Problems with simple LDAP authentication
Hi all,
I'm totally new to the (Open)LDAP world and I'm trying to set up a
test server.
I'm currently using CentOS 4 along with the OpenLDAP shipped with
that Linux distro.
The LDAP server is working and I'm able to write and read data.
The problem I'm facing is setting up a simple DN/password authentication
mechanism.
Here is my slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile //var/run/slapd.pid
#argsfile //var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
password-hash {MD5}
database ldbm
suffix "dc=progetto-sole,dc=it"
#suffix "o=My Organization Name,c=US"
rootdn "cn=Manager,dc=progetto-sole,dc=it"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
access to attr=userPassword
        by dn="cn=Manager,dc=progetto-sole,dc=it" write
        by self write
        by * read
access to *
        by dn="cn=Manager,dc=progetto-sole,dc=it" write
        by dn="cn=sole,dc=progetto-sole,dc=it" read
        by users read
        by self write
        by * read
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
loglevel -1
and here is the .ldif file containing the user to be authenticated
dn: cn=sole,dc=progetto-sole,dc=it
cn: sole
sn: sole
uid: sole
objectclass: top
objectclass: inetOrgPerson
userPassword: {MD5}d8e7124a5142b544af071ef02bfa505c
I try to connect using this DN:
cn=sole,dc=progetto-sole,dc=it
along with the corresponding password,
but I always get the "invalid login credential" message.
Here is the ldap log content:
Dec 9 17:05:20 linux slapd[3781]: daemon: read activity on 7
Dec 9 17:05:20 linux slapd[3781]: connection_get(7)
Dec 9 17:05:20 linux slapd[3781]: connection_get(7): got connid=5
Dec 9 17:05:20 linux slapd[3781]: connection_read(7): checking for input on id=5
Dec 9 17:05:20 linux slapd[3781]: ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
Dec 9 17:05:20 linux slapd[3781]: do_bind
Dec 9 17:05:20 linux slapd[3781]: do_bind: version=3 dn="cn=sole,dc=progetto-sole,dc=it" method=128
Dec 9 17:05:20 linux slapd[3781]: conn=5 op=0 BIND dn="CN=SOLE,DC=PROGETTO-SOLE,DC=IT" method=128
Dec 9 17:05:20 linux slapd[3781]: ==> ldbm_back_bind: dn: cn=sole,dc=progetto-sole,dc=it
Dec 9 17:05:20 linux slapd[3781]: dn2entry_r: dn: "CN=SOLE,DC=PROGETTO-SOLE,DC=IT"
Dec 9 17:05:20 linux slapd[3781]: => dn2id( "CN=SOLE,DC=PROGETTO-SOLE,DC=IT" )
Dec 9 17:05:20 linux slapd[3781]: ====> cache_find_entry_dn2id("CN=SOLE,DC=PROGETTO-SOLE,DC=IT"): 15 (1 tries)
Dec 9 17:05:20 linux slapd[3781]: <= dn2id 15 (in cache)
Dec 9 17:05:20 linux slapd[3781]: => id2entry_r( 15 )
Dec 9 17:05:20 linux slapd[3781]: ====> cache_find_entry_id( 15 ) "cn=sole,dc=progetto-sole,dc=it" (found) (1 tries)
Dec 9 17:05:20 linux slapd[3781]: <= id2entry_r( 15 ) 0xa07a858 (cache)
Dec 9 17:05:20 linux slapd[3781]: => access_allowed: auth access to "cn=sole,dc=progetto-sole,dc=it" "userPassword" requested
Dec 9 17:05:20 linux slapd[3781]: => acl_get: [1] check attr userPassword
Dec 9 17:05:20 linux slapd[3781]: <= acl_get: [1] acl cn=sole,dc=progetto-sole,dc=it attr: userPassword
Dec 9 17:05:20 linux slapd[3781]: => acl_mask: access to entry "cn=sole,dc=progetto-sole,dc=it", attr "userPassword" requested
Dec 9 17:05:20 linux slapd[3781]: => acl_mask: to all values by "", (=n)
Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: cn=Manager,dc=progetto-sole,dc=it
Dec 9 17:05:20 linux slapd[3781]: => string_expand: pattern: cn=Manager,dc=progetto-sole,dc=it
Dec 9 17:05:20 linux slapd[3781]: => string_expand: expanded: cn=Manager,dc=progetto-sole,dc=it
Dec 9 17:05:20 linux slapd[3781]: => regex_matches: string:
Dec 9 17:05:20 linux slapd[3781]: => regex_matches: rc: 1 no matches
Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: self
Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: *
Dec 9 17:05:20 linux slapd[3781]: <= acl_mask: [3] applying read (=rscx) (stop)
Dec 9 17:05:20 linux slapd[3781]: <= acl_mask: [3] mask: read (=rscx)
Dec 9 17:05:20 linux slapd[3781]: => access_allowed: auth access granted by read (=rscx)
Dec 9 17:05:20 linux slapd[3781]: send_ldap_result: conn=5 op=0 p=3
Dec 9 17:05:20 linux slapd[3781]: send_ldap_result: 49::
Dec 9 17:05:20 linux slapd[3781]: send_ldap_response: msgid=1 tag=97 err=49
Dec 9 17:05:20 linux slapd[3781]: conn=5 op=0 RESULT tag=97 err=49 text=
Dec 9 17:05:20 linux slapd[3781]: ====> cache_return_entry_r( 15 ): returned (0)
Dec 9 17:05:20 linux slapd[3781]: daemon: select: listen=6 active_threads=1 tvp=NULL
Dec 9 17:05:20 linux slapd[3781]: daemon: activity on 1 descriptors
Dec 9 17:05:20 linux slapd[3781]: daemon: activity on:
Dec 9 17:05:20 linux slapd[3781]: 7r
Dec 9 17:05:20 linux slapd[3781]:
Dec 9 17:05:20 linux slapd[3781]: daemon: read activity on 7
Dec 9 17:05:20 linux slapd[3781]: connection_get(7)
Dec 9 17:05:20 linux slapd[3781]: connection_get(7): got connid=5
Dec 9 17:05:20 linux slapd[3781]: connection_read(7): checking for input on id=5
Dec 9 17:05:20 linux slapd[3781]: ber_get_next on fd 7 failed errno=0 (Success)
Dec 9 17:05:20 linux slapd[3781]: connection_read(7): input error=-2 id=5, closing.
The following command lists the SASL mechanisms (although I think the auth
method I'm testing does not involve SASL):
[root@linux openldap]# ldapsearch -H ldap://localhost/ -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
Can anyone help me?
I'm not able to understand why I can't log in.
Thanks in advance,
Giovanni
--
----------------------------------------
Giovanni Cuccu
Sw Engineer@dianoema.it
Dianoema S.p.A.
Via de' Carracci 93 40131 Bologna
Tel: 051-7098211 051-4193911
e-mail:gcuccu@dianoema.it
----------------------------------------
No man does it all by himself,
I said young man,
put your pride on the shelf
----------------------------------------