Hi All,
I am trying to set up openLDAP with Kerberos5 for authentication. I found and
followed the _excellent_ howto by Turbo Fredriksson at
http://www.bayour.com/LDAPv3-HOWTO.html and almost everything is working. I
can browse, search, & modify the LDAP database using:
rootdn "cn=ldapadmin,dc=qm"
rootpw {KERBEROS} [EMAIL PROTECTED]
SASL is set up to use GSSAPI correctly, since the following password also works:
rootpw {SASL} ldapadmin
I am however having a couple of problems. First I cannot successfully bind as a
user other than the rootdn, and second I cannot bind with write access using
any auth method other than simple. I am not sure what I am doing wrong,
although I suspect that the issue is with my ACL. I would greatly appreciate
any help that is offered.
###############
## Shell Stuff ###
###############
[EMAIL PROTECTED]:/etc/ldap/ldifs$ ldapmodify -a -Y gssapi -H ldaps://ldap.qm
-f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
additional info: no write access to parent
[EMAIL PROTECTED]:/etc/ldap/ldifs$ ldapmodify -D "cn=ldapadmin,dc=qm" -Y gssapi
-a -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
additional info: no write access to parent
[EMAIL PROTECTED]:/etc/ldap/ldifs$ kinit silasb
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:/etc/ldap/ldifs$ ldapmodify -a -Y gssapi -H ldaps://ldap.qm
-f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
additional info: no write access to parent
[EMAIL PROTECTED]:/etc/ldap/ldifs$ ldapmodify -D "uid=silasb,ou=people,dc=qm"
-a -Y gssapi -H ldaps://ldap.qm -f hoke.people.qm.ldif
SASL/GSSAPI authentication started
SASL username: [EMAIL PROTECTED]
SASL SSF: 56
SASL installing layers
adding new entry "uid=hoke, ou=people, dc=qm"
ldap_add: Insufficient access (50)
additional info: no write access to parent
[EMAIL PROTECTED]:/etc/ldap/ldifs$ ldapmodify -a -x -W -H ldaps://ldap.qm -f
hoke.people.qm.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[EMAIL PROTECTED]:/etc/ldap/ldifs$ ldapmodify -D "uid=silasb,ou=people,dc=qm"
-a -x -W -H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
[EMAIL PROTECTED]:/etc/ldap/ldifs$ ldapmodify -D "cn=ldapadmin,dc=qm" -a -x -W
-H ldaps://ldap.qm -f hoke.people.qm.ldif
Enter LDAP Password:
adding new entry "uid=hoke, ou=people, dc=qm"
#################
## End Shell Stuff ##
#################
This would suggest that the Kerberos authentication is working correctly, but my
openLDAP ACLs are screwed up. Quite possible as I am new to openLDAP. Here
is my slapd.access file:
################
## slapd.access ##
################
olcAccess: to dn=".*,dc=qm"
    by dn="cn=ldapadmin,dc=qm" write
    by dn="uid=ldapadmin" write
    by dn="[EMAIL PROTECTED]" write
    by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
    by dn="uid=ldapadmin.+\+realm=QM" write
    by dn="uid=silasb" write
    by dn="[EMAIL PROTECTED]" write
    by dn="uid=silasb.+\+realm=QM" write
    by self write
    by users read
    # by * read
olcAccess: to dn.base=""
    by dn="cn=ldapadmin,dc=qm" write
    by dn="uid=ldapadmin" write
    by dn="[EMAIL PROTECTED]" write
    by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
    by dn="uid=ldapadmin.+\+realm=QM" write
    by dn="uid=silasb" write
    by dn="[EMAIL PROTECTED]" write
    by dn="uid=silasb.+\+realm=QM" write
    by self write
    by * read
# The admin dn has full write access, everyone else
# can read everything.
olcAccess: to *
    by dn="cn=ldapadmin,dc=qm" write
    by dn="uid=ldapadmin" write
    by dn="[EMAIL PROTECTED]" write
    by dn="uid=ldapadmin,cn=gssapi,cn=auth" write
    by dn="uid=ldapadmin.+\+realm=QM" write
    by dn="uid=silasb" write
    by dn="[EMAIL PROTECTED]" write
    by dn="uid=silasb.+\+realm=QM" write
    # by self write
    by * read
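To see which "by" clause a given bound identity actually hits on the parent entry ou=people,dc=qm, the following is an added toy evaluator of the poster's first ACL stanza (it is neither slapd's code nor the poster's). It assumes the OpenLDAP 2.1+ SASL-derived DN form uid=<user>,cn=<realm>,cn=<mech>,cn=auth, omits the redacted [EMAIL PROTECTED] clauses, evaluates bare dn="..." patterns under both an exact and a regex reading because the poster's file does not say which style slapd applies, and the authz-regexp mapping rule in it is hypothetical.

```python
import re

# Constructed from the poster's 'to dn=".*,dc=qm"' stanza, the rule that governs
# the parent entry ou=people,dc=qm. Each clause is (kind, pattern, access).
BY_CLAUSES = [
    ("dn", "cn=ldapadmin,dc=qm", "write"),
    ("dn", "uid=ldapadmin", "write"),
    ("dn", "uid=ldapadmin,cn=gssapi,cn=auth", "write"),
    ("dn", r"uid=ldapadmin.+\+realm=QM", "write"),
    ("dn", "uid=silasb", "write"),
    ("dn", r"uid=silasb.+\+realm=QM", "write"),
    ("self", None, "write"),
    ("users", None, "read"),
]

# Hypothetical authz-regexp (olcAuthzRegexp) rule, NOT in the post: map the
# GSSAPI identity for realm QM onto the user's entry under ou=people.
#   authz-regexp "^uid=([^,]+),cn=qm,cn=gssapi,cn=auth$" "uid=$1,ou=people,dc=qm"
AUTHZ_REGEXP = [(r"^uid=([^,]+),cn=qm,cn=gssapi,cn=auth$", r"uid=\1,ou=people,dc=qm")]

def map_sasl_dn(sasl_dn, rules=AUTHZ_REGEXP):
    """Rewrite a SASL-derived DN with the first matching authz-regexp rule;
    an identity no rule matches stays under cn=auth (compared case-insensitively)."""
    for pattern, replacement in rules:
        if re.match(pattern, sasl_dn, re.IGNORECASE):
            return re.sub(pattern, replacement, sasl_dn, flags=re.IGNORECASE)
    return sasl_dn

def first_match(bound_dn, target_dn, dn_style="exact", clauses=BY_CLAUSES):
    """Access granted by the first <by> clause that matches bound_dn, or 'none'.
    dn_style chooses how a bare dn="..." pattern is read: 'exact' or 'regex'."""
    for kind, pattern, access in clauses:
        if kind == "dn":
            if dn_style == "exact" and bound_dn.lower() == pattern.lower():
                return access
            if dn_style == "regex" and re.search(pattern, bound_dn, re.IGNORECASE):
                return access
        elif kind == "self" and bound_dn.lower() == target_dn.lower():
            return access
        elif kind == "users" and bound_dn:      # any authenticated identity
            return access
        elif kind == "*":                        # anyone, including anonymous
            return access
    return "none"

if __name__ == "__main__":
    parent = "ou=people,dc=qm"
    for who in ("uid=silasb,cn=QM,cn=gssapi,cn=auth", map_sasl_dn("uid=silasb,cn=QM,cn=gssapi,cn=auth")):
        for style in ("exact", "regex"):
            print(f"{who!r:45} {style:5} -> {first_match(who, parent, style)}")
```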