Re: [Lam-public] Openldap Pro Trouble.
From: Junaid S. <jun...@th...> - 2014-05-07 14:33:44
Hi Roland,

I have managed to get the password self reset and self services working fine now. I am now trying to use my LDAP for Apache authentication for Nagios. I created a user for binding and gave it read access as well. But I am not able to get Apache to authenticate through my LDAP.

Here's what I have in the Apache configuration:

--------
ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"

<Directory "/usr/lib64/nagios/cgi-bin/">
#  SSLRequireSSL
   Options ExecCGI
   AllowOverride None
#  Order allow,deny
#  Allow from all
#  Allow from 127.0.0.1
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthName "LAM"
   # the connection mode keyword (SSL/TLS/NONE) is a separate argument after the quoted URL
   AuthLDAPURL "ldaps://example.com:636/ou=Users,dc=example,dc=com?uid" SSL
   AuthLDAPBindDN uid=binduser,ou=Generalusers,ou=Users,dc=example,dc=com
   AuthLDAPBindPassword SECRET
   Require valid-user
</Directory>

Alias /nagios "/usr/share/nagios/html"

<Directory "/usr/share/nagios/html">
#  SSLRequireSSL
   Options None
   AllowOverride None
#  Order allow,deny
   Allow from all
#  Allow from 127.0.0.1
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthName "LAM"
   AuthLDAPURL "ldaps://example.com:636/ou=Users,dc=example,dc=com?uid" SSL
   AuthLDAPBindDN uid=binduser,ou=Generalusers,ou=Users,dc=example,dc=com
   AuthLDAPBindPassword SECRET
   Require valid-user
</Directory>
------------

I have added this in the /etc/openldap/slapd.conf file to add the bind user:

-------------
#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
checkpoint      1024 15
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
# rootpw        {crypt}ijFYNcSNctBYg
rootpw          SECRET

defaultaccess none

access to attr=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth

# slapd applies the first matching "by" clause, so "by self write"
# has to come before the broader "by users read"
access to *
        by dn="cn=Manager,dc=example,dc=com" write
        by dn="uid=binduser,ou=Generalusers,ou=Users,dc=example,dc=com" read
        by self write
        by users read
        by * auth
--------

I then created the user account binduser and restarted slapd. Here is the error I am seeing in the logs:

---------
[Wed May 07 07:25:31 2014] [info] [client IPADDRESS] [4158] auth_ldap authenticate: user tester authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
---------

The user tester is inside the Admins,Users,example,com directory. What do you think I'm missing? Any ideas?

Thanks,

On Wed, Apr 30, 2014 at 1:18 AM, Roland Gruber <po...@ro...> wrote:
> Hi Junaid,
>
> On 29.04.2014 07:24, Junaid Shah wrote:
> > 2014-04-28 22:02:55: LDAP Account Manager (kui1ucm5i76bmmc68ohumteaj3 -
> > 10.4.3.20) - ERROR: [uid=bhkwan,ou=Admins,ou=Users,dc=go,dc=cd] Unable to
> > add attributes to DN: uid=student1,ou=Generalusers,ou=Users,dc=go,dc=cd
> > (Insufficient access).
>
> Looks like uid=bhkwan,ou=Admins,ou=Users,dc=go,dc=cd does not have the right to
> change the student entries.
> You can set up ACLs in slapd.d to change that.
>
> LAM also allows doing all write operations with the bind user. There is an
> option "Use for all operations":
>
> https://www.ldap-account-manager.org/static/doc/manual/ch06s03.html#selfServiceBasicSettings
>
> --
>
> Best regards
>
> Roland
>
> LDAP Account Manager
> http://www.ldap-account-manager.org/
>
> Want more? Get LDAP Account Manager Pro!
> https://www.ldap-account-manager.org/lamcms/lamPro
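One way to sanity-check the AuthLDAPURL line from the post offline, before going back to the server: an added example for this thread, not code from Apache, OpenLDAP or LAM, with the helper names parse_ldap_url and check_authldap_line being my own. It assumes a POSIX sh with sed and grep; a line that passes still needs a live test, since "Can't contact LDAP server" over ldaps:// is often the server certificate not being trusted by mod_ldap (see LDAPTrustedGlobalCert and LDAPVerifyServerCert).

```shell
#!/bin/sh
# Added example, not from the thread: check a mod_authnz_ldap AuthLDAPURL
# line without contacting any server. Splits the RFC 4516 style URL into
# its parts and flags mismatches between scheme, port and SSL/TLS/NONE.

# parse_ldap_url URL -> prints "scheme host port base attr scope filter"
# and leaves those variables set. Defaults follow the mod_authnz_ldap
# docs: attr uid, scope sub, filter (objectClass=*), port by scheme.
parse_ldap_url() {
    scheme=${1%%://*}; rest=${1#*://}
    hostport=${rest%%/*}; path=${rest#*/}
    [ "$path" = "$rest" ] && path=""
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport#*:} ;;
        *)   host=$hostport
             if [ "$scheme" = ldaps ]; then port=636; else port=389; fi ;;
    esac
    base=${path%%\?*}
    q=${path#*\?};    [ "$q" = "$path" ] && q=""
    attr=${q%%\?*};   q2=${q#*\?};      [ "$q2" = "$q" ] && q2=""
    scope=${q2%%\?*}; filter=${q2#*\?}; [ "$filter" = "$q2" ] && filter=""
    [ -n "$attr" ] || attr=uid
    [ -n "$scope" ] || scope=sub
    [ -n "$filter" ] || filter='(objectClass=*)'
    printf '%s %s %s %s %s %s %s\n' "$scheme" "$host" "$port" "$base" \
        "$attr" "$scope" "$filter"
}

# check_authldap_line 'AuthLDAPURL "<url>" [SSL|TLS|NONE]'
# Prints one line per problem; returns 1 if any were found, else 0.
check_authldap_line() {
    line=$1; n=0
    url=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*AuthLDAPURL[[:space:]]*"\([^"]*\)".*/\1/p')
    mode=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*AuthLDAPURL[[:space:]]*"[^"]*"[[:space:]]*\([A-Za-z]*\).*/\1/p')
    [ -n "$mode" ] || mode=NONE
    parse_ldap_url "$url" >/dev/null
    if printf '%s\n' "$line" | grep -q '"[^"]*"[A-Za-z]'; then
        echo "mode keyword glued to the closing quote; write: AuthLDAPURL \"$url\" $mode"; n=$((n+1)); fi
    case $scheme in
        ldaps) [ "$mode" = TLS ] && { echo "ldaps:// already uses TLS on connect; TLS (STARTTLS) is for ldap://"; n=$((n+1)); }
               [ "$port" = 389 ] && { echo "ldaps:// pointed at the plain LDAP port 389"; n=$((n+1)); } ;;
        ldap)  [ "$port" = 636 ] && { echo "port 636 is the LDAPS port; use ldaps:// with SSL"; n=$((n+1)); }
               [ "$mode" = NONE ] && { echo "cleartext bind over ldap://; use ldaps:// SSL or ldap:// TLS"; n=$((n+1)); } ;;
        *)     echo "unknown scheme '$scheme'; expected ldap:// or ldaps://"; n=$((n+1)) ;;
    esac
    [ -n "$base" ] || { echo "empty search base"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}
```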