
Re: acl_mask: no more <who> clauses, returning =n (stop)



Hi and Hallo

Well, now I'm one step further.

I changed my ACLs to the following:
defaultaccess read
access to attr=uid,uidNumber,gidNumber,userPassword,shadowPassword
	by dn="cn=Manager,dc=blaue-elise,dc=net" write
	by self write
	by users read
	by anonymous auth
access to *
	by self write
	by users read

Now when I try to log in it still won't work, but I can see something
on my client, which is logged in /var/log/messages:

Jan 26 11:22:41 dorian login: pam_ldap: error trying to bind as user "uid=test,ou=User,ou=Account,dc=blaue-elise,dc=net" (Insufficient access)
Jan 26 11:52:36 dorian login: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan 26 11:58:26 dorian login: pam_ldap: error trying to bind as user "uid=test,ou=User,ou=Account,dc=blaue-elise,dc=net" (Invalid credentials)
Jan 26 12:00:11 dorian pam_console[2558]: getpwnam failed for test
Jan 26 12:06:30 dorian pam_console[2614]: getpwnam failed for test

This confuses me a bit, I have to confess. I know my password is stored
with crypt on the ldap-server. In my ldap.conf on the client,
pam_passwd is set to crypt as well.

What is wrong here?

	chris

On Sat, 2002-01-26 at 12:04, Pierangelo Masarati wrote:
> > The above message is returned whenever I try to authenticate from a RH
> > Linux 7.2 client to openldap 2.0.18 on RH Linux 7.2 Server.
> > 
> > My acl is as follows:
> > 
> > defaultaccess read
> > access to *
> > 	by dn="cn=Manager,dc=blaue-elise,dc=net" write
> 
> This rule catches EVERYTHING
> 
> > access to attr=uid,uidNumber,gidNumber,userPassword,shadowPassword
> > 	by dn="cn=Manager,dc=blaue-elise,dc=net" write
> > 	by self write
> > 	by * auth
> > 	by anonymous auth
> 
> This is never reached
> 
> Check the FAQ on how to write ACL rules.
> 
> Pierangelo
> 
-- 
 __    __  __     __  __ ___    ___                      
|  |  |  ||  \   |  ||  |\  \  /  /              chris Guenther
|  |  |  ||   \  |  ||  | \  \/  /               chris@blaue-elise.net
|  |  |  ||  . \ |  ||  |  >    <                Wuppertal / Germany
|  |__|  ||  |\ \|  ||  | /  /\  \  
 \______/ |__| \____||__|/__/  \__\ 

UNIX _IS_ user friendly, it's just selective about who its friends are
  
----------------------------------------------------------------------
  UNIX was not designed to stop you from doing stupid things, 
  because that would also stop you from doing clever things.
                                                         ...Doug Gwyn
----------------------------------------------------------------------
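As an added example (not part of this thread and not OpenLDAP's own code), here is a small Python model of the first-match rule Pierangelo refers to: slapd consults only the first "access to <what>" directive that covers the target, and within it the first "by <who>" clause that matches the requestor decides; when a directive matches the target but none of its <who> clauses match, the result is none, which is what the "acl_mask: no more <who> clauses, returning =n (stop)" message in the subject line reports. The two ACL texts are the ones quoted in the thread; the DN of a second user is constructed, and the model ignores rootdn bypass and dn-based <what> clauses, which the thread does not use.

```python
"""Model of slapd ACL evaluation (first matching <what>, then first matching
<who>; a matched <what> with no matching <who> yields none).

Added example, not OpenLDAP code and not the poster's configuration file.
ACL texts are copied from the thread; OTHER_DN is constructed.
"""
import shlex

# Access levels in slapd's ordering; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# ACL from the first mail: "access to *" comes first and catches everything.
ACL_FIRST = """\
defaultaccess read
access to *
        by dn="cn=Manager,dc=blaue-elise,dc=net" write
access to attr=uid,uidNumber,gidNumber,userPassword,shadowPassword
        by dn="cn=Manager,dc=blaue-elise,dc=net" write
        by self write
        by * auth
        by anonymous auth
"""

# Reordered ACL from the second mail: the attribute directive now comes first.
ACL_SECOND = """\
defaultaccess read
access to attr=uid,uidNumber,gidNumber,userPassword,shadowPassword
        by dn="cn=Manager,dc=blaue-elise,dc=net" write
        by self write
        by users read
        by anonymous auth
access to *
        by self write
        by users read
"""

MANAGER_DN = "cn=Manager,dc=blaue-elise,dc=net"
TEST_DN = "uid=test,ou=User,ou=Account,dc=blaue-elise,dc=net"    # from the log lines
OTHER_DN = "uid=other,ou=User,ou=Account,dc=blaue-elise,dc=net"  # constructed


def parse_acl(text):
    """Return (default_level, rules); each rule is (what, [(who, level), ...]),
    where what is None for '*' or a frozenset of lower-cased attribute names."""
    default, rules = "none", []  # model assumption: nothing granted without defaultaccess
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # strips the quotes around dn="..."
        if not tokens:
            continue
        if tokens[0] == "defaultaccess":
            default = tokens[1]
        elif tokens[:2] == ["access", "to"]:
            what = tokens[2]
            if what == "*":
                rules.append((None, []))
            elif what.startswith("attr="):
                rules.append((frozenset(a.lower() for a in what[5:].split(",")), []))
            else:
                raise ValueError("unsupported <what>: " + what)
        elif tokens[0] == "by" and rules:
            who, level = tokens[1], tokens[2]
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            rules[-1][1].append((who, level))
        else:
            raise ValueError("unrecognised line: " + raw)
    return default, rules


def _norm(dn):
    return dn.replace(" ", "").lower()  # crude DN normalisation for comparisons


def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous requestor."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and _norm(bind_dn) == _norm(entry_dn)
    if who.startswith("dn="):
        return bind_dn is not None and _norm(bind_dn) == _norm(who[3:])
    raise ValueError("unsupported <who>: " + who)


def evaluate(acl, bind_dn, entry_dn, attr):
    """Access level bind_dn gets on attribute attr of entry_dn."""
    default, rules = acl
    for what, clauses in rules:
        if what is not None and attr.lower() not in what:
            continue  # this directive does not cover the target; try the next one
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # <what> matched, no <who> did: "no more <who> clauses, returning =n"
    return default


def simple_bind_permitted(acl, dn):
    """A simple bind is checked as an anonymous requestor needing auth on userPassword."""
    level = evaluate(acl, None, dn, "userPassword")
    return LEVELS.index(level) >= LEVELS.index("auth")


if __name__ == "__main__":
    for name, text in (("first ACL", ACL_FIRST), ("second ACL", ACL_SECOND)):
        acl = parse_acl(text)
        print(name, "- bind as test permitted:", simple_bind_permitted(acl, TEST_DN),
              "- other user on test's userPassword:", evaluate(acl, OTHER_DN, TEST_DN, "userPassword"))
```

Run stand-alone, the model shows the first ACL refusing the anonymous auth access a simple bind needs on userPassword (the "*" directive matches first and its only <who> clause is the Manager), while the reordered ACL grants it. The same run also shows a side effect of the second ACL worth checking before deploying it: "by users read" in the attribute directive gives every authenticated user read access to everyone else's userPassword, i.e. to the crypt hashes; restricting that clause (for example to auth, or to a specific group) closes it. The model does not reproduce rootdn behaviour, so the Manager results only reflect the textual clauses.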