Re: Slave/Replica server authentication/authorization question
From my understanding the following rules should allow for users to
authenticate as themselves or anonymously:

access to attrs=userPassword
        by self write
        by anonymous auth

and the following allows anonymous queries of the database:

access to *
        by * read
So, if I'm understanding this correctly then I should be able to
perform an anonymous bind as a user, provide the password and be good
to go. However on my replica server with just these ACL's here is
what I'm seeing from the client side:
ldapsearch -d -1 -x -h 148.80.158.219 -D "uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com" "uid=fdrake" -W
ldap_create
Enter LDAP Password:
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP 148.80.158.219:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 148.80.158.219:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=148.80.158.219
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 72 bytes to sd 3
ldap_write: want=72, written=72
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: 148.80.158.219 port: 389 (default)
  refcnt: 2 status: Connected
  last used: Thu Feb 26 09:43:35 2004
** Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 31 04 00 04 00                                  .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x09723ed8 ptr=0x09723ed8 end=0x09723ee4 len=12
  0000:  02 01 01 61 07 0a 01 31 04 00 04 00                ...a...1....
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x09723ed8 ptr=0x09723edb end=0x09723ee4 len=9
  0000:  61 07 0a 01 31 04 00 04 00                         a...1....
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x09723ed8 ptr=0x09723edb end=0x09723ee4 len=9
  0000:  61 07 0a 01 31 04 00 04 00                         a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x09723ed8 ptr=0x09723ee4 end=0x09723ee4 len=0
ldap_msgfree
ldap_perror
ldap_bind: Invalid credentials (49)
And here is what I see on the server side:
slapd startup: initiated.
bdb_db_open: dc=cellnet,dc=com
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
daemon: added 7r
daemon: added 8r
daemon: added 9r
daemon: added 10r
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: new connection on 13
ldap_pvt_gethostbyname_a: host=konldap2, r=0
conn=0 fd=13 ACCEPT from IP=148.80.180.89:35695 (IP=0.0.0.0:389)
daemon: added 13r
daemon: activity on:
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
  0000:  30 46 02 01 01 60 41 02                            0F...`A.
ldap_read: want=64, got=64
ber_get_next: tag 0x30 len 70 contents:
ber_dump: buf=0x0020e1c0 ptr=0x0020e1c0 end=0x0020e206 len=70
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x0020e1c0 ptr=0x0020e1c3 end=0x0020e206 len=67
ber_scanf fmt (m}) ber:
ber_dump: buf=0x0020e1c0 ptr=0x0020e1fd end=0x0020e206 len=9
  0000:  00 07 7e 30 72 61 63 31 33                         ..~0rac13
>>> dnPrettyNormal: <uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com>
=> ldap_bv2dn(uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com,0)
<= ldap_bv2dn(uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com,272)=0
<<< dnPrettyNormal: <uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com>, <uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com>
do_bind: version=3
dn="uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com" method=128
conn=0 op=0 BIND
dn="uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com" method=128
==> bdb_bind: dn: uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com
bdb_dn2entry("uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com")
=> bdb_dn2id( "dc=cellnet,dc=com" )
<= bdb_dn2id: got id=0x00000001
=> bdb_dn2id( "ou=projects,dc=cellnet,dc=com" )
<= bdb_dn2id: got id=0x00000006
=> bdb_dn2id( "ou=office,ou=projects,dc=cellnet,dc=com" )
<= bdb_dn2id: got id=0x000000cd
=> bdb_dn2id( "uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com" )
<= bdb_dn2id: got id=0x000000ed
entry_decode: "uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com"
<= entry_decode(uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com)
=> access_allowed: auth access to "uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com attr: userPassword
=> acl_mask: access to entry "uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=x) (stop)
<= acl_mask: [2] mask: auth(=x)
=> access_allowed: auth access granted by auth(=x)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush: 14 bytes to sd 13
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00          0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00          0....a...1....
conn=0 op=0 RESULT tag=97 err=49 text=
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 13 failed errno=0 (Error 0)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13
daemon: removing 13
conn=0 fd=13 closed
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: select: listen=8 active_threads=0 tvp=NULL
daemon: select: listen=9 active_threads=0 tvp=NULL
daemon: select: listen=10 active_threads=0 tvp=NULL
The username and location are correct and so is the password. So, that
brings me back to the question: why am I unable to bind to my replica
server, yet I am able to bind to my master server with the same ACL's?
Anyone?
| I lied, it's not working still. It's now allowing me to
| authenticate my linux machines, but if I use ldapsearch -x -D
| "cn=ahirsch,ou=web,ou=projects,dc=cellnet,dc=com" -W I'm still
| getting err=49. I've appended the same ACL's that are on the
| master server to the slave/replica server and the problem is
| persisting. I've double checked permissions on /var/lib/ldap files
| and they are owned by ldap, which is who slapd is running as.
|
| I've verified the passwords are correct so, I'm back to square one.
| Does anyone know why the ACL's work on the master but not on the
| slave? Could it possibly be DNS related? Both hosts resolve by
| name, but only the masters reverse lookup is working properly.
|
| TIA
|
| | Well, I'm not really sure if this was the fix or not, but on the
| | master server I had password-hash {CRYPT} and I didn't have it on
| | the slave/replica server. I changed this and everything is working
| | as it should.
| |
| | | I have a master server and a slave/replica server. All the
| | | information that is populated in the master server is in the
| | | slave/replica server. Changes performed on the master server are
| | | propagated out properly to the slave/replica server. I've verified
| | | this through the use of the ldapbrowser tool. The problem is that
| | | if I point a ldap client to the slave/replica server for
| | | authentication it fails. Yup, I get err=49 when attempting to bind
| | | to the slave/replica server.
| | |
| | | openldap 2.2.4, openssl-0.9.7c, cyrus-sasl-2.1.17 and db-4.2.52 are
| | | the packages used, which are the same on the master server.
| | |
| | | Here is the slapd.conf from the slave/replica server:
| | |
| | | bash-2.05# cat slapd.conf
| | | #
| | | # See slapd.conf(5) for details on configuration options.
| | | # This file should NOT be world readable.
| | | #
| | | include /opt/ldap/etc/openldap/schema/core.schema
| | | include /opt/ldap/etc/openldap/schema/cosine.schema
| | | include /opt/ldap/etc/openldap/schema/inetorgperson.schema
| | | include /opt/ldap/etc/openldap/schema/nis.schema
| | | include /opt/ldap/etc/openldap/schema/misc.schema
| | | include /opt/ldap/etc/openldap/schema/solaris.schema
| | |
| | | allow bind_v2 bind_anon_dn
| | | loglevel 296
| | | pidfile /opt/ldap/var/run/slapd.pid
| | | argsfile /opt/ldap/var/run/slapd.args
| | |
| | | TLSCipherSuite HIGH:MEDIUM
| | | TLSCertificateFile /opt/ldap/etc/openldap/slapd-cert.pem
| | | TLSCertificateKeyFile /opt/ldap/etc/openldap/slapd-key.pem
| | |
| | | database bdb
| | | readonly off
| | | suffix "dc=cellnet,dc=com"
| | | rootdn "cn=replica,dc=cellnet,dc=com"
| | | updatedn "cn=replica,dc=cellnet,dc=com"
| | | updateref https://konldap1.cellnet.com/ldap/ldap_config.pl
| | | rootpw {SSHA}5vb4Mp3BltJOBhnwCecA6FGN1zECY7Wp
| | | directory /var/lib/ldap
| | | mode 0700
| | |
| | | index objectClass eq,pres
| | | index ou,cn,mail,surname,givenname eq,pres,sub
| | | index uidNumber,gidNumber,loginShell eq,pres
| | | index uid,memberUid eq,pres,sub
| | | index nisMapName,nisMapEntry eq,pres,sub
| | | index nisNetgroupTriple pres
| | |
| | | I'm looking online now, but not finding any answers. The master
| | | server is a RH 3.0 Linux server and the slave/replica is a Sun
| | | Solaris 9 machine.
| | |
| | | Does anyone have any insight into why authorization/authentication
| | | works on the master but not the slave/replica?
| | |
| | | I did have the same ACL's on the slave/replica as the master but
| | | that didn't work either.
-- 
Aaron M. Hirsch
Atos Origin - Cellnet
11146 Thompson Ave.
Lenexa, KS 66219
Work:(913) 312-4717
Fax:(913) 312-4701
Mobile:(913) 284-9094
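A small triage script for slapd bind traces like the one in this message, added here as an example and not code from the original post or from OpenLDAP: it pairs each BIND with the access_allowed decision logged for userPassword and with its RESULT line, so you can tell an ACL denial apart from a failed stored-password check when both surface as err=49. The trace excerpt is constructed, and associating access_allowed lines with the most recent BIND assumes a single-connection trace as in the post.

```python
import re

# Line patterns from a slapd trace at loglevel 296 (stats + ACL), as shown in the post.
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
ACL_RE = re.compile(r'^=> access_allowed: auth access (granted|denied) by (.+)$')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

# Constructed excerpt (not the post's own trace): three simple binds with different outcomes.
SAMPLE_TRACE = """\
conn=0 op=0 BIND dn="uid=ahirsch,ou=office,ou=projects,dc=cellnet,dc=com" method=128
=> access_allowed: auth access granted by auth(=x)
conn=0 op=0 RESULT tag=97 err=49 text=
conn=1 op=0 BIND dn="uid=noacl,dc=example,dc=com" method=128
=> access_allowed: auth access denied by none(=n)
conn=1 op=0 RESULT tag=97 err=49 text=
conn=2 op=0 BIND dn="uid=good,dc=example,dc=com" method=128
=> access_allowed: auth access granted by auth(=x)
conn=2 op=0 RESULT tag=97 err=0 text=
"""

def verdict(acl, err):
    """Explain a bindResponse (tag=97) given the ACL decision logged for userPassword."""
    if err == 0:
        return "bind succeeded"
    if acl and acl.startswith("denied"):
        return "ACL denied auth access to userPassword: fix the access directives"
    if acl and acl.startswith("granted") and err == 49:
        return ("ACL granted auth access but err=49: the stored userPassword did not "
                "verify, so check the hash scheme of the replicated value")
    return f"err={err}: ACL decision not seen, inspect the trace around this op"

def triage_binds(trace):
    """Pair each BIND with the access_allowed decision that follows it and its RESULT.
    Assumes access_allowed lines belong to the most recent BIND: true for a
    single-connection trace like the post's, not for interleaved threads."""
    binds, current = [], None
    for line in trace.splitlines():
        if m := BIND_RE.match(line):
            current = {"conn": int(m[1]), "op": int(m[2]), "dn": m[3], "acl": None, "err": None}
            binds.append(current)
        elif (m := ACL_RE.match(line)) and current and current["acl"] is None:
            current["acl"] = f"{m[1]} by {m[2]}"   # e.g. "granted by auth(=x)"
        elif m := RESULT_RE.match(line):
            key = (int(m[1]), int(m[2]))
            for b in binds:
                if (b["conn"], b["op"]) == key:
                    b["err"] = int(m[3])
    for b in binds:
        b["verdict"] = verdict(b["acl"], b["err"])
    return binds
```

Run it over a real trace with `triage_binds(open("slapd.log").read())`; the first sample bind reproduces the post's situation, where the ACL is not the problem.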