Invalid dn errors for valid dns?
Hiya,
I'm having trouble getting Apache's auth_ldap to work using 'require group',
and I'm getting errors in the slapd logs.
Everything seems to be working: ldappasswd, ldapmodify, and ldapsearch all
function properly. In fact, you can hit the server yourself:
ldap://germane-software.com/cn=svnTLR,ou=Group,dc=germane-software,dc=com?*?base
pam_ldap also works, as does binding from Apache using "require user".
Everything is hunky-dory... except 'require group'.
Here are the relevant slapd errors:
May 28 05:32:48 [slapd] daemon: read activity on 19
May 28 05:32:48 [slapd] connection_get(19)
May 28 05:32:48 [slapd] connection_get(19): got connid=4636
May 28 05:32:48 [slapd] connection_read(19): checking for input on id=4636
May 28 05:32:48 [slapd] ber_get_next on fd 19 failed errno=11 (Resource temporarily unavailable)
May 28 05:32:48 [slapd] do_compare
May 28 05:32:48 [slapd] do_compare: invalid dn ("cn=svnTLR,ou=Group,dc=germane-software,dc=com")
May 28 05:32:48 [slapd] send_ldap_result: conn= 4636 op=5 p=3
May 28 05:32:48 [slapd] send_ldap_result: 34::invalid DN
May 28 05:32:48 [slapd] send_ldap_response: msgid=6 tag=111 err=34
May 28 05:32:48 [slapd] conn=4636 op=5 RESULT tag=111 err=34 text=invalid DN
May 28 05:32:48 [slapd] daemon: select: listen=6 active_threads=1 tvp=NULL
May 28 05:32:48 [slapd] daemon: select: listen=7 active_threads=1 tvp=NULL
May 28 05:32:48 [slapd] daemon: select: listen=8 active_threads=1 tvp=NULL
This comes after messages that say that I've successfully bound to the
database. I see the "invalid dn" error in there, but when I do a search, I
get:
germane-software private # ldapsearch -b 'dc=germane-software,dc=com' \
cn=svnTLR
# extended LDIF
#
# LDAPv3
# base <dc=germane-software,dc=com> with scope sub
# filter: cn=svnTLR
# requesting: ALL
#
# svnTLR, Group, germane-software.com
dn: cn=svnTLR,ou=Group,dc=germane-software,dc=com
objectClass: posixGroup
objectClass: top
cn: svnTLR
gidNumber: 5000
memberUid: aviram
memberUid: ser
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
And as far as I can tell, that "invalid dn" is exactly the same as the dn
being reported by ldapsearch.
So, my question is: why is slapd reporting that the dn is invalid when it does
appear to be valid? Is there some common mistake that I'm making here?
In case you care, here's the .htaccess file I'm using to test this. This
works if I change "require group" to "require valid-user" or "require user
ser".
Options Indexes
AuthName "Sean's Dir"
AuthType basic
AuthLDAPURL "ldap://localhost/ou=People,dc=germane-software,dc=com?uid?sub"
AuthLDAPGroupAttribute memberUID
AuthLDAPGroupAttributeIsDN off
#Require user mmcdole
Require group "cn=svnTLR,ou=Group,dc=germane-software,dc=com"
Incidentally, I've tried a number of permutations of the AuthLDAPURL and the
group dn, including stripping the dcs and even the ou from the group dn, and
stripping the ou and the query part from the URL.
Thanks for any pointers!
--
### SER
### Deutsch|Esperanto|Francaise|Linux|XML|Java|Ruby|Aikido
### http://www.germane-software.com/~ser jabber.com:ser ICQ:83578737
### GPG: http://www.germane-software.com/~ser/Security/ser_public.gpg
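
A small triage script for the comparison made in the message above, between the DN slapd rejects and the dn ldapsearch returns. It is an added example, not part of the original message; it assumes slapd prints the DN it received verbatim between the parentheses, and the function names are hypothetical.

```python
import re

# Constructed input: lines copied from the slapd log and ldapsearch output above.
SLAPD_LOG = """\
May 28 05:32:48 [slapd] do_compare
May 28 05:32:48 [slapd] do_compare: invalid dn
("cn=svnTLR,ou=Group,dc=germane-software,dc=com")
May 28 05:32:48 [slapd] conn=4636 op=5 RESULT tag=111 err=34 text=invalid DN
"""
LDIF_DN = "cn=svnTLR,ou=Group,dc=germane-software,dc=com"

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \[slapd\] ")
INVALID = re.compile(r"do_\w+: invalid dn \((.*)\)$")

def unwrap(text):
    """Rejoin syslog records that were wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def rejected_dns(records):
    """Return the raw strings reported in 'invalid dn (...)' records."""
    return [m.group(1) for m in map(INVALID.search, records) if m]

def surrounding(received, expected):
    """Return (prefix, suffix) wrapped around `expected` in `received`, or None."""
    i = received.find(expected)
    if i < 0:
        return None
    return received[:i], received[i + len(expected):]

def report(log_text, expected):
    """One line per rejected DN, saying how it differs from the directory's dn."""
    out = []
    for dn in rejected_dns(unwrap(log_text)):
        extra = surrounding(dn, expected)
        if extra is None:
            out.append(f"{dn!r}: does not contain the expected DN")
        elif extra == ("", ""):
            out.append(f"{dn!r}: byte-identical to the expected DN")
        else:
            out.append(f"{dn!r}: extra prefix {extra[0]!r}, extra suffix {extra[1]!r}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SLAPD_LOG, LDIF_DN)))
```

Under that assumption, the string in the compare request is not byte-identical to the entry's dn: it carries a `"` before and after it.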