On Tue, 2005-03-01 at 09:01 +0800, Doug Campbell wrote:
> > Doug Campbell:
> > > > [...]
> > > > >>> smbldap_open: cannot access LDAP when not root...
> > > > [...]
> > > > >> As which user (Unix) is slapd (presume this is OpenLDAP) running?
> > > > >> Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
> > > > >> ACLs?
> > > > >>
> > > > >> I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
> > > > >> didn't with 3.0.7, either.
> > >
> > > My smb.conf file does have the ldap admin dn entry. The relevant section
> > > of my smb.conf file is as follows:
> > > > [...]
> >
> > Again, as which Unix user is slapd running? Who is the owner of your DB
> > files, config files, etc.? What are the permissions on them? Have you
> > certificates (i.e. the CA cert) or anything that smbd has to try to read
> > that can only be read by root? Is "cn=Manager,dc=swro,dc=local" a proxy
> > user in your DIT, or the rootdn user in slapd.conf (it's better to make a
> > proxy user in the DIT and comment out the rootdn). Can a normal user run
> > ldapsearch, for example, without being root? Etc. ;)
>
> Sorry, I forgot to put some of these answers in last time :(
>
> slapd appears to be running as user ldap when I run ps aux
>
> I enabled it to start automatically on boot up using the chkconfig utility
> in FC3.
>
> All config files are owned by root and have root as their group with the one
> exception of slapd.conf which has ldap as its group
>
> The DB files are owned by ldap and the group is ldap.
>
> I don't have any certificates to deal with as I am not using SSL/TLS. I
> actually tried to do this as a learning exercise but couldn't get it to work
> based on the documentation I read.
>
> "cn=Manager,dc=swro,dc=local" is the rootdn user in slapd.conf
>
> I wanted to have a proxy user but again when I tried using the example
> slapd.conf files for ACLs they never worked even though I followed the
> examples as given.
>
> If I just type ldapsearch at the console, it will prompt me for a password.
> I don't know what password it is asking for, though. I tried all that I have
> used and there is still no luck. The error I get is "user not found: no
> secret in database". If instead I type ldapsearch -x, it displays
> information from my ldap store. If I now switch users to a non-root user
> and execute the same two commands, I also get the same two results.
>
> Does that give a better idea of what might be wrong in my setup?

----

LDAP is probably a mistake if the user cannot comprehend basic ldap usage.

You need to get a mastery of the ldapadd/ldapmodify/ldapsearch functions
before you commit your user db for the system - how in the world do you
expect to troubleshoot?

ldapsearch -x -h localhost -W -D 'cn=Manager,dc=swro,dc=local' '(uid=*)'

Enter the password you used when you created your slapd.conf.

Don't know what password you used when you created slapd.conf? I definitely
wouldn't/shouldn't/couldn't know that.

When you figure that out...

smbpasswd -w PASSWD_THAT_YOU_USED_IN_SLAPD.CONF

You probably shouldn't be using the root-bind-dn user/password for samba,
but since that would entail understanding what LDAP ACLs and general
security are about - it's your call.

Craig

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
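A small diagnostic script for the two points raised in this thread (check that the admin DN can actually bind with ldapsearch before running smbpasswd -w, and notice when Samba's 'ldap admin dn' is the slapd rootdn, which bypasses every ACL), added here as an example and not taken from the thread or from Samba. The config file paths and the proxy-entry wording are assumptions; it reads smb.conf and slapd.conf as plain text.

```shell
#!/bin/sh
# Added example, not from the thread: reads Samba's 'ldap admin dn' from
# smb.conf, warns when it is the slapd rootdn (which bypasses every ACL),
# then tries the simple bind Craig's ldapsearch line does. Paths are assumed.
# Value of a 'key = value' line in smb.conf (first match, quotes stripped).
smb_setting() {                # $1 = smb.conf path, $2 = key
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# The rootdn directive from slapd.conf (quotes stripped).
slapd_rootdn() {               # $1 = slapd.conf path
    grep -i '^[[:space:]]*rootdn[[:space:]]' "$1" | head -n 1 |
        sed 's/^[^[:space:]]*[[:space:]]*//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# Normalise a DN for comparison: lower-case, no blanks around commas.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Exit 0 when Samba binds as the slapd rootdn.
samba_uses_rootdn() {          # $1 = smb.conf, $2 = slapd.conf
    a=$(norm_dn "$(smb_setting "$1" 'ldap admin dn')")
    b=$(norm_dn "$(slapd_rootdn "$2")")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Simple bind as the admin DN; -W prompts so the password stays off the
# command line. Run it as a non-root user too: that is where smbd failed.
bind_check() {                 # $1 = bind DN, $2 = search base, $3 = host
    ldapsearch -x -h "${3:-localhost}" -D "$1" -W -b "$2" -s base '(objectClass=*)' >/dev/null
}

main() {
    smb=${1:-/etc/samba/smb.conf}; slapd=${2:-/etc/openldap/slapd.conf}
    dn=$(smb_setting "$smb" 'ldap admin dn'); suffix=$(smb_setting "$smb" 'ldap suffix')
    if samba_uses_rootdn "$smb" "$slapd"; then
        echo "WARNING: ldap admin dn '$dn' is the slapd rootdn; bind Samba as a proxy entry with write ACLs instead"
    fi
    if bind_check "$dn" "$suffix"; then
        echo "bind OK: store the same password with: smbpasswd -w <password>"
    else
        echo "bind FAILED for '$dn': fix the DN or password before running smbpasswd -w"
    fi
}

# Run only when given arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh check-ldap-admin.sh /etc/samba/smb.conf /etc/openldap/slapd.conf`, once as root and once as an ordinary user, to see whether the bind itself is what differs between the two.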
