服务器 Gind.cn
  1. 服务器 Gind.cn
  3. ldap_modify:更改密码时访问不足(50)
Intereting Posts
如何将vhd转换为wim文件? Nginx服务器返回404除了索引之外的所有php页面 微软在线服务的经验,托pipe交stream Ubuntu 12.04LTS是否有OpenSSL的心跳修复? 服务haproxy错误 某些SCpipe弦乐队发送电子邮件活动正在发送2封电子邮件 如何在afs中获得真正的呼叫者访问权限? 亚马逊Cloudfront与S3桶 – 2个来源 XenServer 6.2上的RHEL克隆(Centos,Scientific,CERN)networking安装 与Forest不同的域名 为什么不能通过我的防火墙vyatta允许SMTP? 错误:连接到监视器时退出内部错误进程:支持的机器是: 将der私钥转换为pem时出错 OpenVPN连接,但在设备上获取无效的IP 如何在Active Directory中自动化RFC2307属性?

ldap_modify:更改密码时访问不足(50)

我正尝试在CentOS 6.7上安装全新的OpenLDAP安装(类似于RHEL 6.7)来修改LDAPpipe理员密码。

我创build了一个名为change_ldap_password.ldif的文件: 

 # Hash your password: # slappasswd -h {SSHA} -s "my_password" # I also tried {1}hdb instead of {0}config dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}YP8q2haCD1POSzQC3GAuBdrfaHh+/Y49

当我以root身份运行以下命令时,出现访问错误: 

 # ldapmodify -x -W -D "cn=admin,dc=my_domain,dc=com" -f ./change_ldap_password.ldif Enter LDAP Password: modifying entry "olcDatabase={0}config,cn=config" ldap_modify: Insufficient access (50)

这是ldapwhoami的输出: 

 # ldapwhoami -x -W -D "cn=admin,dc=my_domain,dc=com" Enter LDAP Password: dn:cn=admin,dc=my_domain,dc=com

下面是在cn = config中对olcRoot进行grepping的结果: 

 # grep -R olcRoot /etc/openldap/slapd.d/cn=config /etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootDN: cn=admin,dc=my_domain,dc=com /etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootPW:: ...

这是ldapmodify的debugging信息: 

 # ldapmodify -x -W -D "cn=admin,dc=my_domain,dc=com" -f ./change_ldap_password.ldif -d1 ldap_create Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP localhost:389 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 127.0.0.1:389 ldap_pvt_connect: fd: 4 tm: -1 async: 0 attempting to connect: connect errno: 111 ldap_close_socket: 4 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 4 ldap_connect_to_path: Trying /var/run/ldapi ldap_connect_timeout: fd: 4 tm: -1 async: 0 ldap_ndelay_on: 4 ldap_close_socket: 4 ldap_int_open_connection ldap_connect_to_host: TCP localhost:636 ldap_new_socket: 4 ldap_prepare_socket: 4 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 4 tm: -1 async: 0 attempting to connect: connect success TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly TLS: using moznss security dir /etc/openldap/certs prefix . TLS: certificate [CN=my_server.my_domain.com] is valid TLS certificate verification: subject: CN=my_server.my_domain.com, issuer: CN=my_server.my_domain.com, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({i) ber: ber_flush2: 50 bytes to sd 4 ldap_result ld 0x184a340 msgid 1 wait4msg ld 0x184a340 msgid 1 (infinite timeout) wait4msg continue ld 0x184a340 msgid 1 all 1 ** ld 0x184a340 Connections: * host: (null) port: 636 (default) refcnt: 2 status: Connected last used: Fri Oct 30 14:04:24 2015 ** ld 0x184a340 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x184a340 request count 1 (abandoned 0) ** ld 0x184a340 Response Queue: Empty ld 0x184a340 response count 0 ldap_chkResponseList ld 0x184a340 msgid 1 all 1 ldap_chkResponseList returns ld 0x184a340 NULL ldap_int_select read1msg: ld 0x184a340 msgid 1 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x184a340 msgid 1 message type bind ber_scanf fmt ({eAA) ber: read1msg: ld 0x184a340 0 new referrals read1msg: mark request completed, ld 0x184a340 msgid 1 request done: ld 0x184a340 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree modifying entry "olcDatabase={0}config,cn=config" ldap_modify_ext ldap_send_initial_request ldap_send_server_request ber_scanf fmt ({it) ber: ber_scanf fmt ({) ber: ber_flush2: 102 bytes to sd 4 ldap_result ld 0x184a340 msgid 2 wait4msg ld 0x184a340 msgid 2 (timeout 100000 usec) wait4msg continue ld 0x184a340 msgid 2 all 1 ** ld 0x184a340 Connections: * host: (null) port: 636 (default) refcnt: 2 status: Connected last used: Fri Oct 30 14:04:24 2015 ** ld 0x184a340 Outstanding Requests: * msgid 2, origid 2, status InProgress outstanding referrals 0, parent count 0 ld 0x184a340 request count 1 (abandoned 0) ** ld 0x184a340 Response Queue: Empty ld 0x184a340 response count 0 ldap_chkResponseList ld 0x184a340 msgid 2 all 1 ldap_chkResponseList returns ld 0x184a340 NULL ldap_int_select read1msg: ld 0x184a340 msgid 2 all 1 ber_get_next ber_get_next: tag 0x30 len 12 contents: read1msg: ld 0x184a340 msgid 2 message type modify ber_scanf fmt ({eAA) ber: read1msg: ld 0x184a340 0 new referrals read1msg: mark request completed, ld 0x184a340 msgid 2 request done: ld 0x184a340 msgid 2 res_errno: 50, res_error: <>, res_matched: <> ldap_free_request (origid 2, msgid 2) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_scanf fmt (}) ber: ldap_msgfree ldap_err2string ldap_modify: Insufficient access (50) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 4 ldap_free_connection: actually freed

如果input了错误的密码,错误将从“无效的访问”更改为“无效的凭据”: 

 ldap_bind: Invalid credentials (49)

我看到了这个ServerFault问题 ,但是这个问题是关于具有有限特权的用户,而不是pipe理员或根。

如何通过ldap_modify: Insufficient access (50)错误?

为什么root身份识别为LDAPpipe理员无法访问更改密码?

如果这是推荐的解决scheme,我很好重新安装slapd。 我想解决这个错误,然后继续前进。

编辑 :去ldapi:///上的cn = config提供以下错误: 

 # ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' -d1 ldap_url_parse_ext(ldapi:///) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 3 ldap_connect_to_path: Trying /var/run/ldapi ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_close_socket: 3 ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

我想我在/etc/openldap/ldap.conf定义了ldapi://但是我不确定ldapi:/// 

 # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=my_domain,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 URI ldap:// ldapi:// ldaps:// #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERTDIR /etc/openldap/certs

编辑2 :我得到相同的ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)停止防火墙( service iptables stop )后, ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)错误,所以防火墙不是问题。

为了pipe理'cn = config'数据库,你需要'cn = config'pipe理员,而不是数据库的pipe理员。 在debian中,这样的pipe理员是SASL TLS External的根。 尝试 

 sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'

一旦你确认了上述的作品,你可以更改密码。 首先,哈希值: 

 slappasswd -h {SSHA} -s "my_password"

然后,将哈希值粘贴到一个ldif文件中,比如./change_ldap_password.ldif

 dn: olcDatabase={0}config,cn=config changetype: modify add: olcRootPW olcRootPW: {SSHA}cZbRoOhRew8MBiWGSEOiFX0XqbAQwXUr

最后,应用ldif文件: 

 sudo ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f ./change_ldap_password.ldif

不鼓励用ldapmodify更改密码。 如果用户存在(这不是这种情况), ldappasswd是更好的。