
Re: [nssldap] id: cannot find name for user ID #

Buchan Milne wrote:
So, you have two DNs, and one password. Where is the other password? It needs
to go in /etc/ldap.secret (yes, in the clear, but the permissions can be 
stricter than /etc/ldap.conf). The rootbinddn, if present, is used, in 
conjunction with the password from /etc/ldap.secret, when nss_ldap is invoked 
by a process running as root.

This is covered in the nss_ldap man page.

Right, bad idea to use your rootdn in a world-readable config file. You may 
want to consider creating a dedicated DN (commonly referred to as a proxy 
DN), or use a method to provide each server with individual access to the 
LDAP server (e.g. SASL-GSSAPI - Kerberos) sufficient to search/list users.

It is not necessary to expose the majority of your directory contents (unless 
you want to save the most effort at the greatest risk and avoid using a 
binddn at all).

In OpenLDAP 2.2 or later (IIRC), you are probably missing the .subtree 
qualifier (to dn.subtree=), which would also have fixed your problem.

Regards,
Buchan

Yes, I have the manager's password in /etc/ldap.secret with permission 600.

OK, so if I set up a proxy user named proxy, that user will need an account in OpenLDAP like any other Linux shell user? So if I create proxy, my ACL would be:

access to dn.subtree="ou=People,dc=mdah,dc=state,dc=ms,dc=us" attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid,userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by dn="uid=proxy,ou=People,dc=mdah,dc=ms,dc=us" read
    by anonymous auth
    by * none
And of course, uid=proxy,ou=People,dc=mdah,dc=ms,dc=us becomes my binddn, with its bindpw, in /etc/ldap.conf.
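A tightened version of the ACL sketched above, added here as an example and not taken from the thread or from the nss_ldap project. It assumes the suffix dc=mdah,dc=state,dc=ms,dc=us and a proxy entry uid=proxy,ou=People,dc=mdah,dc=state,dc=ms,dc=us (both assumptions); it keeps password hashes out of the proxy's reach and stops users from rewriting their own uidNumber/gidNumber.

```conf
# Added example, not from the thread. Assumed suffix: dc=mdah,dc=state,dc=ms,dc=us
# Assumed proxy entry: uid=proxy,ou=People,dc=mdah,dc=state,dc=ms,dc=us
# slapd evaluates "access to" directives in order and uses the first one whose
# "to" clause covers the attribute being accessed, so credentials get their
# own rule ahead of the account attributes.

# Credentials: owner may change them, anyone may bind against them, and
# nobody (the proxy DN included) may read the hashes. nss_ldap does not need
# them to resolve names and IDs.
access to dn.subtree="ou=People,dc=mdah,dc=state,dc=ms,dc=us"
        attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none

# Account attributes nss_ldap needs: readable by the dedicated proxy DN and
# by the user for their own entry. "by self read" (not write) keeps a user
# from assigning themselves uidNumber 0 or a different primary group.
access to dn.subtree="ou=People,dc=mdah,dc=state,dc=ms,dc=us"
        attrs=uid,uidNumber,gidNumber,gecos,homeDirectory,loginShell,memberUid
    by self read
    by dn.exact="uid=proxy,ou=People,dc=mdah,dc=state,dc=ms,dc=us" read
    by * none

# A search only returns entries the client may see at all: grant the proxy
# read on the "entry" pseudo-attribute and objectClass, nothing else.
access to dn.subtree="ou=People,dc=mdah,dc=state,dc=ms,dc=us"
        attrs=entry,objectClass
    by self read
    by dn.exact="uid=proxy,ou=People,dc=mdah,dc=state,dc=ms,dc=us" read
    by * none
```

With this in place, /etc/ldap.conf carries only the proxy's binddn/bindpw, which is acceptable in a world-readable file because that DN can read account attributes but no password hashes; rootbinddn and /etc/ldap.secret are then no longer needed for lookups.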