Centos 6.3: Can't add Users

Johannes Graumann johannes_graumann at web.de
Thu Aug 9 12:56:06 CEST 2012


Hello,

Jeroen van Meeuwen wrote:
> On Wednesday, August 08, 2012 07:17:12 PM Johannes Graumann wrote:
>> Jeroen van Meeuwen wrote:
>> > The logs indicate the search for effective rights is... uneffective.
>> > 
>> > The lines that say so look as follows:
>> >> Executing command \
>> >> /usr/lib64/mozldap/ldapsearch -x -h localhost -p 389 \
>> >> -b "ou=People,${rootdn}" -D "cn=Directory Manager" \
>> >> -w "${password}" \
>> >> -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:cn=Directory Manager" \
>> >> -s base "(objectclass=*)" "*"
>> >> Output;
>> >> array (
>> > 
>> > Here we expect output.
>> > 
>> >> );
>> >> Return code: 1
>> > 
>> > I would like to ask you to send us the output of "sestatus", as (as
>> > stated in the documentation) SELinux may not be enforcing the targeted
>> > policy.
>> 
>> Here's my sestatus output - I was assuming that a completely disabled
>> selinux should work just fine ...
>> 
>> > -bash-4.1# sestatus
>> > SELinux status:                 disabled
>> 
> 
> This is alright indeed.
> 
> Can you check / confirm 1) you are indeed running a 64-bit version of
> CentOS, and 2) launching the aforementioned /usr/lib64/mozldap/ldapsearch
> command from the console does give you output?

Like so?

> -bash-4.1# uname -a
> Linux kolab.<MYDOMAIN>.org 3.2.0-3-amd64 #1 SMP Thu Jun 28 09:07:26 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
But this should indicate the host OS (if I understand things correctly ...).

> -bash-4.1# arch
> x86_64
Is probably better?

> -bash-4.1# /usr/lib64/mozldap/ldapsearch -x -h localhost -p 389 \
>   -b "ou=People,dc=MYDOMAIN,dc=org" -D "cn=Directory Manager" -w 'MYPASSWORD' \
>   -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:cn=Directory Manager" \
>   -s base "(objectclass=*)" "*"

leads to:

> version: 1
> dn: ou=People,dc=MYDOMAIN,dc=org
> objectClass: top
> objectClass: organizationalunit
> ou: People
> aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "ldap:///cn=Accounting Managers,ou=groups,dc=MYDOMAIN,dc=org");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(version 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR Managers,ou=groups,dc=MYDOMAIN,dc=org");)
> aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(version 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA Managers,ou=groups,dc=MYDOMAIN,dc=org");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups,dc=MYDOMAIN,dc=org");)
> entryLevelRights: vadn
> attributeLevelRights: objectClass:rscwo, aci:rscwo, ou:rscwo, businessCategory:rscwo, description:rscwo, destinationIndicator:rscwo, facsimileTelephoneNumber:rscwo, internationalISDNNumber:rscwo, l:rscwo, physicalDeliveryOfficeName:rscwo, postalAddress:rscwo, postalCode:rscwo, postOfficeBox:rscwo, preferredDeliveryMethod:rscwo, registeredAddress:rscwo, searchGuide:rscwo, seeAlso:rscwo, st:rscwo, street:rscwo, telephoneNumber:rscwo, teletexTerminalIdentifier:rscwo, telexNumber:rscwo, userPassword:rscwo, x121Address:rscwo

This also works as user "apache" ...

Anything wrong here? Where else to look?

Thank you for your patience.

Joh
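As an added example (not part of this thread and not Kolab's own code), a small Python checker for the kind of ldapsearch output shown above. It unfolds the LDIF continuation lines that ldapsearch emits, extracts the entryLevelRights and attributeLevelRights attributes returned for the Get Effective Rights control (OID 1.3.6.1.4.1.42.2.27.9.5.2, the one passed with -J in the command above), and reports what a caller should verify before treating the result as usable, including the failure mode from the log excerpt earlier in the thread (empty output with a non-zero return code). The sample LDIF is constructed from the output above, trimmed, with the placeholders left in; check_ger_output and ger_command are assumptions about what calling code ought to do, not a description of what the Kolab admin component actually does.

```python
"""Parse Get Effective Rights (GER) output from ldapsearch and sanity-check it.

Added example; not code from the Kolab project.  Rights letters follow the
389 Directory Server convention:
  entryLevelRights:     v = view/read, a = add child, d = delete, n = rename
  attributeLevelRights: r = read, s = search, c = compare,
                        w = write (add values), o = obliterate (delete values)
"""
import base64
from typing import Dict, List, Set, Tuple

GET_EFFECTIVE_RIGHTS_OID = "1.3.6.1.4.1.42.2.27.9.5.2"

# Constructed sample, trimmed from the thread's output.  The businessCategory
# item is folded across two lines exactly as ldapsearch prints it: the second
# physical line starts with a single space and continues the previous value.
SAMPLE_LDIF = (
    "version: 1\n"
    "dn: ou=People,dc=MYDOMAIN,dc=org\n"
    "objectClass: top\n"
    "objectClass: organizationalunit\n"
    "ou: People\n"
    "entryLevelRights: vadn\n"
    "attributeLevelRights: objectClass:rscwo, aci:rscwo, ou:rscwo, businessCategory\n"
    " :rscwo, description:rscwo, userPassword:rscwo\n"
)

Entry = Dict[str, List[str]]


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Tuple[str, Entry]]:
    """Turn ldapsearch LDIF output into a list of (dn, {attr: [values]})."""
    entries: List[Tuple[str, Entry]] = []
    current: Entry = {}
    for line in unfold_ldif(text):
        if not line.strip():                      # blank line ends an entry
            if "dn" in current:
                entries.append((current["dn"][0], current))
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                              # not an attribute line
        if value.startswith(":"):                 # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value.strip())
    if "dn" in current:
        entries.append((current["dn"][0], current))
    return entries


def effective_rights(entry: Entry) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Return (entry-level rights, per-attribute rights) from the GER attributes."""
    entry_rights = set("".join(entry.get("entryLevelRights", [])))
    attr_rights: Dict[str, Set[str]] = {}
    for value in entry.get("attributeLevelRights", []):
        for item in value.split(","):
            name, _, letters = item.strip().partition(":")
            if name:
                attr_rights[name] = set(letters)
    return entry_rights, attr_rights


def check_ger_output(output: str, return_code: int) -> Tuple[bool, str]:
    """The checks a caller should make before trusting a GER result (assumed, not Kolab's)."""
    if return_code != 0:
        return False, "ldapsearch exited with %d; no rights information available" % return_code
    entries = parse_entries(output)
    if not entries:
        return False, "ldapsearch printed no entries"
    dn, entry = entries[0]
    entry_rights, attr_rights = effective_rights(entry)
    if not entry_rights:
        return False, "%s: no entryLevelRights returned; GER control not honoured?" % dn
    if "a" not in entry_rights:
        return False, "%s: bound identity may not add children (rights: %s)" % (
            dn, "".join(sorted(entry_rights)))
    return True, "%s: may add children; rights known for %d attributes" % (dn, len(attr_rights))


def ger_command(base_dn: str, bind_dn: str, password: str, subject_dn: str = "",
                ldapsearch: str = "/usr/lib64/mozldap/ldapsearch") -> List[str]:
    """Build the argv for the GER query from the thread as a list, so the password
    never passes through a shell.  Assumed helper; mirrors the -J control syntax above."""
    subject = subject_dn or bind_dn
    return [ldapsearch, "-x", "-h", "localhost", "-p", "389", "-b", base_dn,
            "-D", bind_dn, "-w", password,
            "-J", "%s:true:dn:%s" % (GET_EFFECTIVE_RIGHTS_OID, subject),
            "-s", "base", "(objectclass=*)", "*"]
```

Running check_ger_output on the sample reports that the bound identity may add children under ou=People, which is what the "vadn" in the thread's output means; feeding it an empty string with return code 1 reproduces the failure the logs showed. The argv list from ger_command can be handed to subprocess.run directly; that sidesteps the quoting problems of building the command as a single shell string with the password interpolated.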
