[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Upgrading to 2.1.8 breaks binding

Thanks so much!  That was the problem.  So please, how did you determine
that?  I looked through the CHANGES file and everywhere else I could
think of but found no mention of the (rather significant) change that
enable--crypt, which defaulted to auto in 2.0, had changed to a default
of 'no' in 2.1 (or somewhere along the line).  Did you uncover it by
troubleshooting or did you read it somewhere?  I'm still wrestling with
this upgrade and trying to find out what changes have been made that
might affect my new setup.

Thanks again,


-----Original Message-----
From: John Hogenmiller [mailto:john@pennswoods.net] 
Sent: Friday, November 01, 2002 9:24 AM
To: mdenk@whidbey.net
Cc: openldap-software@OpenLDAP.org
Subject: Re: Upgrading to 2.1.8 breaks binding

Are you storing encrypted password in your ldap database?  If so, did
--enable-crypt when you compiled?

> Since I upgraded from 2.0.25 to 2.1.8 I can no longer bind from
> authentication clients like radius to my openldap server. When I try,
> the error reported in my ldap log file is:
>   Conn=3 op=0 RESULT tag=97 err=49 text=
> It turns out that error 49, from ldap.h, means that the credentials
> invalid (LDAP_INVALID_CREDENTIALS).  I know I'm using the correct
> password of the entry I'm trying to bind as.  I've also tried to bind
> that entry to read its own entry using ldapsearch.  But version 2.1.8
> won't allow me to bind as this (or any other except Manager and Admin)
> entry.  However, version 2.0.25 did.  2.1.8 will only allow me to bind
> as cn=Manager,dc=example,dc=org or as cn=Admin,dc=example,dc=org.  It
> will not allow binding by any other entry in the database.
> I'm using virtually the same config file, the only change being that
> I've included "allow bind_v2" and I've changed ldbm to bdb as the
> backend database (I also upgraded the Berkeley db to version 4).
> My access list is as follows:
> access to attr=userPassword
> 	by self write
> 	by anonymous auth
> 	by dn="cn=Admin,dc=example,dc=org write
> 	by * none
> access to *
> 	by self write
> 	by dn="cn=Admin,dc=example,dc=org" write
> 	by * read
> Can anyone help me figure out what I need to do to recover the lost
> functionality?
> Thanks,
> Mike