RE: Binding to openldap fails
> On Sun, 17 Jun 2012, Bjoern Wuest wrote:
> > ...
> > However, setting up the mail system (dovecot + postfix) I encountered
> > a problem new to me. When I try to bind as a "normal" user (here:
> > bjoern) to LDAP it fails with wrong credentials. I can assure that I
> > did not mistype the password (tried multiple times). Login to the
> > Linux system and samba with the same credentials (i.e. bjoern and his
> > password) works.
> >
> > Here is the part of syslog I expect to be the cause:
> >
> > Jun 17 19:36:45 server slapd[23241]: <<< dnPrettyNormal: <cn=bjoern,ou=Users,dc=domain,dc=my>, <cn=bjoern,ou=users,dc=domain,dc=my>
> > Jun 17 19:36:45 server slapd[23241]: conn=1003 op=0 BIND dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128
> > Jun 17 19:36:45 server slapd[23241]: do_bind: version=3 dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128
> > Jun 17 19:36:45 server slapd[23241]:
> > Jun 17 19:36:45 server slapd[23241]: ==> hdb_bind: dn: cn=bjoern,ou=Users,dc=domain,dc=my
> > Jun 17 19:36:45 server slapd[23241]: bdb_dn2entry("cn=bjoern,ou=users,dc=domain,dc=my")
> > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=8 active_threads=0 tvp=zero
> > Jun 17 19:36:45 server slapd[23241]: => hdb_dn2id("cn=bjoern,ou=users,dc=domain,dc=my")
> > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=9 active_threads=0 tvp=zero
> > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=10 active_threads=0 tvp=zero
> > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=11 active_threads=0 tvp=zero
> > Jun 17 19:36:45 server slapd[23241]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30987)
>
> In my experience, that sort of error from the DB library usually means a
> change to the indexing or schema was made without reindexing and/or
> dumping and reloading.
>
> If you're confident that's not the case here (how confident?), then have you
> compared that log output to the log output of a successful login?
>
>
> Philip Guenther
Dear Philip,
thank you for pointing me to the index files. I have recreated all the
indexes but without effect. Here are the indexes I have defined:
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index sambaSIDList eq
index default sub
and here are the index files created:
-rw-rw---- 1 openldap openldap 16384 Jun 18 10:01 cn.bdb
-rw-rw---- 1 openldap openldap 24576 Jun 18 10:01 __db.001
-rw-rw---- 1 openldap openldap 1236992 Jun 18 10:01 __db.002
-rw-rw---- 1 openldap openldap 20979712 Jun 18 10:01 __db.003
-rw-rw---- 1 openldap openldap 163840 Jun 18 10:01 __db.004
-rw-rw---- 1 openldap openldap 1294336 Jun 18 10:01 __db.005
-rw-rw---- 1 openldap openldap 32768 Jun 18 10:01 __db.006
-rw-rw---- 1 openldap openldap 194 Mai 20 08:55 DB_CONFIG
-rw-rw---- 1 openldap openldap 16384 Jun 18 10:01 displayName.bdb
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:00 dn2id.bdb
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 gidNumber.bdb
-rw-rw---- 1 openldap openldap 32768 Jun 18 10:00 id2entry.bdb
-rw-rw---- 1 openldap openldap 10485760 Jun 18 10:01 log.0000000001
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 memberUid.bdb
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 objectClass.bdb
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 sambaDomainName.bdb
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 sambaGroupType.bdb
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 sambaSID.bdb
-rw------- 1 openldap openldap 8192 Jun 18 10:01 sambaSIDList.bdb
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 uid.bdb
-rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 uidNumber.bdb
The indexes were created using "slapindex -f /etc/ldap/slapd.conf". The
files "dn2id.bdb" and "id2entry.bdb" are old ones because slapindex would
not create any index without them.
Yet, the problem still remains. User "bjoern" can log in to Linux (even from
remote hosts) and Samba, but fails to log in via Dovecot as well as
ldapsearch.
I further compared the syslog when doing a successful login versus an
unsuccessful login. Of course I have restarted the nscd and nslcd services to
clear caches (I hope). Yet, nscd / nslcd may also explain why Linux and
Samba login work. Both are done via nslcd, which uses the LDAP admin account
to access LDAP.
So, further indications are welcome.
If you like, I can also provide you with the full slapd.conf file so you
would be able to set up an Ubuntu 12.04 system with the same LDAP
configuration in a virtual machine.
Regards
Bjoern
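The comparison Philip suggests, a failing bind next to a successful one, can be scripted so that the two failure modes are not confused: a BIND that dies in hdb_dn2id with DB_NOTFOUND never reached password checking, which points at the dn2id index or database, whereas a BIND that finds the entry and still returns err=49 is a genuine credential mismatch. This is an added example, not code from the thread or from OpenLDAP; the sample log is constructed from the quoted lines plus a second, successful bind and the "RESULT" lines slapd writes at stats loglevel (method=128 is a simple bind, err=49 is invalidCredentials), and nothing here talks to a live server.

```python
import re

# Constructed sample modelled on the slapd syslog lines quoted in the thread
# (conn=1003), plus a successful bind (conn=1004) and the "RESULT" lines slapd
# writes at stats loglevel; method=128 is a simple bind, err=49 is invalidCredentials.
SAMPLE_LOG = """\
Jun 17 19:36:45 server slapd[23241]: conn=1003 op=0 BIND dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128
Jun 17 19:36:45 server slapd[23241]: => hdb_dn2id("cn=bjoern,ou=users,dc=domain,dc=my")
Jun 17 19:36:45 server slapd[23241]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30987)
Jun 17 19:36:45 server slapd[23241]: conn=1003 op=0 RESULT tag=97 err=49 text=
Jun 17 19:40:02 server slapd[23241]: conn=1004 op=0 BIND dn="cn=admin,dc=domain,dc=my" method=128
Jun 17 19:40:02 server slapd[23241]: => hdb_dn2id("cn=admin,dc=domain,dc=my")
Jun 17 19:40:02 server slapd[23241]: conn=1004 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
DN2ID_RE = re.compile(r'=> hdb_dn2id\("([^"]*)"\)')
DBERR_RE = re.compile(r'<= hdb_dn2id: get failed: (\S+):')


def triage_binds(log_text):
    """Map (conn, op) -> details of every BIND. Backend debug lines carry no
    conn= tag, so they are attributed to the most recent BIND: exact for a quiet
    server (active_threads=0, as in the thread), a heuristic under load."""
    binds, current = {}, None
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            current = (int(m.group(1)), int(m.group(2)))
            binds[current] = {"dn": m.group(3), "lookup_dn": None,
                              "db_error": None, "err": None}
        elif current is None:
            continue
        elif m := DN2ID_RE.search(line):
            binds[current]["lookup_dn"] = m.group(1)   # normalized (lowercased) DN
        elif m := DBERR_RE.search(line):
            binds[current]["db_error"] = m.group(1)
        elif (m := RESULT_RE.search(line)) and \
                (int(m.group(1)), int(m.group(2))) == current:
            binds[current]["err"] = int(m.group(3))
    return binds


def diagnose(info):
    """Separate 'DN missing from dn2id' from a genuine password mismatch."""
    if info["db_error"] == "DB_NOTFOUND":
        return "entry-not-in-dn2id"    # index/database problem, not the password
    if info["err"] == 49:
        return "invalid-credentials"   # entry was found, password rejected
    return "ok" if info["err"] == 0 else "unknown"
```

Run it over the real syslog (after raising the slapd loglevel so the backend debug lines appear) and compare the "lookup_dn" of the failing bind with the DNs that slapcat actually emits for that database.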