
RE: Question about OpenLDAP



They're trying to connect from an AD client running on a Windows machine.

I see a message from back in 2000 that indicates that method 137 may be NTLM.

How would I get slapd to support method 137?  Would it require anything like
Kerberos to be built-in?

Thanks again!

--
 Mark Hennessy

> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com] 
> Sent: Monday, December 11, 2006 7:42 PM
> To: Mark Hennessy
> Cc: openldap-software@openldap.org
> Subject: Re: Question about OpenLDAP
> 
> Mark Hennessy wrote:
> > I have a user who tries to connect from an IP x.x.x.31, but they keep getting
> > rejected.  The ACL is using IPs to allow anonymous read-only connections.  I
> > have a client at another host that's also in the ACL by IP which is set to
> > use an anonymous connection and that works.  What should I be looking for
> > with this client that's not working?  Also, I built OpenLDAP without SASL on
> > purpose.  This is serving a simple database that could potentially have lots
> > of reads and no writes from a couple of trusted hosts.  Any help in this
> > matter would be greatly appreciated!
> > 
> > This is OpenLDAP from FreeBSD ports built supposedly without SASL.
> > 
> > Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from IP=x.x.x.31:1691 (IP=0.0.0.0:389)
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH attr=supportedCapabilities
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH attr=supportedSASLMechanisms
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method
> > Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND
> > Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
> 
> The log shows they're trying to Bind with a "method=137" and correctly
> getting an unknown authentication method response back. I.e., they're
> trying to Bind with a mechanism that slapd doesn't recognize. It's
> certainly not an anonymous LDAP Simple Bind. Seems like a broken client.
> 
> -- 
>    -- Howard Chu
>    Chief Architect, Symas Corp.  http://www.symas.com
>    Director, Highland Sun        http://highlandsun.com/hyc
>    OpenLDAP Core Team            http://www.openldap.org/project/
> 
>
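Added example, not part of the original thread or of OpenLDAP: a small script that pairs each BIND line with its RESULT in a slapd log and decodes the method number as a BER identifier octet. It assumes slapd logs the AuthenticationChoice tag octet as method= (128 for simple, 163 for SASL, per RFC 4511); the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample modelled on the log in the thread (one entry per line).
SAMPLE_LOG = """\
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137
Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97 err=7 text=unknown authentication method
Dec 11 13:35:02 x slapd[2566]: conn=29 op=0 BIND dn="" method=128
Dec 11 13:35:02 x slapd[2566]: conn=29 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')

# AuthenticationChoice alternatives defined by RFC 4511, keyed by tag octet.
RFC4511_CHOICES = {0x80: "simple", 0xA3: "sasl"}
CLASSES = ("universal", "application", "context-specific", "private")


def decode_method(method):
    """Split a single BER identifier octet into class, form and tag number."""
    return {
        "class": CLASSES[(method >> 6) & 0x3],   # top two bits
        "constructed": bool(method & 0x20),      # bit 6: primitive/constructed
        "tag": method & 0x1F,                    # low five bits (short form)
        "choice": RFC4511_CHOICES.get(method, "not defined in RFC 4511"),
    }


def failed_binds(log_text):
    """Return BIND operations whose RESULT carries a non-zero err code."""
    binds, failures = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = int(m.group(4))
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in binds and int(m.group(4)) != 0:
            method = binds[(m.group(1), m.group(2))]
            failures.append({"conn": int(m.group(1)), "err": int(m.group(4)),
                             "method": method, **decode_method(method)})
    return failures


if __name__ == "__main__":
    for failure in failed_binds(SAMPLE_LOG):
        print(failure)
```

For method=137 the decode is a context-specific, primitive tag 9, which is neither of the two choices RFC 4511 defines, consistent with the err=7 response in the log.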