LDAP password update fails: Insufficient access (50)

This question is similar to this one, except that in this case it doesn't work. 🙁

So far I have this set as the ACL:

    access to attrs=userPassword,shadowLastChange,shadowMin,shadowMax,shadowWarning,loginShell,shadowLastChange
        by anonymous auth
        by self write
        by users read
        by * none
    access to *
        by self write
        by users read
        by * none

I am able to change the password as root:

    [root@sl6 openldap]# ldappasswd -D 'cn=root,dc=monzell,dc=com' -W -S 'uid=monzell,ou=People,dc=monzell,dc=com'
    New password:
    Re-enter new password:
    Enter LDAP Password:
    [root@sl6 openldap]#

But not as the user:

    [root@sl6 openldap]# ldappasswd -D 'uid=monzell,ou=People,dc=monzell,dc=com' -W -S 'uid=monzell,ou=People,dc=monzell,dc=com'
    New password:
    Re-enter new password:
    Enter LDAP Password:
    Result: Insufficient access (50)

This is my user schema, BTW:

    # monzell, People, monzell.com
    dn: uid=monzell,ou=People,dc=monzell,dc=com
    uid: monzell
    cn: monzell
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowLastChange: 15192
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 501
    gidNumber: 501
    homeDirectory: /home/users/monzell
    userPassword:: (REDACTED)

And my base DN:

    dn: dc=monzell,dc=com
    dc: monzell
    objectClass: top
    objectClass: domain

    dn: ou=People,dc=monzell,dc=com
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=Group,dc=monzell,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

I'm running Scientific Linux 6.1 with OpenLDAP 2.4.23-15.

(Incidentally, the setup here is based on the page)

The log output for ldappasswd returns the following:

    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 fd=24 ACCEPT from IP=127.0.0.1:50252 (IP=0.0.0.0:389)
    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=0 BIND dn="uid=monzell,ou=People,dc=monzell,dc=com" method=128
    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=0 BIND dn="uid=monzell,ou=People,dc=monzell,dc=com" mech=SIMPLE ssf=0
    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=0 RESULT tag=97 err=0 text=
    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=1 PASSMOD id="uid=monzell,ou=People,dc=monzell,dc=com" new
    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=1 RESULT oid= err=50 text=
    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 op=2 UNBIND
    Aug 20 08:45:18 sl6 slapd[4634]: conn=1019 fd=24 closed

Here is the conf file:

    include /etc/openldap/schema/corba.schema
    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/duaconf.schema
    include /etc/openldap/schema/dyngroup.schema
    include /etc/openldap/schema/inetorgperson.schema
    include /etc/openldap/schema/java.schema
    include /etc/openldap/schema/misc.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/openldap.schema
    include /etc/openldap/schema/ppolicy.schema
    include /etc/openldap/schema/collective.schema

    pidfile /var/run/openldap/slapd.pid
    argsfile /var/run/openldap/slapd.args

    TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
    TLSCertificateFile /etc/openldap/ssl/cert.crt
    TLSCertificateKeyFile /etc/openldap/ssl/private.key

    database bdb
    suffix "dc=monzell,dc=com"
    checkpoint 1024 15
    rootdn "cn=root,dc=monzell,dc=com"
    rootpw <REDACTED
    directory /var/lib/ldap
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub

    database monitor

    access to attrs=userPassword
        by self write
        by users read
        by * none
    access to *
        by self write
        by users read
        by * none

Edit: now this is interesting. When I set the log level to 128, I get this in the log file:

    Aug 20 12:27:54 sl6 slapd[2692]: /etc/openldap/slapd.conf: line 139: warning: cannot assess the validity of the ACL scope within backend naming context
    Aug 20 12:27:54 sl6 slapd[2692]: /etc/openldap/slapd.conf: line 144: warning: cannot assess the validity of the ACL scope within backend naming context
    Aug 20 12:27:54 sl6 slapd[2693]: config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
    Aug 20 12:27:54 sl6 slapd[2693]: slapd starting

Edit: when I try to reset the password, I see this:

    Aug 20 12:32:47 sl6 slapd[2868]: => access_allowed: result not in cache (userPassword)
    Aug 20 12:32:47 sl6 slapd[2868]: => access_allowed: auth access to "uid=monzell,ou=People,dc=monzell,dc=com" "userPassword" requested
    Aug 20 12:32:47 sl6 slapd[2868]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
    Aug 20 12:32:47 sl6 slapd[2868]: => access_allowed: auth access granted by read(=rscxd)
    Aug 20 12:32:47 sl6 slapd[2868]: => access_allowed: backend default write access denied to "uid=monzell,ou=People,dc=monzell,dc=com"

I suggest you enable LDAP logging and look at that. On Red Hat-based distributions this can be done with the following steps:

  1. Set the syslog facility:

         cat /etc/sysconfig/ldap
         SLAPD_OPTIONS="-l local4"

  2. Give OpenLDAP its own log file in /etc/syslog.conf:

         # OpenLDAP log
         local4.* /var/log/ldap.log

  3. touch /var/log/ldap.log and restart syslogd

On other distributions, for the first step, just add -l local4 to the start() function of the init script.


Edit

Set loglevel to 128 (ACL processing) and try again.


Edit 2

"cannot assess the validity of the ACL scope within backend naming context"

Put the ACLs before the backend context:

    access to attrs=userPassword
        by self write
        by users read
        by * none
    access to *
        by self write
        by users read
        by * none

    database bdb
    suffix "dc=monzell,dc=com"
    checkpoint 1024 15
    rootdn "cn=root,dc=monzell,dc=com"
    rootpw <REDACTED
    directory /var/lib/ldap
    index objectClass eq,pres
    index ou,cn,mail,surname,givenname eq,pres,sub
    index uidNumber,gidNumber,loginShell eq,pres
    index uid,memberUid eq,pres,sub
    index nisMapName,nisMapEntry eq,pres,sub

    database monitor
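The mechanism behind the warning and the err=50 in the question is positional: in slapd.conf, every `access to` directive belongs to whichever `database` section it appears in (or to the global section if it comes before any `database` line). The question's ACLs sit after `database monitor`, so they protect only the monitor backend, and the bdb database holding the users runs on slapd's built-in default of `access to * by * read`, which is why the loglevel 128 trace says "backend default ... write access denied". The following checker is an added example, not part of OpenLDAP or of either post; it parses the slapd.conf directive layout (continuation lines start with whitespace) and reports which section each ACL lands in. The two embedded configs are constructed, abridged from the question's file; `parse_slapd_conf` and `audit_acl_scopes` are names chosen here.

```python
"""Report which slapd.conf database section each 'access to' directive lands in.

Added diagnostic for the ACL-placement problem discussed in the thread; it is
not part of OpenLDAP. It follows slapd.conf's own layout rules: a directive
continues onto lines that start with whitespace, and every directive after a
'database' line belongs to that database until the next one.
"""

# Constructed sample modelled on the question's slapd.conf (abridged): the
# ACLs sit after "database monitor", so they govern only the monitor backend.
BROKEN_CONF = """\
include /etc/openldap/schema/core.schema
database bdb
suffix "dc=monzell,dc=com"
rootdn "cn=root,dc=monzell,dc=com"
directory /var/lib/ldap
database monitor
access to attrs=userPassword
    by self write
    by users read
    by * none
access to *
    by self write
    by users read
    by * none
"""

# Same directives with the ACLs moved inside the bdb section (constructed).
FIXED_CONF = """\
include /etc/openldap/schema/core.schema
database bdb
suffix "dc=monzell,dc=com"
rootdn "cn=root,dc=monzell,dc=com"
directory /var/lib/ldap
access to attrs=userPassword
    by self write
    by users read
    by * none
access to *
    by self write
    by users read
    by * none
database monitor
"""


def parse_slapd_conf(conf_text):
    """Split a slapd.conf into sections: the global one first, then one per 'database'.

    Each section is a dict with 'database' (None for the global section),
    'suffix', and 'acls' (each 'access to' directive joined onto one line).
    """
    sections = [{"database": None, "suffix": None, "acls": []}]
    pending = None  # directive being assembled across continuation lines

    def flush():
        nonlocal pending
        if pending is None:
            return
        tokens = pending.split()
        key = tokens[0].lower()
        if key == "database":
            sections.append({"database": tokens[1], "suffix": None, "acls": []})
        elif key == "suffix":
            sections[-1]["suffix"] = tokens[1].strip('"')
        elif key == "access":
            sections[-1]["acls"].append(" ".join(tokens))
        pending = None

    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t":
            pending = (pending or "") + " " + raw.strip()  # continuation line
            continue
        flush()
        pending = raw.strip()
    flush()
    return sections


def audit_acl_scopes(sections):
    """Return findings for ACLs that cannot protect the directory data."""
    findings = []
    global_acls = sections[0]["acls"]  # global ACLs act as a fallback for every database
    for sec in sections[1:]:
        name = sec["database"]
        if name == "monitor" and sec["acls"]:
            findings.append(
                f"{len(sec['acls'])} ACL(s) placed after 'database monitor' apply only "
                "to the monitor backend, not to the directory data"
            )
        if name not in ("monitor", "config") and not sec["acls"] and not global_acls:
            findings.append(
                f"database {name} (suffix {sec['suffix']}) has no ACLs at all: slapd "
                "falls back to 'access to * by * read', so only the rootdn can write "
                "userPassword, which is exactly the err=50 seen in the question"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("question's layout", BROKEN_CONF), ("ACLs inside bdb", FIXED_CONF)):
        print(f"== {label} ==")
        for finding in audit_acl_scopes(parse_slapd_conf(conf)) or ["no findings"]:
            print(" -", finding)
```

Running it reports two findings for the question's layout and none once the ACLs are inside the bdb section. The answer's suggestion of placing the ACLs before `database bdb` also passes, because global ACLs are consulted for every database that defines none of its own; the difference is that a global rule also covers any database added later, which is worth being deliberate about.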