[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Binding to openldap fails
Hello together,
Just to stay updated.
I tried to connect using the distinguished name
cn=<username>,ou=Users,dc=domain,dc=my .
I have changed the DN to uid=<username>,ou=Users,dc=domain,dc=my and login
works. Yet I am confused because I have set index on cn as well as uid
attribute (or is uid not an attribute but an element)?
Below is an ldif of the user "bjoern"
# bjoern, Users, domain.my
dn: uid=bjoern,ou=Users,dc=domain,dc=my
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: bjoern
uid: bjoern
uidNumber: <some number>
homeDirectory: <some path>
loginShell: /bin/bash
gecos: bjoern
description: User account
sambaSID: <some SID>
displayName: bjoern
sambaNTPassword: <some hash>
sambaPasswordHistory:
00000000000000000000000000000000000000000000000000000000
00000000
sambaPwdLastSet: 1338641123
sambaAcctFlags: [U ]
gidNumber: <some group id>
userPassword:: <some password>
Thank you for your support.
Bjoern
> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-
> technical-bounces@OpenLDAP.org] On Behalf Of Bjoern Wuest
> Sent: Monday, June 18, 2012 10:14 AM
> To: openldap-technical@openldap.org
> Subject: RE: Binding to openldap fails
>
> >> On Sun, 17 Jun 2012, Bjoern Wuest wrote:
> >> ...
> > > However, setting up the mail system (dovecot + postfix) I
> > > encountered a problem new to me. When I try to bind as a "normal" user
> (here:
> > > bjoern) to LDAP it fails with wrong credentials. I can assure that I
> > > did not mistyped the password (tried multiple times). Login to the
> > > Linux system and samba with same credentials (i.e. bjoern and his
> >> password) works.
> > >
> > > Here is the part of syslog I expect to be the cause:
> > >
> > > Jun 17 19:36:45 server slapd[23241]: <<< dnPrettyNormal:
> > > <cn=bjoern,ou=Users,dc=domain,dc=my>,
> > > <cn=bjoern,ou=users,dc=domain,dc=my>
> > > Jun 17 19:36:45 server slapd[23241]: conn=1003 op=0 BIND
> > > dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128 Jun 17 19:36:45
> > > server slapd[23241]: do_bind: version=3
> > > dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128 Jun 17 19:36:45
> > > server slapd[23241]:
> > > Jun 17 19:36:45 server slapd[23241]: ==> hdb_bind: dn:
> > > cn=bjoern,ou=Users,dc=domain,dc=my
> > > Jun 17 19:36:45 server slapd[23241]:
> > > bdb_dn2entry("cn=bjoern,ou=users,dc=domain,dc=my")
> > > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=8
> > > active_threads=0 tvp=zero
> > > Jun 17 19:36:45 server slapd[23241]: =>
> > > hdb_dn2id("cn=bjoern,ou=users,dc=domain,dc=my")
> > > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=9
> > > active_threads=0 tvp=zero
> > > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=10
> > > active_threads=0 tvp=zero
> > > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=11
> > > active_threads=0 tvp=zero
> > > Jun 17 19:36:45 server slapd[23241]: <= hdb_dn2id: get failed:
> > DB_NOTFOUND:
> > > No matching key/data pair found (-30987)
> >
> > In my experience, that sort of error from the DB library usually means
> > a change to the indexing or schema was made without reindexing and/or
> > dumping and reloading.
> >
> > If you're confident that's not the case here (how confident?), then
> > have
> you
> > compared that log output to the log output of a successful login?
> >
> >
> > Philip Guenther
>
> Dear Philip,
>
> thank you for pointing me to the index files. I have recreated all the
indexes
> but without effect. Here are the indexes I have defined:
>
> index objectClass eq
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber eq
> index gidNumber eq
> index memberUid eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index sambaGroupType eq
> index sambaSIDList eq
> index default sub
>
>
> and here are the index files created:
>
> -rw-rw---- 1 openldap openldap 16384 Jun 18 10:01 cn.bdb
> -rw-rw---- 1 openldap openldap 24576 Jun 18 10:01 __db.001
> -rw-rw---- 1 openldap openldap 1236992 Jun 18 10:01 __db.002
> -rw-rw---- 1 openldap openldap 20979712 Jun 18 10:01 __db.003
> -rw-rw---- 1 openldap openldap 163840 Jun 18 10:01 __db.004
> -rw-rw---- 1 openldap openldap 1294336 Jun 18 10:01 __db.005
> -rw-rw---- 1 openldap openldap 32768 Jun 18 10:01 __db.006
> -rw-rw---- 1 openldap openldap 194 Mai 20 08:55 DB_CONFIG
> -rw-rw---- 1 openldap openldap 16384 Jun 18 10:01 displayName.bdb
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:00 dn2id.bdb
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 gidNumber.bdb
> -rw-rw---- 1 openldap openldap 32768 Jun 18 10:00 id2entry.bdb
> -rw-rw---- 1 openldap openldap 10485760 Jun 18 10:01 log.0000000001
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 memberUid.bdb
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 objectClass.bdb
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:01
> sambaDomainName.bdb
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 sambaGroupType.bdb
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 sambaSID.bdb
> -rw------- 1 openldap openldap 8192 Jun 18 10:01 sambaSIDList.bdb
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 uid.bdb
> -rw-rw---- 1 openldap openldap 8192 Jun 18 10:01 uidNumber.bdb
>
> The indexes were created using "slapindex -f /etc/ldap/slapd.conf". The
> files "dn2id.bdb" and "id2entry.dbd" are old ones because slapindex would
> not create any index without them.
>
> Yet, the problem still remains. User "bjoern" can login to linux (even
from
> remote hosts) and samba, but fails to login via dovecot as well as
> ldapsearch.
>
> I further compared the syslog when doing a successful login versus an
> unsuccessful login. Of course I have restarted nscd and nslcd services to
> clear caches (I hope). Yet, nscd / nslcd may also explain why linux and
samba
> login works. Both are done via nslcd which uses the ldap admin account to
> access the ldap.
>
> So, further indications are welcome.
>
> If you like I can also provide you with the full slapd.conf file so you
would
> be able to setup an Ubuntu 12.04 system with the same ldap configuration
> in a virtual machine.
>
>
> Regards
> Bjoern
>