<div>Hi,</div>
<div> </div>
<div>I think error 49 is not gone till now. It was not showing any output. I restarted openldap and started getting the same error:</div>
<div>My slapd.conf looks like below (removed commented lines):</div>
<div>-------------------------------------------------------------------------</div>
<div>include         /etc/openldap/schema/core.schema<br>include         /etc/openldap/schema/cosine.schema<br>include         /etc/openldap/schema/inetorgperson.schema</div>
<div>pidfile         /usr/var/run/slapd.pid<br>argsfile        /usr/var/run/slapd.args</div>
<div> access to dn.base="" by * read<br> access to dn.base="cn=Subschema" by * read<br> access to *<br>        by self write<br>        by users read<br>        by anonymous auth<br>       access to attrs=userPassword<br>
               by anonymous auth<br>               by self write<br>               by * none</div>
<div><br>TLSCACertificateFile /usr/var/openldap-data/cacert.pem<br>TLSCertificateFile /usr/var/openldap-data/servercrt.pem<br>TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem</div>
<div> </div>
<div>database        bdb<br>suffix          "dc=test,dc=com"<br>rootdn          "cn=Manager,dc=test,dc=com"<br>rootpw          XXXX</div>
<div>directory       /usr/var/openldap-data/test.com</div>
<div>index   objectClass     eq<br>-----------------------------------------------------------------------------</div>
<div> </div>
<div>I think we need to concentrate on error=49 only.</div>
<div><br>What do you say?</div>
<div> </div>
<div>Regards,</div>
<div>-Nilesh<br></div>
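<div>Added example, not code from this thread or from OpenLDAP: a small Python evaluator for the two "access to" directives in the slapd.conf above, applying slapd's first-matching-clause rule. It models only the target forms "*" and "attrs=" (so the rootDSE and subschema lines are left out) and assumes a constructed second user DN (cn=other) for comparison.</div>

```python
# Added example (not OpenLDAP code) of slapd's ACL evaluation: the first "access to"
# clause whose target matches is consulted alone; its first matching "by" wins.
import re
BY_RE = re.compile(r"\bby\s+(\S+)\s+(\S+)")

def parse_acls(text):
    """Return [(target, [(who, level), ...]), ...] in slapd.conf order."""
    acls = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            body = line[len("access to "):]
            acls.append((re.split(r"\s+by\s+", body, maxsplit=1)[0], []))
        elif line.startswith("by ") and acls:
            body = line          # continuation line of the previous clause
        else:
            continue             # any other slapd.conf directive
        acls[-1][1].extend(BY_RE.findall(body))
    return acls

def target_matches(target, dn, attr):
    if m := re.fullmatch(r"attrs=(\S+)", target):   # attribute-scoped clause
        return attr is not None and attr.lower() in m.group(1).lower().split(",")
    return target == "*"                             # only other form modelled

def who_matches(who, bind_dn, dn):
    if who in ("*", "anonymous", "users"):
        return who == "*" or (who == "anonymous") == (bind_dn is None)
    return who == "self" and bind_dn is not None and bind_dn.lower() == dn.lower()

def access_level(acls, bind_dn, dn, attr=None):
    """Level bind_dn gets on (dn, attr); bind_dn=None means an anonymous bind."""
    for target, bys in acls:
        if target_matches(target, dn, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, dn):
                    return level
            return "none"   # target matched but no "by" clause did
    return "none"           # ACLs are defined and none matched

def userpassword_first(acls):  # same directives, attrs=userPassword clause moved first
    return sorted(acls, key=lambda a: not a[0].startswith("attrs="))

# The two "access to" directives from the slapd.conf posted above, each collapsed
# onto one line (slapd accepts either layout); the rootDSE/subschema lines are omitted.
NILESH_ACLS = parse_acls("""
access to * by self write by users read by anonymous auth
access to attrs=userPassword by anonymous auth by self write by * none
""")
NILESH = "cn=nilesh,ou=people,dc=test,dc=com"
```

<div>With the directives in the posted order, "access to *" matches userPassword first, so "by users read" applies to other authenticated users and the later attrs=userPassword clause is never consulted; userpassword_first() shows the same directives with that clause moved ahead, where other users get "none" while anonymous binds keep "auth".</div>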
<div class="gmail_quote">On Fri, Aug 14, 2009 at 3:25 PM, Rick Stevens <span dir="ltr"><<a href="mailto:ricks@nerd.com">ricks@nerd.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div class="im">Nilesh Joshi wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi Rick,<br><br>I have generated cert again and started slapd.<br><br>Now I see following in logs:<br>conn=0 fd=9 ACCEPT from IP=<a href="http://127.0.0.1:36272/" target="_blank">127.0.0.1:36272</a> (IP=<a href="http://0.0.0.0:389/" target="_blank">0.0.0.0:389</a>)<br>
conn=0 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128<br>It's the same for the 2 commands below:<br>1. ldapsearch -x -b "ou=people,dc=test,dc=com" -D<br>"cn=nilesh,ou=people,dc=test,dc=com" -w 'password' "uid=nilesh"<br>
2. ldapsearch -x -b "ou=people,dc=test,dc=com" -D<br>"cn=nilesh,ou=people,dc=test,dc=com" -w password "uid=nilesh"<br><br>I tried adding 'allow bind_v2 bind_anon_cred bind_anon_dn' and restarted<br>
openldap, the result is the same.<br><br>It looks like error 49 is gone.<br></blockquote><br></div>Ok, if error 49 is gone, but you're not getting any data back, then<br>user "nilesh" probably doesn't have read access to the database.  If<br>
you have your slapd manual handy, read up on the "access" directives.<br><br>If you want a user to see any and all of their info, then you need a<br>directive such as:<br><br>       access to *<br>           by self read<br>
           by * none<br><br>in slapd.conf.  That permits someone to read their own data.  If you<br>want to let them modify their data:<br><br>       access to * 
<div class="im"><br>           by self write<br>           by * none<br><br></div>(note that "write" permission also includes all lower permissions such<br>as auth, read, search, etc.) 
<div class="im"><br><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">What else I need to do to fix this issue.<br></blockquote><br></div>Looks like you're authenticating fine now, but you have to set up access<br>
rules to allow users to see things.  Here's a good on-line reference<br>book on how to manage an LDAP server:<br><br>       <a href="http://www.zytrax.dom/books/ldap" target="_blank">http://www.zytrax.dom/books/ldap</a><br>
<br>Also, the OpenLDAP System Admin Guide should have been placed in<br><br>       /usr/share/doc/openldap-servers-version/guide.html<br><br>(replace "version" with the appropriate version number) when you<br>installed the OpenLDAP server RPM.  You can view it by opening a browser<br>
and going to<br><br>       file:///usr/share/doc/openldap-servers-version/guide.html
<div>
<div></div>
<div class="h5"><br><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><br>Thanks and Regards,<br>-Nilesh<br><br>On Fri, Aug 14, 2009 at 10:04 AM, Rick Stevens <<a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Nilesh Joshi wrote:<br><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Thanks Rick.<br><br>I have checked using -w password. The exact command I tried was:<br><br>ldapsearch -x -b "ou=people,dc=test,dc=com" -D<br>
"cn=nilesh,ou=people,dc=test,dc=com" -w password '(uid=nilesh)'<br><br></blockquote>Did you enclose the password in single quotes to mask its value?<br><br>Also added:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">     access to attrs=userPassword<br>             by anonymous auth<br>             by self write<br>             by * none<br>
<br></blockquote>That may not be adequate.  That simply allows a user to authenticate<br>against the LDAP database.  It does NOT allow a regular user to search<br>the entire database.  Let's get rid of the error 49 first, then we'll<br>
worry about the rest.<br><br>However, the result was the same. I have confirmed that password is password for<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">now.<br><br></blockquote>If you're using SASL, remember that all the passwords must be stored in<br>cleartext.  If the password you're going to use is in the LDAP database,<br>
it must be stored in cleartext--NOT some encrypted format such as<br><br>      {MD5} cypherstring<br>      {SSHA} cypherstring<br><br>If the password is in the Cyrus SASL database, it too has to be in<br>cleartext.  This is one of the weaknesses of SASL.<br>
<br>If you're going to use encrypted passwords in the database, you'll need<br>to use SSL or KRB5 as the transport mechanism.<br><br>I think I am missing something in the configuration. Can I use LDAP without<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">sasl and if yes, what I need to do?<br><br></blockquote>You can, but it's not recommended.  Try putting this line in slapd.conf:<br>
<br>      allow bind_v2 bind_anon_cred bind_anon_dn<br><br>Oh, and by the way, we prefer bottom posting on the list.<br><br> On Thu, Aug 13, 2009 at 6:16 PM, Rick Stevens <<a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a>> wrote:<br>

<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> Nilesh Joshi wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi,<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">I have installed openldap-2.0.27-23 on my server.<br><br>I have configured certificate and path is mentioned in slapd.conf file.<br>
<br>I am able to create root DN and also able to add user to it.<br><br>When I search using cn=manager,dc=test,dc=com, it gives me the correct<br>answers.<br>However, whenever I search using user id, I see error 49.<br><br>ldapsearch -x -b "ou=people,dc=test,dc=com" -D<br>
"cn=nilesh,ou=people,dc=test,dc=com" -W '(uid=nilesh)'<br><br>In logs, I see:<br>conn=11 fd=10 ACCEPT from IP=<a href="http://192.168.1.2:53115/" target="_blank">192.168.1.2:53115</a> (IP=<a href="http://0.0.0.0:389/" target="_blank">0.0.0.0:389</a>)<br>
conn=11 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128<br>conn=11 op=0 RESULT tag=97 err=49 text=<br>conn=11 fd=10 closed (connection lost)<br><br>I would like to have openldap running without sasl.<br>
<br>How should I configure the same? How can I fix this issue?<br><br>Error 49 is "invalid credentials," meaning that you didn't hand the<br></blockquote>ldapsearch the right password for the user you're trying to bind as.<br>
Try it again, but rather than using the "-W" (interactive) flag, try:<br><br>     -w 'your-password-here'<br><br>If the password has shell metacharacters in it, they may be being<br>interpreted by the shell before being handed to the ldapsearch command.<br>
Using the -w and the password enclosed in single quotes prevents that.<br><br>You also have to make sure that the user you're trying to bind as has<br>access to the userPassword attribute in the slapd.conf file:<br><br>
     access to attrs=userPassword<br>             by anonymous auth<br>             by self write<br>             by * none<br><br>----------------------------------------------------------------------<br>- Rick Stevens, Systems Engineer                      <a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a> -<br>
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -<br>-                                                                    -<br>- I never drink water because of the disgusting things that fish do  -<br>
-                                  in it.                            -<br>-                                                      -- WC. Fields -<br>----------------------------------------------------------------------<br>
<br>_______________________________________________<br>Redhat-install-list mailing list<br><a href="mailto:Redhat-install-list@redhat.com" target="_blank">Redhat-install-list@redhat.com</a><br><a href="https://www.redhat.com/mailman/listinfo/redhat-install-list" target="_blank">https://www.redhat.com/mailman/listinfo/redhat-install-list</a><br>
To Unsubscribe Go To ABOVE URL or send a message to:<br><a href="mailto:redhat-install-list-request@redhat.com" target="_blank">redhat-install-list-request@redhat.com</a><br>Subject: unsubscribe<br><br><br></blockquote>------------------------------------------------------------------------<br>
</blockquote><br>--<br>
----------------------------------------------------------------------<br>- Rick Stevens, Systems Engineer                      <a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a> -<br>- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -<br>
-                                                                    -<br>-   Never test for an error condition you don't know how to handle.  -<br><br>----------------------------------------------------------------------<br>
</blockquote><br><br>
</blockquote><br><br>-- <br>----------------------------------------------------------------------<br>- Rick Stevens, Systems Engineer                      <a href="mailto:ricks@nerd.com" target="_blank">ricks@nerd.com</a> -<br>
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -<br>-                                                                    -<br></div></div>-        Brain:  The organ with which we think that we think.        - 
<div>
<div></div>
<div class="h5"><br>----------------------------------------------------------------------<br><br>_______________________________________________<br>Redhat-install-list mailing list<br><a href="mailto:Redhat-install-list@redhat.com" target="_blank">Redhat-install-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/redhat-install-list" target="_blank">https://www.redhat.com/mailman/listinfo/redhat-install-list</a><br>To Unsubscribe Go To ABOVE URL or send a message to:<br><a href="mailto:redhat-install-list-request@redhat.com" target="_blank">redhat-install-list-request@redhat.com</a><br>
Subject: unsubscribe<br></div></div></blockquote></div><br>