open ldap configuration on rhel3-u4
Nilesh Joshi
nileshnjoshi at gmail.com
Fri Aug 14 22:37:48 UTC 2009
Hi,
I htink error 49 is not gone till now. It was not showing any output. I
restarted openladp and started getting same error:
My slapd.conf looks like below (removed commented lines):
-------------------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /usr/var/run/slapd.pid
argsfile /usr/var/run/slapd.args
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
access to attrs=userPassword
by anonymous auth
by self write
by * none
TLSCACertificateFile /usr/var/openldap-data/cacert.pem
TLSCertificateFile /usr/var/openldap-data/servercrt.pem
TLSCertificateKeyFile /usr/var/openldap-data/serverkey.pem
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
rootpw XXXX
directory /usr/var/openldap-data/test.com
index objectClass eq
-----------------------------------------------------------------------------
I think need to concentrate on error=49 only.
What you say?
Regards,
-Nilesh
On Fri, Aug 14, 2009 at 3:25 PM, Rick Stevens <ricks at nerd.com> wrote:
> Nilesh Joshi wrote:
>
>> Hi Rick,
>>
>> I have generated cert again and started slapd.
>>
>> Now I see following in logs:
>> conn=0 fd=9 ACCEPT from IP=127.0.0.1:36272 (IP=0.0.0.0:389)
>> conn=0 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
>> It's same for below 2 commands:
>> 1. ldapsearch -x -b "ou=people,dc=test,dc=com" -D
>> "cn=nilesh,ou=people,dc=test,dc=com" -w 'password' "uid=nilesh"
>> 2. ldapsearch -x -b "ou=people,dc=test,dc=com" -D
>> "cn=nilesh,ou=people,dc=test,dc=com" -w password "uid=nilesh"
>>
>> I tried adding 'allow bind_v2 bind_anon_cred bind_anon_dn' and restarted
>> openldap, the result is same.
>>
>> It looks like error 49 is gone.
>>
>
> Ok, if error 49 is gone, but you're not getting any data back, then
> user "nilesh" probably doesn't have read access to the database. If
> you have your slapd manual handy, read up on the "access" directives.
>
> If you want a user to see any and all of their info, then you need a
> directive such as:
>
> access to *
> by self read
> by * none
>
> in slapd.conf. That permits someone to read their own data. If you
> want to let them modify their data:
>
> access to *
> by self write
> by * none
>
> (note that "write" permission also includes all lower permissions such
> as auth, read, search, etc.)
>
> What else I need to do to fix this issue.
>>
>
> Looks like you're authenticating fine now, but you have to set up access
> rules to allow users to see things. Here's a good on-line reference
> book on how to manage an LDAP server:
>
> http://www.zytrax.dom/books/ldap
>
> Also, the OpenLDAP System Admin Guide should have been placed in
>
> /usr/share/doc/openldap-servers-version/guide.html
>
> (replace "version" with the appropriate version number) when you
> installed the OpenLDAP server RPM. You can view it by opening a browser
> and going to
>
> file:///usr/share/doc/opeenldap-servers-version/guide.html
>
>
>
>> Thanks and Regards,
>> -Nilesh
>>
>> On Fri, Aug 14, 2009 at 10:04 AM, Rick Stevens <ricks at nerd.com> wrote:
>>
>> Nilesh Joshi wrote:
>>>
>>> Thanks Rick.
>>>>
>>>> I have checked using -w password. The exact command I tried was:
>>>>
>>>> ldapsearch -x -b "ou=people,dc=test,dc=com" -D
>>>> "cn=nilesh,ou=people,dc=test,dc=com" -w password '(uid=nilesh)'
>>>>
>>>> Did you enclose the password in single quotes to mask its value?
>>>
>>> Also added:
>>>
>>>> access to attrs=userPassword
>>>> by anonymous auth
>>>> by self write
>>>> by * none
>>>>
>>>> That may not be adequate. That simply allows a user to authenticate
>>> against the LDAP database. It does NOT allow a regular user to search
>>> the entire database. Let's get rid of the error 49 first, then we'll
>>> worry about the rest.
>>>
>>> However the result was same. I have confirmed that password is password
>>> for
>>>
>>>> now.
>>>>
>>>> If you're using SASL, remember that all the passwords must be stored in
>>> cleartext. If the password you're going to use is in the LDAP database,
>>> it must be stored in cleartext--NOT some excrypted format such as
>>>
>>> {MD5} cypherstring
>>> {SSHA} cypherstring
>>>
>>> If the password is in the Cyrus SASL database, it too has to be in
>>> cleartext. This is one of the weaknesses of SASL.
>>>
>>> If you're going to use encrypted passwords in the database, you'll need
>>> to use SSL or KRB5 as the transport mechanism.
>>>
>>> I think, I am missing something in configuration. Can I use LDAP without
>>>
>>>> sasl and if yes, what I need to do?
>>>>
>>>> You can, but it's not recommended. Try putting this line in slapd.conf:
>>>
>>> allow bind_v2 bind_anon_cred bind_anon_dn
>>>
>>> Oh, and by the way, we prefer bottom posting on the list.
>>>
>>> On Thu, Aug 13, 2009 at 6:16 PM, Rick Stevens <ricks at nerd.com> wrote:
>>>
>>>> Nilesh Joshi wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>>> I have installed openldap-2.0.27-23 on my server.
>>>>>>
>>>>>> I have configured certificate and path is mentioned in slapd.conf
>>>>>> file.
>>>>>>
>>>>>> I am able to create root DN and also able to add user to it.
>>>>>>
>>>>>> When I search using cn=manager,dc=test,dc=com, it gives me correct
>>>>>> answers.
>>>>>> Howere, whenever I search using user id, I see error 49.
>>>>>>
>>>>>> ldapsearch -x -b "ou=people,dc=test,dc=com" -D
>>>>>> "cn=nilesh,ou=people,dc=test,dc=com" -W '(uid=nilesh)'
>>>>>>
>>>>>> In logs, I see:
>>>>>> conn=11 fd=10 ACCEPT from IP=192.168.1.2:53115 (IP=0.0.0.0:389)
>>>>>> conn=11 op=0 BIND dn="cn=nilesh,ou=people,dc=test,dc=com" method=128
>>>>>> conn=11 op=0 RESULT tag=97 err=49 text=
>>>>>> conn=11 fd=10 closed (connection lost)
>>>>>>
>>>>>> I would like to have openldap running without sasl.
>>>>>>
>>>>>> How should I configure the same? How can I fix this issue?
>>>>>>
>>>>>> Error 49 is "invalid credentials," meaning that you didn't hand the
>>>>>>
>>>>> ldapsearch the right password for the user you're trying to bind as.
>>>>> Try it again, but rather than using the "-W" (interactive) flag, try:
>>>>>
>>>>> -w 'your-password-here'
>>>>>
>>>>> If the password has shell metacharacters in it, they may be being
>>>>> interpreted by the shell before being handed to the ldapsearch command.
>>>>> Using the -w and the password enclosed in single quotes prevents that.
>>>>>
>>>>> You also have to make sure that the user you're trying to bind as has
>>>>> access to the userPassword attribute in the slapd.conf file:
>>>>>
>>>>> access to attrs=userPassword
>>>>> by anonymous auth
>>>>> by self write
>>>>> by * none
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>> - Rick Stevens, Systems Engineer ricks at nerd.com -
>>>>> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
>>>>> - -
>>>>> - I never drink water because of the disgusting things that fish do -
>>>>> - in it. -
>>>>> - -- WC. Fields -
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Redhat-install-list mailing list
>>>>> Redhat-install-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/redhat-install-list
>>>>> To Unsubscribe Go To ABOVE URL or send a message to:
>>>>> redhat-install-list-request at redhat.com
>>>>> Subject: unsubscribe
>>>>>
>>>>>
>>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Redhat-install-list mailing list
>>>> Redhat-install-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/redhat-install-list
>>>> To Unsubscribe Go To ABOVE URL or send a message to:
>>>> redhat-install-list-request at redhat.com
>>>> Subject: unsubscribe
>>>>
>>>>
>>> --
>>> ----------------------------------------------------------------------
>>> - Rick Stevens, Systems Engineer ricks at nerd.com -
>>> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
>>> - -
>>> - Never test for an error condition you don't know how to handle. -
>>>
>>> ----------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Redhat-install-list mailing list
>>> Redhat-install-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/redhat-install-list
>>> To Unsubscribe Go To ABOVE URL or send a message to:
>>> redhat-install-list-request at redhat.com
>>> Subject: unsubscribe
>>>
>>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Redhat-install-list mailing list
>> Redhat-install-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/redhat-install-list
>> To Unsubscribe Go To ABOVE URL or send a message to:
>> redhat-install-list-request at redhat.com
>> Subject: unsubscribe
>>
>
>
> --
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer ricks at nerd.com -
> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
> - -
> - Brain: The organ with which we think that we think. -
>
> ----------------------------------------------------------------------
>
> _______________________________________________
> Redhat-install-list mailing list
> Redhat-install-list at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-install-list
> To Unsubscribe Go To ABOVE URL or send a message to:
> redhat-install-list-request at redhat.com
> Subject: unsubscribe
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/redhat-install-list/attachments/20090814/878f5544/attachment.htm>
More information about the Redhat-install-list
mailing list