Getting more info from ldap_auth in case of a quiet failure?
- To: openldap-technical@openldap.org
- Subject: Getting more info from ldap_auth in case of a quiet failure?
- From: a z <rhoyerboat@gmail.com>
- Date: Thu, 12 May 2011 18:39:15 -0600
Hi everyone,
I am definitely new to the list, OpenLDAP, LDAP in general, nsswitch, shadow, Samba, etc., but heck, we all have to start somewhere.
Not really -that- new to application code, but yeah, I'm kinda young and working at an amateur/unemployed small business level, so by default yeah .. technical noob alert...
I am having problems finding out why domain login is failing:
Up until now I have had pretty good luck being able to figure out how to, for example,
Get LDAP and nsswitch running well enough that LDAP authenticates my ssh sessions against shadow.
Get a valid sambaSID or objectClass: sambaSamAccount into an ldif without relying on the smbldap_tools library, or writing new ACLs to put the samba domain admin in a different ou=. (This is why I am trying to work around smbldap_tools; of course I could probably change the UID. I have been through slapd.conf loglevel -1 all day long watching it request attributes that weren't in the ldif. I cannot see yet where in smbldap_tools it decides it needs root's uid, but it goes ahead and uses it to write updates even though there is another user with write access to the right attributes.)
I can join Windows machines to the samba workgroup MYDOMAIN, and be given an opportunity to log in to the samba server, so despite the weird unsupported things I do, perhaps senselessly, I -think- I have the premise correct.
So I think this is failing on a bdb_index_read: failed (-30988) report.
If anyone is still with me, thanks a ton.
Before I go nuts enough to post the parts of slapd logging output I am pretty sure are okay, this is what the probable problems are:
It just seems that uid=testuser and objectClass=sambaSamAccount should match this conn=1011 string, and the next time it fails it should be for the next problem I'll have, and not this one.
May 14 00:13:34 localhost slapd[30055] => conn=1011 op=3 SRCH base="dc=MYDOMAIN,dc=com" scope=2 deref=0 filter="(&(uid=testuser)(objectClass=sambaSamAccount))"
.
.
.
May 13 00:13:34 localhost slapd[30055]: => slap_access_allowed: search access granted by read(=rscxd)
May 13 00:13:34 localhost slapd[30055]: => access_allowed: search access granted by read(=rscxd)
May 13 00:13:34 localhost slapd[30055]: search_candidates: base="dc=MYDOMAIN.dc=com" (0x00000001) scope=2
.
.
.
May 13 00:13:34 localhost slapd[30055]: <= bdb_index_read: failed (-30988)
and of course, the ldif I think it should be matching:
dn: cn=testuser,ou=People,dc=MYDOMAIN,dc=com
changetype: add
objectClass: inetOrgPerson
sn: testuser
uid: testuser
sambaSID: S-1-5-21-28598429-1396753209-3957328313-513
objectClass: sambaSamAccount
sambaDomainName: MYDOMAIN
Again, thanks. I look forward to seeing the list traffic every day, and yet more slapd -1 logs