Centos 6.3: Can't add Users
Johannes Graumann
johannes_graumann at web.de
Thu Aug 9 12:56:06 CEST 2012
Hello,
Jeroen van Meeuwen wrote:
> On Wednesday, August 08, 2012 07:17:12 PM Johannes Graumann wrote:
>> Jeroen van Meeuwen wrote:
>> > The logs indicate the search for effective rights is... uneffective.
>> >
>> > The lines that say so look as follows:
>> >> Executing command \
>> >> /usr/lib64/mozldap/ldapsearch -x -h localhost -p 389 \
>> >> -b "ou=People,${rootdn}" -D "cn=Directory Manager" \
>> >> -w "${password}" \
>> >> -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:cn=Directory Manager" \
>> >> -s base "(objectclass=*)" "*"
>> >> Output;
>> >> array (
>> >
>> > Here we expect output.
>> >
>> >> );
>> >> Return code: 1
>> >
>> > I would like to ask you to send us the output of "sestatus", as (as
>> > stated in the documentation) SELinux may not be enforcing the targeted
>> > policy.
>>
>> Here's my sestatus output - I was assuming that a completely disabled
>> selinux should work just fine ...
>>
>> > -bash-4.1# sestatus
>> > SELinux status: disabled
>>
>
> This is alright indeed.
>
> Can you check / confirm 1) you are indeed running a 64-bit version of
> CentOS, and 2) launching the aforementioned /usr/lib64/mozldap/ldapsearch
> command from the console does give you output?
Like so?
>-bash-4.1# uname -a
>Linux kolab.<MYDOMAIN>.org 3.2.0-3-amd64 #1 SMP Thu Jun 28 09:07:26 UTC
>2012 x86_64 x86_64 x86_64 GNU/Linux
But this should indicate the host OS (if I understand things correctly ...).
>-bash-4.1# arch
>x86_64
Is probably better?
> -bash-4.1# /usr/lib64/mozldap/ldapsearch -x -h localhost -p 389 -b "ou=People,dc=MYDOMAIN,dc=org" -D "cn=Directory Manager" -w 'MYPASSWORD' -J "1.3.6.1.4.1.42.2.27.9.5.2:true:dn:cn=Directory Manager" -s base "(objectclass=*)" "*"
leads to:
> version: 1
> dn: ou=People,dc=MYDOMAIN,dc=org
> objectClass: top
> objectClass: organizationalunit
> ou: People
> aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber
> ")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "l
> dap:///self");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Accounting)")(version
> 3.0;acl "Accounting Managers Group Permissions";allow (write)(groupdn = "ld
> ap:///cn=Accounting Managers,ou=groups,dc=MYDOMAIN,dc=org");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Human Resources)")(ve
> rsion 3.0;acl "HR Group Permissions";allow (write)(groupdn = "ldap:///cn=HR
> Managers,ou=groups,dc=MYDOMAIN,dc=org");)
> aci: (targetattr !="cn ||sn || uid")(targetfilter ="(ou=Product Testing)")(ver
> sion 3.0;acl "QA Group Permissions";allow (write)(groupdn = "ldap:///cn=QA M
> anagers,ou=groups,dc=MYDOMAIN,dc=org");)
> aci: (targetattr !="cn || sn || uid")(targetfilter ="(ou=Product Development)"
> )(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "l
> dap:///cn=PD Managers,ou=groups,dc=MYDOMAIN,dc=org");)
> entryLevelRights: vadn
> attributeLevelRights: objectClass:rscwo, aci:rscwo, ou:rscwo, businessCategory
> :rscwo, description:rscwo, destinationIndicator:rscwo, facsimileTelephoneNum
> ber:rscwo, internationalISDNNumber:rscwo, l:rscwo, physicalDeliveryOfficeNam
> e:rscwo, postalAddress:rscwo, postalCode:rscwo, postOfficeBox:rscwo, preferr
> edDeliveryMethod:rscwo, registeredAddress:rscwo, searchGuide:rscwo, seeAlso:
> rscwo, st:rscwo, street:rscwo, telephoneNumber:rscwo, teletexTerminalIdentif
> ier:rscwo, telexNumber:rscwo, userPassword:rscwo, x121Address:rscwo
This also works as user "apache" ...
Anything wrong here? Where else to look?
Thank you for your patience.
Joh
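
An added example, not part of the original message or of the Kolab code: a small Python decoder for the effective-rights answer that the `-J "1.3.6.1.4.1.42.2.27.9.5.2:..."` search returns, covering both the populated console output and the empty output seen in the logs. The function names and the sample LDIF are constructed for illustration; the meanings of the rights letters are assumed from the 389 Directory Server documentation.

```python
# Added example: decode Get Effective Rights output from ldapsearch.
# Letter meanings are assumed from the 389 Directory Server documentation.
ENTRY_RIGHTS = {"v": "view", "a": "add", "d": "delete", "n": "rename"}
ATTR_RIGHTS = {"r": "read", "s": "search", "c": "compare", "w": "write",
               "o": "obliterate", "W": "self-write", "O": "self-delete"}

# Constructed sample, shaped like the console output quoted in the message.
SAMPLE = """\
version: 1
dn: ou=People,dc=example,dc=org
objectClass: top
entryLevelRights: vadn
attributeLevelRights: objectClass:rscwo, aci:rscwo, ou:rscwo, businessCategory
 :rscwo, userPassword:rscwo
"""

def unfold(ldif):
    """Join folded LDIF lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def decode(letters, table):
    """Map rights letters to names; the literal value 'none' means no rights."""
    letters = letters.strip()
    return set() if letters == "none" else {table.get(c, c) for c in letters}

def effective_rights(ldif):
    """Return (entry_rights, {attribute: rights}) parsed from ldapsearch LDIF."""
    entry, attrs = set(), {}
    for line in unfold(ldif):
        name, sep, value = line.partition(": ")
        if sep and name.lower() == "entrylevelrights":
            entry = decode(value, ENTRY_RIGHTS)
        elif sep and name.lower() == "attributelevelrights":
            for item in value.split(","):
                attr, _, letters = item.strip().rpartition(":")
                if attr:
                    attrs[attr] = decode(letters, ATTR_RIGHTS)
    return entry, attrs

def can_add_entries(ldif):
    """False for empty output (the logged failure) or when 'add' is not granted."""
    return "add" in effective_rights(ldif)[0]
```
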