
Re: Useless ldapwhoami behavior?

Jaap Winius wrote:
> Hi all,
> The utility of the "ldapwhoami" tool is a mystery to me. As opposed to
> the usual Unix "whoami" command, which prints the effective userid,
> "ldapwhoami" doesn't seem to print the matching LDAP DN... at least not
> for me.

[originally intended reply]
I'll just shoot here, but isn't it because this command works only for
SASL-related stuff [authzid]? Thus some appropriate stuff like rewriting
[?] is needed in slapd.conf etc.?
I'm not familiar with SASL or this command, but that's what I've got
from the man page.
[/originally ...]
None of it is probably true.

> My test setup includes an OpenLDAP server and a separate client. The
> server's slapd.conf includes these ACLs:
>    access to attrs=userPassword,shadowLastChange
>            by dn="cn=admin,dc=umrk,dc=nl" write
>            by anonymous auth
>            by self write
>            by * none

### ACL
## Users can change their own passwords. Other users can attempt to
## authenticate, but can't read the userPassword value.
access to attrs=userPassword
     by ssf=128 self write
     by ssf=64 * auth

>    access to dn.base=""
>            by * read
>    access to *
>            by dn="cn=admin,dc=umrk,dc=nl" write
>            by * read

I have +'by anonymous auth' here.

> My LDAP DIT includes an account for a normal user with a password.
> Without any problem I can use this to log in to the client host, but when
> I want to test, or verify, the account's LDAP DN, all I get is this:
>    ~$ ldapwhoami -x
>    anonymous
>    ~$ _

I get the same result.

> Even stranger, if I supply the account's DN and password (although this
> would seem a useless thing to do, since it's the very same info I'm
> asking for), I get this error:
>    ~$ ldapwhoami -x -D "cn=testuser,dc=umrk,dc=nl" -w testpass
>    ldap_bind: Invalid credentials (49)
>    ~$ _

However, this works for me and returns the correct DN. We're using
nss-ldap and nscd.
About -D being "useless": no, it's not. LDAP is not all-knowing and it
can't tell if it is "cn=testuser,dc..." or "uid=testuser,dc..." or
"uid=testuser,ou=people,..." and so on and so forth.
But it depends on how and with "what" % ldapwhoami; works. Probably
somebody else will clarify this one (?).

> On the other hand, this does work if I supply the admin DN and password:
>    ~$ ldapwhoami -x -D "cn=admin,dc=umrk,dc=nl" -w adminpass
>    dn:cn=admin,dc=umrk,dc=nl
>    ~$ _
> The "ldapsearch" command is the same: I can get a response when binding
> anonymously ("-x"), as well as when binding as the admin user, but not
> when I use a normal user account, which results in the same error 49 as
> above.

It sounds to me like you've misconfigured an ACL somewhere. If you have
only these three ACLs, how about starting over? Comment them out and add
them back one by one. I know it's not the straight solution, but-

> This behavior seems rather useless to me. Surely I've made a mistake
> somewhere. Can anyone say what it might be?
> Thanks,
> Jaap


Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
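The error 49 in the thread turns on how slapd walks its ACLs during a simple bind: the connection is still anonymous at that moment, and it needs `auth` access to the bind DN's `userPassword`, so the first matching `access to` rule and the first matching `by` clause in it decide. The toy evaluator below is an added example, not part of the thread and not OpenLDAP's code; it models that first-match evaluation plus the `ssf=` gate from the reply, and runs the ACLs quoted above against it offline. The `MISORDERED_ACL` variant (with `by anonymous auth` dropped) and the `cn=other,dc=umrk,dc=nl` DN are constructed for the example, and denying when no rule matches at all is a simplification of the model.

```python
"""Toy model of slapd.conf access-control evaluation (added example, not
OpenLDAP's code). Rules are tried in order and the first whose target matches
wins; inside it the first matching 'by' clause decides; if no clause matches,
access is denied. A simple bind is the still-anonymous session asking for
'auth' on the userPassword of the DN it binds as."""
import shlex
# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Return [(target, [(who, level, min_ssf), ...]), ...]; comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)                 # unquotes dn="cn=admin,..."
        if toks[:2] == ["access", "to"] and len(toks) == 3:
            rules.append((toks[2], []))
        elif toks[0] == "by" and rules:
            ssf, toks = 0, toks[1:]
            if toks[0].startswith("ssf="):       # 'by ssf=N <who> <level>'
                ssf, toks = int(toks[0][4:]), toks[1:]
            who, level = toks
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            rules[-1][1].append((who, level, ssf))
        else:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
    return rules

def _target_matches(target, target_dn, attr):
    if target == "*":
        return True
    if target.startswith("attrs="):    # attribute rules never match entry-level access
        return attr is not None and attr.lower() in target[6:].lower().split(",")
    if target.startswith("dn.base="):  # exact match on the entry DN; '' is the root DSE
        return target_dn.lower() == target[8:].lower()
    raise ValueError(f"unsupported <what> {target!r}")

def _who_matches(who, min_ssf, requester_dn, target_dn, ssf):
    if ssf < min_ssf:                  # clause applies only on a strong enough session
        return False
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester_dn.lower() == who[3:].lower()
    raise ValueError(f"unsupported <who> {who!r}")

def granted(rules, requester_dn, target_dn, attr=None, ssf=0):
    """Level requester_dn ('' = anonymous) gets on target_dn or one of its attributes."""
    for target, clauses in rules:
        if _target_matches(target, target_dn, attr):
            for who, level, min_ssf in clauses:
                if _who_matches(who, min_ssf, requester_dn, target_dn, ssf):
                    return level
            return "none"              # rule matched but no 'by' clause did
    return "none"                      # toy simplification: no rule matched -> deny

def simple_bind_allowed(rules, bind_dn, ssf=0):
    """Simple bind needs at least 'auth' on the bind DN's userPassword for the anonymous session."""
    level = granted(rules, "", bind_dn, "userPassword", ssf)
    return LEVELS.index(level) >= LEVELS.index("auth")

# ACLs as quoted in the thread (DNs as posted).
THREAD_ACL = """
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=umrk,dc=nl" write
        by anonymous auth
        by self write
        by * none
access to dn.base=""
        by * read
access to *
        by dn="cn=admin,dc=umrk,dc=nl" write
        by * read
"""
# Constructed variant with 'by anonymous auth' dropped: anonymous falls through to 'by * none'.
MISORDERED_ACL = THREAD_ACL.replace("by anonymous auth\n", "by * none\n", 1)
# The replier's ssf-gated rule from the message above.
SSF_ACL = """
access to attrs=userPassword
     by ssf=128 self write
     by ssf=64 * auth
"""
if __name__ == "__main__":
    user, other = "cn=testuser,dc=umrk,dc=nl", "cn=other,dc=umrk,dc=nl"
    rules = parse_acl(THREAD_ACL)
    print("bind as testuser:", simple_bind_allowed(rules, user))
    print("testuser on other's userPassword:", granted(rules, user, other, "userPassword"))
    print("bind, ACL without 'by anonymous auth':", simple_bind_allowed(parse_acl(MISORDERED_ACL), user))
    print("bind, ssf ACL, cleartext:", simple_bind_allowed(parse_acl(SSF_ACL), user, ssf=0))
    print("bind, ssf ACL, TLS ssf=128:", simple_bind_allowed(parse_acl(SSF_ACL), user, ssf=128))
```

With the quoted ACL the model lets `cn=testuser` bind (anonymous reaches `by anonymous auth` before `by * none`) and still denies that user any access to another entry's `userPassword`, which is the intended shape; with the replier's `ssf=` rule the same bind is refused on a cleartext session and accepted once the session strength reaches 64. If a real server still answers 49 for an ACL like this, the model says the ACL is not where to look, which matches the "start over and add them back one by one" advice above.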