Thank you for your reply. You are right, the problem was the ACL order. Thank you for the support.

On Thu, Dec 24, 2009 at 2:56 AM, Zdenek Styblik <sty...@turnovfree.net> wrote:
> Il Neofita wrote:
>> Hi
>> I deleted everything and did everything from scratch, but I have the
>> same problem.
>> I am using RH 5.4
>>
>
> Hello,
>
> I have no idea what the problem might be. Yet, I've noticed you don't
> have a HASH type prefix on your passwords, and it should be there.
>
> userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
> XXX
> userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
>
> The next thing I can suggest is to strip all ACLs except the basic ones
> and build up, build up...
> I'd also move attrs=userPassword up in the tree, as ACL evaluation ends when the
> first match is found. Thus it's possible this ACL is never matched.
>
> Regards,
> Zdenek
>
>
>> I am posting my configuration
>>
>> slapd.conf
>>
>> include /etc/openldap/schema/core.schema
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> include /etc/openldap/schema/misc.schema
>> include /etc/openldap/schema/openldap.schema
>> include /etc/openldap/schema/redhat/autofs.schema
>> include /etc/openldap/schema/pykota.schema
>>
>> allow bind_v2
>> loglevel 128
>>
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>>
>> access to dn.subtree="ou=PyKota,dc=test,dc=xx"
>>         by dn="cn=pykotaadmin,dc=test,dc=xx" write
>>
>> access to dn.subtree="ou=people,dc=test,dc=xx"
>>         by dn="cn=mmm,dc=test,dc=xx" manage
>>         by dn="cn=pykotaadmin,dc=test,dc=xx" manage
>>         by * read
>>
>> access to dn.subtree="ou=Groups,dc=test,dc=xx"
>>         by dn="cn=pykotaadmin,dc=test,dc=xx" write
>>
>> access to *
>>         by self write
>>         by users read
>>         by * none
>>
>> access to attrs=userPassword
>>         by self =w
>>         by anonymous auth
>>
>> database bdb
>> suffix "dc=test,dc=xx"
>> rootdn "cn=admin,dc=test,dc=xx"
>> rootpw {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
>>
>> directory /var/lib/ldap
>>
>> index objectClass eq,pres
>> index ou,cn,mail,surname,givenname eq,pres,sub
>> index uidNumber,gidNumber,loginShell eq,pres
>> index uid,memberUid eq,pres,sub
>> index nisMapName,nisMapEntry eq,pres,sub
>> index pykotaUserName pres,eq,sub
>> index pykotaGroupName pres,eq,sub
>> index pykotaPrinterName pres,eq,sub
>> index pykotaBillingCode pres,eq,sub
>> index pykotaLastJobIdent eq
>>
>>
>> my ldif
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=test,dc=xx> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # test.xx
>> dn: dc=test,dc=xx
>> objectClass: dcObject
>> objectClass: organization
>> o: Directory Server
>> dc:: dGVzdCA=
>>
>> # admin, test.xx
>> dn: cn=admin,dc=test,dc=xx
>> objectClass: organizationalRole
>> objectClass: posixAccount
>> cn:: YWRtaW4g
>> gidNumber: 500
>> homeDirectory: /home/admin
>> uid: admin
>> uidNumber: 500
>>
>> # mmm, test.xx
>> dn: cn=mmm,dc=test,dc=xx
>> cn:: bW1tIA==
>> sn: mmm
>> objectClass: person
>> objectClass: top
>> userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
>>
>> # people, test.xx
>> dn: ou=people,dc=test,dc=xx
>> objectClass: top
>> objectClass: organizationalUnit
>> ou: people
>> description: Fictional example organizational unit
>>
>> # bjensen, people, test.xx
>> dn: uid=bjensen,ou=people,dc=test,dc=xx
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: inetOrgPerson
>> cn: Babs Jensen
>> sn: Jensen
>> givenName: Babs
>> uid: bjensen
>> ou: people
>> description: Fictional example person
>> telephoneNumber: 555-5557
>> userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 6
>> # numEntries: 5
>>
>>
>> And this is the log
>>
>> Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access to "cn=mmm,dc=test,dc=xx" "userPassword" requested
>> Dec 22 09:42:07 sim slapd[11187]: => dn: [1] ou=pykota,dc=test,dc=xx
>> Dec 22 09:42:07 sim slapd[11187]: => dn: [2] ou=people,dc=test,dc=xx
>> Dec 22 09:42:07 sim slapd[11187]: => dn: [3] ou=groups,dc=test,dc=xx
>> Dec 22 09:42:07 sim slapd[11187]: => acl_get: [4] attr userPassword
>> Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state (userPassword)
>> Dec 22 09:42:07 sim slapd[11187]: => acl_mask: access to entry "cn=mmm,dc=test,dc=xx", attr "userPassword" requested
>> Dec 22 09:42:07 sim slapd[11187]: => acl_mask: to value by "", (=0)
>> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: self
>> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: users
>> Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: *
>> Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] applying none(=0) (stop)
>> Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] mask: none(=0)
>> Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access denied by none(=0)
>>
>>
>> Thank you
>>
>> On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik <sty...@turnovfree.net> wrote:
>>> Il Neofita wrote:
>>>> Hi
>>> Hello,
>>>
>>>> I am new and probably I am facing a very basic error.
>>>>
>>>> I am trying to create an admin for a subset.
>>>>
>>>> I created this ldif:
>>>> dn: cn=mmmm,dc=test,dc=xx
>>>> cn: mmmm
>>>> sn: mmmm
>>>> objectClass: person
>>>> objectClass: top
>>>> userPassword: test
>>>>
>>> If you added it exactly like this:
>>> 1] delete dn: cn=mmmm,dc=test,dc=xx
>>> 2] use % slappasswd; to generate the password HASH
>>> 3] add the DN again
>>>
>>> --- SNIP ---
>>> slappasswd -s test
>>> {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
>>> --- SNIP ---
>>> --- SNIP ---
>>> dn: cn=mmmm,dc=test,dc=xx
>>> cn: mmmm
>>> sn: mmmm
>>> objectClass: person
>>> objectClass: top
>>> userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
>>> --- SNIP ---
>>>
>>> Just a morning loto :)
>>>
>>> Regards,
>>> Zdenek
>>>
>>>> then in slapd.conf
>>>>
>>>> ...
>>>> access to dn.subtree="ou=people,dc=test,dc=xx"
>>>>         by dn="cn=mmmm,dc=test,dc=xx" write
>>>>         by * read
>>>> ...
>>>>
>>>> Restarted ldap
>>>>
>>>> ldapsearch -x -D "cn=mmmm,dc=test,dc=xx" -W '(objectclass=*)'
>>>> ldap_bind: Invalid credentials (49)
>>>>
>>>> What am I doing wrong?
>>>
>>> --
>>> Zdenek Styblik
>>> Net/Linux admin
>>> OS TurnovFree.net
>>> email: sty...@turnovfree.net
>>> jabber: sty...@jabber.turnovfree.net
>>>
>
>
> --
> Zdenek Styblik
> Net/Linux admin
> OS TurnovFree.net
> email: sty...@turnovfree.net
> jabber: sty...@jabber.turnovfree.net
>
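To make the first-match rule concrete, here is an added example (not code from the thread or from OpenLDAP) that models how slapd walks its "access to" clauses, fed with the ACLs from the posted slapd.conf. It is a simplified reading of slapd.access(5): the first clause whose target matches the entry and attribute decides, and later clauses are never consulted. It reproduces the "auth access denied by none(=0)" in the posted log, shows the result after Zdenek's suggested reordering, and also shows that in the posted order the "by * read" on ou=people lets anonymous binds read userPassword hashes of entries under it.

```python
# Privilege letters granted by each slapd access level (slapd.access(5)).
LEVEL_PRIVS = {"none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
               "search": "scdx", "read": "rscdx", "write": "wrscdx",
               "manage": "mwrscdx"}

def privs(level):
    """'=w' style levels grant exactly the listed letters, nothing more."""
    return set(level[1:]) if level.startswith("=") else set(LEVEL_PRIVS[level])

def in_subtree(entry_dn, base_dn):
    e, b = entry_dn.lower(), base_dn.lower()
    return e == b or e.endswith("," + b)

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    return who.lower() == bind_dn.lower()          # by dn="..."

def access_allowed(acls, bind_dn, entry_dn, attr, priv):
    """True if bind_dn holds privilege letter `priv` ('x' auth, 'r' read,
    'w' write) on `attr` of `entry_dn`; the first matching clause decides."""
    for clause in acls:
        if "subtree" in clause and not in_subtree(entry_dn, clause["subtree"]):
            continue
        if "attrs" in clause and attr not in clause["attrs"]:
            continue
        for who, level in clause["by"]:             # first matching 'by' wins
            if who_matches(who, bind_dn, entry_dn):
                return priv in privs(level)
        return False                                # clause matched, no 'by' did
    return False                                    # nothing matched: denied

# The ACLs from the posted slapd.conf, in the posted order.
PYKOTA = "cn=pykotaadmin,dc=test,dc=xx"
ORIGINAL = [
    {"subtree": "ou=PyKota,dc=test,dc=xx", "by": [(PYKOTA, "write")]},
    {"subtree": "ou=people,dc=test,dc=xx", "by": [("cn=mmm,dc=test,dc=xx", "manage"),
                                                  (PYKOTA, "manage"), ("*", "read")]},
    {"subtree": "ou=Groups,dc=test,dc=xx", "by": [(PYKOTA, "write")]},
    {"by": [("self", "write"), ("users", "read"), ("*", "none")]},   # access to *
    {"attrs": ["userPassword"], "by": [("self", "=w"), ("anonymous", "auth")]},
]
# Zdenek's fix, placed at the top so it also shadows ou=people's "by * read" for this attr.
FIXED = [ORIGINAL[4]] + ORIGINAL[:4]
```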