open ldap configuration on rhel3-u4

Nilesh Joshi nileshnjoshi at gmail.com
Fri Aug 14 22:03:49 UTC 2009


Hi Rick,

I have generated cert again and started slapd.

Now I see following in logs:
conn=0 fd=9 ACCEPT from IP=127.0.0.1:36272 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
It's the same for the 2 commands below:
1. ldapsearch -x -b "ou=people,dc=test,dc=com" -D
"cn=nilesh,ou=people,dc=test,dc=com" -w 'password' "uid=nilesh"
2. ldapsearch -x -b "ou=people,dc=test,dc=com" -D
"cn=nilesh,ou=people,dc=test,dc=com" -w password "uid=nilesh"

I tried adding 'allow bind_v2 bind_anon_cred bind_anon_dn' and restarted
openldap; the result is the same.

It looks like error 49 is gone.

What else do I need to do to fix this issue?

Thanks and Regards,
-Nilesh

On Fri, Aug 14, 2009 at 10:04 AM, Rick Stevens <ricks at nerd.com> wrote:

> Nilesh Joshi wrote:
>
>> Thanks Rick.
>>
>> I have checked using -w password. The exact command I tried was:
>>
>> ldapsearch -x -b "ou=people,dc=test,dc=com" -D
>> "cn=nilesh,ou=people,dc=test,dc=com" -w password '(uid=nilesh)'
>>
>
> Did you enclose the password in single quotes to mask its value?
>
>> Also added:
>>       access to attrs=userPassword
>>               by anonymous auth
>>               by self write
>>               by * none
>>
>
> That may not be adequate.  That simply allows a user to authenticate
> against the LDAP database.  It does NOT allow a regular user to search
> the entire database.  Let's get rid of the error 49 first, then we'll
> worry about the rest.
>
>> However, the result was the same. I have confirmed that the password is
>> "password" for now.
>>
>
> If you're using SASL, remember that all the passwords must be stored in
> cleartext.  If the password you're going to use is in the LDAP database,
> it must be stored in cleartext--NOT some encrypted format such as
>
>        {MD5} cypherstring
>        {SSHA} cypherstring
>
> If the password is in the Cyrus SASL database, it too has to be in
> cleartext.  This is one of the weaknesses of SASL.
>
> If you're going to use encrypted passwords in the database, you'll need
> to use SSL or KRB5 as the transport mechanism.
>
>> I think, I am missing something in configuration. Can I use LDAP without
>> sasl and if yes, what I need to do?
>>
>
> You can, but it's not recommended.  Try putting this line in slapd.conf:
>
>        allow bind_v2 bind_anon_cred bind_anon_dn
>
> Oh, and by the way, we prefer bottom posting on the list.
>
>> On Thu, Aug 13, 2009 at 6:16 PM, Rick Stevens <ricks at nerd.com> wrote:
>>
>>> Nilesh Joshi wrote:
>>>
>>>> Hi,
>>>>
>>>> I have installed openldap-2.0.27-23 on my server.
>>>>
>>>> I have configured certificate and path is mentioned in slapd.conf file.
>>>>
>>>> I am able to create root DN and also able to add user to it.
>>>>
>>>> When I search using cn=manager,dc=test,dc=com, it gives me correct
>>>> answers.
>>>> However, whenever I search using user id, I see error 49.
>>>>
>>>> ldapsearch -x -b "ou=people,dc=test,dc=com" -D
>>>> "cn=nilesh,ou=people,dc=test,dc=com" -W '(uid=nilesh)'
>>>>
>>>> In logs, I see:
>>>> conn=11 fd=10 ACCEPT from IP=192.168.1.2:53115 (IP=0.0.0.0:389)
>>>> conn=11 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
>>>> conn=11 op=0 RESULT tag=97 err=49 text=
>>>> conn=11 fd=10 closed (connection lost)
>>>>
>>>> I would like to have openldap running without sasl.
>>>>
>>>> How should I configure the same? How can I fix this issue?
>>>>
>>> Error 49 is "invalid credentials," meaning that you didn't hand the
>>> ldapsearch the right password for the user you're trying to bind as.
>>> Try it again, but rather than using the "-W" (interactive) flag, try:
>>>
>>>       -w 'your-password-here'
>>>
>>> If the password has shell metacharacters in it, they may be being
>>> interpreted by the shell before being handed to the ldapsearch command.
>>> Using the -w and the password enclosed in single quotes prevents that.
>>>
>>> You also have to make sure that the user you're trying to bind as has
>>> access to the userPassword attribute in the slapd.conf file:
>>>
>>>       access to attrs=userPassword
>>>               by anonymous auth
>>>               by self write
>>>               by * none
>>>
>>> ----------------------------------------------------------------------
>>> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
>>> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
>>> -                                                                    -
>>> - I never drink water because of the disgusting things that fish do  -
>>> -                                  in it.                            -
>>> -                                                      -- WC. Fields -
>>> ----------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Redhat-install-list mailing list
>>> Redhat-install-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/redhat-install-list
>>> To Unsubscribe Go To ABOVE URL or send a message to:
>>> redhat-install-list-request at redhat.com
>>> Subject: unsubscribe
>>>
>>>
>
>
> --
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -   Never test for an error condition you don't know how to handle.  -
>
> ----------------------------------------------------------------------
>
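As an added example (my own code, not something posted in this thread and not part of OpenLDAP), here is a small Python script that correlates the ACCEPT, BIND and RESULT lines in a slapd log, in the format Nilesh quoted above, so that err=49 on a bind is counted per client IP and bind DN instead of being spotted by eye. The sample log lines are constructed, and the function names and the alert threshold are mine; the code tables are standard LDAP values (err=0 success, err=49 invalidCredentials, tag=97 is the BindResponse, method=128 is a simple bind and method=163 a SASL bind).

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Meaning of the err= code on a BIND RESULT line (standard LDAP resultCode values).
BIND_RESULT_TEXT = {
    0: "success",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}
# method= on a BIND line: 128 is a simple bind (what "ldapsearch -x" sends), 163 is a SASL bind.
BIND_METHODS = {128: "simple", 163: "SASL"}

# Constructed sample log, modelled on the slapd lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
conn=11 fd=10 ACCEPT from IP=192.168.1.2:53115 (IP=0.0.0.0:389)
conn=11 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
conn=11 op=0 RESULT tag=97 err=49 text=
conn=11 fd=10 closed (connection lost)
conn=12 fd=10 ACCEPT from IP=192.168.1.2:53116 (IP=0.0.0.0:389)
conn=12 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
conn=12 op=0 RESULT tag=97 err=0 text=
conn=12 op=1 SRCH base="ou=people,dc=test,dc=com" scope=2 deref=0 filter="(uid=nilesh)"
conn=12 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=13 fd=11 ACCEPT from IP=10.0.0.9:40000 (IP=0.0.0.0:389)
conn=13 op=0 BIND dn="cn=manager,dc=test,dc=com" method=128
conn=13 op=0 RESULT tag=97 err=49 text=
conn=13 op=1 BIND dn="cn=manager,dc=test,dc=com" method=128
conn=13 op=1 RESULT tag=97 err=49 text=
conn=14 fd=12 ACCEPT from IP=192.168.1.2:53120 (IP=0.0.0.0:389)
conn=14 op=0 BIND dn="" method=128
conn=14 op=0 RESULT tag=97 err=0 text=
"""

# IPv4 only, like the logs in the thread; an IPv6 client address would need a different pattern.
ACCEPT_RE = re.compile(r'^conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[^:\s]+):\d+')
BIND_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
# tag=97 is the BindResponse tag, so this matches the result of a BIND, not of a search.
RESULT_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')


def parse_bind_results(log_text: str) -> List[Dict]:
    """Correlate ACCEPT, BIND and RESULT lines by conn/op; one record per completed bind."""
    conn_ip: Dict[str, str] = {}
    pending: Dict[Tuple[str, str], Tuple[str, int]] = {}
    results: List[Dict] = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            conn_ip[m["conn"]] = m["ip"]
            continue
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = (m["dn"], int(m["method"]))
            continue
        m = RESULT_RE.match(line)
        if m:
            key = (m["conn"], m["op"])
            if key not in pending:
                continue  # RESULT for a BIND we never saw (e.g. log rotated mid-connection)
            dn, method = pending.pop(key)
            err = int(m["err"])
            results.append({
                "conn": m["conn"],
                "ip": conn_ip.get(m["conn"], "unknown"),
                "dn": dn or "(anonymous)",  # ldapsearch -x without -D binds anonymously
                "method": BIND_METHODS.get(method, f"method={method}"),
                "err": err,
                "reason": BIND_RESULT_TEXT.get(err, f"err={err}"),
            })
    return results


def failed_binds_by_source(results: List[Dict]) -> Counter:
    """Count non-zero bind results per (client IP, bind DN)."""
    return Counter((r["ip"], r["dn"]) for r in results if r["err"] != 0)


def repeated_failures(results: List[Dict], threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Sources that failed to bind at least `threshold` times, most frequent first."""
    counts = failed_binds_by_source(results)
    return [(ip, dn, n) for (ip, dn), n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    binds = parse_bind_results(SAMPLE_LOG)
    for r in binds:
        print(f'conn={r["conn"]} {r["ip"]} {r["method"]} bind as {r["dn"]}: {r["reason"]}')
    for ip, dn, n in repeated_failures(binds, threshold=2):
        print(f"ALERT: {n} failed binds from {ip} as {dn}")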