Le samedi 8 mars 2014, 09:09:08 Matthew Weigel a écrit : > On Mar 8, 2014, at 6:29 AM, Stéphane Guedon <steph...@22decembre.eu> wrote: > > Notably, the user fails to auth and do login (with openbsd login > > system AND webpages) eventhough password is correct according to > > ldap itself ! > > That's a lot more moving parts than just passwords in LDAP.
Yes, but passwords are the first things to change to secure your users/install. I am currently working on a little webpage in python to allow easy ldap management (add/remove users and groups, passwords update). > Have you > checked your configuration of all those moving parts? Looked at > logs? You don't even mention what else you're using, much less how > they've been configured or what their logs report. I am looking through logs and config since the beginning of the day... Actually, asking help on forums or mailing lists is always my last step in solving problems... here is my config : #### include schema/core.schema include schema/cosine.schema include schema/inetorgperson.schema include schema/misc.schema include schema/nis.schema include schema/openldap.schema loglevel 256 pidfile run/slapd.pid argsfile run/slapd.args allow bind_v2 password-hash {SHA} ####################################################################### # BDB database definitions ####################################################################### database bdb suffix "dc=22decembre,dc=eu" rootdn "cn=admin,dc=22decembre,dc=eu" access to dn.base="" by * read access to dn.base="cn=Subschema" by * read #access to attrs=userpassword # by self write # by anonymous auth # by * none #rootpw secret rootpw {SSHA}vdszl5a7z9UlAU6iHU0xlKJCY+Tpgmv+ # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory data # Indices to maintain index objectClass eq index uid eq index uidNumber eq index gidNumber eq index memberUid eq index homeDirectory eq index loginShell eq index cn,gn,mail pres,eq,sub ###### I have tried to disable all acl (so default policy : everything readable). But still no possible to logon. Here is what I get when trying to using the login_ldap with debugging : # /usr/local/libexec/auth/login_-ldap -d -s login stephane ldap Password: load_ssl_certs says: cacert none cacertdir none usercert none userkey none parse_server_line buf = localhost parse_server_line port == NULL, will use default parse_server_line mode == NULL, will use default host localhost, port 389, version 3 setting cert info clearing ssl set connect success! set version to 3 defaults: basedn ou=users,dc=22decembre,dc=eu binddn none bindpw none set timeout sec 60, usec 60000 set noref 0 set keepcreds 0 bind success! usearch: ufilter (&(objectclass=posixAccount)(uid=stephane)) scope: sub 0: search (ou=users,dc=22decembre,dc=eu, (&(objectclass=posixAccount) (uid=stephane))) 1: msgid 0, type 64 1: SEARCH_ENTRY userdn uid=stephane,ou=users,dc=22decembre,dc=eu 1: msgid 1, type 65 1: returning userdn = uid=stephane,ou=users,dc=22decembre,dc=eu userdn uid=stephane,ou=users,dc=22decembre,dc=eu user bind failed, dn: uid=stephane,ou=users,dc=22decembre,dc=eu reject > I am using ypldap from base and login_ldap from ports; your mileage > may vary. > > By the way, anybody use the light ldapd daemon included in base ? > > can we update password with it ? > > I use it. It does not currently support the modify password extended > operation (what ldappasswd relies on). I am working on a patch for > it but I haven't finished it and it requires a bit more refactoring > than just processing one new request. Ok, so I think I will check ldapd from time to time... > -- > Matthew Weigel [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]