#47850 "nsslapd-allow-anonymous-access: rootdse" makes login as "admin" fail at the first time
Closed: wontfix None Opened 9 years ago by nhosoi.

Hello Everyone,
I can't log in to the directory admin console.

On the directory server I set

nsslapd-allow-anonymous-access: rootdse

but the Netscape admin account can't get read access to the config.

From my perspective this is a blocker; the admin group can't manage it.


Workaround steps:
To work around the problem, could you try these steps?
1. Stop the server.
2. Edit /etc/dirsrv/slapd-YOURSERVER/dse.ldif as follows:
   nsslapd-allow-anonymous-access: on
3. Restart the server and log in from the Console. I think it's successful.
4. Stop the server and set nsslapd-allow-anonymous-access back to rootdse.
5. Restart the server.
6. Please try to log in from the Console again. It's supposed to work.

Note: searching "uid=<admin>" to get its DN should be done somehow even if rootdse is set. If anon search is not available, we should prompt something else (e.g., directory manager?) to obtain the admin DN and store it? Or if it is available at the install time, we should pick it up and store it?

If anonymous access is turned off on the configuration DS instance, we MUST use some account to bind with in order to resolve user IDs into real DNs. The idea here is to create a new user, used only for searching the o=netscaperoot and the user suffix(es). Then this DN and its clear-text password are stored in adm.conf. This account info is then retrieved to do the user ID lookup when logging into the console.

I don't like storing the password in clear text, but I'm not sure there is an easy way around this. The file is owned by the admin server user; if someone can access this file, then they can do a lot more damage than just searching the server (which can also be refined with ACLs).

To ssh://git.fedorahosted.org/git/389/admin.git
100d11c..0ef82b0 master -> master

commit 0ef82b0123a7800402c9085353aafbd8a49a8fde
Author: Mark Reynolds mreynolds@redhat.com
Date: Tue Sep 2 14:30:26 2014 -0400

To ssh://git.fedorahosted.org/git/389/adminutil.git
069de33..83f800d master -> master

commit 83f800df5019b54c06b3c4cd1d5b64234f1f5d9d
Author: Mark Reynolds mreynolds@redhat.com
Date: Tue Sep 2 11:20:09 2014 -0400
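
An audit sketch for the design discussed in this ticket, added here as an example and not taken from the ticket or from the 389 projects' code: it reads nsslapd-allow-anonymous-access from dse.ldif text and, when uid lookups cannot be anonymous, checks that the file holding the clear-text search-account password is owned by the expected user and closed to group and others. The sample LDIF, the function names and the treatment of an unset attribute as "on" are assumptions of the example.

```python
import os
import stat

# Constructed sample of dse.ldif; the attribute is folded to exercise LDIF continuation lines.
SAMPLE_DSE = """dn: cn=config
cn: config
nsslapd-allow-anonymous-acc
 ess: rootdse

dn: cn=plugins,cn=config
cn: plugins
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def anonymous_access_mode(dse_text):
    """Value of nsslapd-allow-anonymous-access in cn=config (assumed "on" when unset)."""
    in_config = False
    for line in unfold_ldif(dse_text):
        lower = line.lower()
        if lower.startswith("dn:"):
            in_config = lower[3:].strip() == "cn=config"
        elif in_config and lower.startswith("nsslapd-allow-anonymous-access:"):
            return lower.split(":", 1)[1].strip()
    return "on"

def credential_file_findings(path, expected_uid):
    """Ownership and mode problems on a file holding a clear-text bind password."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o allows group/other access" % stat.S_IMODE(st.st_mode))
    return findings

def audit(dse_text, cred_path, expected_uid):
    """Check the credential file only when anonymous uid lookups are unavailable."""
    mode = anonymous_access_mode(dse_text)
    restricted = mode in ("rootdse", "off")
    return mode, credential_file_findings(cred_path, expected_uid) if restricted else []
```

Call `audit()` with the contents of the instance's dse.ldif, the path of the adm.conf file and the numeric uid of the admin server user.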

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: 389-admin,console 1.1.36

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1181

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
