
Re: Antw: Re: Object not found

From:	Quanah Gibson-Mount <quanah@zimbra.com>
To:	espeake@oreillyauto.com
Cc:	openldap-technical@openldap.org, openldap-technical-bounces@OpenLDAP.org, Ulrich Windl
Date:	08/30/2013 12:37 PM
Subject:	Re: Antw: Re: Object not found

--On Friday, August 30, 2013 10:55 AM -0500 espeake@oreillyauto.com wrote:

> Quanah,
> I tried this morning to change the password:
> ldappasswd -s <password> -Wx -D "uid=admin,dc=<domain>,dc=com"
> "uid=readOnlyUser,ou=system,dc=<domain>,dc=com"
> I confirmed that the hashed password changed.  I still get invalid
> credentials.  I am betting that there is some little simple thing that is
> holding this up.

Ok, so error (49) means one of two things:

a) Password is incorrect
b) No such object

No such object means either the entry you are attempting to bind as does
not exist in the LDAP DB, or ACLs prevent reading it, so it appears not to

My guess is this ACL is blocking access to the entry:

olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by
dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read



Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration

Wouldn't the following control grant the access first, since it is the first
in the list?

olcAccess: {0}to *
    by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
    by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
    by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
    by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
    by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write

I think it may be in how the password is presented.  When I do an ldapsearch
for the readOnlyUser, the account is found.  I decode the password that is
presented and the password in the encrypted {SSHA} matches what I see in my
ldap browser.  I am going to have my developers do some further testing
against this ldap instance.
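Since the thread turns on which olcAccess directive slapd actually stops at, here is an added example (mine, not from the thread or from OpenLDAP) that models slapd's documented evaluation order: directives are tried in order, the first one whose `<what>` matches the entry and attribute is the only one used, and inside it the first matching `<by>` clause decides, a directive with no matching `<by>` ending in the implicit `by * none`. It also models that a simple bind is evaluated while the connection is still anonymous, so it needs `auth` access to `userPassword` on the entry being bound to. The two directives are the `{0}` and `{5}` quoted in the thread (`{1}` to `{4}` are not shown and are left out); `uid=jdoe,ou=Users,...` is a constructed ordinary user and the `to attrs=userPassword ...` directive is a constructed contrast following the pattern in the OpenLDAP Administrator's Guide. The model is deliberately simplified: no regex selectors, no `break`/`continue` controls, no `entry`/`children` pseudo-attributes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Access levels in increasing order (slapd.access(5)); a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


@dataclass
class By:
    who: str             # "*", "anonymous", "users", "self", "dn.base" or "dn.subtree"
    arg: Optional[str]   # the DN for dn.base / dn.subtree
    level: str

    def matches(self, bind_dn: Optional[str], target_dn: str) -> bool:
        if self.who == "*":
            return True
        if self.who == "anonymous":
            return bind_dn is None
        if bind_dn is None:          # every remaining <who> needs an authenticated identity
            return False
        if self.who == "users":
            return True
        if self.who == "self":
            return bind_dn.lower() == target_dn.lower()
        if self.who == "dn.base":
            return bind_dn.lower() == self.arg.lower()
        if self.who == "dn.subtree":
            return in_subtree(bind_dn, self.arg)
        raise ValueError(f"unsupported <who>: {self.who}")


@dataclass
class Directive:
    subtree: Optional[str]      # None means "to *" (every entry)
    attrs: Optional[Set[str]]   # None means every attribute
    by: List[By]

    def matches(self, target_dn: str, attr: str) -> bool:
        if self.subtree is not None and not in_subtree(target_dn, self.subtree):
            return False
        return self.attrs is None or attr.lower() in self.attrs


def parse(line: str) -> Directive:
    """Parse one olcAccess value; the '{n}' prefix is dropped, list order stands in for it."""
    body = re.sub(r"^\{\d+\}", "", line.strip())
    what, *clauses = re.split(r"\s+by\s+", body)
    if not what.startswith("to "):
        raise ValueError(f"expected 'to <what>': {line!r}")
    subtree, attrs = None, None
    for key, val in re.findall(r'([\w.]+)=("[^"]*"|\S+)', what[3:]):
        if key == "dn.subtree":
            subtree = val.strip('"')
        elif key in ("attrs", "attr"):
            attrs = {a.lower() for a in val.strip('"').split(",")}
        else:
            raise ValueError(f"unsupported <what> selector: {key}")
    bys = []
    for clause in clauses:
        m = re.fullmatch(r'([\w.*]+)(?:="([^"]*)")?\s+(\w+)', clause.strip())
        if not m or m.group(3) not in LEVELS:
            raise ValueError(f"unsupported <by> clause: {clause!r}")
        bys.append(By(m.group(1), m.group(2), m.group(3)))
    return Directive(subtree, attrs, bys)


def check(acl: List[Directive], bind_dn: Optional[str], target_dn: str,
          attr: str, needed: str) -> Tuple[str, Optional[int], bool]:
    """Return (granted level, index of the directive used, whether `needed` is satisfied).
    slapd stops at the FIRST directive whose <what> matches and, inside it, at the FIRST
    <by> whose <who> matches; no matching <by> means the implicit 'by * none', and a
    non-empty access list ends in the implicit 'to * by * none'."""
    for i, d in enumerate(acl):
        if not d.matches(target_dn, attr):
            continue
        granted = next((b.level for b in d.by if b.matches(bind_dn, target_dn)), "none")
        return granted, i, LEVELS.index(granted) >= LEVELS.index(needed)
    return "none", None, needed == "none"


def bind_check(acl: List[Directive], dn: str) -> Tuple[str, Optional[int], bool]:
    """A simple bind runs while the connection is still anonymous: it needs 'auth'
    access to userPassword on the entry being bound to."""
    return check(acl, None, dn, "userPassword", "auth")


# The two directives quoted in the thread ({1}-{4} are not shown there and are left out).
PAGE_ACL = [parse(d) for d in [
    '''{0}to *
        by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
        by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
        by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
        by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
        by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write''',
    '''{5}to dn.subtree="ou=System,dc=oreillyauto,dc=com"
        by dn.subtree="ou=Users,dc=oreillyauto,dc=com" none by users read''',
]]
# Constructed contrast: the Administrator's Guide pattern for userPassword, placed first.
HARDENED_ACL = [parse("to attrs=userPassword by anonymous auth by self write by * none")] + PAGE_ACL

READ_ONLY_DN = "uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
USER_DN = "uid=jdoe,ou=Users,dc=oreillyauto,dc=com"   # constructed ordinary user

if __name__ == "__main__":
    print("bind as readOnlyUser, page ACL:    ", bind_check(PAGE_ACL, READ_ONLY_DN))
    print("readOnlyUser reads a user's cn:    ", check(PAGE_ACL, READ_ONLY_DN, USER_DN, "cn", "read"))
    print("a user reads ou=System (stops at 0):", check(PAGE_ACL, USER_DN, READ_ONLY_DN, "cn", "read"))
    print("bind as readOnlyUser, hardened ACL:", bind_check(HARDENED_ACL, READ_ONLY_DN))
```

Running it shows the point behind the question in the thread: with a `to *` directive at `{0}`, every request is answered by that directive, so the index returned is always 0 and `{5}` is never consulted; and because `{0}` has no `<by>` clause that matches an anonymous requester, the model's bind step for readOnlyUser is denied before the password is ever compared, whereas the constructed `userPassword` directive in front of it grants `auth` and lets the later `{0}` handle the bound user's reads.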