Re: Problems with slapd and access rules

I am having problems with access control in slapd.conf.

If I leave all access control commented in slapd.conf, the ssh user can login and id works.

But if the users password expires though the use of the ppolicy directives, they are

prompted to change the password but cannot due to an Insufficient access error:

# ssh -l ldap1 localhost

ldap1@localhost's password:

You are required to change your LDAP password immediately.

Last login: Mon Jul 19 10:06:53 2010 from localhost

WARNING: Your password has expired.

You must change your password now and login again!

Changing password for user ldap1.

Enter login(LDAP) password:

New password:

Retype new password:

LDAP password information update failed: Insufficient access

passwd: Authentication token manipulation error

Connection to localhost closed.

These are the openldap components installed on the system:

# rpm -qa | grep ldap

compat-openldap-2.4.19_2.3.43-11.el6.i686

krb5-server-ldap-1.8.1-6.el6.i686

apr-util-ldap-1.3.9-3.el6.i686

mozldap-6.0.5-6.2.el6.i686

openldap-servers-2.4.19-11.el6.i686

python-ldap-2.3.10-1.el6.i686

openldap-clients-2.4.19-11.el6.i686

mozldap-devel-6.0.5-6.2.el6.i686

bind-dyndb-ldap-0.1.0-0.9.b.el6.i686

nss-pam-ldapd-0.7.5-3.el6.i686

pam_ldap-185-5.el6.i686

openldap-devel-2.4.19-11.el6.i686

openldap-2.4.19-11.el6.i686

This is a beta release of Red Hat Enterprise v6, but it would seem the Openldap components

should work regardless of the OS components. I am working with this version of Red Hat

to get some experience with the V2.4* Openldap stream, realizing that this is not the latest

version of openldap.

I have tried various access control in slapd.conf that worked quite well in V2.3* of openldap

and released versions of Red Hat OS but any attempt to comment any of the follow lines

from slapd.conf, results in a complete failure of the ldap client to talk to the server.

#access to attrs=userPassword

# by self write

# by anonymous auth

# by dn.base="cn=Manager,dc=osn,dc=cxo,dc=cpqcorp,dc=net" write

# by * none

# by * auth

I would like to understand the rules comfortably before moving to interactive rulesets

and slapd configuration so I am working with slapd.conf.

I have read through the attribute section of the v2.4 Admin guide and believe I understand

the concepts and syntax, but perhaps I am missing something.

I donf't know if Red Hat may have added something unique to this mix. When you run their

authconfig utility to get a base set of ldap configuration attributes, it no longer updates

/etc/ldap.conf but instead it updates /etc/pam_ldap.conf. It also attempts to configure

and start something called nslcd.conf and it's corresponding daemon, nslcd.

nslcd - local LDAP name service daemon. This daemon has it's own configuration file which

looks just like the contents of ldap.conf. If this daemon is not runing, it also appears

that the ldap service does not exist and id and ssh both fail.....id can't find the user and

ssh is denied login access as though the passwords are invalid.

I copied the contents of pam_ldap.conf to /etc/ldap.conf to see if that makes a difference:

/etc/ldap.conf:

base dc=osn,dc=cxo,dc=cpqcorp,dc=net

binddn cn=Manager,dc=osn,dc=cxo,dc=cpqcorp,dc=net

bindpw secret

ssl no

pam_lookup_policy yes

pam_password exop

uri ldap://16.112.240.253/

Is Red Hat doing something unique here ? Have they bypassed the client's /etc/ldap.conf file

in favor of this new nslcd daemon and pam_ldap.conf file ?

Strings on pam_ldap.so does show a reference to /etc/pam_ldap.conf but nothing for /etc/ldap.conf

I've tried reading through the various README and other docs supplied with this stuff but

nothing seems to indicate a major change in how the ldap client accesses the ldap server

in this version of Red Hat. Can anyone shed some light on this ?

Can I assume that generic openldap clients still expect to use /etc/ldap.conf as the one

and only ldap configuration file and nothing else ?

Al Licause