On 29.05.2012 20:11, Roland Gruber wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Matthias,
>
> On 29.05.2012 18:19, Matthias Kahlert wrote:
>> When I login with Ldap search with suffix "ou=Users,dc=pt,dc=local"
>> and UID "admin" I can not modify the directory. I always get "Was
>> unable to create DN: uid.... Insufficient access" etc. But
>> lamdeamon check now works.
>>
>> I can login to linux as user "admin" with ssh and samba ok (it is
>> not in /etc/passwd, so it must be a valid ldap-user.)
>>
>> Ldap is configured with cn=config which gives me a hard time
>> finding out whats going on. I suspect some acl issue but don't know
>> where to look....
>
> looks like ACLs need to be changed to allow your new user more access
> rights. This is configured in a file equal or similar to:
>
> /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
Hi Roland,
thanks for the quick response,
> root@Apollon:/etc/ldap/slapd.d/cn=config# ls -la
> total 36
> drwxr-x--- 3 openldap openldap 4096 May 29 16:25 .
> drwxr-xr-x 3 openldap openldap 4096 May 21 19:06 ..
> -rw------- 1 openldap openldap 436 May 21 19:06 cn=module{0}.ldif
> drwxr-x--- 2 openldap openldap 4096 May 28 19:58 cn=schema
> -rw------- 1 openldap openldap 378 May 21 19:06 cn=schema.ldif
> -rw------- 1 openldap openldap 396 May 21 19:06 olcBackend={0}hdb.ldif
> -rw------- 1 openldap openldap 654 May 28 20:06 olcDatabase={0}config.ldif
> -rw------- 1 openldap openldap 657 May 21 19:06 olcDatabase={-1}frontend.ldif
> -rw------- 1 openldap openldap 1174 May 29 16:25 olcDatabase={1}hdb.ldif
So the closest I have to the above is:
> root@Apollon:/etc/ldap/slapd.d/cn=config# cat olcDatabase={1}hdb.ldif
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> # CRC32 7406601c
> dn: olcDatabase={1}hdb
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: {1}hdb
> olcDbDirectory: /var/lib/ldap
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
> s auth by dn="cn=admin,dc=nodomain" write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by self write by dn="cn=admin,dc=nodomain" write by * read
> olcLastMod: TRUE
> olcDbCheckpoint: 512 30
> olcDbConfig: {0}set_cachesize 0 2097152 0
> olcDbConfig: {1}set_lk_max_objects 1500
> olcDbConfig: {2}set_lk_max_locks 1500
> olcDbConfig: {3}set_lk_max_lockers 1500
> structuralObjectClass: olcHdbConfig
> entryUUID: 1b261c54-37b3-1031-95f6-ff2a3edb767f
> creatorsName: cn=config
> createTimestamp: 20120521170652Z
> olcSuffix: dc=pt,dc=local
> olcRootDN: cn=admin,ou=Users,dc=pt,dc=local
> olcRootPW:: e1NTSEF9UU9mUWM...............etc.........=
> olcDbIndex: uid pres,eq
> olcDbIndex: cn,sn,mail pres,eq,approx,sub
> olcDbIndex: objectClass eq
> entryCSN: 20120529142511.717367Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20120529142511Z
The "cn=admin,dc=nodomain" doesn't seem to match my setup, but I still don't
understand why it works with fixed list login; it doesn't match then either.
And I don't know how this got there, how to change it, etc.
(cn=config is a nightmare for a part-time admin....)
--
Matthias
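The quoted olcDatabase={1}hdb entry is enough to reproduce the behaviour described in this thread: olcRootDN bypasses access control entirely, so a fixed-list login as cn=admin,ou=Users,dc=pt,dc=local can write anything, while a user found by LDAP search (assumed here to resolve to uid=admin,ou=Users,dc=pt,dc=local) is only matched by the "by * read" clause, because the "by dn=" clauses still name cn=admin,dc=nodomain. The following Python script is an added example, not part of LAM or OpenLDAP: it unfolds the LDIF (note the olcAccess value that wraps onto a continuation line), parses the olcAccess rules, evaluates them with a simplified version of slapd's first-matching-rule / first-matching-by semantics, and builds an ldapmodify LDIF that replaces the stale admin DN. The sample LDIF and the uid=admin DN are constructed from the thread; the evaluator only understands the clause forms that appear in it.

```python
"""Parse olcAccess rules from an OpenLDAP cn=config database entry, evaluate
what a bound DN is allowed to do, and generate a corrected ACL as ldapmodify
input. Added example for illustration; not LAM's or OpenLDAP's own code."""
import re

# Constructed sample: the ACL-relevant lines of the quoted olcDatabase={1}hdb.ldif.
# The {0} value is folded: its continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=nodomain" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=nodomain" write by * read
olcSuffix: dc=pt,dc=local
olcRootDN: cn=admin,ou=Users,dc=pt,dc=local
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn):
    """Normalise a DN for comparison: lower-case, no blanks after commas."""
    return re.sub(r",\s*", ",", dn.strip().lower())


def unfold(ldif):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_config(ldif):
    """Return (root_dn, rules); each rule is (what, [(who, level), ...])."""
    root_dn, rules = None, []
    for line in unfold(ldif):
        if line.startswith("olcRootDN:"):
            root_dn = line.split(":", 1)[1].strip()
        elif line.startswith("olcAccess:"):
            value = re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())
            what, _, by_part = value.partition(" by ")
            clauses = [tuple(c.rsplit(" ", 1)) for c in by_part.split(" by ")]
            rules.append((what[len("to "):], clauses))
    return root_dn, rules


def rule_matches(what, target_dn, attr):
    """'to' clause: * matches all, attrs= matches listed attributes, dn.base="" the root DSE."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what == 'dn.base=""':
        return target_dn == ""
    return False


def who_matches(who, bind_dn, target_dn):
    """'by' clause subjects used in the sample: *, anonymous, users, self, dn="..."."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and norm(bind_dn) == norm(target_dn)
    if who.startswith("dn="):
        return norm(who[3:].strip('"')) == norm(bind_dn)
    return False


def access_for(config, bind_dn, target_dn, attr=None):
    """Access level for bind_dn on target_dn (optionally on one attribute).
    The rootdn bypasses ACLs; otherwise the first matching 'to' rule decides,
    and within it the first matching 'by' clause; no match means 'none'."""
    root_dn, rules = config
    if root_dn and norm(bind_dn) == norm(root_dn):
        return "manage"
    for what, clauses in rules:
        if rule_matches(what, target_dn, attr):
            for who, level in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def can_write(level):
    return LEVELS.index(level) >= LEVELS.index("write")


def acl_fix_ldif(config, new_admin_dn, old_admin_dn, db="olcDatabase={1}hdb,cn=config"):
    """Build ldapmodify input that rewrites every olcAccess rule naming old_admin_dn."""
    _, rules = config
    out = [f"dn: {db}", "changetype: modify", "replace: olcAccess"]
    for i, (what, clauses) in enumerate(rules):
        bys = " ".join(f"by {who.replace(old_admin_dn, new_admin_dn)} {lvl}" for who, lvl in clauses)
        out.append(f"olcAccess: {{{i}}}to {what} {bys}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_LDIF)
    search_user = "uid=admin,ou=Users,dc=pt,dc=local"   # assumed DN found by LAM's uid search
    target = "uid=newuser,ou=Users,dc=pt,dc=local"
    print("search login :", access_for(cfg, search_user, target))   # read -> "Insufficient access"
    print("fixed list   :", access_for(cfg, cfg[0], target))        # manage (rootdn bypass)
    print(acl_fix_ldif(cfg, search_user, "cn=admin,dc=nodomain"))
```

The generated LDIF is applied the same way the quoted entry was last modified (its modifiersName shows the ldapi peercred path): as root, `ldapmodify -Y EXTERNAL -H ldapi:/// -f fix.ldif`. Granting write to one named DN in the "to *" rule keeps the rest of the tree read-only for ordinary users, which is the least-privilege shape the original rules already had; only the DN was stale.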
_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public