
Re: some users failing to authenticate others working fine.

It would be useful, I think, for you to illustrate the authentication
success and failure using an OpenLDAP command line tool, such as
ldapwhoami(1) (providing both command input and output) and the
associated slapd(8) logging for each.  For instance, this would
clarify whether you are doing LDAP/SASL authentication or
LDAP/simple authentication.

I note that you should consider updating to at least the
latest stable release of OpenLDAP Software.  2.2 is historic.

At 06:41 AM 4/12/2006, Simon Tennant wrote:
>I have a couple of users whom the following sasl-regexp stanza is not
>catching.  Strange since all user accounts are identical.
>
>sasl-regexp
>        uid=(.*),cn=internal.epo.org,cn=gssapi,cn=auth
>        uid=$1,ou=people,ou=internal,dc=epo,dc=org
>
>I am fairly sure that OpenLDAP is not passing them to saslauthd for
>authentication.  I can see the uid, password, service and kerberos
>realm being passed to saslauthd for some users but nothing leaving
>the OpenLDAP server for the failing user (tested using strace on
>saslauthd with only one child running).  Instead I receive the
>following back from OpenLDAP without it trying to authenticate the user:
>
>[LDAP: error code 49 - Invalid Credentials]
>
>Here is an LDAP account that is working:
>
>version: 1
>dn: uid=st81418,ou=people,ou=internal,dc=epo,dc=org
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetOrgPerson
>objectClass: posixAccount
>cn: Simon Tennant
>displayName: Simon Tennant
>gidNumber: 666
>givenName: Simon
>homeDirectory: /home/sysman/st81418
>loginShell: /bin/bash
>preferredLanguage: EN
>sn: Tennant
>uid: st81418
>uidNumber: 81418
>userPassword: {sasl}st81418@INTERNAL.EPO.ORG
>
>and here is one that is failing:
>
>version: 1
>dn: uid=ls22367,ou=people,ou=internal,dc=epo,dc=org
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetOrgPerson
>objectClass: posixAccount
>gidNumber: 666
>homeDirectory: /home/sysman/ls22367
>loginShell: /usr/bin/ksh
>uid: ls22367
>uidNumber: 22367
>cn: blah (changed to protect the innocent from Google searches)
>sn: blah2 (ditto)
>userPassword: {sasl}ls22367@INTERNAL.EPO.ORG
>
>I have tried the following to debug:
>
>changed the userPassword field to point to another user and then tried logging
>in with the new user's password.
>
>tried using a plain text password for the failing user.  Still cannot
>log in.  This suggests it has nothing to do with the sasl-regex
>statement although I cannot see a significant difference between a
>working and non-working account.
>
>tried deleting and recreating the record.
>
>the user's name contains 2 accented characters - I ripped them out for
>testing.  Other users have accented characters but they seem to work.
>
>We're using OpenLDAP: slapd 2.2.24.
>
>Any ideas welcome.
>
>S.
>
>-- 
>Simon Tennant ________________ http://imaginator.com/~simon/contact
>
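Added here as an illustration, not code from this thread or from OpenLDAP: a small Python emulation of how the quoted sasl-regexp stanza maps a SASL authentication identity to a directory DN, so you can see which constructed identities the rule catches and which it leaves unmapped (an unmapped identity never reaches the {sasl} userPassword lookup). It assumes slapd forms the identity as `uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth` with the mechanism lowercased and matches the pattern as a case-insensitive extended regex; the stricter anchored variant is my own suggestion, not from the thread.

```python
import re

# The sasl-regexp stanza from the quoted message: search pattern and
# replacement template, where "$1" is the first capture group.
SASL_REGEXP = (
    r"uid=(.*),cn=internal.epo.org,cn=gssapi,cn=auth",
    "uid=$1,ou=people,ou=internal,dc=epo,dc=org",
)

# Stricter variant (constructed here, not from the thread): anchored at both
# ends, with a capture group that refuses commas so the authcid cannot add
# extra RDNs to the resulting DN, and the dots in the realm made literal.
STRICT_REGEXP = (
    r"^uid=([^,]+),cn=internal\.epo\.org,cn=gssapi,cn=auth$",
    "uid=$1,ou=people,ou=internal,dc=epo,dc=org",
)


def sasl_authc_dn(authcid, realm, mech="GSSAPI"):
    """Build the DN-shaped string slapd matches sasl-regexp against.
    Assumed layout: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth, mech lowercased."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(parts)


def apply_sasl_regexp(authc_dn, rule):
    """Return the rewritten DN, or None when the rule does not catch the identity."""
    pattern, template = rule
    # Assumption: slapd compiles the pattern as an extended, case-insensitive regex.
    m = re.search(pattern, authc_dn, re.IGNORECASE)
    if not m:
        return None
    # Expand OpenLDAP-style $N back-references from the captured groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def check_users(identities, rule):
    """Map each constructed (authcid, realm, mech) triple to its rewritten DN or None."""
    return {authcid: apply_sasl_regexp(sasl_authc_dn(authcid, realm, mech), rule)
            for authcid, realm, mech in identities}


if __name__ == "__main__":
    # Constructed sample identities, not real accounts from the thread.
    sample = [("st81418", "INTERNAL.EPO.ORG", "GSSAPI"),
              ("ls22367", "OTHER.EXAMPLE", "GSSAPI"),
              ("ls22367", "INTERNAL.EPO.ORG", "DIGEST-MD5")]
    for uid, dn in check_users(sample, SASL_REGEXP).items():
        print(f"{uid}: {dn or 'NOT MAPPED'}")
```

Running it prints one mapped DN and two NOT MAPPED lines; comparing the mapped output with what `ldapwhoami -Y GSSAPI` reports is the quickest way to see whether a failing user's identity is being rewritten at all.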