Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to
LinuxQuestions.org , a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free.
Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please
contact us . If you need to reset your password,
click here .
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
Click Here to receive this Complete Guide absolutely free.
#16
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Rep:
Quote:
When I execute :
Without configuring ldap.conf you are asking OpenLDAP to search for information without telling it where to search.
Quote:
This ldapsearch gives results, no problem.
Can you change any confidential information and show us the output from ldapsearch when the "access to *" lines are not present?
#17
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632
Original Poster
Rep:
Quote:
Originally Posted by
jamrock
Can you change any confidential information and show us the output from ldapsearch when the "access to *" lines are not present?
Code:
[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=101001,dc=mydomain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# 101001, mydomain.local
dn: ou=101001,dc=mydomain,dc=local
ou: 101001
objectClass: organizationalUnit
objectClass: top
# U101001, 101001, mydomain.local
dn: cn=U101001,ou=101001,dc=mydomain,dc=local
cn: U101001
sn: U101001
userPassword:: dGVzdDEwMTAwMQ==
objectClass: inetOrgPerson
objectClass: top
# Company VC, 101001, mydomain.local
dn: cn=Company VC,ou=101001,dc=mydomain,dc=local
sn: Company VC
cn:: IEJlZHJpamYgVkM=
telephoneNumber: 3322959600
objectClass: inetOrgPerson
objectClass: top
# Company Y, 101001, mydomain.local
dn: cn=Company Y,ou=101001,dc=mydomain,dc=local
sn: Company Y
cn:: IEJlZHJpamYgWQ==
telephoneNumber: 3322980406
objectClass: inetOrgPerson
objectClass: top
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
[root@asterisk16 ~]#
#18
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Rep:
Okay cool...
#19
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632
Original Poster
Rep:
OK I'm getting result with user U123456.
Next step was getting the ldap directory on my Snom IP-phone.
This is the search it performs :
conn=36 op=2 SRCH base="dc=mydomain,dc=local" scope=2 deref=0 filter="(&(telephoneNumber=*)(sn=b*))"
(so I press 'b' to get all companies starting with this letter, which should give 2 results...)
This is the ldap log :
Quote:
Dec 10 20:14:10 asterisk16 slapd[25338]: daemon: activity on 1 descriptor
I get no results on my Snom display...
#20
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Rep:
Now this is an interesting challenge...
#21
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632
Original Poster
Rep:
I'm still having issues :
Code:
defaultaccess none
access to *
by dn="cn=Manager,dc=mydomain,dc=local" write
by dn="cn=U123456,ou=123456,dc=mydomain,dc=local" read
access to dn.subtree="ou=101001,dc=mydomain,dc=local"
by dn.children="ou=101001,dc=mydomain,dc=local" read
When I comment out "defaultaccess none" there is no problem.
But when it is uncommented :
Code:
[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U123456,ou=123456,dc=mydomain,dc=local' -b 'ou=123456,dc=mydomain,dc=local'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Code:
[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
#22
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Rep:
I am not familiar with the command "defaultaccess none". It is not in my slapd.conf and I am not seeing it in the administrator's manual.
Quote:
access to *
Remember to pay special attention to the order in which your acl's are placed. When a user tries to log in, OpenLDAP will run through the list until a match is found. Once it finds a match, it will stop checking the acl's. Place the most restrictive acl's first.
By default the directory manager has full access so it is redundant to use
Quote:
by dn="cn=Manager,dc=mydomain,dc=local" write
In fact it will slow down processing.
Last edited by jamrock; 12-13-2010 at 10:09 AM .
#23
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632
Original Poster
Rep:
I've added the following :
Code:
defaultaccess none
access to *
by dn="cn=Manager,dc=mydomain,dc=local" write
by dn="cn=U123456,ou=123456,dc=mydomain,dc=local" read
by * auth
access to dn.subtree="ou=101001,dc=mydomain,dc=local"
by dn.children="ou=101001,dc=mydomain,dc=local" read
by * auth
"by * auth" makes it work...
Is there so much difference in ldap versions ?
I'm using : openldap-servers-2.3.43-12.el5_5.3.i386
Last edited by jonaskellens; 12-16-2010 at 04:14 AM .
#24
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Rep:
Quote:
Originally Posted by
jonaskellens
I've added the following :
Code:
defaultaccess none
access to *
by dn="cn=Manager,dc=voipcenter,dc=local" write
by dn="cn=U123456,ou=123456,dc=voipcenter,dc=local" read
by * auth
access to dn.subtree="ou=101001,dc=voipcenter,dc=local"
by dn.children="ou=101001,dc=voipcenter,dc=local" read
by * auth
"by * auth" makes it work...
Is there so much difference in ldap versions ?
I'm using : openldap-servers-2.3.43-12.el5_5.3.i386
Ooops... My bad...
You need auth if you want to authenticate. I haven't used that configuration in a while.
There were major changes in the acl's at one point. There were also some major changes to replication some time after. So yes, there can be significant changes between versions. You will notice that the manuals are version specific.
So... Are you good now?
#25
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632
Original Poster
Rep:
Just one question :
by defining this :
Code:
access to *
by dn="cn=U123456,ou=123456,dc=mydomain,dc=local" read
by * auth
for every user I create in a OU, I lock down this user to this OU and also this user can only read other objects in this OU after authentication ?
Unfortunately, it does not work :
Code:
[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=101001,dc=mydomain,dc=local'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=101001,dc=mydomain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
when I have in slapd.conf :
Code:
access to *
by dn="cn=U101001,ou=101001,dc=mydomain,dc=local" read
by * auth
Last edited by jonaskellens; 12-16-2010 at 06:51 AM .
#26
Member
Registered: Jan 2003
Location: Kingston, Jamaica
Posts: 444
Rep:
Try putting the auth before the read. OpenLDAP goes through the acl's line by line and exists when it finds the first match.
#27
Member
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632
Original Poster
Rep:
Quote:
Originally Posted by
jamrock
Try putting the auth before the read. OpenLDAP goes through the acl's line by line and exists when it finds the first match.
Does not work.
What's wrong with this :
Code:
database bdb
suffix "dc=mydomain,dc=local"
rootdn "cn=Manager,dc=mydomain,dc=local"
rootpw GuessThis
defaultaccess none
access to dn.one="ou=contacts,ou=101001,dc=mydomain,dc=local"
by * auth
by dn="cn=U101001,ou=101001,dc=mydomain,dc=local" read
Code:
[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U101001,ou=101001,dc=mydomain,dc=local' -b 'ou=contacts,ou=101001,dc=mydomain,dc=local'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
This also fails :
Code:
access to dn.one="ou=contacts,ou=101001,dc=mydomain,dc=local"
by dn.children="ou=myusers,ou=101001,dc=mydomain,dc=local" read
Code:
[root@asterisk16 ~]# ldapsearch -x -W -D 'cn=U101001,ou=myusers,ou=101001,dc=mydomain,dc=local' -b 'ou=contacts,ou=101001,dc=mydomain,dc=local'
Enter LDAP Password:
ldap_bind: Invalid credentials (4
Last edited by jonaskellens; 12-16-2010 at 09:17 AM .
All times are GMT -5. The time now is 03:09 PM .
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know .
