
Re: openldap authentication problem



Hello,

Sorry for the delayed reaction, I just got to finally
try out your suggestion:

On Friday 11 March 2005 18:34, Jonathan Higgins wrote:
> need to change one of your acls .. and add anonymous auth...
>
> access to attr=userPassword
> by ssf=128 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
> by ssf=128 self write
> by anonymous auth
> by * none

That did it really, it now works again :) So I assume 
I had the "anonymous auth" in before and removed it by
mistake when editing the file.

I am however a bit confused about the meaning of the
"anonymous auth" line, as I am with access control
meanings altogether to be honest. What does the
"by anonymous auth" line actually allow? In which sense
is the user anonymous? I did check that it doesn't
actually allow anonymous login (which I wouldn't
want anyway) so it's not that.

Also is there a reason you didn't add an ssf factor
in the suggested line? I tried to add it and it
works as well.

If someone could point me to some explanation of 
access rights I would be most grateful. I've seen
the one in the openldap admin-guide but I must admit
that it's not really clear to me.

In any case, thanks for the help!

Vuko Brigljevic


===========================================================|
 Vuko Brigljevic                                           |
 Rudjer Boskovic Institute                                 |
 --------------------------------------------------------- |
 Mail Address: Bijenicka cesta 54, P.O.B. 180              |
               10002 Zagreb Croatia                        |
 Phone       : +385-1- 468 0204                            |
 www         : http://cern.ch/vuko                         |
===========================================================|
One Word to rule them all, One Explorer to find them,
One Windows to bring them all and in the darkness bind them


> >>> Vuko Brigljevic <Vuko.Brigljevic@cern.ch> 3/11/2005 9:56:05 AM >>>
>
> Hello,
>
> Since a few days, I am having authentication
> problems with my openldap server, with a recurring
> error in the logs:
>
> pam_ldap: error trying to bind as user
> "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)
>
> The system:
> SuSE Linux 8.2
> openldap 2.1.12
> pam_ldap version 159
> nss_ldap version 203.7
>
> I am using all default versions coming with the
> distributions. Everything broke a few days ago
> and I am currently not able to login any more,
> but am always seeing an "(Insufficient access)"
> message in the logs.
>
> I append my slapd.conf file, the ldap.conf
> file and the output of the full log (obtained
> with loglevel set to -1) from /var/log/messages
> of a failed login attempt.
>
> BTW, the system broke after restarting
> the ldap server. I was editing slapd.conf
> but as far as I am aware of, I left
> everything as it was before (when the
> system was running). It is very possible
> that I did change something but after
> looking for it for a few days I just
> can't see what it could be.
>
> Any idea as to what may be wrong?
>
> Thanks!
>
> Vuko
>
> slapd.conf:
> ===========
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
>
> include         /etc/openldap/schema/misc.schema
> include         /etc/openldap/schema/openldap.schema
> include         /etc/openldap/schema/samba.schema
>
>
> TLSCipherSuite         HIGH:MEDIUM:+SSLv2
>
> TLSCertificateFile    /etc/ldap-certs/server/server.crt
> TLSCertificateKeyFile /etc/ldap-certs/server/server.key
> TLSCACertificateFile  /etc/ldap-certs/ca/ca.crt
>
> database        ldbm
>
> suffix          "dc=myCompany,dc=MyDomain"
> rootdn          "uid=root,ou=People,dc=myCompany,dc=MyDomain"
> directory       /var/lib/ldap/
>
> index   objectClass,uid,uidNumber,gidNumber  eq
> index   cn,mail,surname,givenname            eq,subinitial
>
>
> access to dn=".*,ou=People,dc=myCompany,dc=MyDomain"
>   attr=userPassword
> by ssf=128 self write
> by ssf=128 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
>
>
> access to dn=".*,dc=myCompany,dc=MyDomain"
> by ssf=128 self write
> by ssf=128 dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
> by  * read
>
>
> access to dn=".*,dc=myCompany,dc=MyDomain"
> by  * read
>
>
>
> /etc/openldap/ldap.conf
> =======================
>
> # $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
> #
> # LDAP Defaults
> #
>
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
>
> base    dc=myCompany,dc=MyDomain
> uri     ldap://myserver.myCompany.MyDomain
>
> nss_base_passwd ou=People,dc=myCompany,dc=MyDomain
> nss_base_shadow ou=People,dc=myCompany,dc=MyDomain
> nss_base_group  ou=Group,dc=myCompany,dc=MyDomain
> host    myserver.myCompany.MyDomain
> ldap_version    3
> ssl     start_tls
> pam_password    crypt
>
> tls_cacert      /etc/openldap/ca/ca.crt
>
>
> extract from /var/log/messages
> ==============================
>
> >>> dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>
>
> daemon: activity on 1 descriptors
> <<< dnPrettyNormal: <uid=aUser,ou=People,dc=myCompany,dc=MyDomain>,
> <uid=aUser,ou=people,dc=myCompany,dc=MyDomain>
> daemon: select: listen=6 active_threads=1 tvp=NULL
> do_bind: version=3 dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain" method=128
> conn=4 op=3 BIND dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain" method=128
> ==> ldbm_back_bind: dn: uid=aUser,ou=People,dc=myCompany,dc=MyDomain
> dn2entry_r: dn: "uid=aUser,ou=people,dc=myCompany,dc=MyDomain"
> => dn2id( "uid=aUser,ou=people,dc=myCompany,dc=MyDomain" )
> ====> cache_find_entry_dn2id("uid=aUser,ou=people,dc=myCompany,dc=MyDomain"): 121 (1 tries)
> <= dn2id 121 (in cache)
> => id2entry_r( 121 )
> ====> cache_find_entry_id( 121 )
> "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (found) (1 tries)
> <= id2entry_r( 121 ) 0x81ca750 (cache)
> => access_allowed: auth access to "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" "userPassword" requested
> => dnpat: [1] .*,ou=People,dc=myCompany,dc=MyDomain nsub: 0
> => acl_get: [1] matched
> => acl_get: [1] check attr userPassword
> <= acl_get: [1] acl uid=aUser,ou=People,dc=myCompany,dc=MyDomain attr: userPassword
> => acl_mask: access to entry "uid=aUser,ou=People,dc=myCompany,dc=MyDomain", attr "userPassword" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: uid=root,ou=People,dc=myCompany,dc=MyDomain
> => string_expand: pattern: uid=root,ou=People,dc=myCompany,dc=MyDomain
> => string_expand: expanded: uid=root,ou=People,dc=myCompany,dc=MyDomain
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> <= acl_mask: no more <who> clauses, returning =n (stop)
> => access_allowed: auth access denied by =n
> send_ldap_result: conn=4 op=3 p=3
> send_ldap_result: err=50 matched="" text=""
> send_ldap_response: msgid=4 tag=97 err=50
> pam_ldap: error trying to bind as user
> "uid=aUser,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)
> conn=4 op=3 RESULT tag=97 err=50 text=
> ====> cache_return_entry_r( 121 ): returned (0)
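Added example (mine, not code from the thread or from OpenLDAP): a small Python model of how slapd walks the `by <who>` clauses of the userPassword ACL quoted above, enough to reproduce the log where the bind is checked `by ""` (the connection is not yet authenticated, so it is anonymous) and ends in `=n`, and to show that `anonymous auth` only lets such a connection use the attribute to bind, never to read it. It assumes slapd's level ordering (none < auth < compare < search < read < write) and first-match rule, and leaves out the `to dn=` filter and regex DN patterns; the ACL and DNs are taken from the thread.

```python
from dataclasses import dataclass
# Access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

@dataclass
class Who:               # one "by <who> <access>" clause
    kind: str            # "anonymous", "self", "dn" or "*"
    access: str          # level granted when the clause matches
    dn: str = ""         # exact DN, used when kind == "dn"
    ssf: int = 0         # "ssf=N": minimum security strength the connection must have

@dataclass
class Request:
    bind_dn: str         # identity on the connection; "" while not yet authenticated
    target_dn: str       # entry whose userPassword is being accessed
    ssf: int             # negotiated TLS strength (0 = cleartext)

def who_matches(w: Who, req: Request) -> bool:
    if req.ssf < w.ssf:                      # ssf=N is an extra condition on any clause
        return False
    if w.kind == "*":
        return True
    if w.kind == "anonymous":
        return req.bind_dn == ""
    if w.kind == "self":
        return req.bind_dn != "" and req.bind_dn.lower() == req.target_dn.lower()
    if w.kind == "dn":
        return req.bind_dn.lower() == w.dn.lower()
    raise ValueError(f"unknown <who> kind {w.kind}")

def granted(acl: list, req: Request) -> str:
    """First matching <who> clause wins; no match at all means 'none' (the log's '=n')."""
    for w in acl:
        if who_matches(w, req):
            return w.access
    return "none"

def allowed(acl: list, req: Request, needed: str) -> bool:
    return LEVELS.index(granted(acl, req)) >= LEVELS.index(needed)

ROOT = "uid=root,ou=People,dc=myCompany,dc=MyDomain"
# The userPassword ACL from the thread, before and after Jonathan's fix (constructed from it).
BROKEN_ACL = [Who("self", "write", ssf=128), Who("dn", "write", dn=ROOT, ssf=128)]
FIXED_ACL = BROKEN_ACL + [Who("anonymous", "auth", ssf=128), Who("*", "none")]
# A simple bind is checked before it succeeds, so the requester is still anonymous ("").
BIND = Request(bind_dn="", target_dn="uid=aUser,ou=People,dc=myCompany,dc=MyDomain", ssf=128)

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, "bind:", allowed(acl, BIND, "auth"), "read:", allowed(acl, BIND, "read"))
```

With the broken ACL no clause matches the anonymous requester, so the bind gets `none` and fails with err=50; with the fixed ACL the same bind gets `auth`, while an anonymous read of userPassword is still refused, and keeping `ssf=128` on the clause means a cleartext connection falls through to `by * none`.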