Re: Problems with simple LDAP authentication
On Fri, 2005-12-09 at 17:03 +0100, Giovanni Cuccu wrote:
> Hi all,
> I'm totally new to the (Open)LDAP world and I'm trying to set up a
> test server.
> I'm currently using CentOS 4 along with the OpenLDAP shipped with
> that Linux distro.
> The LDAP server is working and I'm able to write and read data.
> The problem I'm facing is setting up a simple DN/password authentication
> mechanism.
> Here is my slapd.conf
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27
> 20:00:31 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/redhat/autofs.schema
> include /etc/openldap/schema/redhat/kerberosobject.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> #pidfile //var/run/slapd.pid
> #argsfile //var/run/slapd.args
>
> # Create a replication log in /var/lib/ldap for use by slurpd.
> #replogfile /var/lib/ldap/master-slapd.replog
>
> # Load dynamic backend modules:
> # modulepath /usr/sbin/openldap
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> password-hash {MD5}
> database ldbm
> suffix "dc=progetto-sole,dc=it"
> #suffix "o=My Organization Name,c=US"
> rootdn "cn=Manager,dc=progetto-sole,dc=it"
> #rootdn "cn=Manager,o=My Organization Name,c=US"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw secret
> access to attr=userPassword
> by dn="cn=Manager,dc=progetto-sole,dc=it" write
> by self write
> by * read
> access to *
> by dn="cn=Manager,dc=progetto-sole,dc=it" write
> by dn="cn=sole,dc=progetto-sole,dc=it" read
> by users read
> by self write
> by * read
> # rootpw {crypt}ijFYNcSNctBYg
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd/tools. Mode 700 recommended.
> directory /var/lib/ldap
> # Indices to maintain
> index objectClass,uid,uidNumber,gidNumber,memberUid eq
> index cn,mail,surname,givenname eq,subinitial
> # Replicas to which we should propagate changes
> #replica host=ldap-1.example.com:389 tls=yes
> # bindmethod=sasl saslmech=GSSAPI
> # authcId=host/ldap-master.example.com@EXAMPLE.COM
> loglevel -1
>
> and here is the .ldif file containing the user to be authenticated
>
> dn: cn=sole,dc=progetto-sole,dc=it
> cn: sole
> sn: sole
> uid: sole
> objectclass: top
> objectclass: inetOrgPerson
> userPassword: {MD5}d8e7124a5142b544af071ef02bfa505c
>
> I try to connect using this dn:
> cn=sole,dc=progetto-sole,dc=it
> along with the relative password
> but I always get the "invalid login credential" message.
> Here is the ldap log content:
>
> Dec 9 17:05:20 linux slapd[3781]: daemon: read activity on 7
> Dec 9 17:05:20 linux slapd[3781]: connection_get(7)
> Dec 9 17:05:20 linux slapd[3781]: connection_get(7): got connid=5
> Dec 9 17:05:20 linux slapd[3781]: connection_read(7): checking for
> input on id=5
> Dec 9 17:05:20 linux slapd[3781]: ber_get_next on fd 7 failed errno=11
> (Resource temporarily unavailable)
> Dec 9 17:05:20 linux slapd[3781]: do_bind
> Dec 9 17:05:20 linux slapd[3781]: do_bind: version=3
> dn="cn=sole,dc=progetto-sole,dc=it" method=128
> Dec 9 17:05:20 linux slapd[3781]: conn=5 op=0 BIND
> dn="CN=SOLE,DC=PROGETTO-SOLE,DC=IT" method=128
> Dec 9 17:05:20 linux slapd[3781]: ==> ldbm_back_bind: dn:
> cn=sole,dc=progetto-sole,dc=it
> Dec 9 17:05:20 linux slapd[3781]: dn2entry_r: dn:
> "CN=SOLE,DC=PROGETTO-SOLE,DC=IT"
> Dec 9 17:05:20 linux slapd[3781]: => dn2id(
> "CN=SOLE,DC=PROGETTO-SOLE,DC=IT" )
> Dec 9 17:05:20 linux slapd[3781]: ====>
> cache_find_entry_dn2id("CN=SOLE,DC=PROGETTO-SOLE,DC=IT"): 15 (1 tries)
> Dec 9 17:05:20 linux slapd[3781]: <= dn2id 15 (in cache)
> Dec 9 17:05:20 linux slapd[3781]: => id2entry_r( 15 )
> Dec 9 17:05:20 linux slapd[3781]: ====> cache_find_entry_id( 15 )
> "cn=sole,dc=progetto-sole,dc=it" (found) (1 tries)
> Dec 9 17:05:20 linux slapd[3781]: <= id2entry_r( 15 ) 0xa07a858 (cache)
> Dec 9 17:05:20 linux slapd[3781]: => access_allowed: auth access to
> "cn=sole,dc=progetto-sole,dc=it" "userPassword" requested
> Dec 9 17:05:20 linux slapd[3781]: => acl_get: [1] check attr userPassword
> Dec 9 17:05:20 linux slapd[3781]: <= acl_get: [1] acl
> cn=sole,dc=progetto-sole,dc=it attr: userPassword
> Dec 9 17:05:20 linux slapd[3781]: => acl_mask: access to entry
> "cn=sole,dc=progetto-sole,dc=it", attr "userPassword" requested
> Dec 9 17:05:20 linux slapd[3781]: => acl_mask: to all values by "", (=n)
> Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat:
> cn=Manager,dc=progetto-sole,dc=it
> Dec 9 17:05:20 linux slapd[3781]: => string_expand: pattern:
> cn=Manager,dc=progetto-sole,dc=it
> Dec 9 17:05:20 linux slapd[3781]: => string_expand: expanded:
> cn=Manager,dc=progetto-sole,dc=it
> Dec 9 17:05:20 linux slapd[3781]: => regex_matches: string:
> Dec 9 17:05:20 linux slapd[3781]: => regex_matches: rc: 1 no matches
> Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: self
> Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: *
> Dec 9 17:05:20 linux slapd[3781]: <= acl_mask: [3] applying read
> (=rscx) (stop)
> Dec 9 17:05:20 linux slapd[3781]: <= acl_mask: [3] mask: read (=rscx)
> Dec 9 17:05:20 linux slapd[3781]: => access_allowed: auth access
> granted by read (=rscx)
> Dec 9 17:05:20 linux slapd[3781]: send_ldap_result: conn=5 op=0 p=3
> Dec 9 17:05:20 linux slapd[3781]: send_ldap_result: 49::
> Dec 9 17:05:20 linux slapd[3781]: send_ldap_response: msgid=1 tag=97 err=49
> Dec 9 17:05:20 linux slapd[3781]: conn=5 op=0 RESULT tag=97 err=49 text=
> Dec 9 17:05:20 linux slapd[3781]: ====> cache_return_entry_r( 15 ):
> returned (0)
> Dec 9 17:05:20 linux slapd[3781]: daemon: select: listen=6
> active_threads=1 tvp=NULL
> Dec 9 17:05:20 linux slapd[3781]: daemon: activity on 1 descriptors
> Dec 9 17:05:20 linux slapd[3781]: daemon: activity on:
> Dec 9 17:05:20 linux slapd[3781]: 7r
> Dec 9 17:05:20 linux slapd[3781]:
> Dec 9 17:05:20 linux slapd[3781]: daemon: read activity on 7
> Dec 9 17:05:20 linux slapd[3781]: connection_get(7)
> Dec 9 17:05:20 linux slapd[3781]: connection_get(7): got connid=5
> Dec 9 17:05:20 linux slapd[3781]: connection_read(7): checking for
> input on id=5
> Dec 9 17:05:20 linux slapd[3781]: ber_get_next on fd 7 failed errno=0
> (Success)
> Dec 9 17:05:20 linux slapd[3781]: connection_read(7): input error=-2
> id=5, closing.
>
> The following command lists the SASL mechanisms (although I think the auth
> method I'm testing does not involve SASL)
> [root@linux openldap]# ldapsearch -H ldap://localhost/ -x -b "" -s base
> -LLL supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: GSSAPI
>
> Can anyone help me?
> I'm not able to understand why I can't log in.
> Thanks in advance,
> Giovanni
-----
You don't give the actual command that is failing.
ldapsearch -x -h localhost \
-D "cn=sole,dc=progetto-sole,dc=it" \
-b "dc=progetto-sole,dc=it" \
-W '(cn=sole)'
or if you wanted write access...
ldapsearch -x -h localhost \
-D "cn=Manager,dc=progetto-sole,dc=it" \
-b "dc=progetto-sole,dc=it" \
-W '(cn=sole)'
Probably best to have a container for 'users' - something like
ou=People,dc=progetto-sole,dc=it
and put users like sole in that container...
uid=sole,ou=People,dc=progetto-sole,dc=it
Craig
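One detail of the quoted post worth checking before the bind command: the log shows slapd locating the entry, granting auth access to userPassword via the `by * read` rule, and still returning err=49, so the comparison against the stored {MD5} value is what fails. slapd's {MD5} scheme (RFC 2307 style) expects the 16 raw digest bytes base64-encoded (24 characters ending in `==`), whereas the quoted LDIF carries a 32-character hex digest, which slapd decodes as base64 into 24 bytes and never matches. The following Python is an added example written for this archive page, not code from the thread or from OpenLDAP: it builds userPassword values in the format slapd expects, verifies candidates the way slapd does for the cleartext, {MD5}, {SMD5}, {SHA} and {SSHA} schemes, diagnoses the hex-digest mistake, and converts such a value into the correct form. The password `sole-test` and the fixed salt are constructed test values; only the hashlib/base64 standard library is used.

```python
import base64
import hashlib
import hmac
import os

# Digest length (bytes) slapd expects after base64-decoding each scheme's payload.
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20}
SALTED = {"SMD5", "SSHA"}


def _hash_for(scheme: str):
    return hashlib.md5 if scheme in ("MD5", "SMD5") else hashlib.sha1


def rfc2307_md5(password: str) -> str:
    """userPassword value in the form slapd's {MD5} scheme expects:
    the 16 raw digest bytes, base64-encoded (24 characters ending in '==')."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def rfc2307_ssha(password: str, salt: bytes = None) -> str:
    """{SSHA} value, the scheme slappasswd(8) emits by default:
    base64(sha1(password + salt) + salt). Preferred over unsalted {MD5}."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def hex_md5_value(password: str) -> str:
    """The mistaken form seen in the quoted LDIF: a hex digest after {MD5}.
    Included only so the failure can be reproduced offline."""
    return "{MD5}" + hashlib.md5(password.encode("utf-8")).hexdigest()


def _split(stored: str):
    scheme, _, payload = stored[1:].partition("}")
    return scheme.upper(), payload


def check_password(stored: str, candidate: str) -> bool:
    """Verify candidate against a userPassword value the way slapd does for
    cleartext, {MD5}, {SMD5}, {SHA} and {SSHA}; malformed values never match."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    scheme, payload = _split(stored)
    if scheme not in DIGEST_LEN:
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False
    n = DIGEST_LEN[scheme]
    if scheme in SALTED:
        if len(raw) <= n:          # salted forms must carry digest + salt
            return False
    elif len(raw) != n:            # unsalted forms are exactly one digest
        return False
    digest, salt = raw[:n], raw[n:]
    expected = _hash_for(scheme)(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def diagnose(stored: str) -> str:
    """Explain, before touching slapd, why a stored value can never verify."""
    if not stored.startswith("{"):
        return "cleartext value (no scheme prefix)"
    scheme, payload = _split(stored)
    if scheme not in DIGEST_LEN:
        return f"scheme {scheme} not handled here"
    n = DIGEST_LEN[scheme]
    if len(payload) == 2 * n and set(payload) <= set("0123456789abcdefABCDEF"):
        decoded = len(base64.b64decode(payload))   # hex chars are valid base64
        return (f"payload is a {2 * n}-char hex digest; slapd base64-decodes it to "
                f"{decoded} bytes, never {n}, so every simple bind fails")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return "payload is not valid base64"
    if (scheme in SALTED and len(raw) <= n) or (scheme not in SALTED and len(raw) != n):
        extra = " plus salt" if scheme in SALTED else ""
        return f"decoded payload is {len(raw)} bytes, expected {n}{extra}"
    return "ok"


def repair_hex_value(stored: str) -> str:
    """Convert a {MD5}/{SHA} value whose payload is a hex digest into the
    base64 form slapd expects; possible because the digest itself is intact."""
    scheme, payload = _split(stored)
    return "{%s}%s" % (scheme, base64.b64encode(bytes.fromhex(payload)).decode("ascii"))


if __name__ == "__main__":
    bad = "{MD5}d8e7124a5142b544af071ef02bfa505c"   # value from the quoted LDIF
    print(diagnose(bad))
    print("repaired:", repair_hex_value(bad))
    pw = "sole-test"                                   # constructed test password
    print(check_password(hex_md5_value(pw), pw), check_password(rfc2307_md5(pw), pw))
```

In practice the value is produced with slappasswd(8) (which emits {SSHA} by default) and pasted into the LDIF; the functions above only show what that tool encodes and what slapd checks on bind. Separately from the bind failure, the quoted ACL grants `by * read` on userPassword, which lets any anonymous client read every stored hash. A simple bind needs only `auth` access to the attribute, so the usual form is `access to attrs=userPassword by self write by anonymous auth by * none`.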