After searching, it just came out with the error:
"Mail id invalid or not unique,can't resolve to directory authorisation entry".
Vineeta
Vineeta wrote:
> Hi,
> I understand that a bind operation has to be performed prior to any data being
> fetched. Now, I tried the following:
> In my slapd.conf file, I have put
> rootdn "cn=admin, o=xxx Limited, c=IN"
> rootpw secret
>
> Now, in my ldap.conf file, I only have the following two lines:
> binddn cn=admin, o=xxx Limited,c=IN
> bindpw secret
>
> I have OpenLDAP version 1.2.7-2.
> Now, in the slapd.conf file, I have provided the following ACLs:
> access to *
> by dn=".*, o=xxx Limited, c=IN" read
> by * search
>
> Now, when I start ldap and try accessing info from Netscape's address book as
> follows:
> After clicking on login with username & password, I get a dialog box asking to
> enter E-mail and password; I enter:
> E-mail:[EMAIL PROTECTED]
> password:yyy's password
>
> But it goes into an infinite loop searching... I waited for at least 3-4 minutes.
> In debug mode, it searches through all the entries and says "access granted by
> clause #2".
> I recently installed pam_ldap,
> but I'm not too sure if it's working. How do I check that?
> Also, do I need any other packages for authorisation?
>
> Cheers,
> Vineeta
>
> Pierangelo Masarati wrote:
>
> > Vineeta wrote:
> >
> > > Sorry, that was a typing error.
> > > But what I want is that users should get authenticated by some password
> > > mechanism and then gain access to the directory server while preventing
> > > anonymous login.
> >
> > The ACLs are right; I'm not sure what you mean to do with your client.
> > If you are talking about accessing a directory server for purposes other
> > than authenticating a user with pam, this is not the right mailing list.
> >
> > If you want the pam_ldap stuff to work with very strict ACLs, you need
> > to make pam_ldap search your entry, i.e. everyone needs search access
> > to the attributes used by the pam_ldap module (OpenLDAP 1.x):
> >
> > access to attrs=uid
> > by dn=".*,ou=People,dc=my,dc=org" read
> > by * search
> >
> > access to *
> > by dn=".*,ou=People,dc=my,dc=org" read
> > by * none
> >
> > (uid is the default user id attribute); a better choice is to make
> > the pam_ldap module bind itself as an application with some
> > administrative-like privileges. Suppose you have an entry
> >
> > dn: cn=pam,ou=Admin,dc=my,dc=org
> > objectClass: top
> > objectClass: simpleSecurityObject
> > userPassword: secret
> >
> > and you add in your /etc/ldap.conf file the entries
> >
> > binddn cn=pam,ou=Admin,dc=my,dc=org
> > bindpw secret
> >
> > then the ACLs
> >
> > access to attrs=uid
> > by dn="cn=pam,ou=Admin,dc=my,dc=org" search
> > by dn=".*,ou=People,dc=my,dc=org" read
> > by * none
> >
> > access to *
> > by dn=".*,ou=People,dc=my,dc=org" read
> > by * none
> >
> > then pam_ldap will be allowed to search for uid, authenticated
> > users will be allowed to read everything and unauthenticated
> > users will be bounced with no results at all.
> >
> > If you are trying, for instance, to browse a directory server with Netscape's
> > address book, then you need to set the "login with name and password"
> > button in the directory definition dialog box, then you'll be prompted for
> > email and password, then you'll be authenticated against the directory server
> > and you'll be allowed to access attributes protected by ACLs as
> >
> > access to attrs=mail
> > by dn=".*,ou=People,dc=my,dc=org" read
> > by * search
> >
> > access to attrs=cn,sn,telephonenumber
> > by dn=".*,ou=People,dc=my,dc=org" read
> > by * none
> >
> > (mail must be searchable by everyone to let netscape find your entry)
> > or, if you're using OpenLDAP 2.0,
> >
> > access to attrs=mail
> > by users read
> > by * auth
> >
> > access to attrs=cn,sn,telephonenumber
> > by users read
> > by * none
> >
> > (see their FAQ at http://www.openldap.org)
> >
> > If you're writing your own application, what you need to do
> > before accessing data is a bind operation (man ldap_bind(3)).
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
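As an added illustration, not part of the thread and not OpenLDAP's own code: a small Python model of how slapd evaluates the ACLs Pierangelo quotes, selecting the first `access to` clause whose attribute matches and then the first matching `by` clause. The anchored, case-insensitive regex match of the bound DN and the default of no access when nothing matches are assumptions that approximate slapd, not its implementation.

```python
import re

# slapd's access levels, weakest to strongest: granting a level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed rule sets mirroring the ACLs quoted in the thread. Each entry is one
# "access to attrs=..." clause (attrs=None stands for "access to *") with its
# ordered "by" list as (who-kind, dn-regex-or-None, level).
PEOPLE = r".*,ou=People,dc=my,dc=org"
ACLS_1X = [  # the OpenLDAP 1.x variant: anonymous may search mail to find an entry
    {"attrs": {"mail"}, "by": [("dn", PEOPLE, "read"), ("*", None, "search")]},
    {"attrs": {"cn", "sn", "telephonenumber"}, "by": [("dn", PEOPLE, "read"), ("*", None, "none")]},
    {"attrs": None, "by": [("dn", PEOPLE, "read"), ("*", None, "none")]},
]
ACLS_20 = [  # the OpenLDAP 2.0 variant using the "users" keyword and "auth" level
    {"attrs": {"mail"}, "by": [("users", None, "read"), ("*", None, "auth")]},
    {"attrs": {"cn", "sn", "telephonenumber"}, "by": [("users", None, "read"), ("*", None, "none")]},
]

def who_matches(kind, pattern, bind_dn):
    """Does this <who> selector match the requester? bind_dn None means anonymous."""
    if kind == "*":
        return True
    if kind == "users":                       # any authenticated (bound) requester
        return bind_dn is not None
    if kind == "dn":                          # 1.x style: regex against the bound DN (assumed anchored)
        return bind_dn is not None and re.fullmatch(pattern, bind_dn, re.I) is not None
    raise ValueError(f"unknown who-kind {kind!r}")

def granted(bind_dn, attr, acls):
    """Level slapd grants: the first <what> clause matching the attribute is selected,
    then its first matching <who>; no matching <who> means no access (evaluation stops)."""
    for acl in acls:
        if acl["attrs"] is not None and attr.lower() not in acl["attrs"]:
            continue
        for kind, pattern, level in acl["by"]:
            if who_matches(kind, pattern, bind_dn):
                return level
        return "none"
    return "none"   # assumption: no clause matched -> no access (1.x's defaultaccess may differ)

def allowed(bind_dn, attr, needed, acls):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(bind_dn, attr, acls)) >= LEVELS.index(needed)

if __name__ == "__main__":
    for dn in (None, "cn=yyy,ou=People,dc=my,dc=org"):      # constructed sample requesters
        for attr in ("mail", "cn"):
            print(dn or "anonymous", attr, granted(dn, attr, ACLS_1X), granted(dn, attr, ACLS_20))
```

Run as-is it prints, for each requester and attribute, what the 1.x and 2.0 rule sets grant; note that under the 2.0 rules an anonymous client gets only `auth` on `mail`, so it can no longer search for an entry by e-mail address before binding.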