Open LDAP shows details with anonymous authentication only
Hi,
I am mailing this after a good amount of different searches on different error logs in these forums.
My server environment:
OS RHEL4
OpenLDAP 2.2.13-4
Java clients from Windows machine.
I run /usr/local/libexec/slapd -d 5 &.
I am able to do an ldapsearch easily and successfully on the server host.
When I try to connect from a client named "ldapbrowser" I am unable to see the LDAP db.
When I "bind anonymously" to my server from an external machine (Windows based) I am able to list the db contents.
The same ldapbrowser is listing the contents of Active Directory (a separate Windows 2000 server machine) with proper authentication as a normal user.
I am able to log in to a Linux client machine using this server config, of course without a home directory, because I have not listed autofs in my LDAP config.
I am not running saslauthd, nscd etc. Does the LDAP server depend on saslauthd? If I want to run LDAP without SASL, what should my config be?
I am sure that this is not a problem with the operating system, because my ldapbrowser software lists the contents of the LDAP server if I connect anonymously, i.e. "anonymous bind".
slapd.conf (I have trimmed unused and commented sections):
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/*.schema
include /usr/local/etc/openldap/slapd.access.conf
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
defaultsearchbase "dc=sanofiinternal,dc=com"
database bdb
suffix "dc=sanofiinternal,dc=com"
rootdn "cn=sanofildapmanager,dc=ldapserver,dc=sanofiinternal,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Error message when querying the server from ldapbrowser:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ldap_pvt_gethostbyname_a: host=ldapserver.sanofiinternal.com, r=0
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <sanofiuser5>
=> ldap_bv2dn(sanofiuser5,0)
<= ldap_bv2dn(sanofiuser5,0)=-4
bind: invalid dn (sanofiuser5)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=34 matched="" text="invalid DN"
send_ldap_response: msgid=1 tag=97 err=34
ber_flush: 24 bytes to sd 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
slapd.access.conf:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
access to dn.regex=".*,dc=sanofiinternal,dc=com$" attrs=userPassword
by dn="cn=root,dc=sanofi,dc=com$" write
by self write
by * auth
access to dn.regex=".*,dc=sanofiinternal,dc=com$" attrs=mail
by dn="cn=root,dc=sanofi,dc=com$" write
by self write
by * read
access to dn.regex=".*,ou=users,dc=sanofiinternal,dc=com$"
by * read
access to dn.regex=".*,dc=sanofiinternal,dc=com$"
by self write
by * read
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thank you
Mahen
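An added example, not from the post or from OpenLDAP, that reads slapd -d 5 output like the excerpt above and classifies each BindResponse: an err=34 (invalidDNSyntax) preceded by "bind: invalid dn" means the client sent a bare login name rather than a DN, so the bind is rejected before any password or ACL check. The ou=users branch is taken from the ACLs above, the uid= naming attribute is an assumption, and the second, anonymous bind in the log is constructed.

```python
import re

# Constructed log excerpts in the shape of the slapd -d 5 output quoted above:
# the failed bind from the post, followed by a (constructed) anonymous bind.
SLAPD_LOG = """\
do_bind
>>> dnPrettyNormal: <sanofiuser5>
<= ldap_bv2dn(sanofiuser5,0)=-4
bind: invalid dn (sanofiuser5)
send_ldap_result: err=34 matched="" text="invalid DN"
send_ldap_response: msgid=1 tag=97 err=34
do_bind
send_ldap_response: msgid=2 tag=97 err=0
"""

# LDAP result codes relevant to bind problems (RFC 4511 names).
RESULT_CODES = {0: "success", 34: "invalidDNSyntax",
                49: "invalidCredentials", 50: "insufficientAccessRights"}
BIND_RESPONSE_TAG = 97  # application tag of an LDAP BindResponse

# Loose DN check: one or more "attr=value" RDNs separated by commas.
DN_RE = re.compile(r"\s*[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*\s*")

def looks_like_dn(value):
    return DN_RE.fullmatch(value) is not None

def diagnose_binds(log_text, people_base):
    """Return one dict per BindResponse found in a slapd -d 5 log.
    people_base is the assumed container of user entries (e.g. ou=users,...)."""
    findings, bad_dn = [], None
    for line in log_text.splitlines():
        m = re.match(r"bind: invalid dn \((.*)\)", line)
        if m:                       # slapd rejected the bind DN before auth
            bad_dn = m.group(1)
            continue
        m = re.match(r"send_ldap_response: msgid=(\d+) tag=(\d+) err=(\d+)", line)
        if m and int(m.group(2)) == BIND_RESPONSE_TAG:
            code = int(m.group(3))
            finding = {"msgid": int(m.group(1)), "err": code,
                       "name": RESULT_CODES.get(code, "unknown")}
            if code == 34 and bad_dn is not None and not looks_like_dn(bad_dn):
                # The client sent a bare login name where a full DN is required.
                finding["hint"] = f"bind with uid={bad_dn},{people_base} instead of {bad_dn!r}"
            findings.append(finding)
            bad_dn = None
    return findings
```

Running diagnose_binds(SLAPD_LOG, "ou=users,dc=sanofiinternal,dc=com") flags the first bind as invalidDNSyntax with a hint to bind as uid=sanofiuser5,ou=users,dc=sanofiinternal,dc=com and the second as success.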