OpenLDAP invalid credentials immediately after setting credentials

I cannot bind as a non-root DN user in OpenLDAP; even when I set the password immediately beforehand, I still get ldap_bind: Invalid credentials (49).

For example, if I set a password with ldappasswd (authenticating as the root DN) and then immediately try to authenticate with ldapwhoami, I get the following error:

leif@nixos ~ $ ldappasswd -x -D cn=Admin,dc=leifandersen,dc=net -W -s badpasswd cn=leiftest,ou=users,dc=leif,dc=net
Enter LDAP Password: 
leif@nixos ~ $ ldapwhoami -x -w badpasswd -D cn=leiftest,ou=users,dc=leifandersen,dc=pl
ldap_bind: Invalid credentials (49)

(Note that in this case slapd is running on localhost on port 389, so I don't seem to need to specify those.)

I am using ppolicy, configured as:

# ppolicy, leifandersen.net
dn: cn=ppolicy,dc=leifandersen,dc=net
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
pwdLockoutDuration: 30
pwdLockout: FALSE

and I set up my initial OpenLDAP configuration with nix; the relevant bits (I think) are:

"olcOverlay=ppolicy" = {
  attrs = {
    objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
    olcOverlay = "ppolicy";
    olcPPolicyDefault = "cn=ppolicy,dc=leif,dc=pl";
    olcPPolicyUseLockout = "FALSE";
    olcPPolicyHashCleartext = "TRUE";
  };
};

The whole configuration is:

services.openldap = {
  enable = true;
  settings = {
    attrs.olcLogLevel = [ "stats" ];
    children = {
      "cn=schema".includes = [
        "${pkgs.openldap}/etc/schema/core.ldif"
        "${pkgs.openldap}/etc/schema/cosine.ldif"
        "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        "${pkgs.openldap}/etc/schema/nis.ldif"
        "${pkgs.openldap}/etc/schema/ppolicy.ldif"
      ];
      "olcDatabase={-1}frontend" = {
        attrs = {
          objectClass = "olcDatabaseConfig";
          olcDatabase = "{-1}frontend";
          olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
        };
      };
      "olcDatabase={0}config" = {
        attrs = {
          objectClass = "olcDatabaseConfig";
          olcDatabase = "{0}config";
          olcAccess = [ "{0}to * by * none break" ];
        };
      };
      "olcDatabase={1}mdb" = {
        attrs = {
          objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
          olcDatabase = "{1}mdb";
          olcDbDirectory = "/var/db/ldap";
          olcDbIndex = [
            "objectClass eq"
            "cn pres,eq"
            "uid pres,eq"
            "sn pres,eq,subany"
          ];
          olcSuffix = "dc=leifandersen,dc=net";
          olcAccess = [ "{0}to * by * none break" ]; # read break for readable
          olcRootDN = "cn=Admin,dc=leifandersen,dc=net";
          olcRootPW = "{SSHA}<SOMEHASH>";
        };
        children = {
          "olcOverlay=ppolicy" = {
            attrs = {
              objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" ];
              olcOverlay = "ppolicy";
              olcPPolicyDefault = "cn=ppolicy,dc=leif,dc=pl";
              olcPPolicyUseLockout = "FALSE";
              olcPPolicyHashCleartext = "TRUE";
            };
          };
        };
      };
    };
  };
};

Does anyone know why I am getting the invalid credentials error? Is there something wrong with my policy settings? (I know it isn't as strict as it should be; I relaxed the requirements in the hope of getting something working. Also, sorry if this is a bad question; I'm still very new to LDAP and my previous searches haven't turned up any answers.)

OpenLDAP requires that access to the necessary attributes (specifically userPassword) be explicitly granted to the pre-authentication bind state (i.e. anonymous) for authentication to take place during the bind. Try changing the line

          olcAccess = [ "{0}to * by * none break" ]; # read break for readable

          olcAccess = [
            "{0}to attr=userPassword by anonymous auth"
            "{1}to * by * none break"
          ]; # read break for readable

in the "{1}mdb" section, as suggested here.
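To make the answer's point concrete, here is a small Python model of how slapd walks olcAccess directives. It is added here as an illustration; it is not code from the question, the answer or OpenLDAP, and it reduces slapd.access(5) to the targets, subjects and controls the page's ACLs actually use. It feeds the question's mdb and frontend directives through the model, then the answer's corrected list, and asks whether an anonymous connection holds the "auth" privilege on userPassword that a simple bind for the question's cn=leiftest DN needs. The SELF_SERVICE list is an assumed further variant, not from the page, that also lets a user write their own userPassword (without which the policy's pwdAllowUserChange: TRUE has nothing to act on) and keeps it hidden from every other bound user.

```python
"""Toy model of slapd ACL evaluation (slapd.access(5) semantics, simplified):
targets "*" and "attr=...", subjects "*", "anonymous", "users", "self", "dn.exact=",
controls stop/break/continue. No "+/-" privileges, no rootdn bypass, no zero-ACL default."""
import re
from collections import namedtuple
from typing import List, Tuple

# Privilege ordering from slapd.access(5); each level implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}
# bind_dn None means the connection is still anonymous; attr None means the entry itself.
Request = namedtuple("Request", "bind_dn target_dn attr")
Directive = Tuple[str, List[Tuple[str, str, str]]]  # (target, [(who, level, control)])

def parse_acl(line: str) -> Directive:
    """Parse one olcAccess value such as '{0}to attr=userPassword by anonymous auth'."""
    line = re.sub(r"^\{-?\d+\}", "", line).strip()  # drop the {n} ordering prefix
    if not line.startswith("to "):
        raise ValueError(f"not an access directive: {line!r}")
    head, *by_parts = line.split(" by ")
    clauses = []
    for part in by_parts:
        toks = part.split()
        who, level = toks[0], toks[1]
        control = toks[2] if len(toks) > 2 else "stop"  # slapd's default control
        if level not in RANK or control not in ("stop", "break", "continue"):
            raise ValueError(f"unsupported by clause: {part!r}")
        clauses.append((who, level, control))
    return head[3:].strip(), clauses

def _target_matches(target: str, req: Request) -> bool:
    if target == "*":
        return True
    if target.startswith(("attr=", "attrs=")):
        names = [n.strip().lower() for n in target.split("=", 1)[1].split(",")]
        return req.attr is not None and req.attr.lower() in names
    raise ValueError(f"target not modelled: {target!r}")

def _subject_matches(who: str, req: Request) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "users":
        return req.bind_dn is not None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.target_dn.lower()
    if who.startswith("dn.exact="):
        return req.bind_dn is not None and req.bind_dn.lower() == who[9:].lower()
    raise ValueError(f"subject not modelled: {who!r}")

def evaluate(directives: List[Directive], req: Request) -> str:
    """Walk the directives in order and return the privilege slapd would grant."""
    for target, clauses in directives:
        if not _target_matches(target, req):
            continue
        granted, next_directive = None, False
        for who, level, control in clauses:
            if not _subject_matches(who, req):
                continue
            granted = level
            if control == "stop":
                return granted
            if control == "break":
                next_directive = True  # resume with the next access directive
                break
            # "continue": keep evaluating the remaining by clauses of this directive
        if next_directive:
            continue
        # A matching "to" whose by clauses never matched denies (implicit "by * none").
        return granted if granted is not None else "none"
    return "none"  # once any ACL exists, a request no directive covers is denied

def allows(directives: List[Directive], req: Request, needed: str) -> bool:
    return RANK[evaluate(directives, req)] >= RANK[needed]

def can_simple_bind(directives: List[Directive], user_dn: str) -> bool:
    # The password check runs while the connection is still anonymous, so the
    # 'anonymous' subject needs at least 'auth' on userPassword.
    return allows(directives, Request(None, user_dn, "userPassword"), "auth")

# Frontend ACLs are global: slapd appends them after each database's own list.
FRONTEND = [parse_acl("{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,"
                      "cn=external,cn=auth manage stop by * none stop")]
ORIGINAL = [parse_acl("{0}to * by * none break")] + FRONTEND
FIXED = [parse_acl("{0}to attr=userPassword by anonymous auth"),
         parse_acl("{1}to * by * none break")] + FRONTEND
# Assumed variant, not from the page: self-service password change plus a readable
# directory for authenticated users; userPassword stays hidden from everyone else.
SELF_SERVICE = [parse_acl("{0}to attr=userPassword by self write by anonymous auth by * none"),
                parse_acl("{1}to * by users read")] + FRONTEND
USER = "cn=leiftest,ou=users,dc=leifandersen,dc=net"  # the DN from the question

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED), ("self-service", SELF_SERVICE)):
        ok = can_simple_bind(acl, USER)
        print(f"{name:13s} bind as {USER}: {'success' if ok else 'Invalid credentials (49)'}")
```

Running it shows the original list evaluating to "none" for the anonymous bind: the mdb directive's break falls through to the frontend's "by * none stop", so the password can never be checked and slapd reports Invalid credentials (49). The same fall-through denies read on every other attribute to bound users too, so the "# read break for readable" comment in the question does not hold; something must actually grant read after the break. The root DN is exempt from ACLs entirely, which is why a bind as cn=Admin is unaffected by any of these directives.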