[Systems] LDAP access rights

Bernie Innocenti bernie at codewiz.org
Wed Sep 15 17:04:47 EDT 2010


On Sat, 2010-09-11 at 12:36 +0200, Sascha Silbe wrote:
> Excerpts from Bernie Innocenti's message of Fri Sep 10 22:17:59 +0200 2010:
> 
> > ACLs are obfuscated by the crap ldif format, but they are right there
> > in /etc/ldap/slapd.d/cn=config/olcDatabase\=\{1\}hdb.ldif
> 
> D'oh, I forgot to adjust the find parameters when searching the config
> database. I now got it to work. To change the configuration, I used:
> 
> ldapvi -D cn=admin,cn=config -b cn=config
> 
> with the sunjammer root password. Feel free to add this to some wiki
> page. ;)

Wow, that's fantastic. Why doesn't it simply work as root without -D?



> I added the following rule between the old {0} and {1}:
>
> olcAccess: {1}to attrs=tls-public-key by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self manage by * none

Ok

> 
> To modify the key, I used
> 
> ldapvi -D uid=silbe,ou=People,dc=sugarlabs,dc=org -b uid=silbe,ou=People,dc=sugarlabs,dc=org

If we configure things to use a second, unprivileged ldapi socket also
for users, the -D should become superfluous because the user can be
derived automatically from your login. 

At least, this is how it works at Develer. The hard part was passing two
ldapi sockets to slapd because the Fedora initscript was too dumb.


> with my user password. Only "simple" authentication works, SASL fails:
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): user not found: no secret in database

I never got SASL to work on any LDAP installation. I always use -x
(simple auth) with ldap{add,search,modify}.


> Maybe the password change problem has the same root cause? The error
> message from passwd is:
> 
> passwd: Authentication information cannot be recovered

Hmm... I wish pam_ldap could log debug output somewhere.

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
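An added example, not code from this thread or from OpenLDAP: it evaluates the olcAccess rule quoted above with slapd's first-match semantics to show who ends up able to change silbe's key. The requester is modelled as a small dict of dn/sockname, only the selectors used in that rule are implemented, and the second user DN is constructed.

```python
import re
# olcAccess directive exactly as quoted in the thread ({1} is its position in the list).
RULE = ('{1}to attrs=tls-public-key '
        'by dn="cn=admin,dc=sugarlabs,dc=org" manage '
        'by sockname="PATH=/var/lib/ldap_root/ldapi" manage '
        'by self manage by * none')

def parse_olcaccess(line):
    """Split one olcAccess value into its {index}, <what> target and ordered <by> clauses."""
    m = re.match(r'(?:\{(\d+)\})?to\s+(.*?)\s+(\bby\s+.*)$', line.strip())
    if not m:
        raise ValueError('not an olcAccess directive: %r' % line)
    index, target, rest = m.groups()
    clauses = re.findall(r'\bby\s+(\S+)\s+(\S+)', rest)   # [(<who>, <access>), ...]
    return {'index': int(index) if index else None, 'target': target, 'by': clauses}

def who_matches(who, req, target_dn):
    """Subset of slapd <who> selectors: '*', 'self', dn="..." and sockname="..."."""
    if who == '*':
        return True
    if who == 'self':                       # requester is the entry being accessed
        return req.get('dn') == target_dn
    m = re.match(r'(dn|sockname)="([^"]*)"', who)
    if not m:
        raise ValueError('unsupported <who> selector: ' + who)
    return req.get(m.group(1)) == m.group(2)   # exact match (slapd's default dn.base)

def access_for(rule, req, target_dn, attr):
    """First matching <by> wins; None = directive doesn't cover attr, slapd tries the next one."""
    kind, _, names = rule['target'].partition('=')
    if kind != 'attrs' or attr not in names.split(','):
        return None
    for who, access in rule['by']:
        if who_matches(who, req, target_dn):
            return access
    return 'none'                           # slapd appends an implicit "by * none"

def demo():
    rule = parse_olcaccess(RULE)
    silbe = 'uid=silbe,ou=People,dc=sugarlabs,dc=org'
    other = 'uid=someone,ou=People,dc=sugarlabs,dc=org'   # constructed second user
    key = 'tls-public-key'
    return {
        'admin':        access_for(rule, {'dn': 'cn=admin,dc=sugarlabs,dc=org'}, silbe, key),
        'root socket':  access_for(rule, {'sockname': 'PATH=/var/lib/ldap_root/ldapi'}, silbe, key),
        'owner':        access_for(rule, {'dn': silbe}, silbe, key),
        'other user':   access_for(rule, {'dn': other}, silbe, key),
        'anonymous':    access_for(rule, {}, silbe, key),
        'userPassword': access_for(rule, {'dn': silbe}, silbe, 'userPassword'),
    }
```

Because slapd also walks the directives themselves in {n} order, this rule only takes effect if no earlier olcAccess already matches tls-public-key, which is why its placement between {0} and {1} matters; access_for returning None models a directive that does not apply.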
