
Re: ldap auth does not works after openldap upgrade



On Tue, Feb 15, 2011 at 02:52:19PM -0200, Leonardo Carneiro wrote:

> #######################################################################
> # Specific Directives for database #1, of type bdb:
> # Database specific directives apply to this database until another
> # 'database' directive occurs
> database        bdb
> 
> # The base of your directory in database #1
> suffix dc=dominio,dc=com,dc=br

OK so far, but this is your complete set of ACLs:

> # The userPassword by default can be changed
> # by the entry owning it if they are authenticated.
> # Others should not be able to see it, except the
> # admin entry below
> # These access lines apply to database #1 only
> #access to * by anonymous read
> #        by dn="cn=root,dc=dominio,dc=com,dc=br" write
> #        by anonymous auth
> #        by self write
> #        by * none
> 
> 
> # Ensure read access to the base for things like
> # supportedSASLMechanisms.  Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
> 
> ######### This last entry was commented out. I uncommented it to check if it
> would change anything, but it didn't.
> 
> # The admin dn has full write access, everyone else
> # can read everything.
> #access to *
> #       by dn="cn=admin,dc=nodomain" write
> #        by * read
> 
> # For Netscape Roaming support, each user gets a roaming
> # profile for which they have write access to
> #access to dn=".*,ou=Roaming,o=morsnet"
> #        by dn="cn=admin,dc=nodomain" write
> #        by dnattr=owner write

... so all you have is anon access to the null DN.

The commented-out userPassword clause is getting close, but
does not actually control userPassword...

I suggest you add this after the 'access to dn.base="" by * read' line:

access to attrs="userPassword"
        by self =w
        by * auth

access to * by * read


Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
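The two rules Andrew's diagnosis rests on (the first matching 'access to' clause wins, and within it the first matching 'by' clause; anything unmatched gets nothing) modelled in Python over the poster's effective ACL set and the suggested one. This is an added example, not code from the thread or from OpenLDAP, and it covers only the ACL syntax that appears above; the user DNs are constructed under the thread's suffix.

```python
# Added example (not from the thread or OpenLDAP): a minimal model of how
# slapd chooses an ACL, limited to the syntax used above. The first
# 'access to' clause whose target matches is used, and within it the first
# matching 'by' clause; anything unmatched gets no access (slapd's read-to-
# all default applies only to a database with no ACLs at all).
LEVELS = {"none": set(), "auth": {"x"}, "compare": {"x", "c"},
          "search": {"x", "c", "s"}, "read": {"x", "c", "s", "r"},
          "write": {"x", "c", "s", "r", "w"}}

def privileges(level):
    # "=w" grants exactly the listed letters; named levels are cumulative
    return set(level[1:]) if level.startswith("=") else LEVELS[level]

def who_matches(who, bind_dn, target_dn):
    if who == "*": return True
    if who == "anonymous": return bind_dn == ""
    if who == "self": return bind_dn != "" and bind_dn == target_dn
    if who.startswith('dn="'): return bind_dn == who[4:-1]
    raise ValueError(f"unsupported 'by' clause: {who}")

def target_matches(what, target_dn, attr):
    if what == "*": return True
    if what == 'dn.base=""': return target_dn == ""   # root DSE only
    if what.startswith("attrs="):
        return attr in what[6:].strip('"').split(",")
    raise ValueError(f"unsupported 'access to' target: {what}")

def access(acls, bind_dn, target_dn, attr):
    """Privilege letters bind_dn holds on attr of the entry target_dn."""
    for what, by_clauses in acls:
        if target_matches(what, target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, bind_dn, target_dn):
                    return privileges(level)
            return set()   # clause matched but no 'by' did
    return set()           # no clause matched

def can_bind(acls, user_dn):
    # A simple bind is evaluated as anonymous: it needs 'auth' (x) on the
    # user's own userPassword before any identity exists.
    return "x" in access(acls, "", user_dn, "userPassword")

# Constructed DNs under the thread's suffix (hypothetical entries)
USER = "uid=leonardo,ou=people,dc=dominio,dc=com,dc=br"
OTHER = "uid=someone,ou=people,dc=dominio,dc=com,dc=br"
# The poster's effective ACLs: only the null-DN rule was uncommented
ORIGINAL = [('dn.base=""', [("*", "read")])]
# Andrew's suggestion, appended after that rule
FIXED = ORIGINAL + [('attrs="userPassword"', [("self", "=w"), ("*", "auth")]),
                    ("*", [("*", "read")])]
```

With the original set a simple bind fails because no clause reaches userPassword; with the suggested set anonymous gets auth-only on it, the owner can change but not read it, and everything else stays readable.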