Re: user authentication on attributes

On Tue, Mar 29, 2011 at 7:43 PM, Dan White <dwhite@olp.net> wrote:

On 29/03/11 14:47 -0700, sim123 wrote:

I have openLDAP server up and running and trying to integrate it with
Confluence. My LDAP structure looks like

DN :: uid=123, ou=users, dc=example, dc=com
uid :: 123
mail :: bjason@example.com
cn :: barbara
sn :: jason
userPassword :: test (plain test for now)

I have another similar entry in another branch (su) for "confluence admin",
I did LDAP configuration in confluence and tested the bind with confluence
user. Now for every user authentication I am assuming LDAP should be able to
bind on any attribute other than DN. however I can not do that. when I try

By that, I assume that you are referring to a two step process where a
privileged user binds (or anonymously binds) to the server, searches for
the DN of a user based on some search criteria, unbinds, and then rebinds
using the returned DN, and the password submitted by the client.

If that's a correct assumption, you might want to verify that:

* The privileged user has appropriate permissions to search in your user
tree
* The client (confluence) is submitting appropriate base, scope, and filter
its search, and is retrieving the expected user DN
* The client is then binding a second time with the DN and user password

to login from confluence using mail & password, this is what I see in my
slapd.d logs :

connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
op tag 0x60, time 1301434489
ber_get_next
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:

dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>

<<< dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>,
<uid=234,ou=su,dc=example,dc=com>
do_bind: version=3 dn="uid=234,ou=su,dc=example,dc=com" method=128
bdb_dn2entry("uid=234,ou=su,dc=example,dc=com")
=> bdb_dn2id("dc=example,dc=com")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("ou=su,dc=example,dc=com")
<= bdb_dn2id: got id=0x4
=> bdb_dn2id("uid=234,ou=su,dc=example,dc=com")
<= bdb_dn2id: got id=0x7
entry_decode: "uid=234,ou=su,dc=example,dc=com"
<= entry_decode(uid=234,ou=su,dc=example,dc=com)
do_bind: v3 bind: "uid=234,ou=su,dc=example,dc=com" to
"uid=234,ou=su,dc=example,dc=com"
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 144 contents:
op tag 0x63, time 1301434489
ber_get_next
conn=1000 op=1 do_search
ber_scanf fmt ({miiiib) ber:

dnPrettyNormal: <ou=user,dc=example,dc=com>

<<< dnPrettyNormal: <ou=user,dc=example,dc=com>, <ou=user,dc=example,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
==> limits_get: conn=1000 op=1 self="uid=234,ou=su,dc=example,dc=com"
this="ou=user,dc=example,dc=com"
=> bdb_search
bdb_dn2entry("ou=user,dc=example,dc=com")
=> bdb_dn2id("ou=user,dc=example,dc=com")
<= bdb_dn2id: got id=0x3
entry_decode: "ou=user,dc=example,dc=com"
<= entry_decode(ou=user,dc=example,dc=com)
search_candidates: base="ou=user,dc=example,dc=com" (0x00000003) scope=2
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0

It looks like the search is not returning any entries. From your confluence
server, can you perform an ldapsearch as your privileged user to see if you
get any entries returned?

--
Dan White