Re: Secret not in database
Seau Yeen Su wrote:
> authz-regexp uid=(.*),cn=digest-md5,cn=auth
> cn=Manager,dc=synamatixdev,dc=com
Without trying it myself, this IMO maps *every* user authenticated by SASL bind
with DIGEST-MD5 to the account cn=Manager,dc=synamatixdev,dc=com. If that's a
privileged account this is very dangerous!
I had overlooked the malformed HTTP URLs in your authz-regexp. You should try
something like this (all in one line):
authz-regexp "uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth" "ldap:///ou=schulung,dc=stroeder,dc=local??sub?(uid=$1)"
Add users with attribute 'uid' set and clear-text password in attribute
'userPassword' and you're done.
> However, when I tried to add my users using LDIF format, I encountered
> some problems.
>
> First, it's the schema issue. When I included the inetorgperson schema, it
> kept on throwing messages about certain audio, homePhone objectClass
> structural objects not existing. So, I removed all those objects ldap
> complains about and I managed to start my slapd.
You should not tweak schema files installed by OpenLDAP's 'make install'. You
should rather import them in the right order because some depend on others.
> After that, when I tried to add my user with the LDIF format as below:
>
> dn: ou=people,dc=synamatixdev,dc=com
> ou: people
> objectClass: organizationalunit
> objectClass: inetorgperson
>
> dn: uid=user1,ou=people,dc=synamatixdev,dc=com
> uid: user1
> cn: Mary
> cn: Mary Terry
> objectClass: inetorgperson
> objectClass: account
> objectClass: top
> objectClass: shadowAccount
> sn: Terry
> userPassword: user123
>
> I receive the error message below when I tried to add with slapadd:
> str2entry: invalid value for attributeType objectClass #1 (syntax
> 1.3.6.1.4.1.1466.115.121.1.38)
That means that one of the object classes used is not present in the schema,
here 'account' I guess. Also note that 'inetOrgPerson' and 'account' are both
STRUCTURAL with different inheritance chains and therefore cannot be used
together. Simply use this one:
------------------------------ snip ------------------------------
dn: uid=user1,ou=people,dc=synamatixdev,dc=com
uid: user1
cn: Mary
cn: Mary Terry
objectClass: top
objectClass: inetorgperson
sn: Terry
userPassword: user123
------------------------------ snip ------------------------------
> I am not very sure about the objectClass allowed for OpenLDAP 2.3.27.
> Why does it say there's an invalid value for attributeType? Please help,
> thanks!
Maybe you did not include the schema file where the object class used in your
entry is defined.
Ciao, Michael.
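The mapping Michael warns about, as an added example (this is not code from the thread or from OpenLDAP): a small Python model of how slapd applies authz-regexp rules, run over the rule from the original post and over the corrected one. It assumes slapd first builds the DN uid=<authcid>,cn=<mechanism>,cn=auth, tries the rules in configuration order with unanchored, case-insensitive matching, stops at the first match and expands $1..$9 from the capture groups. The search base ou=people,dc=synamatixdev,dc=com and the identities alice, bob, mallory and mary.terry are constructed for the example.

```python
"""Model of slapd's authz-regexp processing for a SASL identity.

Added example, not code from the thread or from OpenLDAP.  Assumed
behaviour: the SASL authcid becomes uid=<authcid>,cn=<mech>,cn=auth,
rules are tried in order, unanchored and case-insensitive, the first
match wins and $1..$9 in the replacement are the capture groups.
"""
import re
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (regexp, replacement DN or LDAP URL)

# The rule from the original post: '.*' accepts every authcid and the
# replacement is one fixed, privileged DN.
DANGEROUS_RULES: List[Rule] = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "cn=Manager,dc=synamatixdev,dc=com"),
]

# The corrected shape: a per-user search URL built from $1, and a uid
# character class that refuses anything but plain alphanumerics.
# Search base is an assumption for this example.
SAFE_RULES: List[Rule] = [
    (r"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth",
     "ldap:///ou=people,dc=synamatixdev,dc=com??sub?(uid=$1)"),
]


def sasl_authcid_to_dn(authcid: str, mech: str) -> str:
    """DN form slapd gives a SASL identity before any rewriting."""
    return f"uid={authcid},cn={mech.lower()},cn=auth"


def expand(replacement: str, m: re.Match) -> str:
    """Substitute $1..$9 in the replacement with the capture groups."""
    return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)


def map_identity(rules: List[Rule], authcid: str, mech: str) -> str:
    """Return the authorization DN/URL the first matching rule produces.

    If no rule matches, the identity stays uid=...,cn=auth, which names
    no entry in the directory (the safe failure)."""
    dn = sasl_authcid_to_dn(authcid, mech)
    for pattern, replacement in rules:
        m = re.search(pattern, dn, re.IGNORECASE)
        if m:
            return expand(replacement, m)
    return dn


def targets_for(rules: List[Rule], identities: List[str],
                mech: str = "DIGEST-MD5") -> Dict[str, List[str]]:
    """Group identities by the DN/URL they are mapped to; a single key
    holding every identity is the 'everyone becomes Manager' case."""
    out: Dict[str, List[str]] = {}
    for authcid in identities:
        out.setdefault(map_identity(rules, authcid, mech), []).append(authcid)
    return out


def fixed_targets(rules: List[Rule]) -> List[str]:
    """Config audit: replacements without any $N map every identity the
    pattern matches to the same DN or URL.  Review each one found."""
    return [r for _, r in rules if not re.search(r"\$[1-9]", r)]


if __name__ == "__main__":
    users = ["alice", "bob", "mallory"]
    print("dangerous:", targets_for(DANGEROUS_RULES, users))
    print("safe:     ", targets_for(SAFE_RULES, users))
    print("unmatched:", map_identity(SAFE_RULES, "mary.terry", "DIGEST-MD5"))
    print("audit:    ", fixed_targets(DANGEROUS_RULES))
```

The dotted uid shows the other side of the tightened character class: an identity the regexp does not match keeps its uid=...,cn=auth form and so binds as no entry at all, which is the safe failure, but one to know about before users with dots or hyphens in their names appear.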
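The schema point about STRUCTURAL classes, as an added example (not from the thread or from OpenLDAP): a Python check that reads the LDIF posted above and reports, per entry, object classes that are not in the loaded schema and combinations of STRUCTURAL classes that do not lie on one superclass chain, which is what slapd's schema check refuses. The schema table is a hand-written subset (only class names, kinds and superiors as they appear in the core, cosine, nis and inetorgperson schema files, nothing else). The ou=people entry is included because it has the same problem as the user entry, and the check is run a second time with 'account' removed from the table to show what an unloaded schema file looks like.

```python
"""Object-class sanity check for LDIF entries.

Added example, not from the thread or from OpenLDAP.  SCHEMA is a
hand-written subset of the real schema files: name -> (kind, superior).
"""
from typing import Dict, List, Optional, Tuple

Schema = Dict[str, Tuple[str, Optional[str]]]

SCHEMA: Schema = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalperson": ("STRUCTURAL", "person"),
    "inetorgperson": ("STRUCTURAL", "organizationalperson"),
    "account": ("STRUCTURAL", "top"),            # cosine.schema
    "organizationalunit": ("STRUCTURAL", "top"),
    "shadowaccount": ("AUXILIARY", "top"),        # nis.schema
}

# The two entries from the original post (constructed copy).
BROKEN_LDIF = """dn: ou=people,dc=synamatixdev,dc=com
ou: people
objectClass: organizationalunit
objectClass: inetorgperson

dn: uid=user1,ou=people,dc=synamatixdev,dc=com
uid: user1
cn: Mary
cn: Mary Terry
objectClass: inetorgperson
objectClass: account
objectClass: top
objectClass: shadowAccount
sn: Terry
userPassword: user123
"""

# The corrected user entry from the reply.
FIXED_LDIF = """dn: uid=user1,ou=people,dc=synamatixdev,dc=com
uid: user1
cn: Mary
cn: Mary Terry
objectClass: top
objectClass: inetorgperson
sn: Terry
userPassword: user123
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, skips comments,
    returns one {attribute: [values]} dict per record (names lower-cased)."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    for line in unfolded + [""]:
        if not line.strip():
            if entry:
                records.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return records


def superclass_chain(name: str, schema: Schema) -> List[str]:
    """Class followed by its superiors up to top."""
    chain: List[str] = []
    cur: Optional[str] = name
    while cur is not None:
        chain.append(cur)
        cur = schema[cur][1]
    return chain


def objectclass_problems(entry: Dict[str, List[str]], schema: Schema = SCHEMA) -> List[str]:
    problems: List[str] = []
    known: List[str] = []
    for c in (v.lower() for v in entry.get("objectclass", [])):
        if c in schema:
            known.append(c)
        else:
            problems.append(f"unknown objectClass '{c}' (schema file not loaded?)")
    structural = [c for c in known if schema[c][0] == "STRUCTURAL"]
    if not structural:
        problems.append("no STRUCTURAL objectClass")
        return problems
    # The most derived structural class must have every other structural
    # class among its ancestors; otherwise the entry has two chains.
    leaf = max(structural, key=lambda c: len(superclass_chain(c, schema)))
    ancestors = set(superclass_chain(leaf, schema))
    for c in structural:
        if c not in ancestors:
            problems.append(f"STRUCTURAL classes '{leaf}' and '{c}' are on different chains")
    return problems


def check_ldif(text: str, schema: Schema = SCHEMA) -> Dict[str, List[str]]:
    """Map each entry's DN to its list of problems (empty list = clean)."""
    return {e["dn"][0]: objectclass_problems(e, schema) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, probs in check_ldif(BROKEN_LDIF).items():
        print(dn, "->", probs or "ok")
    without_cosine = {k: v for k, v in SCHEMA.items() if k != "account"}
    print(check_ldif(BROKEN_LDIF, without_cosine))
    print(check_ldif(FIXED_LDIF))
```

Running it with the full table reports the two-chain conflict on both posted entries; dropping 'account' from the table turns the user entry's report into the unknown-class message, which is the situation Michael guesses at when the cosine schema has not been included.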