
Re: AIX as openldap client

Hi Stef,

olcAccess: to dn.subtree="ou=People,dc=test,dc=intra"
   by dn="cn=admin,dc=example,dc=com" write
   by anonymous auth
   by self write
   by * auth
olcAccess: to attrs=userPassword,shadowLastChange
   by dn="cn=admin,dc=test,dc=intra" write
   by anonymous auth
   by * none

- I can see here that you somehow changed the olcRootDN in the first
ACL, which doesn't fit the baseDN defined
- I wouldn't use the 2nd ACL, because all that is necessary is done in the
first one (as far as userPassword/shadow* is only used in the people

I'll show you one example from my tree:

olcAccess: {0}to attrs=userPassword,shadowLastChange
   by dn="cn=ldapadm,dc=example,dc=de" write
   by anonymous auth
   by self write
   by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=ldapadm,dc=example,dc=de" write by * read

Please check if that is going to work for you.

Bye, Benjamin.

PS: I am doing anonymous binds for logins from the AIX LDAP-Clients to
the OpenLDAP-Server. Right now I am fiddling around with SSL and the

On Mon, Nov 15, 2010 at 13:27, Stef Coene <stef.coene@docum.org> wrote:
> On Monday 15 November 2010, Benjamin Griese wrote:
>> Hello,
>> I just wanted to point you to the official guides from IBM on how to
>> configure your AIX ldap client, which worked fine for me, except for
>> sudo-ldap, but that's another topic.
>> Section 7: http://www.redbooks.ibm.com/redbooks/pdfs/sg247165.pdf
> I have read the redbook.
> What ldap server are you running?  I'm using ubuntu server 10.04.
> I think my problem is that I can not bind to the ldap server as a regular user
> with the ldapsearch command.  I can only bind as the admin specified as
> olcRootDN with password olcRootPW.
> I attached the 2 ldif files I use to configure the ldap server.  I hope that
> someone can find an error in it ....
> I also noted that the  userPassword entry for cn=admin,dc=axi,dc=intra is not
> encrypted.  How can I generate an encrypted password?  Can this be a {SHA} or
> has it to be a {SSHA}?
> Stef

To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
be is to do -- Sartre | Do be do be do -- Sinatra
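Stef's question about the cleartext userPassword for the admin entry (and whether to use {SHA} or {SSHA}) comes up often, so here is an added example, not from either poster, of how OpenLDAP's {SSHA} value is built and checked; it produces the same format as `slappasswd -h "{SSHA}"`, and all names in it are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None, salt_len: int = 8) -> str:
    """Return an OpenLDAP-style {SSHA} userPassword value.

    Layout is '{SSHA}' + base64( SHA1(password || salt) || salt ), so the
    salt travels with the hash and can be recovered when verifying.
    A random salt is drawn unless one is supplied (supplying one is only
    useful for reproducible tests).
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False  # no salt present: malformed value
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time compare so a mismatch position leaks no timing signal
    return hmac.compare_digest(digest, expected)


def password_scheme(value: str) -> Optional[str]:
    """Return the '{SCHEME}' prefix of a userPassword value, or None when the
    attribute holds cleartext (the situation Stef noticed on his admin entry)."""
    if value.startswith("{") and "}" in value:
        return value[: value.index("}") + 1].upper()
    return None
```

`{SHA}` is the same construction without the salt, so two accounts with the same password would store identical values; `{SSHA}` avoids that, which is why it is the usual choice.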