Le samedi 8 mars 2014, 09:09:08 Matthew Weigel a écrit :
> On Mar 8, 2014, at 6:29 AM, Stéphane Guedon
<steph...@22decembre.eu> wrote:
> > Notably, the user fails to auth and do login (with openbsd login
> > system AND webpages) eventhough password is correct according to
> > ldap itself !
>
> That's a lot more moving parts than just passwords in LDAP.
Yes, but passwords are the first things to change to secure your
users/install.
I am currently working on a little webpage in python to allow easy
ldap management (add/remove users and groups, passwords update).
> Have you
> checked your configuration of all those moving parts? Looked at
> logs? You don't even mention what else you're using, much less how
> they've been configured or what their logs report.
I am looking through logs and config since the beginning of the day...
Actually, asking help on forums or mailing lists is always my last
step in solving problems...
here is my config :
####
include schema/core.schema
include schema/cosine.schema
include schema/inetorgperson.schema
include schema/misc.schema
include schema/nis.schema
include schema/openldap.schema
loglevel 256
pidfile run/slapd.pid
argsfile run/slapd.args
allow bind_v2
password-hash {SHA}
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=22decembre,dc=eu"
rootdn "cn=admin,dc=22decembre,dc=eu"
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
#access to attrs=userpassword
# by self write
# by anonymous auth
# by * none
#rootpw secret
rootpw {SSHA}vdszl5a7z9UlAU6iHU0xlKJCY+Tpgmv+
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory data
# Indices to maintain
index objectClass eq
index uid eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index homeDirectory eq
index loginShell eq
index cn,gn,mail pres,eq,sub
######
I have tried to disable all acl (so default policy : everything
readable). But still no possible to logon.
Here is what I get when trying to using the login_ldap with debugging
:
# /usr/local/libexec/auth/login_-ldap -d -s login stephane ldap
Password:
load_ssl_certs says:
cacert none
cacertdir none
usercert none
userkey none
parse_server_line buf = localhost
parse_server_line port == NULL, will use default
parse_server_line mode == NULL, will use default
host localhost, port 389, version 3
setting cert info
clearing ssl set
connect success!
set version to 3
defaults:
basedn ou=users,dc=22decembre,dc=eu
binddn none
bindpw none
set timeout sec 60, usec 60000
set noref 0
set keepcreds 0
bind success!
usearch:
ufilter (&(objectclass=posixAccount)(uid=stephane))
scope: sub
0: search (ou=users,dc=22decembre,dc=eu, (&(objectclass=posixAccount)
(uid=stephane)))
1: msgid 0, type 64
1: SEARCH_ENTRY userdn uid=stephane,ou=users,dc=22decembre,dc=eu
1: msgid 1, type 65
1: returning userdn = uid=stephane,ou=users,dc=22decembre,dc=eu
userdn uid=stephane,ou=users,dc=22decembre,dc=eu
user bind failed, dn: uid=stephane,ou=users,dc=22decembre,dc=eu
reject
> I am using ypldap from base and login_ldap from ports; your mileage
> may vary.
> > By the way, anybody use the light ldapd daemon included in base ?
> > can we update password with it ?
>
> I use it. It does not currently support the modify password extended
> operation (what ldappasswd relies on). I am working on a patch for
> it but I haven't finished it and it requires a bit more refactoring
> than just processing one new request.
Ok, so I think I will check ldapd from time to time...
> --
> Matthew Weigel
[demime 1.01d removed an attachment of type application/pgp-signature which had
a name of signature.asc]
