Authenticating against slapd installed from package
I have installed OpenLDAP 2.2.26 from package on Ubuntu 6.06 LTS. The
postinst script prompts for a password to create an admin user. However,
when I try to run the ldapsearch command as the admin with that password, I
get the following error message:
$ ldapsearch -x -w password -D "cn=admin,dc=nodomain" '(objectclass=*)'
ldap_bind: Invalid credentials (49)
It seems that the binddn is listed on the database. Here is the relevant
output from the slapcat command:
$ sudo slapcat -f /etc/ldap/slapd.conf
dn: cn=admin,dc=nodomain
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e2NyeXB0fVpKalptWm9nNC93dkk=
structuralObjectClass: organizationalRole
entryUUID: 73e65794-aa17-102a-8980-a774470bff98
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20060717193740Z
modifyTimestamp: 20060717193740Z
entryCSN: 20060717193740Z#000001#00#000000
Also, it seems that the binddn has the proper access controls in the
slapd.conf file:
$ awk "BEGIN { RS='' }; /admin/ { print }" /etc/ldap/slapd.conf
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
by dn="cn=admin,dc=nodomain" write
by anonymous auth
by self write
by * none
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=nodomain" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=nodomain" write
# by dnattr=owner write
So, my last resort was to set the loglevel to 4095 (everything) which
returned the following output, none of which seems to show any invalid
credentials:
Jul 18 12:14:29 localhost slapd[28482]: daemon: activity on 1 descriptors
Jul 18 12:14:30 localhost slapd[28482]: daemon: new connection on 10
Jul 18 12:14:30 localhost slapd[28482]: conn=5 fd=10 ACCEPT from IP=127.0.0.1:49718 (IP=0.0.0.0:389)
Jul 18 12:14:30 localhost slapd[28482]: daemon: added 10r
Jul 18 12:14:30 localhost slapd[28482]: daemon: activity on:
Jul 18 12:14:30 localhost slapd[28482]:
Jul 18 12:14:30 localhost slapd[28482]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 18 12:14:30 localhost slapd[28482]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 18 12:14:30 localhost slapd[28482]: daemon: activity on 1 descriptors
Jul 18 12:14:30 localhost slapd[28482]: daemon: activity on:
Jul 18 12:14:30 localhost slapd[28482]: 10r
Jul 18 12:14:30 localhost slapd[28482]:
Jul 18 12:14:30 localhost slapd[28482]: daemon: read activity on 10
Jul 18 12:14:30 localhost slapd[28482]: connection_get(10)
Jul 18 12:14:30 localhost slapd[28482]: connection_get(10): got connid=5
Jul 18 12:14:30 localhost slapd[28482]: connection_read(10): checking for input on id=5
Jul 18 12:14:30 localhost slapd[28482]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
Jul 18 12:14:30 localhost slapd[28482]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 18 12:14:30 localhost slapd[28482]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 18 12:14:30 localhost slapd[28482]: do_bind
Jul 18 12:14:30 localhost slapd[28482]: >>> dnPrettyNormal: <cn=admin,dc=nodomain>
Jul 18 12:14:30 localhost slapd[28482]: <<< dnPrettyNormal: <cn=admin,dc=nodomain>, <cn=admin,dc=nodomain>
Jul 18 12:14:30 localhost slapd[28482]: do_bind: version=3 dn="cn=admin,dc=nodomain" method=128
Jul 18 12:14:31 localhost slapd[28482]: conn=5 op=0 BIND dn="cn=admin,dc=nodomain" method=128
Jul 18 12:14:31 localhost slapd[28482]: ==> bdb_bind: dn: cn=admin,dc=nodomain
Jul 18 12:14:31 localhost slapd[28482]: bdb_dn2entry("cn=admin,dc=nodomain")
Jul 18 12:14:31 localhost slapd[28482]: => access_allowed: auth access to "cn=admin,dc=nodomain" "userPassword" requested
Jul 18 12:14:31 localhost slapd[28482]: => acl_get: [1] attr userPassword
Jul 18 12:14:31 localhost slapd[28482]: => acl_mask: access to entry "cn=admin,dc=nodomain", attr "userPassword" requested
Jul 18 12:14:31 localhost slapd[28482]: => acl_mask: to all values by "", (=n)
Jul 18 12:14:31 localhost slapd[28482]: <= check a_dn_pat: cn=admin,dc=nodomain
Jul 18 12:14:31 localhost slapd[28482]: <= check a_dn_pat: anonymous
Jul 18 12:14:31 localhost slapd[28482]: <= acl_mask: [2] applying auth(=x) (stop)
Jul 18 12:14:31 localhost slapd[28482]: <= acl_mask: [2] mask: auth(=x)
Jul 18 12:14:31 localhost slapd[28482]: => access_allowed: auth access granted by auth(=x)
Jul 18 12:14:31 localhost slapd[28482]: send_ldap_result: conn=5 op=0 p=3
Jul 18 12:14:31 localhost slapd[28482]: send_ldap_result: err=49 matched="" text=""
Jul 18 12:14:31 localhost slapd[28482]: send_ldap_response: msgid=1 tag=97 err=49
Jul 18 12:14:31 localhost slapd[28482]: conn=5 op=0 RESULT tag=97 err=49 text=
Jul 18 12:14:31 localhost slapd[28482]: daemon: activity on 1 descriptors
Jul 18 12:14:31 localhost slapd[28482]: daemon: activity on:
Jul 18 12:14:32 localhost slapd[28482]: 10r
Jul 18 12:14:32 localhost slapd[28482]:
Jul 18 12:14:32 localhost slapd[28482]: daemon: read activity on 10
Jul 18 12:14:32 localhost slapd[28482]: connection_get(10)
Jul 18 12:14:32 localhost slapd[28482]: connection_get(10): got connid=5
Jul 18 12:14:32 localhost slapd[28482]: connection_read(10): checking for input on id=5
Jul 18 12:14:32 localhost slapd[28482]: ber_get_next on fd 10 failed errno=0 (Success)
Jul 18 12:14:32 localhost slapd[28482]: connection_read(10): input error=-2 id=5, closing.
Jul 18 12:14:32 localhost slapd[28482]: connection_closing: readying conn=5 sd=10 for close
Jul 18 12:14:32 localhost slapd[28482]: connection_close: conn=5 sd=10
Jul 18 12:14:32 localhost slapd[28482]: daemon: removing 10
Jul 18 12:14:32 localhost slapd[28482]: conn=5 fd=10 closed
Jul 18 12:14:32 localhost slapd[28482]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 18 12:14:32 localhost slapd[28482]: daemon: select: listen=7 active_threads=0 tvp=NULL
Jul 18 12:14:32 localhost slapd[28482]: daemon: activity on 1 descriptors
Jul 18 12:14:32 localhost slapd[28482]: daemon: select: listen=6 active_threads=0 tvp=NULL
Jul 18 12:14:32 localhost slapd[28482]: daemon: select: listen=7 active_threads=0 tvp=NULL
So, any ideas what I might be doing wrong?
--
Marc Tardif <marc@interunion.ca>
Freenode: cr3, Jabber: cr3@jabber.org
1024D/72679CAD 09A9 D871 F7C4 A18F AC08 674D 2B73 740C 7267 9CAD
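A small diagnostic that follows on from the post (added here as an example; it is not part of the original message or of OpenLDAP itself). In a simple bind slapd first checks that the ACL grants `auth` access to `userPassword`, then compares the supplied password with the stored value; the log above shows the ACL step succeeding (`auth access granted by auth(=x)`) before `err=49`, so the comparison is where such a bind fails. The code below parses a `userPassword::` line as slapcat prints it (the double colon marks a base64-encoded value), reports the hash scheme prefix, and reproduces the comparison for `{SSHA}`, `{SHA}` and cleartext values. All names, the DN and the password are constructed for the example; the hash is generated by the code rather than taken from any directory, and `{CRYPT}` (system `crypt(3)`) is only identified, not verified.

```python
import base64
import hashlib
import os


def make_ssha(password, salt=None):
    """Build a userPassword value in OpenLDAP's {SSHA} form:
    base64(SHA-1(password + salt) + salt), with a 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def build_ldif_entry(dn, stored):
    """Constructed LDIF entry in the shape slapcat emits; the userPassword
    value is base64-encoded, hence the double colon."""
    value = base64.b64encode(stored.encode("utf-8")).decode("ascii")
    return (
        f"dn: {dn}\n"
        "objectClass: simpleSecurityObject\n"
        "objectClass: organizationalRole\n"
        f"userPassword:: {value}\n"
    )


def parse_userpassword(ldif):
    """Return the decoded userPassword attribute of one LDIF entry.
    'attr:: value' is base64 in LDIF; 'attr: value' is literal."""
    for line in ldif.splitlines():
        if line.startswith("userPassword:: "):
            raw = line[len("userPassword:: "):]
            return base64.b64decode(raw).decode("utf-8")
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    raise ValueError("no userPassword attribute in entry")


def scheme_of(stored):
    """Hash scheme prefix ({SSHA}, {SHA}, {CRYPT}, ...) or CLEARTEXT."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "CLEARTEXT"


def check_password(stored, candidate):
    """Reproduce the comparison slapd performs after the ACL has granted
    'auth' access: True only if the candidate matches the stored value."""
    scheme = scheme_of(stored)
    if scheme == "CLEARTEXT":
        return stored == candidate
    body = base64.b64decode(stored[len(scheme) + 2:])  # strip "{SCHEME}"
    if scheme == "SSHA":
        digest, salt = body[:20], body[20:]  # SHA-1 digest, then salt
        return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest
    if scheme == "SHA":
        return hashlib.sha1(candidate.encode("utf-8")).digest() == body
    # {CRYPT} values are checked by slapd via the system crypt(3); not handled here.
    raise NotImplementedError("scheme {%s} not handled in this example" % scheme)


if __name__ == "__main__":
    # Constructed sample: DN and password are illustrative only.
    stored = make_ssha("example-admin-secret")
    entry = build_ldif_entry("cn=admin,dc=example,dc=com", stored)
    value = parse_userpassword(entry)
    print("scheme:", scheme_of(value))
    print("bind with right password:", check_password(value, "example-admin-secret"))
    print("bind with wrong password:", check_password(value, "typo"))
```

Running `slapcat` and feeding the `dn:`/`userPassword::` lines of the admin entry to `parse_userpassword` shows which scheme the postinst script stored; if the scheme is `{CRYPT}` the comparison is done by the system `crypt(3)` and the candidate must be checked with that routine instead.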