
RE: Binding to openldap fails



Hello all,


Just to keep you updated.

I tried to connect using the distinguished name
cn=<username>,ou=Users,dc=domain,dc=my .

I have changed the DN to uid=<username>,ou=Users,dc=domain,dc=my and login
works. Yet I am confused, because I have set an index on the cn attribute as
well as on uid (or is uid not an attribute but an element)?

Below is an ldif of the user "bjoern"

# bjoern, Users, domain.my
dn: uid=bjoern,ou=Users,dc=domain,dc=my
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: bjoern
uid: bjoern
uidNumber: <some number>
homeDirectory: <some path>
loginShell: /bin/bash
gecos: bjoern
description: User account
sambaSID: <some SID>
displayName: bjoern
sambaNTPassword: <some hash>
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1338641123
sambaAcctFlags: [U          ]
gidNumber: <some group id>
userPassword:: <some password>


Thank you for your support.

Bjoern


> -----Original Message-----
> From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-
> technical-bounces@OpenLDAP.org] On Behalf Of Bjoern Wuest
> Sent: Monday, June 18, 2012 10:14 AM
> To: openldap-technical@openldap.org
> Subject: RE: Binding to openldap fails
> 
> >> On Sun, 17 Jun 2012, Bjoern Wuest wrote:
> >> ...
> > > However, setting up the mail system (dovecot + postfix) I
> > > encountered a problem new to me. When I try to bind as a "normal" user
> > > (here: bjoern) to LDAP it fails with wrong credentials. I can assure that I
> > > did not mistype the password (tried multiple times). Login to the
> > > Linux system and samba with the same credentials (i.e. bjoern and his
> > > password) works.
> > >
> > > Here is the part of syslog I expect to be the cause:
> > >
> > > Jun 17 19:36:45 server slapd[23241]: <<< dnPrettyNormal: <cn=bjoern,ou=Users,dc=domain,dc=my>, <cn=bjoern,ou=users,dc=domain,dc=my>
> > > Jun 17 19:36:45 server slapd[23241]: conn=1003 op=0 BIND dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128
> > > Jun 17 19:36:45 server slapd[23241]: do_bind: version=3 dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128
> > > Jun 17 19:36:45 server slapd[23241]:
> > > Jun 17 19:36:45 server slapd[23241]: ==> hdb_bind: dn: cn=bjoern,ou=Users,dc=domain,dc=my
> > > Jun 17 19:36:45 server slapd[23241]: bdb_dn2entry("cn=bjoern,ou=users,dc=domain,dc=my")
> > > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=8 active_threads=0 tvp=zero
> > > Jun 17 19:36:45 server slapd[23241]: => hdb_dn2id("cn=bjoern,ou=users,dc=domain,dc=my")
> > > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=9 active_threads=0 tvp=zero
> > > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=10 active_threads=0 tvp=zero
> > > Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=11 active_threads=0 tvp=zero
> > > Jun 17 19:36:45 server slapd[23241]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30987)
> >
> > In my experience, that sort of error from the DB library usually means
> > a change to the indexing or schema was made without reindexing and/or
> > dumping and reloading.
> >
> > If you're confident that's not the case here (how confident?), then
> > have you compared that log output to the log output of a successful login?
> >
> >
> > Philip Guenther
> 
> Dear Philip,
> 
> thank you for pointing me to the index files. I have recreated all the
> indexes but without effect. Here are the indexes I have defined:
> 
> index           objectClass eq
> index           cn pres,sub,eq
> index           sn pres,sub,eq
> index           uid pres,sub,eq
> index           displayName pres,sub,eq
> index           uidNumber eq
> index           gidNumber eq
> index           memberUid eq
> index           sambaSID eq
> index           sambaPrimaryGroupSID eq
> index           sambaDomainName eq
> index           sambaGroupType eq
> index           sambaSIDList eq
> index           default sub
> 
> 
> and here are the index files created:
> 
> -rw-rw---- 1 openldap openldap    16384 Jun 18 10:01 cn.bdb
> -rw-rw---- 1 openldap openldap    24576 Jun 18 10:01 __db.001
> -rw-rw---- 1 openldap openldap  1236992 Jun 18 10:01 __db.002
> -rw-rw---- 1 openldap openldap 20979712 Jun 18 10:01 __db.003
> -rw-rw---- 1 openldap openldap   163840 Jun 18 10:01 __db.004
> -rw-rw---- 1 openldap openldap  1294336 Jun 18 10:01 __db.005
> -rw-rw---- 1 openldap openldap    32768 Jun 18 10:01 __db.006
> -rw-rw---- 1 openldap openldap      194 Mai 20 08:55 DB_CONFIG
> -rw-rw---- 1 openldap openldap    16384 Jun 18 10:01 displayName.bdb
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:00 dn2id.bdb
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 gidNumber.bdb
> -rw-rw---- 1 openldap openldap    32768 Jun 18 10:00 id2entry.bdb
> -rw-rw---- 1 openldap openldap 10485760 Jun 18 10:01 log.0000000001
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 memberUid.bdb
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 objectClass.bdb
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 sambaDomainName.bdb
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 sambaGroupType.bdb
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 sambaSID.bdb
> -rw------- 1 openldap openldap     8192 Jun 18 10:01 sambaSIDList.bdb
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 uid.bdb
> -rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 uidNumber.bdb
> 
> The indexes were created using "slapindex -f /etc/ldap/slapd.conf". The
> files "dn2id.bdb" and "id2entry.bdb" are old ones because slapindex would
> not create any index without them.
> 
> Yet, the problem still remains. User "bjoern" can log in to Linux (even
> from remote hosts) and samba, but fails to log in via dovecot as well as
> ldapsearch.
> 
> I further compared the syslog when doing a successful login versus an
> unsuccessful login. Of course I have restarted the nscd and nslcd services to
> clear caches (I hope). Yet, nscd / nslcd may also explain why Linux and
> samba login works. Both are done via nslcd, which uses the ldap admin account
> to access the ldap.
> 
> So, further indications are welcome.
> 
> If you like I can also provide you with the full slapd.conf file so you
> would be able to set up an Ubuntu 12.04 system with the same ldap
> configuration in a virtual machine.
> 
> 
> Regards
>   Bjoern
>
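The resolution at the top of this thread (the entry's RDN is uid=bjoern, so a bind DN of cn=bjoern,ou=Users,... names no entry and slapd's dn2id lookup returns DB_NOTFOUND no matter what attributes are indexed) can be shown with a small offline model. This is an added example, not code from the thread or from OpenLDAP: it parses a constructed LDIF modelled on the posted entry (placeholders replaced with made-up values), models the exact-key DN lookup that back-hdb does on bind, and contrasts it with an attribute search. `normalize_dn` is a deliberate simplification of slapd's DN normalisation (it only lower-cases and trims), and `resolve_bind_dn` is a hypothetical helper showing the search-then-bind pattern: look the user up by attribute with a limited service account, take the entry's real DN, and bind with that instead of guessing the DN's shape.

```python
"""Why cn=bjoern,... fails to bind while uid=bjoern,... works.

slapd looks a bind DN up in dn2id as one exact (normalised) key.  An
index on cn only accelerates *searches* by cn; it does not make
cn=bjoern an alternative name for an entry whose RDN is uid=bjoern.
"""

# Constructed sample LDIF modelled on the entry in the thread; all
# values are made up.  The folded sambaPasswordHistory line (56 + 8
# zeros, continuation marked by a leading space) exercises unfolding.
SAMPLE_LDIF = (
    "# bjoern, Users, domain.my\n"
    "dn: uid=bjoern,ou=Users,dc=domain,dc=my\n"
    "objectClass: account\n"
    "objectClass: posixAccount\n"
    "objectClass: sambaSamAccount\n"
    "cn: bjoern\n"
    "uid: bjoern\n"
    "uidNumber: 10001\n"
    "homeDirectory: /home/bjoern\n"
    "loginShell: /bin/bash\n"
    "sambaPasswordHistory: " + "0" * 56 + "\n"
    " 00000000\n"
    "sambaPwdLastSet: 1338641123\n"
    "sambaAcctFlags: [U          ]\n"
    "gidNumber: 10001\n"
    "userPassword:: e1NTSEF9ZHVtbXk=\n"   # base64 marker '::' (constructed)
)


def parse_ldif(text):
    """Return [(dn, {attr: [values]})], handling comments, folded
    continuation lines and the '::' base64 marker (value kept raw)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = [], {}, None
    for line in lines + [""]:                 # sentinel flushes last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = value[1:]
        value = value.strip()
        if attr == "dn":
            dn = value
        else:
            attrs.setdefault(attr, []).append(value)
    return entries


def normalize_dn(dn):
    """Simplified stand-in for slapd's dnNormalize: lower-case every RDN
    and drop surrounding whitespace, so ou=Users and ou=users collide
    (compare the dnPrettyNormal line in the quoted log)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


class Directory:
    """Tiny in-memory directory keyed by normalised DN."""

    def __init__(self, ldif_text):
        self.entries = {normalize_dn(dn): (dn, attrs)
                        for dn, attrs in parse_ldif(ldif_text)}

    def dn2id(self, bind_dn):
        """Exact lookup of a bind DN, like back-hdb's dn2id.  Returns the
        stored DN, or None for the DB_NOTFOUND case seen in the thread."""
        hit = self.entries.get(normalize_dn(bind_dn))
        return hit[0] if hit else None

    def search(self, base, attr, value):
        """Subtree search by one attribute under base: the operation an
        index on that attribute actually speeds up."""
        base_n = normalize_dn(base)
        return [dn for key, (dn, attrs) in self.entries.items()
                if (key == base_n or key.endswith("," + base_n))
                and value.lower() in (v.lower() for v in attrs.get(attr, []))]


def resolve_bind_dn(directory, username, base="ou=Users,dc=domain,dc=my",
                    attr="uid"):
    """Search-then-bind (hypothetical helper): find the entry by attribute
    and return its real DN.  Zero or several matches yield None, so an
    ambiguous lookup can never be bound as the wrong entry."""
    hits = directory.search(base, attr, username)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    d = Directory(SAMPLE_LDIF)
    for guess in ("cn=bjoern,ou=Users,dc=domain,dc=my",
                  "uid=bjoern,ou=users,dc=domain,dc=my"):
        print(guess, "->", d.dn2id(guess) or "DB_NOTFOUND (no such entry)")
    print("search-then-bind for 'bjoern' ->", resolve_bind_dn(d, "bjoern"))
```

Run against the sample, the cn=... guess misses and the uid=... guess hits even with different case in the ou, which is the behaviour the quoted dnPrettyNormal and hdb_dn2id lines describe. Searching by cn finds the entry too, because cn is an attribute of it; only the DN key is fixed to the uid RDN. A client that resolves the DN by search also does not need to hard-code the DN layout, so a later change of RDN attribute does not silently turn every bind into "invalid credentials".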