Re: pam_ldap issues

2007-07-04 Thread Thierry Lacoste
On Wednesday 04 July 2007 09:35, Eric Masson wrote:
> Thierry Lacoste <[EMAIL PROTECTED]> writes:
>
> Hello,
>
> > I have a very similar setting on 6.1
> > Maybe you have an ACL problem (see below).
> > What does the following command give?
> > ldapsearch -x -D "cn=testuser,ou=people,dc=interne,dc=example,dc=org" -W
>
> The command asks for an LDAP password, which I type, but the result is:
> ldap_bind: Invalid credentials (49).
>
> I've double checked the password and reinitialized the ldap database,
> but no change atm.
Simplify your slapd.conf as much as possible.
When the above ldapsearch works, throw in changes step by step.
In particular you should probably start with ACLs like these:

access to attrs=userPassword
   by anonymous auth
   by self write
   by * none

access to * by * read

Add "loglevel 128" to your slapd.conf to log access control list processing.

BTW what does ldapsearch -x -D "cn=Manager, dc=interne, dc=example, dc=org" -W
give?

Regards,
Thierry

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: pam_ldap issues

2007-07-04 Thread Eric Masson
Eric Masson <[EMAIL PROTECTED]> writes:

Follow up to myself, sorry

> The command asks for an LDAP password, which I type, but the result is:
> ldap_bind: Invalid credentials (49).
>
> I've double checked the password and reinitialized the ldap database,
> but no change atm.

I've rebuilt all ports, with no success until I created the
/etc/pam.d/ldap file as stated in pam_ldap's pkg-message.

It works fine now, and pam_mkhomedir creates the home directory on first
login.

Sorry for the noise.

-- 
 MW> Tss... A cyber-pimp. Now we've seen everything!
 JdC> Why not? There must be cyber-tarts out there too.
 -+- in :  - The joys of cybersex -+-


Re: pam_ldap issues

2007-07-04 Thread Eric Masson
Thierry Lacoste <[EMAIL PROTECTED]> writes:

Hello,

> I have a very similar setting on 6.1
> Maybe you have an ACL problem (see below).
> What does the following command give?
> ldapsearch -x -D "cn=testuser,ou=people,dc=interne,dc=example,dc=org" -W

The command asks for an LDAP password, which I type, but the result is:
ldap_bind: Invalid credentials (49).

I've double checked the password and reinitialized the ldap database,
but no change atm.

-- 
 BC> sorry, but I couldn't help myself.
 We noticed, but really, you shouldn't have; you weren't yet missed
 enough.
 -+- RM in  : In withdrawal -+-


Re: pam_ldap issues

2007-07-03 Thread Thierry Lacoste
I have a very similar setting on 6.1
Maybe you have an ACL problem (see below).
What does the following command give?
ldapsearch -x -D "cn=testuser,ou=people,dc=interne,dc=example,dc=org" -W

> 
> base dc=interne,dc=example,dc=org
> uri ldap://127.0.0.1:389/
>
> logdir /var/log/ldap
> #debug 256
>
> timeout 5
> bind_timeout 5
> bind_policy soft
>
> rootbinddn cn=Manager,dc=interne,dc=example,dc=org
BTW I think you can remove this one
>
> nss_base_passwd ou=people,dc=interne,dc=example,dc=org?one
> nss_base_group ou=groups,dc=interne,dc=example,dc=org?one
> 

>
> 
> include   /usr/local/etc/openldap/schema/core.schema
> include   /usr/local/etc/openldap/schema/cosine.schema
> include   /usr/local/etc/openldap/schema/inetorgperson.schema
> include   /usr/local/etc/openldap/schema/nis.schema
> include   /usr/local/etc/openldap/schema/samba.schema
>
> pidfile   /var/run/openldap/slapd.pid
> argsfile  /var/run/openldap/slapd.args
>
> modulepath/usr/local/libexec/openldap
> moduleloadback_bdb
>
> access to dn.base=""
>   by self write
>   by * auth
>
> access to attrs=userPassword
>   by self write
>   by * auth
Replace this one with
by anonymous auth
>
> access to attrs=shadowLastChange
>   by self write
>   by * auth
>
> access to *
>   by * read
>   by anonymous auth
I think you should also remove all the other lines above that contain auth.
>
> schemacheck   on
> idletimeout   30
> backend   bdb
> database  bdb
>
> suffix"dc=interne, dc=example, dc=org"
> rootdn"cn=Manager, dc=interne, dc=example, dc=org"
>
> rootpwpassword
>
> checkpoint1024 5
> cachesize 1
>
> directory /var/db/openldap-data
>
> # Indices to maintain
> index objectClass eq
> index cn  pres,sub,eq
> index sn  pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber   eq
> index gidNumber   eq
> index memberUID   eq
> index sambaSIDeq
> index sambaPrimaryGroupSIDeq
> index sambaDomainName eq
> index default sub
> 

HTH,
Thierry.
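To make the ACL advice in this thread concrete (the simplified userPassword/"access to * by * read" set proposed in the follow-up, and the "by anonymous auth" and other auth lines flagged in the quoted slapd.conf above), here is an added example that is not from the thread or from OpenLDAP: a small Python model of the slapd.access(5) first-match rule. The two ACL texts are copied from the thread; the DN "cn=someoneelse,..." and the selector support (only *, attrs=, dn.base= and *, anonymous, users, self, no stop/break/continue controls) are this example's own assumptions and simplifications.

```python
"""Toy evaluator for OpenLDAP slapd.conf access directives.

Added example, not code from the thread or from OpenLDAP. It models the
first-match rule of slapd.access(5): the first "access to" whose <what>
matches the target is selected, then the first "by" whose <who> matches
the requester decides the level. Only the selector forms used in the
thread's slapd.conf are supported; control keywords are ignored.
"""
import shlex

# Privilege levels from weakest to strongest, as listed in slapd.access(5);
# a granted level satisfies any weaker requirement.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# ACL stanzas quoted from the original poster's slapd.conf.
ORIGINAL_ACL = """
access to dn.base=""
  by self write
  by * auth

access to attrs=userPassword
  by self write
  by * auth

access to attrs=shadowLastChange
  by self write
  by * auth

access to *
  by * read
  by anonymous auth
"""

# The simplified ACL set suggested in the reply.
RECOMMENDED_ACL = """
access to attrs=userPassword
   by anonymous auth
   by self write
   by * none

access to * by * read
"""


def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    acls, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("access to"):
            tokens = shlex.split(line[len("access to"):])
            cut = tokens.index("by") if "by" in tokens else len(tokens)
            current = (" ".join(tokens[:cut]), [])  # <what> selector
            acls.append(current)
            tokens = tokens[cut:]
        else:
            tokens = shlex.split(line)  # continuation line: "by <who> <level>"
        while len(tokens) >= 3 and tokens[0] == "by" and current is not None:
            current[1].append((tokens[1], tokens[2]))
            tokens = tokens[3:]
    return acls


def what_matches(what, dn, attr):
    """Does the <what> selector cover attribute `attr` of entry `dn`?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):  # shlex turns dn.base="" into dn.base=
        return dn == what[len("dn.base="):]
    raise ValueError("unsupported <what> selector: " + what)


def who_matches(who, requester, dn):
    """Does the <who> selector cover `requester` (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == dn
    raise ValueError("unsupported <who> selector: " + who)


def granted(acls, requester, dn, attr):
    """Level `requester` gets on `attr` of `dn`; nothing matching means deny."""
    for what, bys in acls:
        if what_matches(what, dn, attr):
            for who, level in bys:
                if who_matches(who, requester, dn):
                    return level
            return "none"  # a directive matched but no <who> did
    return "none"  # simplification: treat "no directive matches" as deny


def allows(level, needed):
    """True if the granted `level` satisfies the `needed` privilege."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def unreachable_by_clauses(acls):
    """Flag "by" clauses that sit after a "by *" in the same directive:
    "*" matches every requester, so the later clauses are never evaluated."""
    findings = []
    for what, bys in acls:
        for i, (who, _) in enumerate(bys):
            if who == "*":
                for later_who, later_level in bys[i + 1:]:
                    findings.append(f'access to {what}: "by {later_who} {later_level}" '
                                    f'is shadowed by the earlier "by *" clause')
                break
    return findings


if __name__ == "__main__":
    user = "cn=testuser,ou=people,dc=interne,dc=example,dc=org"  # from the thread
    other = "cn=someoneelse,ou=people,dc=interne,dc=example,dc=org"  # constructed
    for name, text in (("original", ORIGINAL_ACL), ("recommended", RECOMMENDED_ACL)):
        acls = parse_acls(text)
        print(f"== {name} ==")
        print(" anonymous -> userPassword:", granted(acls, None, user, "userPassword"))
        print(" self      -> userPassword:", granted(acls, user, user, "userPassword"))
        print(" other     -> userPassword:", granted(acls, other, user, "userPassword"))
        print(" anonymous -> uid         :", granted(acls, None, user, "uid"))
        for finding in unreachable_by_clauses(acls):
            print(" warning:", finding)
```

Running it shows two things a reader of the thread may want to confirm: under both ACL sets an anonymous bind is granted "auth" on userPassword, so the quoted ACLs would not by themselves produce "Invalid credentials (49)" (consistent with the real cause turning out to be the missing /etc/pam.d/ldap file), and in the original set the "by anonymous auth" line under "access to *" can never be reached because "by * read" already matches everyone. The recommended set additionally closes userPassword to other authenticated users ("by * none"), which the original "by * auth" only partially did.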
