
OpenLDAP question

I am trying to use OpenLDAP for authenticating Solaris users. I am able
to do an ldapsearch and retrieve my userid entry (index 69) but cannot
do an su to my id. My id is not in the passwd or shadow files. I have
installed PADL nss_ldap and pam_ldap modules. If I do a 'getent passwd'
I get all entries including those in LDAP and all looks fine. Here is
the debug output from the su attempt:

On client:

bash-2.03# su - pomalley
su: Unknown id: pomalley
bash-2.03# 

On LDAP Server (condensed):

TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1027, written=1027
  0000:  16 03 01 00 4a 02 00 00  46 03 01 3f fc 36 38 cf  ....J...F..?.68.
  0010:  67 ae 39 8b a3 de 38 47  7a 01 83 1f c3 f5 1e be  g.9...8Gz.......
                           ...               
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                     .....

tls_read: want=1, got=1
  0000:  01                                                 .

tls_read: want=5, got=5
  0000:  16 03 01 00 30                                     ....0

TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(17): unable to get TLS client DN error=49 id=4
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 17r
daemon: read activity on 17
connection_get(17)
connection_get(17): got connid=4
connection_read(17): checking for input on id=4
ber_get_next
ber_get_next
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 17 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x002293a8 ptr=0x002293ab end=0x002293df len=52
  0000:  60 32 02 01 03 04 22 63  6e 3d 4d 61 6e 61 67 65  `2...."cn=Manage
  0010:  72 2c 64 63 3d 6e 79 2c  64 63 3d 62 6c 75 65 66  r,dc=ny,dc=bluef
  0020:  6c 79 2c 64 63 3d 63 6f  6d 80 09 35 70 31 64 33  ly,dc=com..5p1d3
  0030:  72 4d 61 6e                                        rMan

ber_scanf fmt (m}) ber:
ber_dump: buf=0x002293a8 ptr=0x002293d4 end=0x002293df len=11
  0000:  00 09 35 70 31 64 33 72  4d 61 6e                  ..5p1d3rMan

>>> dnPrettyNormal: <cn=Manager,dc=ny,dc=bluefly,dc=com>
=> ldap_bv2dn(cn=Manager,dc=ny,dc=bluefly,dc=com,0)
<= ldap_bv2dn(cn=Manager,dc=ny,dc=bluefly,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=Manager,dc=ny,dc=bluefly,dc=com,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=ny,dc=bluefly,dc=com,272)=0
<<< dnPrettyNormal: <cn=Manager,dc=ny,dc=bluefly,dc=com>,
<cn=manager,dc=ny,dc=bluefly,dc=com>
do_bind: version=3 dn="cn=Manager,dc=ny,dc=bluefly,dc=com" method=128
conn=4 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" method=128
==> bdb_bind: dn: cn=Manager,dc=ny,dc=bluefly,dc=com
bdb_dn2entry_rw("cn=manager,dc=ny,dc=bluefly,dc=com")
=> bdb_dn2id_matched( "cn=manager,dc=ny,dc=bluefly,dc=com" )
====> bdb_cache_find_entry_dn2id("cn=manager,dc=ny,dc=bluefly,dc=com"): 2 (1 tries)
====> bdb_cache_find_entry_id( 2 ) "cn=Manager,dc=ny,dc=bluefly,dc=com" (found) (1 tries)
====> bdb_cache_return_entry_r( 2 ): returned (0)
conn=4 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" mech=simple ssf=0
do_bind: v3 bind: "cn=Manager,dc=ny,dc=bluefly,dc=com" to "cn=Manager,dc=ny,dc=bluefly,dc=com"
send_ldap_result: conn=4 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ldap_read: want=206, got=206
  0000:  cd 04 21 6f 75 3d 50 65  6f 70 6c 65 2c 64 63 3d  ..!ou=People,dc=
  0010:  6e 79 2c 64 63 3d 62 6c  75 65 66 6c 79 2c 64 63  ny,dc=bluefly,dc
  0020:  3d 63 6f 6d 0a 01 02 0a  01 00 02 01 01 02 01 1e  =com............
  0030:  01 01 00 a0 2e a3 1b 04  0b 6f 62 6a 65 63 74 63  .........objectc
  0040:  6c 61 73 73 04 0c 70 6f  73 69 78 41 63 63 6f 75  lass..posixAccou
  0050:  6e 74 a3 0f 04 03 75 69  64 04 08 70 6f 6d 61 6c  nt....uid..pomal
  0060:  6c 65 79 30 69 04 03 75  69 64 04 0c 75 73 65 72  ley0i..uid..user
  0070:  50 61 73 73 77 6f 72 64  04 09 75 69 64 4e 75 6d  Password..uidNum
  0080:  62 65 72 04 09 67 69 64  4e 75 6d 62 65 72 04 02  ber..gidNumber..
  0090:  63 6e 04 0d 68 6f 6d 65  44 69 72 65 63 74 6f 72  cn..homeDirector
  00a0:  79 04 0a 6c 6f 67 69 6e  53 68 65 6c 6c 04 05 67  y..loginShell..g
  00b0:  65 63 6f 73 04 0b 64 65  73 63 72 69 70 74 69 6f  ecos..descriptio
  00c0:  6e 04 0b 6f 62 6a 65 63  74 43 6c 61 73 73        n..objectClass
ber_get_next: tag 0x30 len 211 contents:
ber_dump: buf=0x0022a2c0 ptr=0x0022a2c0 end=0x0022a393 len=211
  0000:  02 01 02 63 81 cd 04 21  6f 75 3d 50 65 6f 70 6c  ...c...!ou=Peopl
  0010:  65 2c 64 63 3d 6e 79 2c  64 63 3d 62 6c 75 65 66  e,dc=ny,dc=bluef
  0020:  6c 79 2c 64 63 3d 63 6f  6d 0a 01 02 0a 01 00 02  ly,dc=com.......
  0030:  01 01 02 01 1e 01 01 00  a0 2e a3 1b 04 0b 6f 62  ..............ob
  0040:  6a 65 63 74 63 6c 61 73  73 04 0c 70 6f 73 69 78  jectclass..posix
  0050:  41 63 63 6f 75 6e 74 a3  0f 04 03 75 69 64 04 08  Account....uid..
  0060:  70 6f 6d 61 6c 6c 65 79  30 69 04 03 75 69 64 04  pomalley0i..uid.
  0070:  0c 75 73 65 72 50 61 73  73 77 6f 72 64 04 09 75  .userPassword..u
  0080:  69 64 4e 75 6d 62 65 72  04 09 67 69 64 4e 75 6d  idNumber..gidNum
  0090:  62 65 72 04 02 63 6e 04  0d 68 6f 6d 65 44 69 72  ber..cn..homeDir
  00a0:  65 63 74 6f 72 79 04 0a  6c 6f 67 69 6e 53 68 65  ectory..loginShe
  00b0:  6c 6c 04 05 67 65 63 6f  73 04 0b 64 65 73 63 72  ll..gecos..descr
  00c0:  69 70 74 69 6f 6e 04 0b  6f 62 6a 65 63 74 43 6c  iption..objectCl
  00d0:  61 73 73                                           ass

ber_get_next
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 17 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
ber_dump: buf=0x0022a2c0 ptr=0x0022a2c3 end=0x0022a393 len=208
  0000:  63 81 cd 04 21 6f 75 3d  50 65 6f 70 6c 65 2c 64  c...!ou=People,d
  0010:  63 3d 6e 79 2c 64 63 3d  62 6c 75 65 66 6c 79 2c  c=ny,dc=bluefly,
  0020:  64 63 3d 63 6f 6d 0a 01  02 0a 01 00 02 01 01 02  dc=com..........
  0030:  01 1e 01 01 00 a0 2e a3  1b 04 0b 6f 62 6a 65 63  ...........objec
  0040:  74 63 6c 61 73 73 04 0c  70 6f 73 69 78 41 63 63  tclass..posixAcc
  0050:  6f 75 6e 74 a3 0f 04 03  75 69 64 04 08 70 6f 6d  ount....uid..pom
  0060:  61 6c 6c 65 79 30 69 04  03 75 69 64 04 0c 75 73  alley0i..uid..us
  0070:  65 72 50 61 73 73 77 6f  72 64 04 09 75 69 64 4e  erPassword..uidN
  0080:  75 6d 62 65 72 04 09 67  69 64 4e 75 6d 62 65 72  umber..gidNumber
  0090:  04 02 63 6e 04 0d 68 6f  6d 65 44 69 72 65 63 74  ..cn..homeDirect
  00a0:  6f 72 79 04 0a 6c 6f 67  69 6e 53 68 65 6c 6c 04  ory..loginShell.
  00b0:  05 67 65 63 6f 73 04 0b  64 65 73 63 72 69 70 74  .gecos..descript
  00c0:  69 6f 6e 04 0b 6f 62 6a  65 63 74 43 6c 61 73 73  ion..objectClass
>>> dnPrettyNormal: <ou=People,dc=ny,dc=bluefly,dc=com>
=> ldap_bv2dn(ou=People,dc=ny,dc=bluefly,dc=com,0)
<= ldap_bv2dn(ou=People,dc=ny,dc=bluefly,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=People,dc=ny,dc=bluefly,dc=com,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=ny,dc=bluefly,dc=com,272)=0
<<< dnPrettyNormal: <ou=People,dc=ny,dc=bluefly,dc=com>,
<ou=people,dc=ny,dc=bluefly,dc=com>
SRCH "ou=People,dc=ny,dc=bluefly,dc=com" 2 0    1 30 0
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
    filter: (&(objectClass=posixAccount)(uid=pomalley))
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x0022a2c0 ptr=0x0022a328 end=0x0022a393 len=107
    attrs: uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=4 op=1 SRCH base="ou=People,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pomalley))"
conn=4 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
=> bdb_back_search
bdb_dn2entry_rw("ou=people,dc=ny,dc=bluefly,dc=com")
=> bdb_dn2id_matched( "ou=people,dc=ny,dc=bluefly,dc=com" )
====> bdb_cache_find_entry_dn2id("ou=people,dc=ny,dc=bluefly,dc=com"): 3 (1 tries)
====> bdb_cache_find_entry_id( 3 ) "ou=people,dc=ny,dc=bluefly,dc=com" (found) (1 tries)
search_candidates: base="ou=people,dc=ny,dc=bluefly,dc=com" (0x00000003) scope=2
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        DN SUBTREE
=> bdb_dn2idl( "ou=people,dc=ny,dc=bluefly,dc=com" )
bdb_idl_fetch_key: @ou=people,dc=ny,dc=bluefly,dc=com
<= bdb_dn2idl: id=5 first=3 last=70
<= bdb_filter_candidates: id=5 first=3 last=70
=> bdb_filter_candidates
        OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [5941c014]
<= bdb_index_read 4 candidates
<= bdb_equality_candidates: id=4, first=67, last=70
<= bdb_filter_candidates: id=4 first=67 last=70
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [32a0aec2]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=67 last=0
<= bdb_filter_candidates: id=0 first=67 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=3 last=0
<= bdb_filter_candidates: id=0 first=3 last=0
bdb_search_candidates: id=0 first=3 last=0
====> bdb_cache_return_entry_r( 3 ): returned (0)
bdb_search: no candidates
send_search_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0

I use the latest Berkeley DB for my backend. I guess I have the
following questions as well:

1) Why does my index read fail? What does that mean? It seems to find
the 4 shadowAccount entries I have but not my specific account.
2) What do these mean:

	tls_read: want=5 error=Resource temporarily unavailable?
	ldap_read: want=8 error=Resource temporarily unavailable?
	ber_get_next on fd 17 failed errno=11 (Resource temporarily unavailable)?

3) What does "connection_read(17): unable to get TLS client DN error=49
id=4" mean?

Here is my slapd.conf file:

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.solaris8.schema
include         /usr/local/etc/openldap/schema/solaris8.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /usr/local/var/slapd.pid
argsfile        /usr/local/var/slapd.args
threads 400
defaultsearchbase dc=ny,dc=bluefly,dc=com

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
        by self write
        by * auth
access to *
        by self write
        by users read
        by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

# password hash algorithm
password-hash {MD5}

#  Authentication parameters
######################################################################
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /var/certs/servercrt.pem
TLSCertificateKeyFile /var/certs/serverkey.pem
TLSCACertificateFile /var/certs/cacert.pem
TLSVerifyClient 0
# ldbm database definitions
#######################################################################

database        bdb
suffix          "dc=ny,dc=bluefly,dc=com"
rootdn          "cn=Manager,dc=ny,dc=bluefly,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}QhJNrbJxp9e+0jqkTVYvbDfB+jbwC/Lm
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq
index uid,uidNumber,gidNumber,loginShell,homeDirectory eq
index cn pres,eq
cachesize 5000

Any help and guidance is appreciated. A summary will be posted if I can
solve these issues as I see many other people with similar difficulties.
Thanks!


paul o'malley, senior unix systems administrator [fly since 2003] [p]
212.944.8000 x306 [e] paul.omalley@bluefly.com
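Added example, not part of the original post and not OpenLDAP code: a small decoder for the ber_dump hex rows that slapd -d prints, fed with the bind and search dumps copied from the trace above. It reconstructs what the client actually sent. The bind is a simple BindRequest as cn=Manager,dc=ny,dc=bluefly,dc=com, which is the rootdn of the slapd.conf shown above, and its password is the clear 0x80 octet string in the dump (bytes 80 09 35 70 31 64 33 72 4d 61 6e), so a BER-level trace like this discloses the directory root credential and should be scrubbed before it is shared. The search is a SearchRequest with base ou=People,dc=ny,dc=bluefly,dc=com, scope 2 (subtree), sizelimit 1, timelimit 30, filter (&(objectclass=posixAccount)(uid=pomalley)) and ten requested attributes. Only the filter choices that appear here plus or, not and present are decoded; any other filter tag is rendered as a placeholder, and the dump rows are assumed to be in slapd's "offset: 16 hex bytes, ASCII gutter" layout.

```python
"""Decode the BER hex dumps that slapd -d writes for a BindRequest and a
SearchRequest.  Added example, not part of the original post; the sample
rows below are copied from the trace above."""
import re

HEX_ROW = re.compile(r"^\s*[0-9a-f]{4}:\s+(.*)$")

def bytes_from_dump(text):
    """Collect the hex columns of every '0000:'-style row, ignoring the ASCII gutter."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:       # at most 16 bytes per row
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break                             # reached the ASCII gutter
            out.append(int(tok, 16))
    return bytes(out)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length BER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def read_seq(value):
    """Split a constructed value into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def decode_filter(tag, val):
    """Render an LDAP Filter (and / or / not / equalityMatch / present) as a string."""
    if tag in (0xA0, 0xA1, 0xA2):
        inner = "".join(decode_filter(t, v) for t, v in read_seq(val))
        return "(" + "&|!"[tag - 0xA0] + inner + ")"
    if tag == 0xA3:                               # AttributeValueAssertion
        (_, attr), (_, value) = read_seq(val)
        return f"({attr.decode()}={value.decode()})"
    if tag == 0x87:
        return f"({val.decode()}=*)"
    return f"(<filter tag 0x{tag:02x}>)"

def decode_dump(text):
    """Decode a dumped LDAPMessage body: optional messageID, then the protocolOp."""
    items = read_seq(bytes_from_dump(text))
    msg = {"msgid": None}
    if items[0][0] == 0x02:                       # ber_dump may start at or just after the messageID
        msg["msgid"], items = int.from_bytes(items[0][1], "big"), items[1:]
    op, body = items[0]
    if op == 0x60:                                # BindRequest: version, name, authentication
        (_, ver), (_, name), (auth, cred) = read_seq(body)
        msg.update(op="bind", version=ver[0], name=name.decode(),
                   mech="simple" if auth == 0x80 else "sasl",
                   password=cred.decode() if auth == 0x80 else None)
    elif op == 0x63:                              # SearchRequest
        base, scope, _deref, size, time, _types, flt, attrs = read_seq(body)
        msg.update(op="search", base=base[1].decode(), scope=scope[1][0],
                   sizelimit=size[1][0], timelimit=time[1][0],
                   filter=decode_filter(*flt),
                   attrs=[v.decode() for _, v in read_seq(attrs[1])])
    else:
        raise ValueError(f"unsupported protocolOp 0x{op:02x}")
    return msg

# Rows copied from the trace above: ber_dump of the bind, then of the search.
BIND_DUMP = """\
  0000:  60 32 02 01 03 04 22 63  6e 3d 4d 61 6e 61 67 65  `2...."cn=Manage
  0010:  72 2c 64 63 3d 6e 79 2c  64 63 3d 62 6c 75 65 66  r,dc=ny,dc=bluef
  0020:  6c 79 2c 64 63 3d 63 6f  6d 80 09 35 70 31 64 33  ly,dc=com..5p1d3
  0030:  72 4d 61 6e                                        rMan
"""
SEARCH_DUMP = """\
  0000:  02 01 02 63 81 cd 04 21  6f 75 3d 50 65 6f 70 6c  ...c...!ou=Peopl
  0010:  65 2c 64 63 3d 6e 79 2c  64 63 3d 62 6c 75 65 66  e,dc=ny,dc=bluef
  0020:  6c 79 2c 64 63 3d 63 6f  6d 0a 01 02 0a 01 00 02  ly,dc=com.......
  0030:  01 01 02 01 1e 01 01 00  a0 2e a3 1b 04 0b 6f 62  ..............ob
  0040:  6a 65 63 74 63 6c 61 73  73 04 0c 70 6f 73 69 78  jectclass..posix
  0050:  41 63 63 6f 75 6e 74 a3  0f 04 03 75 69 64 04 08  Account....uid..
  0060:  70 6f 6d 61 6c 6c 65 79  30 69 04 03 75 69 64 04  pomalley0i..uid.
  0070:  0c 75 73 65 72 50 61 73  73 77 6f 72 64 04 09 75  .userPassword..u
  0080:  69 64 4e 75 6d 62 65 72  04 09 67 69 64 4e 75 6d  idNumber..gidNum
  0090:  62 65 72 04 02 63 6e 04  0d 68 6f 6d 65 44 69 72  ber..cn..homeDir
  00a0:  65 63 74 6f 72 79 04 0a  6c 6f 67 69 6e 53 68 65  ectory..loginShe
  00b0:  6c 6c 04 05 67 65 63 6f  73 04 0b 64 65 73 63 72  ll..gecos..descr
  00c0:  69 70 74 69 6f 6e 04 0b  6f 62 6a 65 63 74 43 6c  iption..objectCl
  00d0:  61 73 73                                           ass
"""
```

Calling decode_dump(BIND_DUMP) and decode_dump(SEARCH_DUMP) gives the two requests as dictionaries; note that the client wrote the attribute name as objectclass in the filter while slapd's own log line shows it normalized to objectClass.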
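Added example, not part of the original post: a pairing of each back-bdb equality lookup in the trace above with its index result, plus a decoding of the numeric error. -30991 is DB_NOTFOUND in the Berkeley DB 4.1 headers (which release is in use is an assumption here; the numeric values move between releases, so check the db.h that slapd was built against), and it means the index database holds no key for the asserted value. Read against the trace: the objectClass=posixAccount lookup returned 4 IDs, the uid lookup returned none, and the AND list that contains it finished with id=0, which is why bdb_search reports no candidates; the first objectClass lookup, under the OR branch, also returned nothing. A DB_NOTFOUND by itself does not say whether no entry under that base carries that uid value or whether the uid index file predates the entry; it only says the key is missing from the index.

```python
"""Summarise the back-bdb index lookups in a slapd -d trace.  Added example,
not part of the original post; the sample trace is a subset of the
candidate-evaluation lines shown above."""
import re

LOOKUP = re.compile(r"=> bdb_equality_candidates \((\w+)\)")
INDEX_OK = re.compile(r"<= bdb_index_read (\d+) candidates")
INDEX_FAIL = re.compile(r"<= bdb_index_read: failed \((-?\d+)\)")
# Berkeley DB error names.  -30991 is DB_NOTFOUND in the 4.1 headers (assumed
# release; the numeric values differ between releases, so check your db.h).
BDB_ERRNO = {-30991: "DB_NOTFOUND"}

def index_lookups(trace):
    """Return [(attribute, candidate_count, error_or_None), ...] in trace order."""
    result, attr = [], None
    for line in trace.splitlines():
        m = LOOKUP.search(line)
        if m:
            attr = m.group(1)                 # a lookup opened; wait for its result line
            continue
        if attr is None:
            continue
        m = INDEX_OK.search(line)
        if m:
            result.append((attr, int(m.group(1)), None))
            attr = None
            continue
        m = INDEX_FAIL.search(line)
        if m:
            code = int(m.group(1))
            result.append((attr, 0, BDB_ERRNO.get(code, f"errno {code}")))
            attr = None
    return result

def empty_lookups(lookups):
    """Attributes whose index returned no ID for the asserted value."""
    return [attr for attr, hits, _ in lookups if hits == 0]

# Constructed from the trace above: the three equality lookups and the outcome.
SAMPLE_TRACE = """\
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [5941c014]
<= bdb_index_read 4 candidates
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [32a0aec2]
<= bdb_index_read: failed (-30991)
bdb_search: no candidates
"""
```

index_lookups(SAMPLE_TRACE) yields one tuple per lookup, and empty_lookups() lists the attributes whose index had no key, which is the first thing to compare against the entry that ldapsearch returns for the same uid.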