
Re: openldap authentication problem

You need to change one of your ACLs and add anonymous auth:

access to attr=userPassword
by ssf=8 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
by ssf=8 self write
by anonymous auth
by * none

Jonathan Higgins
IT R&D Project Manager
Kennesaw State University
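Why the bind is refused, and why the attr=userPassword rule has to sit in front of the dn-based rules: slapd consults only the first `access to` directive whose <what> matches the entry and attribute, and a simple bind is evaluated while the connection is still anonymous, so the anonymous identity needs `auth` on userPassword (that is the `=> access_allowed: auth access to ... "userPassword"` line in the log). The script below is a toy model of that evaluation added to this archive page; it is not OpenLDAP code and not something Jonathan or Vuko posted. It handles only the clause forms used in this thread (2.1-style dn=<regex>, attr=, self, anonymous, users, ssf=<n>, *), writes the mail's `ssf8` as `ssf=8`, and uses the poster's DNs as constructed sample data.

```python
"""Toy model of slapd ACL selection/evaluation (added example, not OpenLDAP code)."""
import re
from dataclasses import dataclass

# slapd's access levels; a clause granting `write` also satisfies `read`, etc.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Conn:
    """What the ACL engine knows about the requesting connection."""
    bound_dn: str = ""   # "" = anonymous; a simple bind is evaluated in this state
    ssf: int = 0         # security strength factor: 0 = cleartext, >0 = TLS


def parse_acls(text):
    """Parse `access to <what>` / `by <who> <access>` lines (slapd.conf layout)."""
    acls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            acls.append({"what": line[len("access to "):], "by": []})
        elif line.startswith("by "):
            *who, level = line[3:].split()      # all tokens but the last form <who>
            acls[-1]["by"].append((who, level))
        else:
            raise ValueError("unsupported ACL line: " + line)
    return acls


def what_matches(what, target_dn, attr):
    """Does this directive's <what> cover (target_dn, attr)?"""
    if what == "*":
        return True
    if what.startswith(("attr=", "attrs=")):
        return attr is not None and attr.lower() in what.split("=", 1)[1].lower().split(",")
    if what.startswith("dn="):               # OpenLDAP 2.1: dn=<regex>
        return re.fullmatch(what[3:].strip('"'), target_dn, re.I) is not None
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, conn, target_dn):
    """Every component of one <who> clause must hold (slapd ANDs them)."""
    for tok in who:
        if tok == "*":
            ok = True
        elif tok == "anonymous":
            ok = conn.bound_dn == ""
        elif tok == "users":
            ok = conn.bound_dn != ""
        elif tok == "self":
            ok = conn.bound_dn != "" and conn.bound_dn.lower() == target_dn.lower()
        elif tok.startswith("dn="):
            ok = re.fullmatch(tok[3:].strip('"'), conn.bound_dn, re.I) is not None
        elif tok.startswith("ssf="):
            ok = conn.ssf >= int(tok[4:])
        else:
            raise ValueError("unsupported <who> clause: " + tok)
        if not ok:
            return False
    return True


def access_allowed(acls, conn, target_dn, attr, level):
    """First directive whose <what> matches is the ONLY one consulted; inside it the
    first matching <who> decides.  No <who> match => denied (the log's "=n")."""
    for acl in acls:
        if not what_matches(acl["what"], target_dn, attr):
            continue
        for who, granted in acl["by"]:
            if who_matches(who, conn, target_dn):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False
    return LEVELS.index("read") >= LEVELS.index(level)   # slapd's built-in default


def simple_bind(acls, user_dn, ssf=0):
    """A simple bind runs before the connection is authenticated, so slapd asks
    for `auth` access to userPassword on behalf of the anonymous identity."""
    return access_allowed(acls, Conn("", ssf), user_dn, "userPassword", "auth")


# Constructed from the poster's slapd.conf, with `ssf=8` in slapd's syntax.
ORIGINAL_ACLS = """
access to dn=".*,ou=People,dc=myCompany,dc=MyDomain"
  by ssf=8 self write
  by ssf=8 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
access to dn=".*,dc=myCompany,dc=MyDomain"
  by ssf=8 self write
  by ssf=8 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
  by * read
"""
# The suggested fix; it must come BEFORE the dn-based directives to be reached.
FIX_ACL = """
access to attr=userPassword
  by ssf=8 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
  by ssf=8 self write
  by anonymous auth
  by * none
"""
USER = "uid=aUser,ou=People,dc=myCompany,dc=MyDomain"   # the DN from the log


def demo():
    """Outcomes worth checking before and after the fix."""
    original = parse_acls(ORIGINAL_ACLS)
    fixed = parse_acls(FIX_ACL + ORIGINAL_ACLS)
    fix_last = parse_acls(ORIGINAL_ACLS + FIX_ACL)
    return {
        "bind_original": simple_bind(original, USER),          # denied, as in the log
        "bind_fixed": simple_bind(fixed, USER),                # granted
        "bind_fix_placed_last": simple_bind(fix_last, USER),   # denied: dn rule wins
        "anon_read_fixed": access_allowed(fixed, Conn(), USER, "userPassword", "read"),
        "self_write_tls": access_allowed(fixed, Conn(USER, 256), USER, "userPassword", "write"),
        "self_write_cleartext": access_allowed(fixed, Conn(USER, 0), USER, "userPassword", "write"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'granted' if ok else 'denied'}")
```

The first case reproduces the `=n` from the log; placing the fix after the dn-based rules leaves the bind denied because the `.*,ou=People,...` directive matches userPassword first and has no anonymous clause. `anonymous` gets `auth` but not `read`, so an unauthenticated client can have slapd compare a password without being able to fetch the hashes. Note that `by anonymous auth` as suggested carries no ssf requirement, so a bind sent in cleartext is still evaluated; adding `ssf=8` to that clause as well would make slapd refuse password checks on connections that have not started TLS.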

>>> Vuko Brigljevic <Vuko.Brigljevic@cern.ch> 3/11/2005 9:56:05 AM >>>


For a few days now I have been having authentication
problems with my openldap server, with a recurring
error in the logs:

pam_ldap: error trying to bind as user
"uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)

The system:
SuSE Linux 8.2
openldap 2.1.12
pam_ldap version 159
nss_ldap version 203.7

I am using all the default versions that come with the
distribution. Everything broke a few days ago
and I am currently not able to log in any more;
I always see an "(Insufficient access)"
message in the logs.

I append my slapd.conf file, the ldap.conf
file and the output of the full log (obtained
with loglevel set to -1) from /var/log/messages
of a failed login attempt.

BTW, the system broke after restarting
the ldap server. I was editing slapd.conf,
but as far as I am aware I left
everything as it was before (when the
system was running). It is very possible
that I did change something, but after
looking for it for a few days I just
can't see what it could be.

Any idea as to what may be wrong?



==========
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/samba.schema

TLSCipherSuite         HIGH:MEDIUM:+SSLv2

TLSCertificateFile    /etc/ldap-certs/server/server.crt
TLSCertificateKeyFile /etc/ldap-certs/server/server.key
TLSCACertificateFile  /etc/ldap-certs/ca/ca.crt

database        ldbm

suffix          "dc=myCompany,dc=MyDomain"
rootdn          "uid=root,ou=People,dc=myCompany,dc=MyDomain"
directory       /var/lib/ldap/

index   objectClass,uid,uidNumber,gidNumber  eq
index   cn,mail,surname,givenname            eq,subinitial

access to dn=".*,ou=People,dc=myCompany,dc=MyDomain"
by ssf8 self write
by ssf8 dn="uid=root,ou=People,dc=myCompany,dcMyDomain" write

access to dn=".*,dc=myCompany,dc=MyDomain"
by ssf8 self write
by ssf8 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
by  * read

access to dn=".*,dc=myCompany,dc=MyDomain"
by  * read

# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 kurt Exp $
# LDAP Defaults

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

base    dc=myCompany,dc=MyDomain
uri     ldap://myserver.myCompany.MyDomain

nss_base_passwd ou=People,dc=myCompany,dc=MyDomain
nss_base_shadow ou=People,dc=myCompany,dc=MyDomain
nss_base_group  ou=Group,dc=myCompany,dc=MyDomain
host    myserver.myCompany.MyDomain
ldap_version    3
ssl     start_tls
pam_password    crypt

tls_cacert      /etc/openldap/ca/ca.crt

extract from /var/log/messages
>>> dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>
daemon: activity on 1 descriptors
<<< dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>,
daemon: select: listen=6 active_threads=1 tvp=NULL
do_bind: version=3 dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain"
conn=4 op=3 BIND dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain"
==> ldbm_back_bind: dn: uid=aUser,ou=People,dc=myCompany,dc=MyDomain
dn2entry_r: dn: "uid=aUser,ou=people,dc=myCompany,dc=MyDomain"
=> dn2id( "uid=aUser,ou=people,dc=myCompany,dc=MyDomain" )

121 (1 tries)
<= dn2id 121 (in cache)
=> id2entry_r( 121 )
====> cache_find_entry_id( 121 )
"uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (found) (1 tries)
<= id2entry_r( 121 ) 0x81ca750 (cache)
=> access_allowed: auth access to
"uid=aUser,ou=People,dc=myCompany,dc=MyDomain" "userPassword"
=> dnpat: [1] .*,ou=People,dc=myCompany,dc=MyDomain nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=aUser,ou=People,dc=myCompany,dc=MyDomain attr:

=> acl_mask: access to entry
attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: uid=root,ou=People,dc=myCompany,dc=MyDomain
=> string_expand: pattern:
=> string_expand: expanded:
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: auth access denied by =n
send_ldap_result: conn=4 op=3 p=3
send_ldap_result: err=50 matched="" text=""
send_ldap_response: msgid=4 tag=97 err=50
pam_ldap: error trying to bind as user
"uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)
conn=4 op=3 RESULT tag=97 err=50 text=
====> cache_return_entry_r( 121 ): returned (0)

Vuko Brigljevic                                           |
Rudjer Boskovic Institute                                 |
--------------------------------------------------------- |
Mail Address: Bijenicka cesta 54, P.O.B. 180              |
               10002 Zagreb Croatia                        |
Phone       : +385-1- 468 0204                            |
www         : http://cern.ch/vuko                         |
One Word to rule them all, One Explorer to find them,
One Windows to bring them all and in the darkness bind them