs).

> suffix          "dc=domain, dc=org"

Right! This is the search base, as said above...

> rootdn          "cn=Manager, dc=domain, dc=org"

As I thought, you should have used 'cn=Manager' above, but you
used 'dc=Manager'.

And if I'm not mistaken, remove the spaces after the ','..
(this was a problem in 1.2, don't know if it was fixed for 2.0).

> rootpw          {crypt}xyxcsxMxhjeti
> 
> access to attr=userPassword
>             by self write
>             by anonymous auth
>             by dn="cn=Admin,dc=domain,dc=org" write
>             by * none

Eh!? 'cn=Admin'? Either you have 'cn=Admin' in both places
(in both 'rootdn' and here) or you use 'cn=Manager'. Also make
sure that the object you're using really exists in the LDAP
database!

> access to *
>             by self write
>             by dn="cn=Admin,dc=domain,dc=org" write
>             by * read

Otherwise the ACLs look ok...

> Is cn=Manager same as cn=Admin?

No. "A can is a can, and not a bottle, and if you say can, don't
mean bottle" (that is, use as directed).

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
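The three mistakes picked apart in the reply above (binding with the suffix instead of a user DN, writing 'dc=Manager' where the rootdn says 'cn=Manager', and granting ACL rights to 'cn=Admin' while the rootdn is 'cn=Manager') can all be caught before touching a live server. The following is an added example, not code from the thread or from the OpenLDAP project: a small lint that parses a slapd.conf fragment, normalises DNs (stripping the whitespace after commas that the reply warns about), and checks a bind DN against the configured suffix and rootdn. The config fragment is constructed to mirror the one quoted in the thread; the function names are this example's own.

```python
import re

# Constructed slapd.conf fragment mirroring the one quoted in the thread.
# It is sample input for this example, not the poster's actual file.
SAMPLE_SLAPD_CONF = """\
suffix          "dc=domain, dc=org"
rootdn          "cn=Manager, dc=domain, dc=org"
rootpw          {crypt}xyxcsxMxhjeti

access to attr=userPassword
            by self write
            by anonymous auth
            by dn="cn=Admin,dc=domain,dc=org" write
            by * none

access to *
            by self write
            by dn="cn=Admin,dc=domain,dc=org" write
            by * read
"""


def normalize_dn(dn: str) -> str:
    """Strip surrounding quotes and whitespace around commas, lowercase the
    attribute types. Naive split: escaped commas in values are not handled."""
    dn = dn.strip().strip('"')
    rdns = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            rdn = f"{attr.strip().lower()}={value.strip()}"
        rdns.append(rdn)
    return ",".join(rdns)


def parse_slapd_conf(text: str) -> dict:
    """Pull suffix, rootdn (raw and normalised) and every 'by dn=...' ACL target."""
    cfg = {"suffix": None, "rootdn": None, "raw": {}, "acl_dns": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(suffix|rootdn)\s+(.+)$", line)
        if m:
            key, raw = m.group(1), m.group(2).strip()
            cfg["raw"][key] = raw
            cfg[key] = normalize_dn(raw)
            continue
        m = re.match(r'^by\s+dn(?:\.[\w-]+)?=("[^"]*"|\S+)', line)
        if m:
            cfg["acl_dns"].append(normalize_dn(m.group(1)))
    return cfg


def lint_bind_dn(bind_dn: str, cfg: dict) -> list:
    """Problems with the DN handed to ldapsearch/ldappasswd -D."""
    problems = []
    dn = normalize_dn(bind_dn)
    if dn == cfg["suffix"]:
        problems.append("bind DN is the suffix (the search base), not a user entry; "
                        "pass the user's full DN to -D and a password via -W or -w")
        return problems
    attr, _, value = dn.split(",", 1)[0].partition("=")
    if attr == "dc":
        problems.append(f"leftmost RDN 'dc={value}' is a domain component; "
                        "a user or admin entry is normally cn= or uid=")
    rootdn = cfg["rootdn"]
    if rootdn and dn != rootdn:
        _, _, root_value = rootdn.split(",", 1)[0].partition("=")
        root_parent = rootdn.split(",", 1)[1] if "," in rootdn else ""
        parent = dn.split(",", 1)[1] if "," in dn else ""
        if value == root_value and parent == root_parent:
            problems.append(f"'{dn}' differs from rootdn only in attribute type; "
                            f"did you mean '{rootdn}'?")
    return problems


def lint_config(cfg: dict) -> list:
    """Spacing after commas, and ACL grants to a DN that is not the rootdn."""
    problems = []
    for key in ("suffix", "rootdn"):
        raw = cfg["raw"].get(key, "")
        if re.search(r",\s", raw):
            problems.append(f"{key} {raw} has whitespace after ','; "
                            f"slapd 1.2 choked on this, write {cfg[key]}")
    for acl_dn in sorted(set(cfg["acl_dns"])):
        if acl_dn != cfg["rootdn"]:
            problems.append(f"ACL grants to {acl_dn} but rootdn is {cfg['rootdn']}; "
                            "rootdn bypasses ACLs, so this grant is only usable if an "
                            "entry with exactly that DN exists and can bind")
    return problems


if __name__ == "__main__":
    cfg = parse_slapd_conf(SAMPLE_SLAPD_CONF)
    for p in lint_config(cfg):
        print("config:", p)
    for dn in ("dc=domain,dc=org", "dc=Manager,dc=domain,dc=org", cfg["rootdn"]):
        print(dn, "->", lint_bind_dn(dn, cfg) or "ok")
```

Run against the constructed fragment it reports the suffix and rootdn spacing, the 'cn=Admin' grant that does not match the 'cn=Manager' rootdn, and flags both bind DNs from the thread while passing 'cn=Manager,dc=domain,dc=org'. Whether the 'cn=Admin' entry (or any other) actually exists still has to be checked against the directory itself, as the reply says.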