
Re: Invalid credentials



Previously, Mathew Hennessy wrote:
>
> access to attr=userPassword,ntPassword,lmPassword
>        by self write
>        by sockname=127.0.0.1 read
>        by peername=127.0.0.1 read
>        by anonymous auth
>        by * none

> ldapsearch -x -h eddie -W -D "uid=hennessy,ou=people,o=netomat.net" 
> uid=hennessy

Are you expecting the sockname/peername to match and grant read access?  If
so, I think the problem is that you're telling slapd to allow access from
127.0.0.1, but then telling ldapsearch (and, I assume, your other tools) to
connect to "eddie".  If "eddie" is the main interface on the local host
(for example, 1.2.3.4), that's not enough.  slapd will get a connection
from 1.2.3.4 to 1.2.3.4, rather than 127.0.0.1 -> 127.0.0.1.  Does it work
any differently if you specify "-h localhost" or "-h 127.0.0.1"?

> May 29 14:36:49 eddie slapd[24499]: => acl_mask: to all values by "", (=n)
> May 29 14:36:49 eddie slapd[24499]: <= check a_dn_pat: self
> May 29 14:36:49 eddie slapd[24499]: <= check a_sockname_path: 127.0.0.1
> May 29 14:36:49 eddie slapd[24499]: <= check a_peername_path: 127.0.0.1
> May 29 14:36:49 eddie slapd[24499]: <= check a_dn_pat: anonymous
> May 29 14:36:49 eddie slapd[24499]: <= acl_mask: [4] applying auth (=x) 

Notice how it skipped right over the two 127.0.0.1 directives and they did
not match.  I'd say either redefine the ACL to use both 127.0.0.1 and
eddie's IP, or tell your tools to connect to 127.0.0.1/localhost.

 -dan

-- 
Solving a problem simply means representing it so as to make the solution
transparent.		-Herbert Simon, "The Sciences of the Artificial"
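The two fixes Dan suggests, side by side, as an added example that is not part of the original thread. The ACL syntax follows the slapd.access(5) style selectors of later OpenLDAP releases (`peername.ip=` and `attrs=`); the 1.2.3.4 address is the placeholder from the reply, and the `-H` URI form of ldapsearch is assumed to be available in the client in use.

```conf
# Added example, not from the original post. Assumes the peername.ip
# selector from slapd.access(5); 1.2.3.4 stands for eddie's own address.

# Option 1: keep the ACL loopback-only. It then only matches when the
# client really connects to 127.0.0.1, so the tools must be pointed there:
#
#   ldapsearch -x -H ldap://127.0.0.1/ -W \
#       -D "uid=hennessy,ou=people,o=netomat.net" uid=hennessy
#
access to attrs=userPassword,ntPassword,lmPassword
       by self write
       by peername.ip=127.0.0.1 read
       by anonymous auth
       by * none

# Option 2: also accept connections arriving from the host's own interface
# address, so "-h eddie" (source 1.2.3.4 -> 1.2.3.4) matches as well:
access to attrs=userPassword,ntPassword,lmPassword
       by self write
       by peername.ip=127.0.0.1 read
       by peername.ip=1.2.3.4 read
       by anonymous auth
       by * none
```

Whichever option is chosen, the "peername" clause is the client's address as slapd sees it, so with `-d acl` (or the loglevel used in the quoted trace) the `check a_peername_path` line should now be followed by a match rather than falling through to `anonymous`. Note that a peername-based `read` on password hashes grants that access to every process on the matching host, not just the one tool being debugged, which is worth confirming is intended before widening the rule.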