[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: no entries where found with ldapsearch

tor, 19.02.2004 kl. 21.10 skrev Andreas Dondera:


I'll comment only on the relevant bits and cut out the rest.

> I've read the tutorial from Markus Amersbacher on subnet.at and other.

You've been exemplarily thorough and you've only made a single mistake.

> My Server based on Debian Woody with Openldap 2.0.
> Something already runs fine, but I don't know what ;-) I've adapted the
> slapd.conf (see below), libnss-ldap.conf, libpam-ldap.conf and several
> files in /etc/pam.d/ to my needs. At the moment I get the following when 
> I change my password:
> Enter login(LDAP) password: 
> New password: 
> Re-enter new password: 
> LDAP password information changed for donde
> passwd: password updated successfully

You haven't shown it, but it looks like you've defined manager as binddn
or rootbinddn in libpam-ldap.conf, together with with his password.


> access to attribute=userPassword
>         by dn="cn=manager,dc=fhoevp,dc=de" write
>         by anonymous auth
>         by * none
> access to *
>         by dn="cn=manager,dc=fhoevp,dc=de" write
>           by dn="cn=nss,dc=fhoevp,dc=de" read
>           by * auth

It isn't uid donde who is changing his password. It's cn=manager - just
look at the above 2 ACLs again. When you did your ldapsearch, you did it
anonymously. Your ACLs prohibit reading your whole DIT by everyone
except manager and nss ("auth" does not mean "read"). If you want to
read your DIT (for everything except the userPassword attribute) and
using the above ACLs, you'll have to bind as cn=nss:

ldapsearch -x -b 'dc=fhoevp,dc=de' -s sub -D \
"cn=nss,dc=fhoevp,dc=de" -W  'uid=donde' # ('man ldapsearch'!)

To see the userPassword attribute, you'll have to bind as manager.

Once you understand what this does, you'll be able to change the above
ACLs to suit what *you* want to do, not what the writer of a HOWTO says.

NB: The version of Openldap you are using is an old one. To ensure
compatibility when you upgrade, get rid of spaces between rDNs in your
ldif file:

dn: cn=manager, dc=fhoevp,dc=de # no!
dn: cn=manager,dc=fhoevp,dc=de # yes!

> P.S. Excuse my english ;-)

Some native English people write much worse English than you ;)




mail: billy - at - billy.demon.nl