
I migrated my OpenLDAP setup to a newer version (2.4), and now I can only bind to it with the "root" account, cn=admin,dc=mydomain,dc=com. Authentication for any other user just fails with error 49 (Invalid credentials). Even if I create a new user from scratch at the same level as the root account (e.g. cn=user2,dc=mydomain,dc=com) and freshly set a password for it with ldappasswd, I still cannot bind with that new account.

Relevant (?) configuration in /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif looks like this:

olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

Slapd gives the following messages when I attempt to bind with non-admin account:

5ab4a590 => access_allowed: result not in cache (userPassword)
5ab4a590 => access_allowed: auth access to "cn=user2,dc=mydomain,dc=com" "userPassword" requested
5ab4a590 => acl_get: [1] attr userPassword
5ab4a590 => acl_mask: access to entry "cn=user2,dc=mydomain,dc=com", attr "userPassword" requested
5ab4a590 => acl_mask: to value by "", (=0) 
5ab4a590 <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
5ab4a590 <= check a_dn_pat: *
5ab4a590 <= acl_mask: [2] applying none(=0) (stop)
5ab4a590 <= acl_mask: [2] mask: none(=0)
5ab4a590 => slap_access_allowed: auth access denied by none(=0)
5ab4a590 => access_allowed: no more rules

What am I missing?


1 Answer


I had to add authentication access (by anonymous auth) in another config file, olcDatabase={1}mdb.ldif.

The entry before modification:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" write by * none

The entry after modification:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" write by anonymous auth by * none

aargh
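The "by" clause walk that the question's slapd log shows (first matching clause decides, then "(stop)"), as an added Python model that is not code from the post or from OpenLDAP. It only models who-clause matching and the privilege ordering from slapd.access(5); the BEFORE and AFTER lists are the answer's two olcAccess values, and the requester DN "" stands for the anonymous session a simple bind starts from.

```python
"""Simplified model of how slapd evaluates the "by" clauses of one olcAccess rule.

Added example, not from the original post. The first "by" clause whose subject
matches the requester sets the granted privilege and evaluation stops (the
default control), which is why a trailing "by * none" leaves an anonymous
session with no "auth" access to userPassword and every non-root bind fails.
"""

# Privilege levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The SASL EXTERNAL identity of a local root process (from the post's config).
ROOT_DN = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"


def who_matches(who: str, requester_dn: str) -> bool:
    """Does a who-clause subject match the requester? "" is the anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who.startswith(("dn.base=", "dn.exact=")):
        return requester_dn == who.split("=", 1)[1].strip('"')
    raise ValueError(f"unsupported who clause: {who}")


def granted_level(by_clauses, requester_dn: str) -> str:
    """Return the privilege of the first matching clause; no match means 'none'."""
    for who, level in by_clauses:
        if who_matches(who, requester_dn):
            return level
    return "none"


def access_allowed(by_clauses, requester_dn: str, required: str) -> bool:
    """True if the granted privilege is at least the required one."""
    return LEVELS.index(granted_level(by_clauses, requester_dn)) >= LEVELS.index(required)


# The two ACL values from the answer, as (who, privilege) pairs.
BEFORE = [(f'dn.base="{ROOT_DN}"', "write"), ("*", "none")]
AFTER = [(f'dn.base="{ROOT_DN}"', "write"), ("anonymous", "auth"), ("*", "none")]


def simple_bind_can_check_password(by_clauses) -> bool:
    """A simple bind is anonymous while slapd needs 'auth' access to userPassword."""
    return access_allowed(by_clauses, "", "auth")
```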