[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Object not found

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: Object not found
From: espeake@oreillyauto.com
Date: Wed, 28 Aug 2013 22:25:29 -0500
Cc: openldap-technical-bounces@openldap.org, openldap-technical@openldap.org
In-reply-to: <EB015F652BA1D5B8802F2360@[192.168.1.22]>
References: <OFAF489866.4ED71638-ON86257BD5.0047E68B-86257BD5.00488E2A@LocalDomain> <EB015F652BA1D5B8802F2360@[192.168.1.22]>

Okay so I have the access list figured out and everything looks good except
now the credentials for my user aren't working.  I get an error 49 (invalid
credentials)  I have reentered the password for the user.  There is one
other user that will not autenticate.  Both of thes users are in the ou
System.  The base admin account can login and get the informatio.  Here is
the new access list.

olcAccess: {0}to * by
dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by
dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by
dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by
dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by
dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write by *
break
olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by
group/groupOfUniqueNames/uniqueMember="cn=System
Administrators,ou=Groups,dc=oreillyauto,dc=com" write
by group/groupOfUniqueNames/uniqueMember="cn=LDAP
Admin,ou=Groups,dc=oreillyauto,dc=com" write by * none break
olcAccess: {2}to attrs=userPassword by
group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com"
 write by anonymous auth by self write
olcAccess: {3}to attrs=uid by anonymous read by users read
olcAccess: {4}to attrs=ou,employeeNumber by users read
olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by
dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read
olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by
dnattr=owner write by dnattr=uniqueMember read by * none
olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com by self read
by
group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com"
 read by * none
olcAccess: {8}to * by self read by users read

The two users that I need to work are:
 readOnlyUser
dn="uid=readOnlyUser,ou=System,dc=oreilly,dc=com
 and
ldapadmin			dn="uid=ldapadmin, ou=System,dc=oreulllyauto,dc=com

Here is the search and result:

root@tntest-ldap-3:/var/lib/ldap# ldapsearch  -Wx -D
"uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" -b
"dc=oreillyauto,dc=com" -H ldap://<ldap-server>.oreillyauto.com uid=espeake
uid dsplayName employeeNumber
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

any and all ideas are welcomed.
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts



From:	Quanah Gibson-Mount <quanah@zimbra.com>
To:	espeake@oreillyauto.com, openldap-technical@openldap.org
Date:	08/28/2013 11:35 AM
Subject:	Re: Object not found
Sent by:	openldap-technical-bounces@OpenLDAP.org



--On Wednesday, August 28, 2013 8:12 AM -0500 espeake@oreillyauto.com
wrote:

>
> I have a user name readonly that we use in our applications to get uid's.
> THis has worked in the past with our old LDAP solution.  We have moved to
> 2.4.31 on Ubuntu 12.04 with a n-way Multi master setup.
>
> The slap cat for this database looks like this.
>
> dn: olcDatabase={1}hdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=oreillyauto,dc=com
> olcAccess: {0}to attrs=userPassword by anonymous auth by * none
> olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by
> group/groupOfUniqueName
>  s/uniqueMember="cn=System
Administrators,ou=Groups,dc=oreillyauto,dc=com"
> wri
>  te by group/groupOfUniqueNames/uniqueMember="cn=LDAP
> Admin,ou=Groups,dc=oreil
>  lyauto,dc=com" write by * none break
> olcAccess: {2}to attrs=userPassword by
> group/groupOfUniqueNames/uniqueMember="
>  cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous auth
> by s
>  elf write

Hi,

You need to spend some time reading the manual pages and admin guide on
access rules for slapd.

It is immediately obvious that rule {2) will never evaluate because of rule

{0}.  Those shouldn't even be separate rule lines, they should be a single
rule.  I haven't looked further because that was so blatant, I'm guessing
you have any number of other issues in your access lines.

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration


--
This message has been scanned for viruses and dangerous content,
and is believed to be clean.
  Message id: 898DB600A44.A073B




This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

References:
- Object not found
  - From: espeake@oreillyauto.com
- Re: Object not found
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: The RootDN
Next by Date: Re: OpenLDAP Samba4
Index(es):
- Chronological
- Thread