open ldap configuration on rhel3-u4

Rick Stevens ricks at nerd.com
Fri Aug 14 17:04:15 UTC 2009 

Nilesh Joshi wrote:
> Thanks Rick.
> 
> I have checked using -w password. The exact command I tried was:
> 
> ldapsearch -x -b "ou=people,dc=test,dc=com" -D
> "cn=nilesh,ou=people,dc=test,dc=com" -w password '(uid=nilesh)'

Did you enclose the password in single quotes to mask its value?

> Also added:
>        access to attrs=userPassword
>                by anonymous auth
>                by self write
>                by * none

That may not be adequate.  That simply allows a user to authenticate
against the LDAP database.  It does NOT allow a regular user to search
the entire database.  Let's get rid of the error 49 first, then we'll
worry about the rest.

> However the result was same. I have confirmed that password is password for
> now.

If you're using SASL, remember that all the passwords must be stored in 
cleartext.  If the password you're going to use is in the LDAP database,
it must be stored in cleartext--NOT some excrypted format such as

	{MD5} cypherstring
	{SSHA} cypherstring

If the password is in the Cyrus SASL database, it too has to be in
cleartext.  This is one of the weaknesses of SASL.

If you're going to use encrypted passwords in the database, you'll need
to use SSL or KRB5 as the transport mechanism.

> I think, I am missing something in configuration. Can I use LDAP without
> sasl and if yes, what I need to do?

You can, but it's not recommended.  Try putting this line in slapd.conf:

	allow bind_v2 bind_anon_cred bind_anon_dn

Oh, and by the way, we prefer bottom posting on the list.

> On Thu, Aug 13, 2009 at 6:16 PM, Rick Stevens <ricks at nerd.com> wrote:
> 
>>  Nilesh Joshi wrote:
>>
>>> Hi,
>>>
>>> I have installed openldap-2.0.27-23 on my server.
>>>
>>> I have configured certificate and path is mentioned in slapd.conf file.
>>>
>>> I am able to create root DN and also able to add user to it.
>>>
>>> When I search using cn=manager,dc=test,dc=com, it gives me correct
>>> answers.
>>> Howere, whenever I search using user id, I see error 49.
>>>
>>> ldapsearch -x -b "ou=people,dc=test,dc=com" -D
>>> "cn=nilesh,ou=people,dc=test,dc=com" -W '(uid=nilesh)'
>>>
>>> In logs, I see:
>>> conn=11 fd=10 ACCEPT from IP=192.168.1.2:53115 (IP=0.0.0.0:389)
>>> conn=11 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
>>> conn=11 op=0 RESULT tag=97 err=49 text=
>>> conn=11 fd=10 closed (connection lost)
>>>
>>> I would like to have openldap running without sasl.
>>>
>>> How should I configure the same? How can I fix this issue?
>>>
>> Error 49 is "invalid credentials," meaning that you didn't hand the
>> ldapsearch the right password for the user you're trying to bind as.
>> Try it again, but rather than using the "-W" (interactive) flag, try:
>>
>>        -w 'your-password-here'
>>
>> If the password has shell metacharacters in it, they may be being
>> interpreted by the shell before being handed to the ldapsearch command.
>> Using the -w and the password enclosed in single quotes prevents that.
>>
>> You also have to make sure that the user you're trying to bind as has
>> access to the userPassword attribute in the slapd.conf file:
>>
>>        access to attrs=userPassword
>>                by anonymous auth
>>                by self write
>>                by * none
>>
>> ----------------------------------------------------------------------
>> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
>> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
>> -                                                                    -
>> - I never drink water because of the disgusting things that fish do  -
>> -                                  in it.                            -
>> -                                                      -- WC. Fields -
>> ----------------------------------------------------------------------
>>
>> _______________________________________________
>> Redhat-install-list mailing list
>> Redhat-install-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/redhat-install-list
>> To Unsubscribe Go To ABOVE URL or send a message to:
>> redhat-install-list-request at redhat.com
>> Subject: unsubscribe
>>
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe


-- 
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-   Never test for an error condition you don't know how to handle.  -
----------------------------------------------------------------------

More information about the Redhat-install-list mailing list