Rob Becker wrote:
Hi List,
Please help! I'm starting to get VERY frustrated with this.
I am having trouble with an OpenLDAP 2.3.22 system. I am "upgrading"
from OpenLDAP 2.2.6.
The slapd server is complaining about unrecognized control:
1.3.6.1.4.1.42.2.27.8.5.1.
That's just a warning message, it has no effect since the control is not
marked critical. In the log you attached below, the only actual error is
an incorrect password in the Bind attempt.
After doing some research and posting on some
incorrect mailing lists I have found out that this has to do with the
Password Policy module and requires it to be configured in the slapd.conf. I
noticed that the default slapd.conf file I was using included the
ppolicy.schema, but no modules were loaded. Since I was unsure of the use
of ppolicy.schema I commented it out from slapd.conf. This changed
nothing.
Why would one version throw this error and the other version not?
Current slapd.conf file:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
#include /usr/local/etc/openldap/schema/ppolicy.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attrs=userPassword,userPKCS12
    by self write
    by anonymous auth
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by * read
#######################################################################
# BDB database definitions
#######################################################################
allow bind_v2 bind_anon_dn
database bdb
suffix "dc=motogroup,dc=com"
rootdn "cn=Administrator,dc=motogroup,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {MD5}JZ6/Ojy0YGqXdnEnhLHgqw==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
Old slapd.conf file (working):
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/sudo.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attr=userPassword,userPKCS12
    by self write
    by * auth
access to attr=shadowLastChange
    by self write
    by * read
access to *
    by * read
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /usr/share/ssl/certs/ldap.pem
TLSCertificateKeyFile /usr/share/ssl/certs/ldap.pem
allow bind_v2 bind_anon_dn
database bdb
suffix "dc=motogroup,dc=com"
rootdn "cn=Administrator,dc=motogroup,dc=com"
rootpw "{crypt}DA5U3tdjldJ0M"
directory /var/lib/ldap
checkpoint 1024 5
cachesize 10000
loglevel 256
replogfile /var/lib/ldap/replog
replica uri=ldap://linuxadm03:389
    binddn="cn=Administrator, dc=motogroup, dc=com"
    bindmethod=simple credentials="admin10nt"
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
Error messages:
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 fd=20 ACCEPT from IP=10.101.25.2:33144 (IP=0.0.0.0:389)
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=0 BIND dn="" method=128
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=0 RESULT tag=97 err=0 text=
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=1 SRCH base="dc=motogroup,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testu))"
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=2 BIND dn="uid=testu,ou=people,dc=motogroup,dc=com" method=128
Jun 1 08:05:30 linuxadm03 slapd[8939]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=2 RESULT tag=97 err=49 text=
Account Info:
# testu, people, motogroup.com
dn: uid=testu,ou=people,dc=motogroup,dc=com
givenName: Test
sn: User
cn: Test User
mail: [EMAIL PROTECTED]
uid: testu
uidNumber: 2001
gidNumber: 3000
homeDirectory: /home/testu
loginShell: /bin/bash
shadowInactive: -1
shadowMax: 99999
shadowLastChange: 13047
shadowWarning: 7
shadowMin: -1
shadowExpire: -1
shadowFlag: 0
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
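The diagnosis in the reply above, automated: an added example (not from the thread, nor OpenLDAP's own code) that replays the posted stats-level (loglevel 256) log lines, pairs each BIND with the RESULT on the same conn/op, and reports the err=49 (invalidCredentials, RFC 4511) bind separately from the "unrecognized control" warning, which is logged for a non-critical control and does not affect the result. The sample log is constructed from the lines in the message with the mail line-wrapping undone.

```python
import re

# Constructed from the log lines in the thread, with the mail line-wrapping undone.
SAMPLE_LOG = """\
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 fd=20 ACCEPT from IP=10.101.25.2:33144 (IP=0.0.0.0:389)
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=0 BIND dn="" method=128
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=0 RESULT tag=97 err=0 text=
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=1 SRCH base="dc=motogroup,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=testu))"
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=2 BIND dn="uid=testu,ou=people,dc=motogroup,dc=com" method=128
Jun 1 08:05:30 linuxadm03 slapd[8939]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Jun 1 08:05:30 linuxadm03 slapd[8939]: conn=475 op=2 RESULT tag=97 err=49 text=
"""

# LDAP result codes (RFC 4511) that matter when triaging bind failures.
RESULT_CODES = {0: "success", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|RESULT|SRCH|SEARCH RESULT)(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'err=(\d+)')
CTRL_RE = re.compile(r'unrecognized control: (\S+)')

def triage(log_text):
    """Pair each BIND with its RESULT on the same conn/op.

    Returns (failed_binds, warnings): failed_binds lists binds whose RESULT
    carried a non-zero err; warnings lists the OIDs slapd merely did not
    recognize (non-critical controls are ignored and leave the RESULT as is)."""
    pending = {}    # (conn, op) -> bind DN, until its RESULT arrives
    failed, warnings = [], []
    for line in log_text.splitlines():
        m = CTRL_RE.search(line)
        if m:
            warnings.append(m.group(1))
            continue
        m = OP_RE.search(line)
        if not m:
            continue                      # ACCEPT, closed, etc.
        conn, op, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        if kind == "BIND":
            pending[(conn, op)] = DN_RE.search(rest).group(1)
        elif kind == "RESULT" and (conn, op) in pending:
            err = int(ERR_RE.search(rest).group(1))
            dn = pending.pop((conn, op))
            if err != 0:
                failed.append({"conn": conn, "op": op, "dn": dn, "err": err,
                               "reason": RESULT_CODES.get(err, "unknown")})
    return failed, warnings
```

Run on the sample, triage() returns one failed bind (op=2 for uid=testu, invalidCredentials) and one warning OID; the anonymous bind on op=0 and the search are not reported.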