LDAP – How to fix the LDAP olcAccess to allow users to bind to it

directory, ldap, openldap

Background

I have a super simple openldap server with basically nothing in it except the admin user, a couple OU's, and a user.

I can login and auth against it with the admin user cn=admin,dc=example,dc=com however any users I add cannot bind to it for authentication.

Here is a tree view of the directory, to make it clear to see: [screenshot: tree view of the directory]

Originally I was trying to auth against it for use with OpenVPN; the log message I got there was: Incorrect password supplied for LDAP DN "uid=myuser,ou=users,dc=example,dc=com"

However, I knew that the password was correct, which has led me down this path of now being stuck.

This server is using cn=config configuration, not using a config file!

Here is the (what I think is relevant) snippet from the slapcat -b cn=config output:

As you can see, I've been blindly adding olcAccess entries to try and resolve.

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0} to * by * auth
olcAccess: {1} to * by anonymous auth
olcAccess: {2}to * by self auth
olcAccess: {3}to * by * read
olcAccess: {4}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {5}to dn.base="" by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW:: <<hidden>>
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
structuralObjectClass: olcMdbConfig
entryUUID: 03eab422-8c94-1038-90ce-9fb3bcaac9c4
creatorsName: cn=admin,cn=config
createTimestamp: 20181205044311Z
entryCSN: 20181206111241.430739Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20181206111241Z

I have olcAccess: {0} to * by * auth as the TOP entry {0} – AFAIK that should allow auth to anyone/anything, right?

I'm using Apache Directory Studio to help interact with the server; here is a screenshot of validating the password: [screenshot: Validate Password]

And here is trying a "bind" action test: [screenshot: Bind Test]

Everything works perfectly fine from user cn=admin,dc=example,dc=com.

What I'm trying to do is just add some basic users like this: uid=myuser,ou=users,dc=example,dc=com and allow them to authenticate themselves in the directory. I really don't need anything special like roles etc.; all users are going to be on the same level and split into groups that external services will filter through to auth them.

These users I'm adding are "posixAccount" object class.

Any info is appreciated. I've found many other SE posts and old forum posts with similar issues, but everything I've found just states to add the olcAccess, which I'm either doing wrong or which isn't working for me.

I've restarted the server after making olcAccess entries, so check that one off the list.

Best Answer

So the ACL was a red herring.

Apparently LDAP cares how you hash the user password; the admin account has SSHA. For the new users I was creating, I was using a SHA512 hash on the password. Once I reset the user passwords using SSHA hashing, the binding started working. Ugh.

I'll do some reading, but if anyone knows how I can convert my users to SHA512 or SSHA-512 hashing I would appreciate it. For now I'll leave it as is.

Also, for anyone else facing something similar regarding ACLs: I have it working now by just applying olcAccess: {0}to * by * read as the only olcAccess rule, and it seems to be OK.
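As an added illustration (not code from the question, the answer, or OpenLDAP itself), the Python script below reproduces the part of slapd's simple-bind password check that the answer ran into. slapd decides how to verify a password by the {SCHEME} prefix on the userPassword value: a prefix it recognises, such as {SSHA}, is verified by re-hashing; a prefix it does not know (for example {SHA512} or {SSHA512} before the pw-sha2 contrib module is loaded) always fails; and a value with no prefix at all is compared as cleartext, which is why a bare hex digest written into userPassword can never match the typed password. The function names hash_password, check_password, detect_scheme and bare_hex_digest are this example's own, not an OpenLDAP API. The ACL in the question, for what it is worth, was already permitting binds: OpenLDAP applies the first olcAccess whose "to" clause matches, and "{0} to * by * auth" grants exactly the auth privilege a bind needs.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Schemes modelled here: {SHA} and {SSHA} are built in to slapd;
# {SHA512} and {SSHA512} come from the pw-sha2 contrib module.
_HASH = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
         "SHA512": hashlib.sha512, "SSHA512": hashlib.sha512}
_DIGEST_LEN = {"SHA": 20, "SSHA": 20, "SHA512": 64, "SSHA512": 64}


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the {SCHEME}base64 form slapd stores.

    Salted schemes encode digest(password + salt) followed by the salt;
    unsalted ones encode digest(password) only.
    """
    scheme = scheme.upper()
    if scheme not in _HASH:
        raise ValueError("unsupported scheme " + scheme)
    if scheme.startswith("SSHA"):
        if salt is None:
            salt = os.urandom(4)  # same default salt length as slappasswd
    else:
        salt = b""
    digest = _HASH[scheme](password.encode("utf-8") + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode("ascii")


def detect_scheme(stored: str) -> str:
    """Classify a stored userPassword value the way slapd would see it.

    Returns the scheme name, "UNKNOWN" for a {prefix} slapd does not
    recognise, or "CLEARTEXT" when there is no prefix at all.
    """
    if stored.startswith("{") and "}" in stored[2:]:
        scheme = stored[1:].partition("}")[0].upper()
        return scheme if scheme in _HASH else "UNKNOWN"
    return "CLEARTEXT"


def check_password(stored: str, password: str) -> bool:
    """Verify a candidate password against a stored userPassword value."""
    scheme = detect_scheme(stored)
    if scheme == "UNKNOWN":
        return False  # looks like a scheme prefix, but slapd cannot handle it
    if scheme == "CLEARTEXT":
        # No prefix: slapd compares the bytes directly, so a bare hex
        # digest stored here can only ever match the literal hex string.
        return hmac.compare_digest(stored.encode("utf-8"),
                                   password.encode("utf-8"))
    raw = base64.b64decode(stored.partition("}")[2])
    n = _DIGEST_LEN[scheme]
    digest, salt = raw[:n], raw[n:]
    candidate = _HASH[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def bare_hex_digest(password: str) -> str:
    """What a naive script produces: a hex SHA-512 with no {SCHEME} prefix."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the same password stored three different ways.
    for value in (hash_password("secret"), hash_password("secret", "SSHA512"),
                  bare_hex_digest("secret")):
        print(detect_scheme(value), check_password(value, "secret"), value[:30])
```

Run against the userPassword values from a slapcat dump, detect_scheme is a quick audit for entries stored as cleartext or under a scheme the server cannot verify. On the server itself, slappasswd -h '{SSHA}' produces the same {SSHA} form, and replacing a user's userPassword with that value via ldapmodify is the fix the answer describes; the {SSHA512} scheme the answer asks about becomes available once pw-sha2 is loaded.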
