
Re: user authentication on attributes

On Wed, Mar 30, 2011 at 12:18 PM, sim123 <Sim3159@gmail.com> wrote:

On Wed, Mar 30, 2011 at 7:49 AM, Dan White <dwhite@olp.net> wrote:
On 30/03/11 04:36 -0700, sim123 wrote:
On Tue, Mar 29, 2011 at 7:43 PM, Dan White <dwhite@olp.net> wrote:
It looks like the search is not returning any entries. From your confluence
server, can you perform an ldapsearch as your privileged user to see if you
get any entries returned?

Thanks for your reply. You got me right, and I am sure the first two things
are working: my authentication user has privileges, and Confluence is
submitting base, scope and filter. I am not sure about the third point; I need
to validate it.

I tried doing ldapsearch from the ldap server machine (local) and from the
confluence server using a filter on uid/cn. However, I don't know why the wild
card works and the specific search doesn't.

ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b
'ou=users,dc=example,dc=com' '(uid=123)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

whereas
ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b
'ou=users,dc=example,dc=com' '(uid=123*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123*)
# requesting: ALL
#

# 123, users, example.com
dn: uid=123,ou=users,dc=example,dc=com
displayName: Barbara Jason
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
mail: bjason@example.com
uid: 123
userPassword:: bXJhanZhaWR5YQ==
sn: Jason
cn: Barbara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Again, I tried searching for it but couldn't find it; sorry for being naive,
but I would appreciate any help. Thanks

My guess is that you're running into a bdb/hdb indexing problem. Try adding
an index in your slapd.conf/slapd-config for uid (if it doesn't exist), and
then rebuild your indexes using slapindex.

See the man pages for slapd-bdb/slapd-hdb and slapindex for details.

--
Dan White

Thanks for your response, it's the index; I recreated the index and can do ldapsearch.

Confluence is doing the three-step process you described, i.e. init session and bind with the confluence user, search for the dn, and bind with the dn. For some reason I see the search cannot find anything, and the log says:

bdb_nidex_read: failed (-30988)
----
bdb_search: no candidates

I had it working once!! I don't know what magic happened that time ... posting logs in case there is any clue there:

Success Logs
slap_listener_activate(8): 
>>> slap_listener(ldap:///)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 43 contents:
op tag 0x60, time 1301501949
ber_get_next
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=example,dc=com>
<<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>, <cn=manager,dc=example,dc=com>
do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128
do_bind: v3 bind: "cn=Manager,dc=example,dc=com" to "cn=Manager,dc=example,dc=com"
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 120 contents:
op tag 0x63, time 1301501949
ber_get_next
conn=1000 op=1 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=users,dc=example,dc=com>
<<< dnPrettyNormal: <ou=users,dc=example,dc=com>, <ou=dc=example,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("ou=users,dc=example,dc=com")
=> bdb_dn2id("dc=example,dc=com")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("ou=users,dc=example,dc=com")
<= bdb_dn2id: got id=0x3
entry_decode: "ou=users,dc=example,dc=com"
<= entry_decode(ou=users,dc=example,dc=com)
search_candidates: base="ou=users,dc=example,dc=com" (0x00000003) scope=2
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl("ou=users,dc=example,dc=com")
<= bdb_dn2idl: id=2 first=3 last=6
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 2 candidates
<= bdb_equality_candidates: id=2, first=6, last=7
=> bdb_equality_candidates (cn)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=6, last=6
bdb_search_candidates: id=1 first=6 last=6
entry_decode: "uid=123,ou=users,dc=example,dc=com"
<= entry_decode(uid=123,ou=users,dc=example,dc=com)
=> bdb_dn2id("uid=123,ou=users,dc=example,dc=com")
<= bdb_dn2id: got id=0x6
=> send_search_entry: conn 1000 dn="uid=123,ou=users,dc=example,dc=com"
ber_flush2: 265 bytes to sd 12
<= send_search_entry: conn 1000 exit.
send_ldap_result: conn=1000 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 12
slap_listener_activate(8): 
>>> slap_listener(ldap:///)
connection_get(15): got connid=1001
connection_read(15): checking for input on id=1001
ber_get_next
ber_get_next: tag 0x30 len 52 contents:
op tag 0x60, time 1301501949
ber_get_next
conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=123,ou=users,dc=example,dc=com>
<<< dnPrettyNormal: <uid=123,ou=users,dc=example,dc=com>, <uid=123,ou=users,dc=example,dc=com>
do_bind: version=3 dn="uid=123,ou=users,dc=example,dc=com" method=128
bdb_dn2entry("uid=123,ou=users,dc=example,dc=com")
do_bind: v3 bind: "uid=123,ou=users,dc=example,dc=com" to "uid=123,ou=users,dc=example,dc=com"
send_ldap_result: conn=1001 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 15
connection_get(15): got connid=1001
connection_read(15): checking for input on id=1001
ber_get_next
ber_get_next: tag 0x30 len 34 contents:
op tag 0x42, time 1301501968
ber_get_next
ber_get_next on fd 15 failed errno=0 (Success)
conn=1001 op=1 do_unbind
connection_close: conn=1001 sd=15

Failure log

connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 118 contents:
op tag 0x63, time 1301512406
ber_get_next
conn=1000 op=2 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=users,dc=example,dc=com>
<<< dnPrettyNormal: <ou=users,dc=example,dc=com>, <ou=users,dc=example,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("ou=users,dc=example,dc=com")
search_candidates: base="ou=users,dc=example,dc=com" (0x00000003) scope=2
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl("ou=users,dc=example,dc=com")
<= bdb_dn2idl: id=2 first=3 last=6
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 2 candidates
<= bdb_equality_candidates: id=2, first=6, last=7
=> bdb_equality_candidates (cn)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search_candidates: id=0 first=3 last=0
bdb_search: no candidates
send_ldap_result: conn=1000 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_flush2: 14 bytes to sd 12

Thanks


Sorry for the long logs above. I just found out I can use the cn field for logging in and it works fine; however, the uid field doesn't work. I have an index on cn and uid, so I'm not sure why uid doesn't work.

Thanks.
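The thread above ends without a worked way of reading the debug trace. The following is an added example (not code from the original thread or from the OpenLDAP project) that applies Dan White's diagnosis mechanically: it groups a slapd debug trace by search operation, records which attribute index lookups returned Berkeley DB's DB_NOTFOUND (-30988), and cross-checks the attributes of searches that ended in "bdb_search: no candidates" against the `index` directives in slapd.conf. Both the trace and the slapd.conf fragment are constructed samples shaped like the ones quoted in the thread; the function names (`parse_search_ops`, `parse_index_directives`, `diagnose`) are the example's own.

```python
import re

# Constructed sample slapd debug trace in the shape of the traces quoted in
# the thread: op=1 succeeds via the cn index, op=2 fails on uid, op=3 fails
# on cn even though cn is indexed (a stale index that slapindex would rebuild).
SAMPLE_LOG = """\
conn=1000 op=1 do_search
search_candidates: base="ou=users,dc=example,dc=com" (0x00000003) scope=2
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (cn)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=6, last=6
bdb_search_candidates: id=1 first=6 last=6
conn=1000 op=2 do_search
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 2 candidates
=> bdb_equality_candidates (uid)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search: no candidates
conn=1000 op=3 do_search
=> bdb_equality_candidates (cn)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search: no candidates
"""

# Constructed slapd.conf fragment: uid has only a presence index, no 'eq'.
SAMPLE_SLAPD_CONF = """\
database bdb
suffix "dc=example,dc=com"
index objectClass eq
index cn eq,sub
index uid pres
"""

OP_RE = re.compile(r"^conn=(\d+) op=(\d+) do_search")
CAND_RE = re.compile(r"^=> bdb_equality_candidates \((\w+)\)")
FAIL_RE = re.compile(r"^<= bdb_index_read: failed \((-?\d+)\)")
DB_NOTFOUND = -30988  # Berkeley DB DB_NOTFOUND: the index key is absent


def parse_search_ops(log_text):
    """Group the trace by (conn, op) and record, per search, which attribute
    index reads returned DB_NOTFOUND and whether the candidate set was empty."""
    ops = {}
    current = None
    attr = None
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            ops[current] = {"failed_indexes": [], "no_candidates": False}
            attr = None
            continue
        if current is None:
            continue
        m = CAND_RE.match(line)
        if m:
            attr = m.group(1)  # attribute whose index is read next
            continue
        m = FAIL_RE.match(line)
        if m and int(m.group(1)) == DB_NOTFOUND and attr is not None:
            ops[current]["failed_indexes"].append(attr)
            continue
        if line.startswith("bdb_search: no candidates"):
            ops[current]["no_candidates"] = True
    return ops


def parse_index_directives(conf_text):
    """Return {attribute: set(index types)} from slapd.conf 'index' lines,
    e.g. 'index cn,sn eq,sub'."""
    indexes = {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "index":
            continue
        types = set(parts[2].split(","))
        for a in parts[1].split(","):
            indexes.setdefault(a, set()).update(types)
    return indexes


def diagnose(log_text, conf_text):
    """For each search that ended with no candidates, say whether the failing
    attribute lacks an equality index (config change plus slapindex) or has
    one whose key is missing from the database (slapindex alone)."""
    findings = []
    indexes = parse_index_directives(conf_text)
    for (conn, op), info in parse_search_ops(log_text).items():
        if not info["no_candidates"]:
            continue  # a single DB_NOTFOUND is harmless if the search still found entries
        for a in info["failed_indexes"]:
            if "eq" not in indexes.get(a, set()):
                findings.append((conn, op, a, f"add 'index {a} eq', then run slapindex"))
            else:
                findings.append((conn, op, a, "eq index configured but key missing: run slapindex"))
    return findings


if __name__ == "__main__":
    for conn, op, attr, advice in diagnose(SAMPLE_LOG, SAMPLE_SLAPD_CONF):
        print(f"conn={conn} op={op}: {attr} -> {advice}")
```

Two points from the quoted traces drive the logic. First, a DB_NOTFOUND on one index is not by itself a failure: in the success log above, the objectClass lookup also returns -30988 and slapd still finds the entry through bdb_dn2idl and the cn index, so only a search that ends in "bdb_search: no candidates" is reported. Second, the fix depends on whether the attribute is indexed at all: with no `eq` index the directive has to be added (in cn=config this is the `olcDbIndex` attribute of the database entry) before slapindex is run, while an index that exists but returns DB_NOTFOUND for a value that is present in the directory is simply stale and only needs slapindex. Independently of the index problem, the `userPassword` value in the quoted LDIF is base64 of a cleartext string rather than a `{SSHA}` hash, which is worth correcting as well.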