[gull] problem de connexion ldap

Vuko Brigljevic Vuko.Brigljevic at cern.ch
Fri Mar 4 09:51:02 CET 2005 

J'ai un probleme de connexion avec mon serveur ldap que j'utilise
pour l'authentication en connexion avec pam. Je n'arrive plus a me
logger apres qu'il ait fonctionne sans probleme pendant de longs mois.

Chaque essai est bloque avec le message "(Insufficient access)"
(voir log exhaustif au bas de ce message).

Aujourd'hui, pour ajouter de nouveaux utilisateurs, j'ai
"decommente" la commande "rootpw" dans slapd.conf,
puis je l'ai recommentee apres l'avoir fait mais
depuis rien ne va plus, et je n'arrive pas a voir
ce que j'ai pu changer d'autre.

Quelqu'un voit-il une possible raison a mon
probleme. Si dessous, les extraits les plus
significatifs de mon ficher slapd.conf et
de /var/log/messages (avec mon nom d'institution
et de domaine changes):

Merci,

Vuko


slapd.conf:


TLSCipherSuite         HIGH:MEDIUM:+SSLv2

TLSCertificateFile    /etc/ldap-certs/server/server.crt
TLSCertificateKeyFile /etc/ldap-certs/server/server.key
TLSCACertificateFile  /etc/ldap-certs/ca/ca.crt

database        ldbm

suffix          "dc=irb,dc=hr"
rootdn          "uid=root,ou=People,dc=irb,dc=hr"
# rootpw          secret
directory       /var/lib/ldap/
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber  eq
index   cn,mail,surname,givenname            eq,subinitial


access to dn=".*,ou=People,dc=myCompany,dc=MyDomain" 
  attr=userPassword
 by ssf=128 self write
 by ssf=128 dn="uid=root,ou=People,dc=myCompany,dcMyDomain" write

# ssf=128

access to dn=".*,dc=myCompany,dc=MyDomain"
 by  self write
 by  dn="uid=root,ou=People,dc=myCompany,dc=MyDomain" write
 by  * read



extrait de /var/log/messages:


(...)
 >>> dnPrettyNormal: <uid=vuko,ou=People,dc=myCompany,dc=MyDomain>
 daemon: activity on 1 descriptors
 <<< dnPrettyNormal: <uid=vuko,ou=People,dc=myCompany,dc=MyDomain>, 
<uid=vuko,ou=people,dc=myCompany,dc=MyDomain>
 daemon: select: listen=6 active_threads=1 tvp=NULL
 do_bind: version=3 dn="uid=vuko,ou=People,dc=myCompany,dc=MyDomain" 
method=128
 conn=4 op=3 BIND dn="uid=vuko,ou=People,dc=myCompany,dc=MyDomain" method=128
 ==> ldbm_back_bind: dn: uid=vuko,ou=People,dc=myCompany,dc=MyDomain
 dn2entry_r: dn: "uid=vuko,ou=people,dc=myCompany,dc=MyDomain"
 => dn2id( "uid=vuko,ou=people,dc=myCompany,dc=MyDomain" )
 ====> cache_find_entry_dn2id("uid=vuko,ou=people,dc=myCompany,dc=MyDomain"): 
121 (1 tries)
 <= dn2id 121 (in cache)
 => id2entry_r( 121 )
 ====> cache_find_entry_id( 121 ) 
"uid=vuko,ou=People,dc=myCompany,dc=MyDomain" (found) (1 tries)
 <= id2entry_r( 121 ) 0x81ca750 (cache)
 => access_allowed: auth access to 
"uid=vuko,ou=People,dc=myCompany,dc=MyDomain" "userPassword" requested
 => dnpat: [1] .*,ou=People,dc=myCompany,dc=MyDomain nsub: 0
 => acl_get: [1] matched
 => acl_get: [1] check attr userPassword
 <= acl_get: [1] acl uid=vuko,ou=People,dc=myCompany,dc=MyDomain attr: 
userPassword
 => acl_mask: access to entry "uid=vuko,ou=People,dc=myCompany,dc=MyDomain", 
attr "userPassword" requested
 => acl_mask: to all values by "", (=n)
 <= check a_dn_pat: self
 <= check a_dn_pat: uid=root,ou=People,dc=myCompany,dc=MyDomain
 => string_expand: pattern:  uid=root,ou=People,dc=myCompany,dc=MyDomain
 => string_expand: expanded: uid=root,ou=People,dc=myCompany,dc=MyDomain
 => regex_matches: string:
 => regex_matches: rc: 1 no matches
 <= acl_mask: no more <who> clauses, returning =n (stop)
 => access_allowed: auth access denied by =n
 send_ldap_result: conn=4 op=3 p=3
 send_ldap_result: err=50 matched="" text=""
 send_ldap_response: msgid=4 tag=97 err=50
pam_ldap: error trying to bind as user 
"uid=vuko,ou=People,dc=myCompany,dc=MyDomain" (Insufficient access)
 conn=4 op=3 RESULT tag=97 err=50 text=
 ====> cache_return_entry_r( 121 ): returned (0)

-- 
===========================================================|
 Vuko Brigljevic                                           |
 Rudjer Boskovic Institute                                 |
 --------------------------------------------------------- |
 Mail Address: Bijenicka cesta 54, P.O.B. 180              |
               10002 Zagreb Croatia                        |
 Phone       : +385-1- 468 0204                            |
 www         : http://cern.ch/vuko                         |
===========================================================|
One Word to rule them all, One Explorer to find them,
One Windows to bring them all and in the darkness bind them

More information about the gull mailing list