
Re: Slave/Replica server authentication/authorization question


|> From my understanding the following rules should allow for users
|> to authenticate as themselves or anonymously:
|>
|>   access to attrs=userPassword
|>     by self write
|>     by anonymous auth
|>
|> and the following allows anonymous queries of the database:
|>
|>   access to *
|>     by * read
|
|
| I think you misunderstand what "auth" means. I think you need
| "compare" for your anonymous line at a minimum, otherwise there is
| no access to the userpassword entry that the incoming connection
| can use to determine if the password supplied is correct or not.
|
| Please see:
|
| <http://www.openldap.org/doc/admin22/slapdconfig.html#Access%20Control>

So I checked out the link you provided, and found this:

  access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Admin,dc=example,dc=com" write
    by * none

Which, with the exception of the dn.base and by * none, is exactly what I currently have in my replica's slapd.conf. So, according to all the information I've found, the syntax is correct. The problem does get weirder though: when I enter an ACL, nothing works on my Linux boxes. If I remove all ACLs, the Linux boxes authenticate fine, but I can't bind with ldapsearch -x -D ... -W.

Quite strange.  All db files are in /var/lib/ldap and are owned by
user and group ldap which is who slapd runs as.  Very interesting...

--
Aaron M. Hirsch
Atos Origin - Cellnet
11146 Thompson Ave.
Lenexa, KS 66219
Work:(913) 312-4717
Fax:(913) 312-4701
Mobile:(913) 284-9094
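The message above hinges on how slapd evaluates `access to ... by ...` directives: privilege levels are ordered (none < auth < compare < search < read < write, each implying the lower ones), the first `access to` whose target matches wins, inside it the first matching `by` clause wins, every directive ends with an implicit `by * none`, and a simple bind needs `auth` on `userPassword`. The following toy evaluator is an added example written for this page, not OpenLDAP code and not from anyone in the thread; the function names (`parse_acl`, `privilege`, `simple_bind_permitted`), the DN `uid=aaron,dc=example,dc=com`, the two ACL sets and the simplified `<who>` matching are all constructed here for illustration. It generalizes the thread's case by also showing what happens when the two directives are written in the opposite order.

```python
"""Toy model of OpenLDAP slapd.conf access-control evaluation (constructed
example; only the subset of syntax used in the thread is understood)."""
import re

# Privilege levels in ascending order; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed copy of the ACL set quoted in the thread.
ACL_FROM_THREAD = """
access to attrs=userPassword
    by self write
    by anonymous auth
access to *
    by * read
"""

# Same two directives with the order swapped (constructed to show the pitfall:
# the catch-all matches first, so userPassword is readable by everyone).
ACL_MISORDERED = """
access to *
    by * read
access to attrs=userPassword
    by self write
    by anonymous auth
"""


def level_allows(granted, needed):
    """True if the granted privilege is at least the needed one."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def parse_acl(text):
    """Turn 'access to <what> by <who> <level> ...' blocks into a list of
    (what, [(who, level), ...]) tuples, preserving directive order."""
    directives = []
    for block in re.split(r"(?m)^\s*access\s+to\s+", text):
        block = block.strip()
        if not block:
            continue
        parts = re.split(r"\s+by\s+", block)
        clauses = []
        for clause in parts[1:]:
            who, level = clause.split()[:2]
            clauses.append((who, level))
        directives.append((parts[0].strip(), clauses))
    return directives


def _what_matches(what, attr):
    """'*' matches anything; attrs=/attr=<list> matches a named attribute."""
    if what == "*":
        return True
    m = re.match(r"attrs?=(.+)", what)
    if m and attr is not None:
        names = [n.strip().lower() for n in m.group(1).split(",")]
        return attr.lower() in names
    return False


def _who_matches(who, requester, target_dn):
    """Requester None means an anonymous (not yet bound) connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn.base="):
        wanted = who[len("dn.base="):].strip('"').lower()
        return requester is not None and requester.lower() == wanted
    raise ValueError("unsupported <who> clause: " + who)


def privilege(acl_text, requester, target_dn, attr):
    """Privilege level `requester` gets on `attr` of `target_dn`."""
    directives = parse_acl(acl_text)
    if not directives:
        return "read"  # slapd default policy when no access directives exist
    for what, clauses in directives:
        if _what_matches(what, attr):
            for who, level in clauses:
                if _who_matches(who, requester, target_dn):
                    return level
            return "none"  # implicit "by * none" closing every directive
    return "none"  # nothing applied to this target: treated as denied here


def simple_bind_permitted(acl_text, user_dn):
    """A simple bind is performed anonymously and needs 'auth' on userPassword."""
    return level_allows(privilege(acl_text, None, user_dn, "userPassword"), "auth")


if __name__ == "__main__":
    user = "uid=aaron,dc=example,dc=com"
    for name, acl in (("thread", ACL_FROM_THREAD), ("misordered", ACL_MISORDERED)):
        print(name, "bind:", simple_bind_permitted(acl, user),
              "anonymous userPassword:", privilege(acl, None, user, "userPassword"))
```

With the directives in the thread's order, an anonymous connection gets exactly `auth` on `userPassword` (enough to bind, not enough to read the hash), the user gets `write` on their own password, and any other bound DN falls through to the implicit `by * none`. With the catch-all `access to * by * read` placed first, the `userPassword` directive is never reached and the password attribute becomes world-readable, which is the ordering mistake worth checking for whenever a new ACL "works" or "breaks" unexpectedly.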