[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap-2.4.33 bind problem

To: "Darouichi, Aziz" <adarouic@post03.curry.edu>
Subject: Re: Openldap-2.4.33 bind problem
From: Clément OUDOT <clem.oudot@gmail.com>
Date: Fri, 19 Jul 2013 09:08:35 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=RGmvLxZ5S+bshSRGhx92xhiWnEExdNVvxlzuEEtKH5s=; b=fcVCWwvoKjfKvK0EKSppMrfMjNji08Da59wovKq87Q/P6iOfHgc/lRd5jtjpLwR9O9 3BOqG7mn+Gw5zHuh1+fQpYCMcF+deRgT4gOIF48WnmaZhsganHkiQmw3nBZyM2UyJ8Xi j4bCuv0xI/QYKRFac1vlTHuberSjsq/nuEW1ytmxjmVYwezp+LPOKos9AACWxkS0w+iO O7LSvC/jjCq/1HhYeoO2Fr41TJ94ognE+5jy1D05DXK+yNnytFk1VTGzwXtJVtZCiUKP mh2s44QiTxRKGo6lTH5Y5sPU3ansWS6p4kz+7uYhrqP3puaHXoqHOhXMkT2J6i+0v2Tp 5wxw==
In-reply-to: <2398337E30371A47B556742B49C7805B644A88E9A7@EXCCRMBX01.Currynet.local>
References: <2398337E30371A47B556742B49C7805B644A88E9A7@EXCCRMBX01.Currynet.local>

2013/7/18 Darouichi, Aziz <adarouic@post03.curry.edu>:
> Hi all,
>
>
>
>
>
> I am trying to bind openldap-2.4.33 to vendor SSO using simple bind and I am
> getting invalid credentials. I have reset the rootdn password more than once
> to make sure there were no typos, and I am still getting same Invalid
> Credentials error.
>
>
>
> This is a copy of my slapd.conf
>
> # See slapd.conf(5) for details on configuration options.
>
> # This file should NOT be world readable.
>
> #
>
> include         /opt/local/etc/openldap/schema/core.schema
>
> include         /opt/local/etc/openldap/schema/ppolicy.schema
>
> # Define global ACLs to disable default read access.
>
> include     /opt/local/etc/openldap/schema/cosine.schema
>
> include         /opt/local/etc/openldap/schema/nis.schema
>
> include     /opt/local/etc/openldap/schema/inetorgperson.schema
>
>
>
> # Do not enable referrals until AFTER you have a working directory
>
> # service AND an understanding of referrals.
>
> #referral       ldap://root.openldap.org
>
>
>
> pidfile         /opt/local/var/run/slapd.pid
>
> argsfile        /opt/local/var/run/slapd.args
>
> sizelimit  unlimited
>
> #serverID 1
>
>
>
> allow bind_v2
>
> loglevel sync
>
>
>
> "/opt/local/etc/openldap/slapd.conf" 180L, 5417C
>
> #
>
> # See slapd.conf(5) for details on configuration options.
>
> # This file should NOT be world readable.
>
> #
>
> include         /opt/local/etc/openldap/schema/core.schema
>
> include         /opt/local/etc/openldap/schema/ppolicy.schema
>
> # Define global ACLs to disable default read access.
>
> include     /opt/local/etc/openldap/schema/cosine.schema
>
> include         /opt/local/etc/openldap/schema/nis.schema
>
> include     /opt/local/etc/openldap/schema/inetorgperson.schema
>
>
>
> # Do not enable referrals until AFTER you have a working directory
>
> # service AND an understanding of referrals.
>
> #referral       ldap://root.openldap.org
>
>
>
>
>
>
>
>
>
> # Load dynamic backend modules:
>
> # modulepath    /opt/local/libexec/openldap
>
> # moduleload    back_bdb.la
>
> # moduleload    back_hdb.la
>
> # moduleload    back_ldap.la
>
> #modulepath  /usr/lib/openldap
>
> #moduleload accesslog.la
>
> moduleload auditlog.la
>
> #moduleload denyop.la
>
> #moduleload dyngroup.la
>
> moduleload dynlist.la
>
> #moduleload lastmod.la
>
> #moduleload pcache.la
>
> moduleload ppolicy.la
>
> #moduleload refint.la
>
> #moduleload retcode.la
>
> #moduleload rwm.la
>
> #moduleload smbk5pwd.la
>
> moduleload syncprov.la
>
> moduleload  syncprov
>
> #moduleload translucent.la
>
> moduleload unique.la
>
> moduleload valsort.la
>
>
>
> # Sample security restrictions
>
> #       Require integrity protection (prevent hijacking)
>
> #       Require 112-bit (3DES or better) encryption for updates
>
> #       Require 63-bit encryption for simple bind
>
> # security ssf=1 update_ssf=112 simple_bind=64
>
>
>
> # Sample access control policy:
>
> #       Root DSE: allow anyone to read it
>
> #       Subschema (sub)entry DSE: allow anyone to read it
>
> #       Other DSEs:
>
> #               Allow self write access
>
> #               Allow authenticated users read access
>
> #               Allow anonymous users to authenticate
>
> #       Directives needed to implement policy:
>
> # access to dn.base="" by * read
>
> # access to dn.base="cn=Subschema" by * read
>
> # access to *
>
> #       by self write
>
> #       by users read
>
> #       by anonymous auth
>
> #
>
> # if no access controls are present, the default policy
>
> # allows anyone and everyone to read anything but restricts
>
> # updates to rootdn.  (e.g., "access to * by * read")
>
> #
>
> # rootdn can always read and write EVERYTHING!
>
> # CA singed Certificate and server cert entries:
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
>
> TLSCACertificateFile /opt/local/etc/openldap/cacert.pem
>
> TLSCertificateFile /opt/local/etc/openldap/ldap-tls.curry.edu.cert.pem
>
> TLSCertificateKeyFile /opt/local/etc/openldap/ldap-tls.curry.edu.key.pem
>
>
>
> # Clinet verification not required
>
>
>
> #TLSVerifyClient never
>
>
>
>
>
> #######################################################################
>
> # BDB database definitions
>
> #######################################################################
>
>
>
> database        bdb
>
> suffix          "dc=curry,dc=edu"
>
> rootdn          "cn=ldap,dc=curry,dc=edu"
>
> # Cleartext passwords, especially for the rootdn, should
>
> # be avoid.  See slappasswd(8) and slapd.conf(5) for details.
>
> # Use of strong authentication encouraged.
>
> rootpw {SSHA}gMePUFraA8Fjn63t8FzpYHbp+6g8N6Mz
>
>
>
>
>
>
>
>
>
> #access to *
>
> #     by dn.base="cn=ldap,dc=curry,dc=edu" read
>
> #     by * break
>
>
>
> # The database directory MUST exist prior to running slapd AND
>
> # should only be accessible by the slapd and slap tools.
>
> # Mode 700 recommended.
>
> directory       /opt/local/var/openldap-data
>
>
>
>
>
>
>
> syncrepl rid=006
>
>   provider=ldap://192.168.60.42
>
> tls_cert=/etc/pki/tls/certs/ldap-tls.curry.edu.cert.pem
>
>   tls_key=/etc/pki/tls/private/ldap-tls.curry.edu.key.pem
>
>   tls_cacert=/etc/pki/tls/certs/cacert.pem
>
>   tls_reqcert=demand
>
>   searchbase="dc=curry,dc=edu"
>
>   schemachecking=on
>
>   timelimit=unlimited
>
>   sizelimit=unlimited
>
>   type=refreshAndPersist
>
>   retry="60 +"
>
>
>
> # Index to maintain
>
> index entryUUID                         eq
>
> index objectClass                       eq,pres
>
> index ou,cn,mail,surname,givenname      eq,pres,sub
>
> index uidNumber,gidNumber,loginShell    eq,pres
>
> index uid,memberUid                     eq,pres
>
> index nisMapName,nisMapEntry            eq,pres,sub
>
>
>
>
>
> #mirrormode TRUE
>
> mirrormode on
>
> # define the provider to use the syncprov overlay
>
> # (last directives in database section)
>
>
>
> overlay syncprov
>
> # contextCSN saved to database every 100 updates or ten minutes
>
> syncprov-checkpoint 100 1
>
> syncprov-sessionlog 100
>
> #################################################################################
>
> #                         Password Policy
> #
>
> ################################################################################
>
> #################################################################################
>
> # This implies the password policy should be for the entire base DN
>
> #ppolicy_default
>
> overlay ppolicy
>
> ppolicy_default "cn=default,ou=policies,dc=curry,dc=edu"
>
>
>
> # This implies the passwords should not be in clear text and this directive
> takes no parameters
>
> ppolicy_hash_cleartex


Seems you have no access control at all. Set at least the auth right
on userPassword if you want users to authenticate.


Clément.

References:
- Openldap-2.4.33 bind problem
  - From: "Darouichi, Aziz" <adarouic@post03.curry.edu>

Prev by Date: Antw: Q: Multi-Master setup
Next by Date: Re: Antw: Q: Multi-Master setup
Index(es):
- Chronological
- Thread