
Re: Secret not in database



Seau Yeen Su wrote:
> authz-regexp uid=(.*),cn=digest-md5,cn=auth
> cn=Manager,dc=synamatixdev,dc=com

Without trying myself, this IMO maps *every* user authenticated by SASL bind
with DIGEST-MD5 to the account cn=Manager,dc=synamatixdev,dc=com. If that's a
privileged account, this is very dangerous!

I had overlooked the malformed HTTP URLs in your authz-regexp. You should try
something like this (all in one line):

authz-regexp
"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth"
  "ldap:///ou=schulung,dc=stroeder,dc=local??sub?(uid=$1)"

Add users with attribute 'uid' set and clear-text password in attribute
'userPassword' and you're done.

> However, when I tried to add my users using LDIF format, I encountered
> some problems.
> 
> First, it's the schema issue. When I included the inetorgperson schema, it
> kept on throwing messages about certain audio, homePhone objectClass
> structural objects not existing. So, I removed all those objects LDAP
> complained about and I managed to start my slapd.

You should not tweak schema files installed by OpenLDAP's 'make install'. You
should rather import them in the right order because some depend on others.

> After that, when I tried to add my user with the LDIF format as below:
> 
> dn: ou=people,dc=synamatixdev,dc=com
> ou: people
> objectClass: organizationalunit
> objectClass: inetorgperson
> 
> dn: uid=user1,ou=people,dc=synamatixdev,dc=com
> uid: user1
> cn: Mary
> cn: Mary Terry
> objectClass: inetorgperson
> objectClass: account
> objectClass: top
> objectClass: shadowAccount
> sn: Terry
> userPassword: user123
> 
> I received the error message below when I tried to add it with slapadd:
> str2entry: invalid value for attributeType objectClass #1 (syntax
> 1.3.6.1.4.1.1466.115.121.1.38)

That means that one of the object classes used is not present in the schema,
here 'account' I guess. Also note that 'inetOrgPerson' and 'account' are both
STRUCTURAL with different inheritance chains and therefore cannot be used
together. Simply use this one:

------------------------------ snip ------------------------------
dn: uid=user1,ou=people,dc=synamatixdev,dc=com
uid: user1
cn: Mary
cn: Mary Terry
objectClass: top
objectClass: inetorgperson
sn: Terry
userPassword: user123

------------------------------ snip ------------------------------

> I am not very sure about the objectClasses allowed for OpenLDAP 2.3.27.
> Why does it say there's an invalid value for attributeType? Please help,
> thanks!

Maybe you did not include the schema file where the object class used in your
entry is defined.

Ciao, Michael.
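To make the two points in the reply above concrete (what the authz-regexp line does with a SASL identity, and why the posted entries fail the STRUCTURAL objectClass rule), here is an added Python model of both. It is not OpenLDAP code and never talks to a slapd: it assumes full-match semantics for the regexp (a simplification of this example) and hand-codes a small subset of core.schema, cosine.schema, inetorgperson.schema and nis.schema (only which classes are STRUCTURAL, AUXILIARY or ABSTRACT and what their superior is; attribute types are ignored). The names DANGEROUS_RULE, SAFE_RULE, SCHEMA_FILES, map_authz_id, load_schema, check_object_classes and check_entries are this example's own; the rules and objectClass values are the ones quoted in the thread.

```python
import re

# Added example, not OpenLDAP code: a small Python model of the two things
# discussed in this thread, (1) what an authz-regexp line does with a SASL
# authorization identity and (2) why the posted LDIF entries are rejected.
# slapd is modelled, not run; every assumption is marked as such.

# (1) authz-regexp: the rule from the original post and the corrected rule.
DANGEROUS_RULE = (r"uid=(.*),cn=digest-md5,cn=auth",
                  "cn=Manager,dc=synamatixdev,dc=com")
SAFE_RULE = (r"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth",
             "ldap:///ou=schulung,dc=stroeder,dc=local??sub?(uid=$1)")


def map_authz_id(authz_id, rule):
    """Return the DN or LDAP URL the rule maps authz_id to, or None on no match.

    Assumption of this model: the whole identity must match (re.fullmatch) and
    $1..$9 in the replacement stand for the capture groups, as in slapd.conf(5).
    """
    pattern, template = rule
    m = re.fullmatch(pattern, authz_id)
    if m is None:
        return None
    for i, group in enumerate(m.groups(), start=1):
        template = template.replace("$%d" % i, group)
    return template


# (2) objectClass checks against a hand-coded subset of the standard schema
# files (assumption: enough for the entries in the post; attribute types and
# MUST/MAY lists are ignored). kind: S = STRUCTURAL, A = AUXILIARY, B = ABSTRACT.
SCHEMA_FILES = {
    "core.schema": {"top": ("B", None), "person": ("S", "top"),
                    "organizationalperson": ("S", "person"),
                    "organizationalunit": ("S", "top")},
    "cosine.schema": {"account": ("S", "top")},
    "inetorgperson.schema": {"inetorgperson": ("S", "organizationalperson")},
    "nis.schema": {"shadowaccount": ("A", "top")},
}


def load_schema(include_order):
    """Merge schema files in include order; a class's superior must already be known."""
    schema = {}
    for name in include_order:
        for oc, (kind, sup) in SCHEMA_FILES[name].items():
            if sup is not None and sup not in schema:
                raise ValueError("%s: superior %r of %r not defined yet" % (name, sup, oc))
            schema[oc] = (kind, sup)
    return schema


def check_object_classes(classes, schema):
    """Return the problems an entry's objectClass values would cause."""
    problems, structural = [], []
    for oc in classes:
        key = oc.lower()
        if key not in schema:
            problems.append("objectClass %r not in loaded schema" % oc)
        elif schema[key][0] == "S":
            structural.append(key)

    def chain(oc):  # oc followed by all of its superiors
        out = []
        while oc is not None:
            out.append(oc)
            oc = schema[oc][1]
        return out

    # Several STRUCTURAL classes are allowed only if they lie on one chain
    # (person + inetOrgPerson); inetOrgPerson + account are two chains.
    leaves = [oc for oc in structural
              if not any(oc != other and oc in chain(other) for other in structural)]
    if len(leaves) > 1:
        problems.append("more than one structural objectClass chain: "
                        + ", ".join(sorted(leaves)))
    return problems


# The objectClass values of the two entries from the post (constructed sample).
POSTED_ENTRIES = {
    "ou=people,dc=synamatixdev,dc=com": ["organizationalunit", "inetorgperson"],
    "uid=user1,ou=people,dc=synamatixdev,dc=com":
        ["inetorgperson", "account", "top", "shadowAccount"],
}


def check_entries(entries, include_order):
    """Map each DN to the problems its objectClass values cause under the given includes."""
    schema = load_schema(include_order)
    return {dn: check_object_classes(classes, schema) for dn, classes in entries.items()}
```

With the posted rule, every identity, uid=* included, comes out as cn=Manager; with the corrected rule the [a-zA-Z0-9]+ class not only picks the right user but also refuses identities such as uid=a)(objectClass=* that a (.*) capture would splice straight into the (uid=$1) search filter. On the schema side, check_entries reports two STRUCTURAL chains for both posted entries (organizationalUnit + inetOrgPerson, inetOrgPerson + account) and nothing for top + inetOrgPerson, and load_schema raises if inetorgperson.schema is included before core.schema because organizationalPerson is not defined yet, which is the include-order point. The real slapd complaint about audio and homePhone is about attribute types from cosine.schema that inetorgperson.schema needs, which this model does not cover.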