OpenLDAP question
- To: <openldap-software@OpenLDAP.org>
- Subject: OpenLDAP question
- From: "Paul O'Malley" <paul.omalley@bluefly.com>
- Date: Wed, 7 Jan 2004 11:59:20 -0500
I am trying to use openLDAP for authenticating Solaris users. I am able
to do an ldapsearch and retrieve my userid entry (index 69) but cannot
do an su to my id. My id is not in the passwd or shadow files. I have
installed PADL nss_ldap and pam_ldap modules. If I do a 'getent passwd'
I get all entries including those in LDAP and all looks fine. Here is
the debug output from the su attempt:
On client:
bash-2.03# su - pomalley
su: Unknown id: pomalley
bash-2.03#
On LDAP Server (condensed):
..V.0.[..
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
tls_write: want=1027, written=1027
0000: 16 03 01 00 4a 02 00 00 46 03 01 3f fc 36 38 cf  ....J...F..?.68.
0010: 67 ae 39 8b a3 de 38 47 7a 01 83 1f c3 f5 1e be  g.9...8Gz.......
...
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Resource temporarily unavailable
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
"..1.J
TLS trace: SSL_accept:SSLv3 read client key exchange A
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 30 ....0
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(17): unable to get TLS client DN error=49 id=4
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 17r
daemon: read activity on 17
connection_get(17)
connection_get(17): got connid=4
connection_read(17): checking for input on id=4
ber_get_next
ber_get_next
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 17 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x002293a8 ptr=0x002293ab end=0x002293df len=52
0000: 60 32 02 01 03 04 22 63 6e 3d 4d 61 6e 61 67 65  `2...."cn=Manage
0010: 72 2c 64 63 3d 6e 79 2c 64 63 3d 62 6c 75 65 66  r,dc=ny,dc=bluef
0020: 6c 79 2c 64 63 3d 63 6f 6d 80 09 35 70 31 64 33  ly,dc=com..5p1d3
0030: 72 4d 61 6e  rMan
ber_scanf fmt (m}) ber:
ber_dump: buf=0x002293a8 ptr=0x002293d4 end=0x002293df len=11
0000: 00 09 35 70 31 64 33 72 4d 61 6e ..5p1d3rMan
>>> dnPrettyNormal: <cn=Manager,dc=ny,dc=bluefly,dc=com>
=> ldap_bv2dn(cn=Manager,dc=ny,dc=bluefly,dc=com,0)
<= ldap_bv2dn(cn=Manager,dc=ny,dc=bluefly,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=Manager,dc=ny,dc=bluefly,dc=com,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=ny,dc=bluefly,dc=com,272)=0
<<< dnPrettyNormal: <cn=Manager,dc=ny,dc=bluefly,dc=com>, <cn=manager,dc=ny,dc=bluefly,dc=com>
do_bind: version=3 dn="cn=Manager,dc=ny,dc=bluefly,dc=com" method=128
conn=4 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" method=128
==> bdb_bind: dn: cn=Manager,dc=ny,dc=bluefly,dc=com
bdb_dn2entry_rw("cn=manager,dc=ny,dc=bluefly,dc=com")
=> bdb_dn2id_matched( "cn=manager,dc=ny,dc=bluefly,dc=com" )
====> bdb_cache_find_entry_dn2id("cn=manager,dc=ny,dc=bluefly,dc=com"): 2 (1 tries)
====> bdb_cache_find_entry_id( 2 ) "cn=Manager,dc=ny,dc=bluefly,dc=com" (found) (1 tries)
====> bdb_cache_return_entry_r( 2 ): returned (0)
conn=4 op=0 BIND dn="cn=Manager,dc=ny,dc=bluefly,dc=com" mech=simple ssf=0
do_bind: v3 bind: "cn=Manager,dc=ny,dc=bluefly,dc=com" to "cn=Manager,dc=ny,dc=bluefly,dc=com"
send_ldap_result: conn=4 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ldap_read: want=206, got=206
0000: cd 04 21 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d  ..!ou=People,dc=
0010: 6e 79 2c 64 63 3d 62 6c 75 65 66 6c 79 2c 64 63  ny,dc=bluefly,dc
0020: 3d 63 6f 6d 0a 01 02 0a 01 00 02 01 01 02 01 1e  =com............
0030: 01 01 00 a0 2e a3 1b 04 0b 6f 62 6a 65 63 74 63  .........objectc
0040: 6c 61 73 73 04 0c 70 6f 73 69 78 41 63 63 6f 75  lass..posixAccou
0050: 6e 74 a3 0f 04 03 75 69 64 04 08 70 6f 6d 61 6c  nt....uid..pomal
0060: 6c 65 79 30 69 04 03 75 69 64 04 0c 75 73 65 72  ley0i..uid..user
0070: 50 61 73 73 77 6f 72 64 04 09 75 69 64 4e 75 6d  Password..uidNum
0080: 62 65 72 04 09 67 69 64 4e 75 6d 62 65 72 04 02  ber..gidNumber..
0090: 63 6e 04 0d 68 6f 6d 65 44 69 72 65 63 74 6f 72  cn..homeDirector
00a0: 79 04 0a 6c 6f 67 69 6e 53 68 65 6c 6c 04 05 67  y..loginShell..g
00b0: 65 63 6f 73 04 0b 64 65 73 63 72 69 70 74 69 6f  ecos..descriptio
00c0: 6e 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73  n..objectClass
ber_get_next: tag 0x30 len 211 contents:
ber_dump: buf=0x0022a2c0 ptr=0x0022a2c0 end=0x0022a393 len=211
0000: 02 01 02 63 81 cd 04 21 6f 75 3d 50 65 6f 70 6c  ...c...!ou=Peopl
0010: 65 2c 64 63 3d 6e 79 2c 64 63 3d 62 6c 75 65 66  e,dc=ny,dc=bluef
0020: 6c 79 2c 64 63 3d 63 6f 6d 0a 01 02 0a 01 00 02  ly,dc=com.......
0030: 01 01 02 01 1e 01 01 00 a0 2e a3 1b 04 0b 6f 62  ..............ob
0040: 6a 65 63 74 63 6c 61 73 73 04 0c 70 6f 73 69 78  jectclass..posix
0050: 41 63 63 6f 75 6e 74 a3 0f 04 03 75 69 64 04 08  Account....uid..
0060: 70 6f 6d 61 6c 6c 65 79 30 69 04 03 75 69 64 04  pomalley0i..uid.
0070: 0c 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75  .userPassword..u
0080: 69 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d  idNumber..gidNum
0090: 62 65 72 04 02 63 6e 04 0d 68 6f 6d 65 44 69 72  ber..cn..homeDir
00a0: 65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e 53 68 65  ectory..loginShe
00b0: 6c 6c 04 05 67 65 63 6f 73 04 0b 64 65 73 63 72  ll..gecos..descr
00c0: 69 70 74 69 6f 6e 04 0b 6f 62 6a 65 63 74 43 6c  iption..objectCl
00d0: 61 73 73  ass
ber_get_next
tls_read: want=5 error=Resource temporarily unavailable
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 17 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
ber_dump: buf=0x0022a2c0 ptr=0x0022a2c3 end=0x0022a393 len=208
0000: 63 81 cd 04 21 6f 75 3d 50 65 6f 70 6c 65 2c 64  c...!ou=People,d
0010: 63 3d 6e 79 2c 64 63 3d 62 6c 75 65 66 6c 79 2c  c=ny,dc=bluefly,
0020: 64 63 3d 63 6f 6d 0a 01 02 0a 01 00 02 01 01 02  dc=com..........
0030: 01 1e 01 01 00 a0 2e a3 1b 04 0b 6f 62 6a 65 63  ...........objec
0040: 74 63 6c 61 73 73 04 0c 70 6f 73 69 78 41 63 63  tclass..posixAcc
0050: 6f 75 6e 74 a3 0f 04 03 75 69 64 04 08 70 6f 6d  ount....uid..pom
0060: 61 6c 6c 65 79 30 69 04 03 75 69 64 04 0c 75 73  alley0i..uid..us
0070: 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 64 4e  erPassword..uidN
0080: 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 65 72  umber..gidNumber
0090: 04 02 63 6e 04 0d 68 6f 6d 65 44 69 72 65 63 74  ..cn..homeDirect
00a0: 6f 72 79 04 0a 6c 6f 67 69 6e 53 68 65 6c 6c 04  ory..loginShell.
00b0: 05 67 65 63 6f 73 04 0b 64 65 73 63 72 69 70 74  .gecos..descript
00c0: 69 6f 6e 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73  ion..objectClass
>>> dnPrettyNormal: <ou=People,dc=ny,dc=bluefly,dc=com>
=> ldap_bv2dn(ou=People,dc=ny,dc=bluefly,dc=com,0)
<= ldap_bv2dn(ou=People,dc=ny,dc=bluefly,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=People,dc=ny,dc=bluefly,dc=com,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=ny,dc=bluefly,dc=com,272)=0
<<< dnPrettyNormal: <ou=People,dc=ny,dc=bluefly,dc=com>, <ou=people,dc=ny,dc=bluefly,dc=com>
SRCH "ou=People,dc=ny,dc=bluefly,dc=com" 2 0 1 30 0
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
filter: (&(objectClass=posixAccount)(uid=pomalley))
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x0022a2c0 ptr=0x0022a328 end=0x0022a393 len=107
attrs: uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
conn=4 op=1 SRCH base="ou=People,dc=ny,dc=bluefly,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pomalley))"
conn=4 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
=> bdb_back_search
bdb_dn2entry_rw("ou=people,dc=ny,dc=bluefly,dc=com")
=> bdb_dn2id_matched( "ou=people,dc=ny,dc=bluefly,dc=com" )
====> bdb_cache_find_entry_dn2id("ou=people,dc=ny,dc=bluefly,dc=com"): 3 (1 tries)
====> bdb_cache_find_entry_id( 3 ) "ou=people,dc=ny,dc=bluefly,dc=com" (found) (1 tries)
search_candidates: base="ou=people,dc=ny,dc=bluefly,dc=com" (0x00000003) scope=2
=> bdb_filter_candidates
AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
DN SUBTREE
=> bdb_dn2idl( "ou=people,dc=ny,dc=bluefly,dc=com" )
bdb_idl_fetch_key: @ou=people,dc=ny,dc=bluefly,dc=com
<= bdb_dn2idl: id=5 first=3 last=70
<= bdb_filter_candidates: id=5 first=3 last=70
=> bdb_filter_candidates
OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [5941c014]
<= bdb_index_read 4 candidates
<= bdb_equality_candidates: id=4, first=67, last=70
<= bdb_filter_candidates: id=4 first=67 last=70
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [32a0aec2]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=67 last=0
<= bdb_filter_candidates: id=0 first=67 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=3 last=0
<= bdb_filter_candidates: id=0 first=3 last=0
bdb_search_candidates: id=0 first=3 last=0
====> bdb_cache_return_entry_r( 3 ): returned (0)
bdb_search: no candidates
send_search_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0
I use the latest Berkeley DB for my backend. I guess I have the
following questions as well:
1) Why does my index read fail? What does that mean? It seems to find
the 4 shadowAccount entries I have but not my specific account.
2) What do these mean:
tls_read: want=5 error=Resource temporarily unavailable?
ldap_read: want=8 error=Resource temporarily unavailable?
ber_get_next on fd 17 failed errno=11 (Resource temporarily
unavailable)?
3) What does "connection_read(17): unable to get TLS client DN error=49
id=4" mean?
Here is my slapd.conf file:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.solaris8.schema
include /usr/local/etc/openldap/schema/solaris8.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
threads 400
defaultsearchbase dc=ny,dc=bluefly,dc=com
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
	by self write
	by * auth
access to *
	by self write
	by users read
	by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
# password hash algorithm
password-hash {MD5}
# Authentication parameters
######################################################################
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /var/certs/servercrt.pem
TLSCertificateKeyFile /var/certs/serverkey.pem
TLSCACertificateFile /var/certs/cacert.pem
TLSVerifyClient 0
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=ny,dc=bluefly,dc=com"
rootdn "cn=Manager,dc=ny,dc=bluefly,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}QhJNrbJxp9e+0jqkTVYvbDfB+jbwC/Lm
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
index uid,uidNumber,gidNumber,loginShell,homeDirectory eq
index cn pres,eq
cachesize 5000
Any help and guidance is appreciated. A summary will be posted if I can
solve these issues as I see many other people with similar difficulties.
Thanks!
paul o'malley, senior unix systems administrator [fly since 2003]
[p] 212.944.8000 x306 [e] paul.omalley@bluefly.com
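Added example, not part of the post above and not OpenLDAP code: a small BER decoder, in Python, for the two request PDUs that slapd dumped in the debug output, the BindRequest in the ber_dump under do_bind and the SearchRequest under "ber_get_next: tag 0x30 len 211". The bytes are transcribed from those dump lines; the LDAPMessage envelope around the bind (SEQUENCE, messageID 1, taken from the following "send_ldap_response: msgid=1") is reconstructed because that dump starts at the protocolOp. Decoding them shows what the log fields mean: method=128 is the BER context tag 0x80 of the simple authentication choice, so the password is inside the PDU in cleartext and readable in the hex dump; the numbers after SRCH are scope, derefAliases, sizeLimit, timeLimit and typesOnly; and the filter as sent spells objectclass in lowercase, which slapd normalises before logging. The caveat this makes visible is that the client here binds as the rootdn for its lookups, so every such client holds the directory superuser password and the ACLs do not apply to it; a dedicated, ACL-limited bind DN plus a minimum SSF for simple binds is the usual arrangement. Only and/or/not/equality/present filters are decoded.

```python
"""Minimal BER / LDAPv3 (RFC 2251) decoder for BindRequest and SearchRequest."""

# Bytes transcribed from the ber_dump lines in the post. The bind dump starts
# at the protocolOp (tag 0x60), so the LDAPMessage envelope (SEQUENCE with
# messageID 1, per "send_ldap_response: msgid=1") is reconstructed here.
BIND_MSG = bytes.fromhex(
    "30 37 02 01 01 "
    "60 32 02 01 03 04 22 63 6e 3d 4d 61 6e 61 67 65 "
    "72 2c 64 63 3d 6e 79 2c 64 63 3d 62 6c 75 65 66 "
    "6c 79 2c 64 63 3d 63 6f 6d 80 09 35 70 31 64 33 "
    "72 4d 61 6e"
)
# The search dump already shows the envelope contents ("tag 0x30 len 211");
# 30 81 d3 is the SEQUENCE header for a 211-byte body.
SEARCH_MSG = bytes.fromhex(
    "30 81 d3 "
    "02 01 02 63 81 cd 04 21 6f 75 3d 50 65 6f 70 6c "
    "65 2c 64 63 3d 6e 79 2c 64 63 3d 62 6c 75 65 66 "
    "6c 79 2c 64 63 3d 63 6f 6d 0a 01 02 0a 01 00 02 "
    "01 01 02 01 1e 01 01 00 a0 2e a3 1b 04 0b 6f 62 "
    "6a 65 63 74 63 6c 61 73 73 04 0c 70 6f 73 69 78 "
    "41 63 63 6f 75 6e 74 a3 0f 04 03 75 69 64 04 08 "
    "70 6f 6d 61 6c 6c 65 79 30 69 04 03 75 69 64 04 "
    "0c 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 "
    "69 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d "
    "62 65 72 04 02 63 6e 04 0d 68 6f 6d 65 44 69 72 "
    "65 63 74 6f 72 79 04 0a 6c 6f 67 69 6e 53 68 65 "
    "6c 6c 04 05 67 65 63 6f 73 04 0b 64 65 73 63 72 "
    "69 70 74 69 6f 6e 04 0b 6f 62 6a 65 63 74 43 6c "
    "61 73 73"
)

SCOPE_NAMES = {0: "base", 1: "one", 2: "sub"}


def read_tlv(buf, pos=0):
    """Parse one BER element at buf[pos]; return (tag, value, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def read_children(buf):
    """Split a constructed value into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        items.append((tag, value))
    return items


def ber_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_filter(tag, value):
    """Render an LDAP Filter in the string form slapd prints in its log."""
    if tag in (0xA0, 0xA1):           # and / or: SET OF Filter
        op = "&" if tag == 0xA0 else "|"
        return "(" + op + "".join(decode_filter(t, v) for t, v in read_children(value)) + ")"
    if tag == 0xA2:                   # not: one nested Filter
        t, v, _ = read_tlv(value)
        return "(!" + decode_filter(t, v) + ")"
    if tag == 0xA3:                   # equalityMatch: AttributeValueAssertion
        (_, attr), (_, val) = read_children(value)
        return f"({attr.decode()}={val.decode()})"
    if tag == 0x87:                   # present: primitive, value is the attribute name
        return f"({value.decode()}=*)"
    raise ValueError(f"unsupported filter tag 0x{tag:02x}")


def decode_bind(value):
    (_, version), (_, name), (auth_tag, auth) = read_children(value)
    if auth_tag == 0x80:              # simple [0]: the password itself, in the clear
        method, credentials = "simple", auth.decode()
    elif auth_tag == 0xA3:            # sasl [3]: mechanism name, optional credentials
        method, credentials = "sasl", read_children(auth)[0][1].decode()
    else:
        raise ValueError(f"unknown authentication choice 0x{auth_tag:02x}")
    return {"op": "bind", "version": ber_int(version), "dn": name.decode(),
            "method": method, "method_tag": auth_tag, "credentials": credentials}


def decode_search(value):
    base, scope, deref, size, time, types_only, filt, attrs = read_children(value)[:8]
    return {"op": "search", "base": base[1].decode(),
            "scope": ber_int(scope[1]), "scope_name": SCOPE_NAMES.get(ber_int(scope[1])),
            "deref": ber_int(deref[1]), "sizelimit": ber_int(size[1]),
            "timelimit": ber_int(time[1]), "typesonly": types_only[1] != b"\x00",
            "filter": decode_filter(*filt),
            "attrs": [v.decode() for _, v in read_children(attrs[1])]}


PROTOCOL_OPS = {0x60: decode_bind, 0x63: decode_search}


def decode_ldap_message(raw):
    """Decode one LDAPMessage: SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    tag, body, end = read_tlv(raw)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    (_, msgid), (op_tag, op_value) = read_children(body)[:2]
    decoded = PROTOCOL_OPS[op_tag](op_value)
    decoded["msgid"] = ber_int(msgid)
    return decoded


if __name__ == "__main__":
    for msg in (BIND_MSG, SEARCH_MSG):
        print(decode_ldap_message(msg))
```

Run it as a script and the bind decodes to version 3, the rootdn and a simple credential; the search decodes to the same base, scope 2, sizelimit 1, timelimit 30 and attribute list that the "SRCH" lines in the log print.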
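A second added example, also not from the post or from the OpenLDAP project: a lint pass, in Python, over the slapd.conf posted above, flagging the settings a security reviewer would question. The embedded sample is a constructed excerpt of that config with the TLS directives that line wrapping ran together put one per line; the client bind DN handed to lint() is the one in the "conn=4 op=0 BIND" log line, since slapd.conf alone cannot tell you what DN the clients bind with. The checks are: a TLSCipherSuite that only demotes SSLv2 ("+" reorders, "!" removes), an unsalted password-hash, no security directive (so simple binds, with the password in cleartext, are accepted on unprotected connections), a rootpw that is not hashed, and clients binding as the rootdn. The suggested replacement values are this writer's own assumptions, not values from the page; the 112-bit figure follows the "3DES or better" comment in the posted config.

```python
"""Lint an OpenLDAP slapd.conf (2.1-era syntax) for weak security settings."""

# Constructed sample: an excerpt of the slapd.conf in the post, with the TLS
# directives that line wrapping ran together put back one per line.
SAMPLE_CONF = """\
include /usr/local/etc/openldap/schema/core.schema
threads 400
defaultsearchbase dc=ny,dc=bluefly,dc=com
access to attrs=userPassword
    by self write
    by * auth
access to *
    by self write
    by users read
    by anonymous auth
password-hash {MD5}
# security ssf=1 update_ssf=112 simple_bind=64
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /var/certs/servercrt.pem
TLSCertificateKeyFile /var/certs/serverkey.pem
TLSCACertificateFile /var/certs/cacert.pem
TLSVerifyClient 0
database bdb
suffix "dc=ny,dc=bluefly,dc=com"
rootdn "cn=Manager,dc=ny,dc=bluefly,dc=com"
rootpw {SSHA}QhJNrbJxp9e+0jqkTVYvbDfB+jbwC/Lm
"""


def parse_slapd_conf(text):
    """Return [(directive, args)] with directive names lowercased.

    slapd.conf(5) rules: blank lines and lines starting with '#' are ignored,
    and a line that begins with whitespace continues the previous directive
    (that is how the 'by ...' clauses attach to their 'access to ...').
    """
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            name, args = directives[-1]
            directives[-1] = (name, f"{args} {raw.strip()}".strip())
            continue
        name, _, args = raw.strip().partition(" ")
        directives.append((name.lower(), args.strip()))
    return directives


def norm_dn(dn):
    """Cheap DN normalisation for comparison: unquote, lowercase, trim RDN spacing."""
    return ",".join(part.strip() for part in dn.strip().strip('"').lower().split(","))


def lint(directives, client_binddn=None):
    """Return [(directive, problem, suggested_fix)] for the settings checked."""
    conf = dict(directives)           # every setting checked here is a global singleton
    findings = []

    ciphers = conf.get("tlsciphersuite", "")
    if "SSLv2" in ciphers and "!SSLv2" not in ciphers:
        findings.append(("tlsciphersuite",
                         f"{ciphers!r} leaves SSLv2 ciphers enabled: '+' only moves "
                         "them to the end of the list, '!' removes them",
                         "TLSCipherSuite HIGH:MEDIUM:!SSLv2"))

    scheme = conf.get("password-hash", "{SSHA}").upper()   # {SSHA} is slapd's default
    if scheme in ("{MD5}", "{SHA}", "{CLEARTEXT}"):
        findings.append(("password-hash",
                         f"{scheme} userPassword values are unsalted or cleartext",
                         "password-hash {SSHA}"))

    if "security" not in conf:
        findings.append(("security",
                         "no minimum SSF: simple binds (cleartext password in the "
                         "BindRequest) are accepted on unprotected connections",
                         "security simple_bind=112  (assumed value: require TLS first)"))

    rootpw = conf.get("rootpw", "")
    if rootpw and not rootpw.startswith("{"):
        findings.append(("rootpw", "rootpw is stored in cleartext",
                         "rootpw {SSHA}...  (generate with slappasswd)"))

    if client_binddn and norm_dn(client_binddn) == norm_dn(conf.get("rootdn", "")):
        findings.append(("rootdn",
                         f"clients bind as the rootdn {client_binddn}: every client "
                         "holds the directory superuser password and bypasses all ACLs",
                         "give the clients a read-only bind DN covered by the ACLs "
                         "and keep rootdn for administration"))
    return findings


if __name__ == "__main__":
    report = lint(parse_slapd_conf(SAMPLE_CONF),
                  client_binddn="cn=Manager,dc=ny,dc=bluefly,dc=com")
    for directive, problem, fix in report:
        print(f"{directive}: {problem}\n    fix: {fix}")
```

Against the sample it reports four findings (cipher suite, password hash, missing security directive, clients binding as rootdn); the hashed rootpw passes.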