
Problems with authentication against OpenLDAP



Hi all,

I have two OpenLDAP servers (2.4.34) used by some applications to authenticate.
Both servers use the meta backend, that is the frontend to two AD domains in separate forests.
Ldapsearch correctly finds the users in both servers, while authentication works for one only.
I must say that I had to exclude some portions of the trees in order to avoid duplicate names. My "correct" users are in 15 subtrees.

In the working server I configured 15 URIs, one for each subtree, specifying for each of them the credentials, the attribute mappings and the suffixmassage. The bad news is that slapd.conf is 580 lines and its maintenance is error-prone.
That's why I configured the second server with two URIs only and with ACLs to limit the access to the 15 subtrees only. The resulting slapd.conf is much more readable and easy to maintain, but it does not work.
The ACLs are all of this type:

access to dn.subtree="ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" read
  by dn.exact="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" read

There are no other ACLs, but I already tried adding something like "access to * by * read" with no success.

As said before, ldapsearch works fine, while authentication does not. Please look at the excerpt from the log files, for both servers, when I try to authenticate.
Both servers start the same sequence, but one stops just after reading the same search result.

 conn=1033 fd=10 ACCEPT from IP=10.31.222.106:38492 (IP=0.0.0.0:389)
 conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
 conn=1033 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
 conn=1033 op=0 RESULT tag=97 err=0 text=
 conn=1033 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
 conn=1033 op=1 SRCH attr=sAMAccountName
 conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
 conn=1033 op=2 UNBIND
 conn=1033 fd=10 closed
===========================
 conn=4960 fd=373 ACCEPT from IP=10.31.221.162:40893 (IP=0.0.0.0:389)
 conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
 conn=4960 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
 conn=4960 op=0 RESULT tag=97 err=0 text=
 conn=4960 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
 conn=4960 op=1 SRCH attr=sAMAccountName
 conn=4960 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
 conn=4960 op=2 BIND anonymous mech=implicit ssf=0
 conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" method=128
 conn=4960 op=2 BIND dn="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" mech=SIMPLE ssf=0
 conn=4960 op=2 RESULT tag=97 err=0 text=
 conn=4960 op=3 UNBIND
 conn=4960 fd=373 closed
 conn=4961 fd=373 ACCEPT from IP=10.31.221.162:40894 (IP=0.0.0.0:389)
 conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
 conn=4961 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
 conn=4961 op=0 RESULT tag=97 err=0 text=
 conn=4961 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=policastro))"
 conn=4961 op=1 SRCH attr=sAMAccountName
 conn=4961 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
 conn=4961 op=2 SRCH base="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0 deref=0 filter="(&(!(?employeeID=-*))(employeeID=*)(mail=*)(givenName=*)(sn=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
 conn=4961 op=2 SRCH attr=givenName sn mail employeeID sAMAccountName
 conn=4961 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
 conn=4961 op=3 UNBIND
 conn=4961 fd=373 closed
 conn=4962 fd=373 ACCEPT from IP=10.31.221.162:40895 (IP=0.0.0.0:389)
 conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" method=128
 conn=4962 op=0 BIND dn="cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com" mech=SIMPLE ssf=0
 conn=4962 op=0 RESULT tag=97 err=0 text=
 conn=4962 op=1 SRCH base="dc=Company,dc=com" scope=2 deref=0 filter="(sAMAccountName=policastro)"
 conn=4962 op=1 SRCH attr=sAMAccountName
 conn=4962 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
 conn=4962 op=2 SRCH base="cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com" scope=0 deref=0 filter="(objectClass=*)"
 conn=4962 op=2 SRCH attr=shadowExpire
 conn=4962 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
 conn=4962 op=3 UNBIND

Can anyone explain to me what happens and how to make the ACL version work?

Thanks, Francesco
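
Added example, not part of the original post: a small Python parser for slapd log lines in the format of the excerpts above. It groups operations by connection and reports whether a bind as the user's own DN followed the service-account lookup, which is the difference the post points out between the two servers. The sample lines are abridged from the post's excerpts; the function names are this example's own.

```python
import re
from collections import defaultdict

# slapd stats-level lines, in the format of the excerpts in the post.
LINE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SEARCH RESULT|RESULT)\b(.*)')
BIND_DN = re.compile(r'dn="([^"]*)" method=')
ERR = re.compile(r'\berr=(\d+)')
NENTRIES = re.compile(r'\bnentries=(\d+)')

def summarize(log_text):
    """Return {conn: {"binds": [(dn, err), ...], "hits": entries returned}}."""
    conns = defaultdict(lambda: {"binds": [], "hits": 0})
    pending = {}  # (conn, op) -> bind DN still waiting for its RESULT line
    for m in filter(None, map(LINE.search, log_text.splitlines())):
        conn, op, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
        dn = BIND_DN.search(rest)
        if kind == "BIND" and dn:
            pending[(conn, op)] = dn[1]
        elif kind == "RESULT" and (conn, op) in pending:
            conns[conn]["binds"].append((pending.pop((conn, op)), int(ERR.search(rest)[1])))
        elif kind == "SEARCH RESULT":
            conns[conn]["hits"] += int(NENTRIES.search(rest)[1])
    return dict(conns)

def classify(summary, service_dn):
    """Label each connection by how far the search-then-bind flow got."""
    labels = {}
    for conn, s in summary.items():
        user = [err for dn, err in s["binds"] if dn.lower() != service_dn.lower()]
        if user:
            labels[conn] = f"user bind err={user[-1]}"
        else:
            labels[conn] = "lookup only, no user bind" if s["hits"] else "no entry found"
    return labels

SERVICE_DN = "cn=LdapSnooper,ou=people,dc=ExtraDomain,dc=com"
USER_DN = "cn=Policastro Francesco,ou=Users,ou=MySite,dc=FirstSubdomain,dc=Company,dc=com"
# Sample input: abridged from the two excerpts in the post (conn=1033 and conn=4960).
SAMPLE = f'''conn=1033 op=0 BIND dn="{SERVICE_DN}" method=128
conn=1033 op=0 RESULT tag=97 err=0 text=
conn=1033 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4960 op=0 BIND dn="{SERVICE_DN}" method=128
conn=4960 op=0 RESULT tag=97 err=0 text=
conn=4960 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=4960 op=2 BIND dn="{USER_DN}" method=128
conn=4960 op=2 RESULT tag=97 err=0 text='''

if __name__ == "__main__":
    for conn, label in classify(summarize(SAMPLE), SERVICE_DN).items():
        print(conn, label)
```

A connection labelled "lookup only, no user bind" shows only that no user bind reached this slapd's log on that connection; the later attribute lookups in the post (conn=4961, conn=4962) get the same label.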