0

"cn=kerberoskdc,cn=config,dc=example,dc=com"任何人都可以解释为什么 slapd在我实际要求 dn= 时请求其后端加载与可分辨名称相对应的数据'cn=user,dc=example,dc=com', 'user'

代码 :

require 'net/ldap'
con = Net::LDAP.new
con.host = 'localhost'
con.port = 389
con.auth 'cn=user,dc=example,dc=com', 'user'

if con.bind
  puts con.get_operation_result
else
  puts con.get_operation_result
end

slapd.conf:

include         /private/etc/openldap/schema/core.schema
include         /private/etc/openldap/schema/cosine.schema
include         /private/etc/openldap/schema/nis.schema
include         /private/etc/openldap/schema/inetorgperson.schema

pidfile         /private/var/db/openldap/run/slapd.pid
argsfile        /private/var/db/openldap/run/slapd.args

 modulepath     /usr/libexec/openldap
 moduleload     back_bdb.la

access to *
        by self write
        by * read
        by anonymous auth

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"

rootpw          {SSHA}VPu01KnHRk2FZtTi52W6LNFqr4nJazyK

directory       /private/var/db/openldap/openldap-data

index   objectClass     eq

详细服务器消息:

 ... 
    5a41d4ae <<< dnPrettyNormal: <cn=user,dc=example,dc=com>, <cn=user,dc=example,dc=com>
    5a41d4ae conn=1000 op=0 BIND dn="cn=user,dc=example,dc=com" method=128
    5a41d4ae do_bind: version=3 dn="cn=user,dc=example,dc=com" method=128
    5a41d4ae ==> bdb_bind: dn: cn=user,dc=example,dc=com
    5a41d4ae bdb_dn2entry("cn=user,dc=example,dc=com")
    5a41d4ae => bdb_dn2id("dc=example,dc=com")
    5a41d4ae <= bdb_dn2id: got id=0x5
    5a41d4ae => bdb_dn2id("cn=user,dc=example,dc=com")
    5a41d4ae <= bdb_dn2id: got id=0x17
    5a41d4ae entry_decode: "cn=user,dc=example,dc=com"
    5a41d4ae <= entry_decode(cn=user,dc=example,dc=com)
    5a41d4ae => bdb_search
    5a41d4ae bdb_dn2entry("cn=kerberoskdc,cn=config,dc=example,dc=com")
    5a41d4ae => bdb_dn2id("cn=config,dc=example,dc=com")
    5a41d4ae <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
    5a41d4ae entry_decode: "dc=example,dc=com"
    5a41d4ae <= entry_decode(dc=example,dc=com)
    5a41d4ae => access_allowed: disclose access to "dc=example,dc=com" "entry" requested
    5a41d4ae => acl_get: [1] attr entry
    5a41d4ae => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
    5a41d4ae => acl_mask: to all values by "cn=kerberoskdc,cn=config,dc=example,dc=com", (=0) 
    5a41d4ae <= check a_dn_pat: self
    5a41d4ae <= check a_dn_pat: *
    5a41d4ae <= acl_mask: [2] applying read(=rscxd) (stop)
    5a41d4ae <= acl_mask: [2] mask: read(=rscxd)
    5a41d4ae => slap_access_allowed: disclose access granted by read(=rscxd)
    5a41d4ae => access_allowed: disclose access granted by read(=rscxd)
    5a41d4ae send_ldap_result: conn=-1 op=0 p=0
    5a41d4ae send_ldap_result: err=10 matched="dc=example,dc=com" text=""
    5a41d4ae Entry *odusers_copy_entry(Operation *): Unable to locate cn=kerberoskdc,cn=config,dc=example,dc=com (32)
    5a41d4ae odusers_copy_krbrealm: No entry associated with KerberosKDC cn=kerberoskdc,cn=config,dc=example,dc=com
    5a41d4ae odusers_krb_auth: could not retrieve krb realm while authing user
    5a41d4ae send_ldap_result: conn=1000 op=0 p=3
    5a41d4ae send_ldap_result: err=50 matched="" text=""
    5a41d4ae send_ldap_response: msgid=1 tag=97 err=50
    ....

终端输出:

fail
#<OpenStruct extended_response=nil, code=50, error_message="", matched_dn="", message="Insufficient Access Rights">
4

1 回答 1

0

这是一个适用于我在 OS X El Capitan 中的 Ruby on Rails 开发环境中使用的 OpenLDAP 服务器的解决方法。我在这里找到了答案。与其说是解决方案,不如说是一种解决方法。

  1. 在 slapd.conf 中将 'database hdb' 替换为 'database ldif'。
  2. 删除“模块加载 back_hdb.la”
  3. slapd 直到您删除任何其他数据库特定配置(例如索引)后才会运行。

这是我的 slapd.conf:

include   /usr/local/etc/openldap/schema/core.schema
include   /usr/local/etc/openldap/schema/cosine.schema
include   /usr/local/etc/openldap/schema/inetorgperson.schema


# NO SECURITY - no access clause
# defaults to anonymous access for read
# only rootdn can write

# NO REFERRALS

# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid

# enable a lot of logging - we might need it
# but generates huge logs
loglevel  -1 

# MODULELOAD definitions
# not required (comment out) before version 2.3
#moduleload back_hdb.la

# NO TLS-enabled connections

# backend definition not required

#######################################################################
# bdb database definitions
# 
# replace example and com below with a suitable domain
# 
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################

database ldif
suffix "dc=example, dc=com"

# root or superuser
rootdn "cn=matt, dc=example, dc=com"
rootpw {SSHA}d+/KMakRv0dLLXp4Qu0ezvfcdpHQA4pU
# The database directory MUST exist prior to running slapd AND 
# change path as necessary
directory /var/db/openldap/openldap-data

# Indices to maintain for this directory
# unique id so equality match only
#index  uid eq
# allows general searching on commonname, givenname and email
#index  cn,gn,mail eq,sub
# allows multiple variants on surname searching
#index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
#index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
#index default eq,sub
# indices missing - uses default eq,sub
#index telephonenumber

## other database parameters
## read more in slapd.conf reference section
#cachesize 10000
#checkpoint 128 15
于 2018-01-16T21:23:28.977 回答