Re: ldap auth does not works after openldap upgrade

On Thu, Feb 17, 2011 at 7:50 AM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:

On Wednesday, 16 February 2011 20:37:45 Leonardo Carneiro wrote:
> On Wed, Feb 16, 2011 at 8:43 AM, Andrew Findlay <
>
> andrew.findlay@skills-1st.co.uk> wrote:
> > On Tue, Feb 15, 2011 at 05:08:43PM -0200, Leonardo Carneiro wrote:

In the original question:
> Hello everyone,

>
> I upgraded my debian machine from lenny to squeeze (the new stable)
> that comes with samba 3.5.6 and openldap 2.4.23. this machines works
> primarily as a PDC.
>

> i have 3 services authenticating on ldap: samba, apache and redmine.
> samba is acting very weird, but it's kinda working, but redmine and
> apache aren't working at all.

So, I take it Apache was upgraded as well? From what version? To what version?

> > > fileserver:/etc/ldap# /usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap
> >
> > -u
> >
> > > openldap -F /etc/ldap/slapd.d -d 128
> >
> > Aha! Your server is using LDAP-based config so it is ignoring the config
> > file entirely.
> >
> > > Does these changes that we are making into slapd.conf really being
> > > processed? Normally, i see just the "-F /etc/ldap/slapd.d" flag and
> > > never the "-f /etc/ldap/slapd.conf".
> >
> > I suspect the config file was converted to a config dir during the
> > Debian upgrade process, so the file is now being ignored.
> >
> > I also suspect that there may not be a valid password set on the
> > cn=config suffix, so you will not be able to manage the server through
> > LDAP either.
> >
> > One solution is to change the startup process to use the config file (-f
> > option) rather than the config dir (-F option). Once you have a file
> > that does what you want you have the option of converting it to a
> >
> > directory:
> > Move aside the existing config directory /etc/ldap/slapd.d
> > and make a new one with the same ownership and permissions.
> >
> > Start slapd with both the -f and the -F options.
> >
> > If you are going to do this, I suggest adding a rootpw for the config
> > database first. Append this to your slapd.conf file:
> >
> > ########################################################################
> > database config
> >
> > rootdn "cn=config"
> > rootpw example
> > ########################################################################
> >
> > You will then be able to do normal LDAP operations on the config:
> >
> > ldapsearch -x -D cn=config -w example -b cn=config '(objectclass=*)'
> >
> > I think we're really near to success here =D.
>
> The new slapd.d was created successfully and now i can do searches
> anonymously. Searches like:
>
> ldapsearch -x -h server -D cn=config -w [passwd] -b cn=config
> ldapsearch -x -h server -b "dc=dominio,dc=com,dc=br"
>
> are working ok now. Unfortunally, services are not able to do the search
> yet. At least with the configuration that was working before the upgrade.
>
> I notice some of my services do bind as cn=root,dc=dominio,dc=com,dc=br.
> Here it is a example of the apache:
>
> AuthBasicProvider ldap
> AuthName "who are you?"
> AuthzLDAPAuthoritative OFF
> AuthLDAPURL "ldap://
> 192.168.0.2/ou=users,dc=dominio,dc=com,dc=br?uid"
> AuthLDAPGroupAttribute memberUid
> AuthLDAPGroupAttributeIsDN OFF
> AuthLDAPBindDN "cn=root,dc=dominio,dc=com,dc=br"
> AuthLDAPBindPassword "[password]"
> Require ldap-group
> cn=devteam,ou=groups,dc=dominio,dc=com,dc=br

If you now have Apache 2.2.x, either you have include only some of the
relevant statements, or you are missing a "Satisfy" statement, e.g. "Satisfy
All".

> In the apache log, it just seams that the apache did bind it to ldap, but
> the search results were null. It should work ok know, since i can even bind
> anonymous, write?

Show the log of the LDAP search by apache, so we can be sure.

But, when upgrading from Apache 2.0 to Apache 2.2, one thing that messed me
around for a few hours was the 'Satisfy' statement. Without it, the behaviour
didn't make sense ...

Regards,
Buchan