
Re: Login failed if URI in client's ldap.conf is used



> I am running OpenLDAP 2.3.39 on a RedHat server. I am encountering a user
> ssh login failure on an LDAP client if I use the URI based way to specify
> the LDAP servers in the client's /etc/ldap.conf and
> /etc/openldap/ldap.conf files. I don't have such a problem if I use the
> host based way. A snip of the configurations and the ldap.log on the ldapm
> is the following:
> /etc/ldap.conf:
> uri ldap://ldapm.mydomain.com ldap://ldapsl.mydomain.com
> /etc/openldap/ldap.conf:
> URI ldap://ldapm.mydomain.com ldap://ldapsl..mydomain.com

There's probably a typo in the last URI above; don't know if it's related
to your issue, though.

> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat:
> cn=admin,dc=mydomain,dc=com
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd)
> (stop)
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted
> by read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to
> "uid=luke_l,ou=People,dc=mydomain,dc=com" "uid" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr uid
> May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state
> (uid)
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry
> "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "uid" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat:
> cn=admin,dc=mydomain,dc=com
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd)
> (stop)
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted
> by read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to
> "uid=luke_l,ou=People,dc=mydomain,dc=com" "userPassword" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_get: [1] attr userPassword
> May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state
> (userPassword)
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry
> "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "userPassword" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: anonymous
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] applying auth(=xd)
> (stop)
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] mask: auth(=xd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access denied
> by auth(=xd)
> May 16 14:16:33 ldapm slapd[27604]: send_search_entry: conn 35 access to
> attribute userPassword, value #0 not allowed

You only have "auth" access to the userPassword attribute (which sounds
reasonable) but the client is trying to "read" the password.  I suspect a
misconfiguration of the client, which tries to auth by internally
comparing userPassword values instead of using an LDAP bind operation.

> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to
> "uid=luke_l,ou=People,dc=mydomain,dc=com" "shadowLastChange" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr shadowLastChange
> May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state
> (shadowLastChange)
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry
> "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "shadowLastChange"
> requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat:
> cn=admin,dc=mydomain,dc=com
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd)
> (stop)
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted
> by read(=rscxd)
>
> Can anyone please help resolve the above problem? Thanks a lot!

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
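A small triage helper, added here as an example (it is not from the thread or from OpenLDAP itself), that pairs each slapd `access_allowed ... requested` line with its `granted`/`denied` decision, records who asked (`by ""` is an anonymous connection) and decodes the privilege letters, so that an "auth-only" grant on userPassword can be told apart from a genuinely broken ACL. It runs over constructed log lines modelled on the ones quoted above, rejoined onto single lines where the mail client wrapped them.

```python
import re

# Constructed sample, modelled on the slapd ACL debug lines quoted in the thread
# (each record is kept on one line; the original mail wrapped them).
SAMPLE_LOG = """\
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "uid" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] mask: auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access denied by auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: send_search_entry: conn 35 access to attribute userPassword, value #0 not allowed
"""

# slapd access-level letters as printed in "(=rscxd)" style masks (see slapd.access(5)).
PRIV_NAMES = {"d": "disclose", "x": "auth", "c": "compare",
              "s": "search", "r": "read", "w": "write"}

REQ_RE = re.compile(r'access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
BY_RE = re.compile(r'acl_mask: to value by "([^"]*)"')
RESULT_RE = re.compile(r'access_allowed: (\w+) access (granted|denied) by (\w+)\(=(\w+)\)')

def triage(log_text):
    """Return one dict per access decision: attribute, requester, level granted, outcome."""
    decisions, current = [], None
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:  # start of a new decision: what the client wanted, on which entry/attr
            current = {"wanted": m.group(1), "dn": m.group(2), "attr": m.group(3), "by": None}
            continue
        m = BY_RE.search(line)
        if m and current is not None:  # empty bind DN means an anonymous connection
            current["by"] = m.group(1) or "anonymous"
            continue
        m = RESULT_RE.search(line)
        if m and current is not None:  # outcome plus the ACL level that applied
            current.update(result=m.group(2), level=m.group(3),
                           privs=[PRIV_NAMES[c] for c in m.group(4)])
            decisions.append(current)
            current = None
    return decisions

def denied_attrs(decisions):
    """(attr, requester, level actually granted) for every denied request."""
    return [(d["attr"], d["by"], d["level"]) for d in decisions if d["result"] == "denied"]
```

On the sample, the only denial is userPassword for the anonymous requester at level `auth`, which is what the reply above calls reasonable: the server is fine, the client should be binding rather than reading the password.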