Re: user authentication on attributes
- To: Dan White <dwhite@olp.net>
- Subject: Re: user authentication on attributes
- From: sim123 <Sim3159@gmail.com>
- Date: Wed, 30 Mar 2011 04:36:56 -0700
- Cc: openldap-technical@openldap.org
- In-reply-to: <20110330024318.GE3164@dan.olp.net>
- References: <AANLkTimX29-8AEBnX2dEpnspCF5FZLY519SuKeJseM9x@mail.gmail.com> <20110330024318.GE3164@dan.olp.net>
On Tue, Mar 29, 2011 at 7:43 PM, Dan White <dwhite@olp.net> wrote:
> On 29/03/11 14:47 -0700, sim123 wrote:
> > I have an openLDAP server up and running and am trying to integrate it with
> > Confluence. My LDAP structure looks like
> > DN :: uid=123, ou=users, dc=example, dc=com
> > uid :: 123
> > mail :: bjason@example.com
> > cn :: barbara
> > sn :: jason
> > userPassword :: test (plain text for now)
> > I have another similar entry in another branch (su) for "confluence admin".
> > I did the LDAP configuration in Confluence and tested the bind with the Confluence
> > user. Now for every user authentication I am assuming LDAP should be able to
> > bind on any attribute other than DN. However, I cannot do that. When I try
>
> By that, I assume that you are referring to a two step process where a
> privileged user binds (or anonymously binds) to the server, searches for
> the DN of a user based on some search criteria, unbinds, and then rebinds
> using the returned DN, and the password submitted by the client.
>
> If that's a correct assumption, you might want to verify that:
>
> * The privileged user has appropriate permissions to search in your user
> tree
> * The client (confluence) is submitting appropriate base, scope, and filter
> in its search, and is retrieving the expected user DN
> * The client is then binding a second time with the DN and user password
>
> > to login from Confluence using mail & password, this is what I see in my
> > slapd.d logs:
> > connection_get(12): got connid=1000
> > connection_read(12): checking for input on id=1000
> > ber_get_next
> > ber_get_next: tag 0x30 len 48 contents:
> > op tag 0x60, time 1301434489
> > ber_get_next
> > conn=1000 op=0 do_bind
> > ber_scanf fmt ({imt) ber:
> > ber_scanf fmt (m}) ber:
> > dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>
> > <<< dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>,
> > <uid=234,ou=su,dc=example,dc=com>
> > do_bind: version=3 dn="uid=234,ou=su,dc=example,dc=com" method=128
> > bdb_dn2entry("uid=234,ou=su,dc=example,dc=com")
> > => bdb_dn2id("dc=example,dc=com")
> > <= bdb_dn2id: got id=0x1
> > => bdb_dn2id("ou=su,dc=example,dc=com")
> > <= bdb_dn2id: got id=0x4
> > => bdb_dn2id("uid=234,ou=su,dc=example,dc=com")
> > <= bdb_dn2id: got id=0x7
> > entry_decode: "uid=234,ou=su,dc=example,dc=com"
> > <= entry_decode(uid=234,ou=su,dc=example,dc=com)
> > do_bind: v3 bind: "uid=234,ou=su,dc=example,dc=com" to
> > "uid=234,ou=su,dc=example,dc=com"
> > send_ldap_result: conn=1000 op=0 p=3
> > send_ldap_response: msgid=1 tag=97 err=0
> > ber_flush2: 14 bytes to sd 12
> > connection_get(12): got connid=1000
> > connection_read(12): checking for input on id=1000
> > ber_get_next
> > ber_get_next: tag 0x30 len 144 contents:
> > op tag 0x63, time 1301434489
> > ber_get_next
> > conn=1000 op=1 do_search
> > ber_scanf fmt ({miiiib) ber:
> > dnPrettyNormal: <ou=user,dc=example,dc=com>
> > <<< dnPrettyNormal: <ou=user,dc=example,dc=com>, <ou=user,dc=example,dc=com>
> > ber_scanf fmt ({mm}) ber:
> > ber_scanf fmt ({mm}) ber:
> > ber_scanf fmt ({M}}) ber:
> > => get_ctrls
> > ber_scanf fmt ({m) ber:
> > => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
> > <= get_ctrls: n=1 rc=0 err=""
> > ==> limits_get: conn=1000 op=1 self="uid=234,ou=su,dc=example,dc=com"
> > this="ou=user,dc=example,dc=com"
> > => bdb_search
> > bdb_dn2entry("ou=user,dc=example,dc=com")
> > => bdb_dn2id("ou=user,dc=example,dc=com")
> > <= bdb_dn2id: got id=0x3
> > entry_decode: "ou=user,dc=example,dc=com"
> > <= entry_decode(ou=user,dc=example,dc=com)
> > search_candidates: base="ou=user,dc=example,dc=com" (0x00000003) scope=2
> > => bdb_equality_candidates (objectClass)
> > => key_read
> > <= bdb_index_read: failed (-30988)
> > <= bdb_equality_candidates: id=0, first=0, last=0
>
> It looks like the search is not returning any entries. From your confluence
> server, can you perform an ldapsearch as your privileged user to see if you
> get any entries returned?
>
> --
> Dan White
Thanks for your reply. You got me right, and I am sure the first two things are working: my authentication user has privileges, and Confluence is submitting base, scope and filter. I am not sure about the third point; I need to validate it.

I tried doing ldapsearch from the LDAP server machine (local) and from the Confluence server using a filter on uid/cn. However, I don't know why the wildcard works and the specific search doesn't.
ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
whereas
ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123*)
# requesting: ALL
#
dn: uid=123,ou=users,dc=example,dc=com
displayName: Barbara Jason
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: 123
userPassword:: bXJhanZhaWR5YQ==
sn: Jason
cn: Barbara
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Again, I tried searching for it but couldn't find it. Sorry for being naive, but I would appreciate any help. Thanks
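Dan's three checks (privileged search permissions, correct base/scope/filter, rebind with the returned DN) written out as a shell script, added here and not part of the thread; it uses the same ldapsearch invocation as above plus ldapwhoami for the rebind, and additionally escapes the login value per RFC 4515 so that user input cannot alter the filter. LDAP_URI, LOGIN_ATTR and the function names are assumptions; BIND_DN and BASE are the values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: runs Dan White's three checks by hand.
# Values below are assumptions/placeholders; BIND_DN and BASE match the thread.
LDAP_URI="ldap://localhost"                  # assumed server URI
BIND_DN="cn=Manager,dc=example,dc=com"       # privileged search user
BASE="ou=users,dc=example,dc=com"            # user tree
LOGIN_ATTR="mail"                            # attribute the user types at login

# Escape a value for an RFC 4515 filter so user input cannot change the filter
# (backslash first, then *, ( and ); NUL cannot occur in a shell string).
ldap_filter_escape() {
  printf '%s' "$1" |
    sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print the DN(s) found in LDIF on stdin, joining folded continuation lines.
ldif_dn() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (buf ~ /^dn: /) print substr(buf, 5); buf = $0 }
       END { if (buf ~ /^dn: /) print substr(buf, 5) }'
}

# Checks 1 and 2: the privileged user can search the tree, and the base, scope
# and filter the client would send return the user's DN.
# usage: find_user_dn <login-value> <privileged-password>
find_user_dn() {
  filter="($LOGIN_ATTR=$(ldap_filter_escape "$1"))"
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -w "$2" \
    -b "$BASE" -s sub "$filter" 1.1 | ldif_dn
}

# Check 3: rebind as the DN that came back, with the password the user typed.
# usage: verify_user_bind <login-value> <user-password> <privileged-password>
# (-w exposes passwords in the process list; prefer -y <file> outside a lab)
verify_user_bind() {
  dn=$(find_user_dn "$1" "$3")
  n=$(printf '%s\n' "$dn" | grep -c .)
  if [ "$n" -ne 1 ]; then
    echo "search for ($LOGIN_ATTR=$1) returned $n entries: check ACLs, base, scope, filter" >&2
    return 1
  fi
  ldapwhoami -x -H "$LDAP_URI" -D "$dn" -w "$2"
}

# sh thisscript.sh bjason@example.com <user-password> <manager-password>
if [ "$#" -ge 3 ]; then verify_user_bind "$1" "$2" "$3"; fi
```

A search that returns zero entries fails at check 2 before any rebind is attempted, which is the situation the slapd log above shows.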