
Re: Bind using a user other than organizationalRole user
On Tuesday, 6 April 2010 19:28:27 Marcelo de Moraes Serpa wrote:
> Hello list,
> 
> I have a local OpenLDAP server with a couple of users. I'm using it for
> development purposes, here's the ldif:
> 
> #Top level - the organization
> dn: dc=site, dc=com
> dc: site
> description: OneLogin LLC
> objectClass: dcObject
> objectClass: organization
> o: OneLogin LLC
> 
> #Top level - manager
> dn: cn=Manager, dc=site, dc=com
> objectClass: organizationalRole
> cn: Manager
> 
> #Second level - organizational units
> dn: ou=people, dc=site, dc=com
> ou: people
> description: All people in the organization
> objectClass: organizationalunit
> 
> dn: ou=groups, dc=site, dc=com
> ou: groups
> description: All groups in the organization
> objectClass: organizationalunit
> 
> #Third level - people
> dn: uid=celoserpa, ou=people, dc=site, dc=com
> objectclass: pilotPerson
> objectclass: uidObject
> uid: celoserpa
> cn: Marcelo de Moraes Serpa
> sn: de Moraes Serpa
> userPassword: secret_12345
> mail: marcelo@site.com
> 
> So far, so good. I can bind with "cn=Manager,dc=site,dc=com" and the
> 12345678 password (the local server password, setup on slapd.conf).

Hashed or clear?

> However, I would like to bind with any user under the people OU. In this
> case, I'd like to bind with:
>   dn: uid=celoserpa, ou=people, dc=site, dc=com
>   userPassword: secret_12345
> 
> But I'm getting a (49) - Invalid Credentials error every time. I have tried
> through CLI tools (such as ldapadd, ldapwhoami, etc.) and also ruby/ldap.

Can you supply your ldapwhoami command line and the exact error message?

> The bind with these credentials fails with an invalid credentials error.
> 
> I was suspecting that maybe OpenLDAP doesn't compare against userPassword?

No. It could be that your build doesn't allow cleartext values for 
userPassword. You could try with a hashed value (created with slappasswd), or 
verify that your build allows cleartext (configure option: --enable-cleartext).

> Or maybe some ACL configuration I am missing that is somehow affecting the
> read access to userPassword for the specific DN.

If it is not that your build doesn't allow cleartext, then it's probably ACLs, 
but since you didn't include your ACL configuration this can't be answered 
definitively. And, it is actually "auth" access that is sufficient.

> I'm really lost here, any suggestion appreciated!

Can't provide more help without more information.

Regards,
Buchan
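The reply above suggests storing a hashed userPassword (as slappasswd produces) instead of a cleartext one, and notes that a simple bind only needs "auth" access to the attribute. The following is an added example, not part of the thread and not OpenLDAP's own code: it shows what a {SSHA} value looks like, how a server-side password check against that value works (the comparison slapd performs on bind, which never returns the hash to the client), and how to emit the LDIF modify that replaces the cleartext value. The DN and password are the constructed sample values from the quoted LDIF; the function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials, taken from the LDIF quoted in the thread.
SAMPLE_DN = "uid=celoserpa,ou=people,dc=site,dc=com"
SAMPLE_PASSWORD = "secret_12345"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} userPassword value in the format `slappasswd -h {SSHA}` emits.

    SSHA is SHA-1 over (password || salt); the 4-byte salt is appended to the
    20-byte digest and the whole thing is base64-encoded. The salt is random
    unless supplied, so two calls for the same password yield different values.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_userpassword(stored: str, candidate: str) -> bool:
    """Verify a bind password against a stored userPassword value.

    Supports the {SSHA} scheme and a value with no scheme prefix, which slapd
    treats as cleartext (and accepts only when the build allows cleartext
    passwords). Other schemes raise so a caller cannot silently accept them.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        # Constant-time comparison: the server, not the client, decides.
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{"):
        raise ValueError("unsupported userPassword scheme: " + stored[: stored.index("}") + 1])
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def replace_userpassword_ldif(dn: str, hashed: str) -> str:
    """Build the LDIF `changetype: modify` that swaps a cleartext value for the hash."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {hashed}\n"
    )


if __name__ == "__main__":
    hashed = ssha_hash(SAMPLE_PASSWORD)
    print(replace_userpassword_ldif(SAMPLE_DN, hashed))
    print("bind with correct password:", check_userpassword(hashed, SAMPLE_PASSWORD))
    print("bind with wrong password:  ", check_userpassword(hashed, "not-the-password"))
```

The emitted LDIF can be applied with `ldapmodify` as the rootdn, after which the bind can be checked with `ldapwhoami -x -H ldap://localhost -D "uid=celoserpa,ou=people,dc=site,dc=com" -W`. For the bind to succeed the ACL must grant at least `auth` on the attribute, for example `access to attrs=userPassword by self write by anonymous auth by * none`; note that `auth` lets slapd compare against the value without ever disclosing it, which is why read access is not needed.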