Hi,

I deleted everything and did everything from scratch, but I have the same problem. I am using RH 5.4.
I am posting my configuration

slapd.conf

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/pykota.schema

allow bind_v2
loglevel 128
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

access to dn.subtree="ou=PyKota,dc=test,dc=xx"
        by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to dn.subtree="ou=people,dc=test,dc=xx"
        by dn="cn=mmm,dc=test,dc=xx" manage
        by dn="cn=pykotaadmin,dc=test,dc=xx" manage
        by * read
access to dn.subtree="ou=Groups,dc=test,dc=xx"
        by dn="cn=pykotaadmin,dc=test,dc=xx" write
access to *
        by self write
        by users read
        by * none
access to attrs=userPassword
        by self =w
        by anonymous auth

database bdb
suffix "dc=test,dc=xx"
rootdn "cn=admin,dc=test,dc=xx"
rootpw {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index pykotaUserName pres,eq,sub
index pykotaGroupName pres,eq,sub
index pykotaPrinterName pres,eq,sub
index pykotaBillingCode pres,eq,sub
index pykotaLastJobIdent eq

my ldif

# extended LDIF
#
# LDAPv3
# base <dc=test,dc=xx> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test.xx
dn: dc=test,dc=xx
objectClass: dcObject
objectClass: organization
o: Directory Server
dc:: dGVzdCA=

# admin, test.xx
dn: cn=admin,dc=test,dc=xx
objectClass: organizationalRole
objectClass: posixAccount
cn:: YWRtaW4g
gidNumber: 500
homeDirectory: /home/admin
uid: admin
uidNumber: 500

# mmm, test.xx
dn: cn=mmm,dc=test,dc=xx
cn:: bW1tIA==
sn: mmm
objectClass: person
objectClass: top
userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=

# people, test.xx
dn: ou=people,dc=test,dc=xx
objectClass: top
objectClass: organizationalUnit
ou: people
description: Fictional example organizational unit

# bjensen, people, test.xx
dn: uid=bjensen,ou=people,dc=test,dc=xx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs Jensen
sn: Jensen
givenName: Babs
uid: bjensen
ou: people
description: Fictional example person
telephoneNumber: 555-5557
userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

And this is the log

Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access to "cn=mmm,dc=test,dc=xx" "userPassword" requested
Dec 22 09:42:07 sim slapd[11187]: => dn: [1] ou=pykota,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => dn: [2] ou=people,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => dn: [3] ou=groups,dc=test,dc=xx
Dec 22 09:42:07 sim slapd[11187]: => acl_get: [4] attr userPassword
Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state (userPassword)
Dec 22 09:42:07 sim slapd[11187]: => acl_mask: access to entry "cn=mmm,dc=test,dc=xx", attr "userPassword" requested
Dec 22 09:42:07 sim slapd[11187]: => acl_mask: to value by "", (=0)
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: self
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: users
Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: *
Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] applying none(=0) (stop)
Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] mask: none(=0)
Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access denied by none(=0)

Thank you

On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik <sty...@turnovfree.net> wrote:
> Il Neofita wrote:
>> Hi
>
> Hello,
>
>> I am new and probably I am facing a very basic error
>>
>> I am trying to create an admin for a subset
>>
>> I created this ldif
>> dn: cn=mmmm,dc=test,dc=xx
>> cn: mmmm
>> sn: mmmm
>> objectClass: person
>> objectClass: top
>> userPassword: test
>>
>
> If you added it exactly like this-
> 1] delete dn: cn=mmmm,dc=test,dc=xx
> 2] use % slappasswd; to generate password HASH
> 3] add DN again
>
> --- SNIP ---
> slappasswd -s test
> {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
> --- SNIP ---
> --- SNIP ---
> dn: cn=mmmm,dc=test,dc=xx
> cn: mmmm
> sn: mmmm
> objectClass: person
> objectClass: top
> userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
> --- SNIP ---
>
> Just a morning loto :)
>
> Regards,
> Zdenek
>
>> then in slapd.conf
>>
>> ...
>> access to dn.subtree="ou=people,dc=test,dc=xx"
>>         by dn="cn=mmmm,dc=test,dc=xx" write
>>         by * read
>> ...
>>
>> Restarted ldap
>>
>> ldapsearch -x -D "cn=mmmm,dc=test,dc=xx" -W '(objectclass=*)'
>> ldap_bind: Invalid credentials (49)
>>
>> What am I doing wrong?
>
>
> --
> Zdenek Styblik
> Net/Linux admin
> OS TurnovFree.net
> email: sty...@turnovfree.net
> jabber: sty...@jabber.turnovfree.net
>
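
Added example, not part of the original thread and not OpenLDAP code: a simplified Python model of slapd's access evaluation (the first matching `access to` is used, then the first matching `by`), applied to the ACL list from the posted slapd.conf. It assumes only the `dn.subtree`, `attrs` and `by` forms that appear in that file; `REORDERED` is a hypothetical ordering with the `attrs=userPassword` rule placed first, and all function and variable names are made up for this example.

```python
# Added example: simplified model of slapd first-match ACL evaluation (not OpenLDAP code).
PRIVS = {"none": "", "disclose": "d", "auth": "xd", "compare": "cxd",
         "search": "scxd", "read": "rscxd", "write": "wrscxd", "manage": "mwrscxd"}
NEEDS = {"auth": "x", "read": "r", "write": "w"}  # privilege each request requires

SUFFIX = "dc=test,dc=xx"
ADMIN, MMM = "cn=pykotaadmin," + SUFFIX, "cn=mmm," + SUFFIX
# Each rule: (subtree or None for "*", attrs or None for all, [(who, access), ...])
PW_RULE = (None, {"userpassword"}, [("self", "=w"), ("anonymous", "auth")])
CATCH_ALL = (None, None, [("self", "write"), ("users", "read"), ("*", "none")])
SUBTREES = [
    ("ou=pykota," + SUFFIX, None, [(ADMIN, "write")]),
    ("ou=people," + SUFFIX, None, [(MMM, "manage"), (ADMIN, "manage"), ("*", "read")]),
    ("ou=groups," + SUFFIX, None, [(ADMIN, "write")]),
]
POSTED = SUBTREES + [CATCH_ALL, PW_RULE]        # order in the posted slapd.conf
REORDERED = [PW_RULE] + SUBTREES + [CATCH_ALL]  # hypothetical: userPassword rule first


def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn == entry_dn
    return bind_dn == who  # by dn="..." (exact DN)


def evaluate(acls, entry_dn, attr, bind_dn, want):
    """Return (acl_no, by_no, granted); numbers are 1-based like slapd's ACL log."""
    entry_dn, attr, bind_dn = entry_dn.lower(), attr.lower(), bind_dn.lower()
    for acl_no, (subtree, attrs, by_list) in enumerate(acls, 1):
        in_scope = (subtree is None or entry_dn == subtree
                    or entry_dn.endswith("," + subtree))
        if not in_scope or (attrs is not None and attr not in attrs):
            continue  # <what> does not match; try the next "access to"
        for by_no, (who, access) in enumerate(by_list, 1):
            if who_matches(who, bind_dn, entry_dn):
                # "=w" style specs list privileges directly; names map via PRIVS
                privs = access[1:] if access.startswith("=") else PRIVS[access]
                return acl_no, by_no, NEEDS[want] in privs
        return acl_no, None, False  # implicit trailing "by * none"
    return None, None, False  # no rule matched: access denied
```

For the anonymous auth request on `cn=mmm,dc=test,dc=xx` the model returns rule 4, by-clause 3, denied under `POSTED`, which lines up with the `acl_get: [4]` and `acl_mask: [3] applying none(=0)` log lines, and rule 1, by-clause 2, granted under `REORDERED`. It also shows that `by * read` on `ou=people` lets an anonymous client read `userPassword` on entries there under `POSTED`, which `REORDERED` prevents.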