[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: user authentication on attributes





On Tue, Mar 29, 2011 at 7:43 PM, Dan White <dwhite@olp.net> wrote:
On 29/03/11 14:47 -0700, sim123 wrote:
I have openLDAP server up and running and trying to integrate it with
Confluence. My LDAP structure looks like

DN :: uid=123, ou=users, dc=example, dc=com
uid :: 123
mail :: bjason@example.com
cn :: barbara
sn :: jason
userPassword :: test (plain test for now)

I have another similar entry in another branch (su) for "confluence admin",
I did LDAP configuration in confluence and tested the bind with confluence
user. Now for every user authentication I am assuming LDAP should be able to
bind on any attribute other than DN. however I can not do that. when I try

By that, I assume that you are referring to a two step process where a
privileged user binds (or anonymously binds) to the server, searches for
the DN of a user based on some search criteria, unbinds, and then rebinds
using the returned DN, and the password submitted by the client.

If that's a correct assumption, you might want to verify that:

* The privileged user has appropriate permissions to search in your user
 tree
* The client (confluence) is submitting appropriate base, scope, and filter
 its search, and is retrieving the expected user DN
* The client is then binding a second time with the DN and user password


to login from confluence using mail & password, this is what I see in my
slapd.d logs :

connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
op tag 0x60, time 1301434489
ber_get_next
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>
<<< dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>,
<uid=234,ou=su,dc=example,dc=com>
do_bind: version=3 dn="uid=234,ou=su,dc=example,dc=com" method=128
bdb_dn2entry("uid=234,ou=su,dc=example,dc=com")
=> bdb_dn2id("dc=example,dc=com")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("ou=su,dc=example,dc=com")
<= bdb_dn2id: got id=0x4
=> bdb_dn2id("uid=234,ou=su,dc=example,dc=com")
<= bdb_dn2id: got id=0x7
entry_decode: "uid=234,ou=su,dc=example,dc=com"
<= entry_decode(uid=234,ou=su,dc=example,dc=com)
do_bind: v3 bind: "uid=234,ou=su,dc=example,dc=com" to
"uid=234,ou=su,dc=example,dc=com"
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 144 contents:
op tag 0x63, time 1301434489
ber_get_next
conn=1000 op=1 do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <ou=user,dc=example,dc=com>
<<< dnPrettyNormal: <ou=user,dc=example,dc=com>, <ou=user,dc=example,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
==> limits_get: conn=1000 op=1 self="uid=234,ou=su,dc=example,dc=com"
this="ou=user,dc=example,dc=com"
=> bdb_search
bdb_dn2entry("ou=user,dc=example,dc=com")
=> bdb_dn2id("ou=user,dc=example,dc=com")
<= bdb_dn2id: got id=0x3
entry_decode: "ou=user,dc=example,dc=com"
<= entry_decode(ou=user,dc=example,dc=com)
search_candidates: base="ou=user,dc=example,dc=com" (0x00000003) scope=2
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0

It looks like the search is not returning any entries. From your confluence
server, can you perform an ldapsearch as your privileged user to see if you
get any entries returned?

--
Dan White

Thanks for your reply. You got me right and I am sure the first two things are working so my authentication user has privileges, Confluence is submitting base,scope and filter. I am not sure about the third point, needs to validate it.

I tried doing ldapsearch from ldap server machine (local) and from confluence server using filter on uid/cn. However, don't know why wild card works and specific search doesn't.

ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123)'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
 
where as
ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123*)'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123*)
# requesting: ALL
#

# 123, users, example.com
dn: uid=123,ou=users,dc=example,dc=com
displayName: Barbara Jason
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
mail: bjason@example.com
uid: 123
userPassword:: bXJhanZhaWR5YQ==
sn: Jason
cn: Barbara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

again, I tried searching for it but couldn't find it, sorry for being naive but would appreciate any help. Thanks