[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapsearch problem

To: "Darouichi, Aziz" <adarouic@post03.curry.edu>
Subject: Re: ldapsearch problem
From: Prentice Bisbal <prentice@ias.edu>
Date: Tue, 26 Oct 2010 16:59:06 -0400
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <2398337E30371A47B556742B49C7805B37920745E8@EXCCRMBX01.Currynet.local>
References: <2398337E30371A47B556742B49C7805B37920745E7@EXCCRMBX01.Currynet.local> <4CC72356.1060506@ias.edu> <2398337E30371A47B556742B49C7805B37920745E8@EXCCRMBX01.Currynet.local>
User-agent: Thunderbird 2.0.0.24 (X11/20101022)

Add this access control to your slapd.conf:

access to attrs=userPassword
        by dn="cn=company,dc=company dc=edu" read

That should allow to read the userPassword

--
Prentice

Darouichi, Aziz wrote:
> Yes, Those are the rootdn for company LDAP.   And if I run ldapsearch -h olddir -x -D "cn=company,dc=company dc=edu" -w "Password" uid=foo   
> 
> or ldapsearch -h newdir -x -D "cn=company,dc=company dc=edu" -w "Password" uid=foo
> 
> 
> I get same error message in output file
> 
> -----Original Message-----
> From: Prentice Bisbal [mailto:prentice@ias.edu] 
> Sent: Tuesday, October 26, 2010 2:52 PM
> To: Darouichi, Aziz; openldap-technical@openldap.org
> Subject: Re: ldapsearch problem
> 
> Is the DN "cn=company,dc=company dc=edu" the root DN for your LDAP
> server, if not, it shouldn't be able to read the userPassword attribute.
> That attribute is usually not readable by anyone other than the rootdn
> for security reasons. Anyone can auth, but "auth" is not the same as "read"
> 
> You either need to search for userPassword using the same dn specified
> as the rootdn in your slapd.conf file, or explicitly give
> "cn=company,dc=company dc=edu" read access to userPassword.
> 
> Prentice
> 
> 
> 
> Darouichi, Aziz wrote:
>> Hi All,
>>  
>>  
>> I inherited openldap-2.2.13-12.el4. that was built by a vendor few years
>> ago, This is running in a production. I built a new
>>  
>> openldap-2.3.43-12.el5_5.2.   I run a backup of production  LDIF file.
>> Imported to the new openldap-2.3.43-12.el5_5.2.  deleted all files from
>> /var/lib/ldap except alock and DB_CONFIG file after I stopped services.
>> I run  slapadd –v –c –l backup_filename.ldif –f /etc/openldap/slapd.conf
>>> import.log
>>  
>> After the import is done I changed owner to be ldap. I started services.
>> Now when I run a search for users passwords
>>  
>> ldapsearch -x -D "cn=company,dc=company dc=edu" -w “Password”
>> userPassword > file.txt
>>  
>>  
>> This is the output in file.txt  :
>>  
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: userPassword
>> #
>>  
>> # search result
>> search: 2
>> result: 32 No such object
>>  
>> # numResponses: 1
>>  
>>  
>> If I run same in production server I get user’s passwords.
>>  
>>  
>> Thanks
>>  
> 
>

References:
- ldapsearch problem
  - From: "Darouichi, Aziz" <adarouic@post03.curry.edu>
- Re: ldapsearch problem
  - From: Prentice Bisbal <prentice@ias.edu>
- RE: ldapsearch problem
  - From: "Darouichi, Aziz" <adarouic@post03.curry.edu>

Prev by Date: AIX as openldap client
Next by Date: Re: LDAP Backup and Restore
Index(es):
- Chronological
- Thread