[Systems] LDAP access rights
Sascha Silbe
sascha-ml-reply-to-2010-3 at silbe.org
Sat Sep 11 06:36:43 EDT 2010
Excerpts from Bernie Innocenti's message of Fri Sep 10 22:17:59 +0200 2010:
> ACLs are obfuscated by the crap ldif format, but they are right there
> in /etc/ldap/slapd.d/cn=config/olcDatabase\=\{1\}hdb.ldif
D'oh, I forgot to adjust the find parameters when searching the config
database. I now got it to work. To change the configuration, I used:
ldapvi -D cn=admin,cn=config -b cn=config
with the sunjammer root password. Feel free to add this to some wiki
page. ;)
> olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self write by * none
> olcAccess: {1}to dn.base="" by * read by anonymous read
> olcAccess: {2}to * by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by * read by anonymous read
I added the following rule between the old {0} and {1}:
olcAccess: {1}to attrs=tls-public-key by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self manage by * none
To modify the key, I used
ldapvi -D uid=silbe,ou=People,dc=sugarlabs,dc=org -b uid=silbe,ou=People,dc=sugarlabs,dc=org
with my user password. Only "simple" authentication works, SASL fails:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
Maybe the password change problem has the same root cause? The error
message from passwd is:
passwd: Authentication information cannot be recovered
Sascha
--
http://sascha.silbe.org/
http://www.infra-silbe.de/
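The ordering point in the message above (the new `attrs=tls-public-key` rule has to be inserted before the catch-all `{2}to *` rule, which grants `by * read`) is easy to check without a slapd at hand. The following is an added example, not code from the post or from OpenLDAP: a small evaluator for the olcAccess values quoted above, following the first-match semantics described in slapd.access(5). It only understands the `what` and `who` forms that appear on this page (`*`, `attrs=`, `dn.base=`, `dn=`, `sockname=`, `self`, `anonymous`, `users`); the function names, the `ME` bind DN taken from the post, and the request model are assumptions of this example.

```python
# Added example (not from the post or from OpenLDAP): evaluate olcAccess rules
# the way slapd.access(5) describes it: the first "to" clause whose target
# matches is the only one consulted, and within it the first matching "by"
# clause decides the access level.
import re
import shlex

# OpenLDAP access levels, weakest to strongest (each implies the ones below).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=admin,dc=sugarlabs,dc=org"
LDAPI = "PATH=/var/lib/ldap_root/ldapi"
ME = "uid=silbe,ou=People,dc=sugarlabs,dc=org"  # the user entry from the post

# The three rules quoted in the post, and the rule inserted between {0} and {1}.
ORIGINAL = [
    f'{{0}}to attrs=userPassword,shadowLastChange by dn="{ADMIN}" manage '
    f'by sockname="{LDAPI}" manage by self write by * none',
    '{1}to dn.base="" by * read by anonymous read',
    f'{{2}}to * by dn="{ADMIN}" manage by sockname="{LDAPI}" manage by * read by anonymous read',
]
NEW_RULE = (f'{{1}}to attrs=tls-public-key by dn="{ADMIN}" manage '
            f'by sockname="{LDAPI}" manage by self manage by * none')


def parse_rule(line):
    """Split one olcAccess value into (index, what, [(who, level), ...])."""
    m = re.match(r"\{(\d+)\}(.*)$", line.strip())
    index, toks = int(m.group(1)), shlex.split(m.group(2))  # shlex strips the quotes
    if toks[0] != "to":
        raise ValueError("rule must start with 'to': " + line)
    first_by = toks.index("by")
    what = " ".join(toks[1:first_by])
    clauses = []
    for pos in range(first_by, len(toks), 3):
        if toks[pos] != "by" or pos + 2 >= len(toks) or toks[pos + 2] not in LEVELS:
            raise ValueError("expected 'by <who> <level>' in: " + line)
        clauses.append((toks[pos + 1], toks[pos + 2]))
    return index, what, clauses


def what_matches(what, target_dn, attr):
    """Does this 'to' clause cover the requested entry/attribute?"""
    if what == "*":
        return True
    if what.startswith("dn.base="):       # exactly this entry (and its attributes)
        return target_dn.lower() == what[len("dn.base="):].lower()
    if what.startswith("attrs="):         # only the listed attributes
        return attr is not None and attr.lower() in what[len("attrs="):].lower().split(",")
    raise ValueError("unsupported 'what' form: " + what)


def who_matches(who, bind_dn, target_dn, sockname):
    """Does this 'by' clause apply to the bound identity?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":                     # bound as the entry being accessed
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    if who.startswith("sockname="):       # local ldapi:// socket path
        return sockname == who[len("sockname="):]
    raise ValueError("unsupported 'who' form: " + who)


def evaluate(rules, bind_dn, target_dn, attr=None, sockname=None):
    """Return the access level the ordered rules grant to this request."""
    for _, what, clauses in sorted(rules, key=lambda r: r[0]):
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn, sockname):
                return level
        return "none"   # matching 'to' clause, but no 'by' clause matched: denied
    return "none"       # nothing matched: slapd implies 'to * by * none' at the end


def grants(level, needed):
    """True if an access level is at least as strong as the one needed."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def insert_rule(rules, new_rule):
    """Insert new_rule at its {n} position and renumber the rules after it,
    which is what slapd does when an ordered olcAccess value is added."""
    parsed = [parse_rule(r) for r in rules]
    idx, what, clauses = parse_rule(new_rule)
    parsed.insert(idx, (idx, what, clauses))
    return [(i, w, c) for i, (_, w, c) in enumerate(parsed)]


def before_and_after(bind_dn, attr, sockname=None):
    """Access level on the user's own entry before and after adding NEW_RULE."""
    before = [parse_rule(r) for r in ORIGINAL]
    after = insert_rule(ORIGINAL, NEW_RULE)
    return (evaluate(before, bind_dn, ME, attr, sockname),
            evaluate(after, bind_dn, ME, attr, sockname))


if __name__ == "__main__":
    for label, who, sock in [("anonymous", None, None), ("self", ME, None),
                             ("admin", ADMIN, None), ("ldapi socket", None, LDAPI)]:
        b, a = before_and_after(who, "tls-public-key", sock)
        print(f"{label:13} tls-public-key: before={b:7} after={a}")
```

Running it shows the reason for the placement: without the new rule, `tls-public-key` falls through to `{2}to *` and is readable by everyone, including anonymous binds; with it, the owner gets `manage` and everyone else gets `none`, while `userPassword` handling is unchanged. Had the rule been appended as `{3}` instead, it would never be reached, because `{2}to *` already matches every request.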