Hi,
I am trying to configure our LDAP server (OpenLDAP) to work with Fedora 3.0,
and encountered an authentication issue. When I used the fedora client to log
in, I got the bad username/password error. I checked the LDAP log file,
and did not see anything wrong (I am new to LDAP admin as well, so may not
interpret this correctly either). It seems that Fedora is doing an
anonymous bind to the server, and retrieves the attributes with no problem.
How does Fedora authenticate then? Does it compare the user password from
the directory with the one supplied by the client inside its own code? Or
does it try to bind to the tree with that credential? If the former, how
does Fedora deal with password encryption and encoding?
My LdapFilterForAttributes looks like this:
<filter>
<filter-name>LdapFilterForAttributes</filter-name>
<filter-class>fedora.server.security.servletfilters.ldap.FilterLdap</filter-class>
<init-param>
<param-name>version</param-name>
<param-value>3</param-value>
</init-param>
<init-param>
<param-name>authenticate</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>security-authentication</param-name>
<param-value>simple</param-value>
</init-param>
<init-param>
<param-name>password-attribute</param-name>
<param-value>userPassword</param-value>
</init-param>
<init-param>
<param-name>id-attribute</param-name>
<param-value>uid</param-value>
</init-param>
<init-param>
<param-name>bind-filter</param-name>
<param-value>uid={0},ou=people,dc=icpsr,dc=umich,dc=edu</param-value>
</init-param>
<init-param>
<param-name>url</param-name>
<param-value>ldap://localhost:389/</param-value>
</init-param>
<init-param>
<param-name>search-base</param-name>
<param-value>ou=people,dc=icpsr,dc=umich,dc=edu</param-value>
</init-param>
<init-param>
<param-name>search-filter</param-name>
<param-value>(uid={0})</param-value>
</init-param>
<init-param>
<param-name>attributes</param-name>
<param-value>eduPersonEntitlement</param-value>
</init-param>
<init-param>
<param-name>attributes-common-name</param-name>
<param-value>fedoraRole</param-value>
</init-param>
</filter>
The LDAP output looks like this:
Aug 26 13:43:41 ldap slapd[17064]:
Aug 26 13:43:41 ldap slapd[17064]: >>> slap_listener(ldap:///)
Aug 26 13:43:41 ldap slapd[17064]: daemon: listen=7, new connection on 11
Aug 26 13:43:41 ldap slapd[17064]: daemon: added 11r (active) listener=(nil)
Aug 26 13:43:41 ldap slapd[17064]: conn=5 fd=11 ACCEPT from
IP=141.211.192.55:51297 (IP=0.0.0.0:389)
Aug 26 13:43:41 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
Aug 26 13:43:41 ldap slapd[17064]: daemon: activity on 1 descriptor
Aug 26 13:43:41 ldap slapd[17064]: daemon: activity on:
Aug 26 13:43:41 ldap slapd[17064]: 11r
Aug 26 13:43:41 ldap slapd[17064]:
Aug 26 13:43:41 ldap slapd[17064]: daemon: read active on 11
Aug 26 13:43:41 ldap slapd[17064]: connection_get(11)
Aug 26 13:43:41 ldap slapd[17064]: connection_get(11): got connid=5
Aug 26 13:43:41 ldap slapd[17064]: connection_read(11): checking for input
on id=5
Aug 26 13:43:41 ldap slapd[17064]: do_bind
Aug 26 13:43:41 ldap slapd[17064]: >>> dnPrettyNormal: <>
Aug 26 13:43:41 ldap slapd[17064]: <<< dnPrettyNormal: <>, <>
Aug 26 13:43:41 ldap slapd[17064]: do_bind: version=3 dn="" method=128
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=0 BIND dn="" method=128
Aug 26 13:43:41 ldap slapd[17064]: send_ldap_result: conn=5 op=0 p=3
Aug 26 13:43:41 ldap slapd[17064]: send_ldap_result: err=0 matched=""
text=""
Aug 26 13:43:41 ldap slapd[17064]: send_ldap_response: msgid=1 tag=97 err=0
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=0 RESULT tag=97 err=0 text=
Aug 26 13:43:41 ldap slapd[17064]: do_bind: v3 anonymous bind
Aug 26 13:43:41 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
Aug 26 13:43:41 ldap slapd[17064]: daemon: activity on 1 descriptor
Aug 26 13:43:41 ldap slapd[17064]: daemon: activity on:
Aug 26 13:43:41 ldap slapd[17064]: 11r
Aug 26 13:43:41 ldap slapd[17064]:
Aug 26 13:43:41 ldap slapd[17064]: daemon: read active on 11
Aug 26 13:43:41 ldap slapd[17064]: connection_get(11)
Aug 26 13:43:41 ldap slapd[17064]: connection_get(11): got connid=5
Aug 26 13:43:41 ldap slapd[17064]: connection_read(11): checking for input
on id=5
Aug 26 13:43:41 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
Aug 26 13:43:41 ldap slapd[17064]: do_search
Aug 26 13:43:41 ldap slapd[17064]: >>> dnPrettyNormal:
<ou=people,dc=icpsr,dc=umich,dc=edu>
Aug 26 13:43:41 ldap slapd[17064]: <<< dnPrettyNormal:
<ou=people,dc=icpsr,dc=umich,dc=edu>, <ou=people,dc=icpsr,dc=umich,dc=edu>
Aug 26 13:43:41 ldap slapd[17064]: SRCH "ou=people,dc=icpsr,dc=umich,dc=edu"
2 3
Aug 26 13:43:41 ldap slapd[17064]: 0 0 0
Aug 26 13:43:41 ldap slapd[17064]: begin get_filter
Aug 26 13:43:41 ldap slapd[17064]: EQUALITY
Aug 26 13:43:41 ldap slapd[17064]: end get_filter 0
Aug 26 13:43:41 ldap slapd[17064]: filter: (uid=janewang)
Aug 26 13:43:41 ldap slapd[17064]: => get_ctrls
Aug 26 13:43:41 ldap slapd[17064]: => get_ctrls:
oid="2.16.840.1.113730.3.4.2" (noncritical)
Aug 26 13:43:41 ldap slapd[17064]: <= get_ctrls: n=1 rc=0 err=""
Aug 26 13:43:41 ldap slapd[17064]: attrs:
Aug 26 13:43:41 ldap slapd[17064]: eduPersonEntitlement
Aug 26 13:43:41 ldap slapd[17064]: userPassword
Aug 26 13:43:41 ldap slapd[17064]: objectClass
Aug 26 13:43:41 ldap slapd[17064]: javaSerializedData
Aug 26 13:43:41 ldap slapd[17064]: javaClassName
Aug 26 13:43:41 ldap slapd[17064]: javaFactory
Aug 26 13:43:41 ldap slapd[17064]: javaCodeBase
Aug 26 13:43:41 ldap slapd[17064]: javaReferenceAddress
Aug 26 13:43:41 ldap slapd[17064]: javaClassNames
Aug 26 13:43:41 ldap slapd[17064]: javaRemoteLocation
Aug 26 13:43:41 ldap slapd[17064]:
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SRCH
base="ou=people,dc=icpsr,dc=umich,dc=edu" scope=2 deref=3
filter="(uid=janewang)"
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SRCH attr=businessCategory
userPassword objectClass javaSerializedData javaClassName javaFactory
javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
Aug 26 13:43:41 ldap slapd[17064]: slap_global_control: unavailable control:
2.16.840.1.113730.3.4.2
Aug 26 13:43:41 ldap slapd[17064]: ==> limits_get: conn=5 op=1
dn="[anonymous]"
Aug 26 13:43:41 ldap slapd[17064]: => bdb_search
Aug 26 13:43:41 ldap slapd[17064]:
bdb_dn2entry("ou=people,dc=icpsr,dc=umich,dc=edu")
Aug 26 13:43:41 ldap slapd[17064]: search_candidates:
base="ou=people,dc=icpsr,dc=umich,dc=edu" (0x00000008) scope=2
Aug 26 13:43:41 ldap slapd[17064]: => bdb_filter_candidates
Aug 26 13:43:41 ldap slapd[17064]: EQUALITY
Aug 26 13:43:41 ldap slapd[17064]: => bdb_equality_candidates (objectClass)
Aug 26 13:43:41 ldap slapd[17064]: => key_read
Aug 26 13:43:41 ldap slapd[17064]: bdb_idl_fetch_key: [01872a84]
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_index_read: failed (-30989)
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_equality_candidates: id=0,
first=0, last=0
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_filter_candidates: id=0 first=0
last=0
Aug 26 13:43:41 ldap slapd[17064]: =>
bdb_dn2idl("ou=people,dc=icpsr,dc=umich,dc=edu")
Aug 26 13:43:41 ldap slapd[17064]: bdb_idl_fetch_key:
@ou=people,dc=icpsr,dc=umich,dc=edu
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_dn2idl: id=3 first=8 last=13
Aug 26 13:43:41 ldap slapd[17064]: => bdb_filter_candidates
Aug 26 13:43:41 ldap slapd[17064]: AND
Aug 26 13:43:41 ldap slapd[17064]: => bdb_list_candidates 0xa0
Aug 26 13:43:41 ldap slapd[17064]: => bdb_filter_candidates
Aug 26 13:43:41 ldap slapd[17064]: EQUALITY
Aug 26 13:43:41 ldap slapd[17064]: => bdb_equality_candidates (uid)
Aug 26 13:43:41 ldap slapd[17064]: => key_read
Aug 26 13:43:41 ldap slapd[17064]: bdb_idl_fetch_key: [687ad9bf]
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_index_read 1 candidates
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_equality_candidates: id=1,
first=9, last=9
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_filter_candidates: id=1 first=9
last=9
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_list_candidates: id=1 first=9
last=9
Aug 26 13:43:41 ldap slapd[17064]: <= bdb_filter_candidates: id=1 first=9
last=9
Aug 26 13:43:41 ldap slapd[17064]: bdb_search_candidates: id=1 first=9
last=9
Aug 26 13:43:41 ldap slapd[17064]: => test_filter
Aug 26 13:43:41 ldap slapd[17064]: EQUALITY
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: search access to
"cn=Jane Wang,ou=people,dc=icpsr,dc=umich,dc=edu" "uid" requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [2] attr uid
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr "uid" requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to value by "", (=0)
Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
(stop)
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: search access granted
by read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: <= test_filter 6
Aug 26 13:43:41 ldap slapd[17064]: => send_search_entry: conn 5 dn="cn=Jane
Wang,ou=people,dc=icpsr,dc=umich,dc=edu"
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access to
"cn=Jane Wang,ou=people,dc=icpsr,dc=umich,dc=edu" "entry" requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [4] attr entry
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr "entry" requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to all values by "", (=0)
Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
(stop)
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access granted by
read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access to
"cn=Jane Wang,ou=people,dc=icpsr,dc=umich,dc=edu" "objectClass" requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [4] attr objectClass
Aug 26 13:43:41 ldap slapd[17064]: access_allowed: no res from state
(objectClass)
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr "objectClass" requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to value by "", (=0)
Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
(stop)
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access granted by
read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access to
"cn=Jane Wang,ou=people,dc=icpsr,dc=umich,dc=edu" " eduPersonEntitlement"
requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [3] attr eduPersonEntitlement
Aug 26 13:43:41 ldap slapd[17064]: access_allowed: no res from state (
eduPersonEntitlement)
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr " eduPersonEntitlement"
requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to value by "", (=0)
Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
(stop)
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access granted by
read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access to
"cn=Jane Wang,ou=people,dc=icpsr,dc=umich,dc=edu" "userPassword" requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_get: [1] attr userPassword
Aug 26 13:43:41 ldap slapd[17064]: access_allowed: no res from state
(userPassword)
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: access to entry "cn=Jane
Wang,ou=people,dc=icpsr,dc=umich,dc=edu", attr "userPassword" requested
Aug 26 13:43:41 ldap slapd[17064]: => acl_mask: to value by "", (=0)
Aug 26 13:43:41 ldap slapd[17064]: <= check a_dn_pat: anonymous
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] applying read(=rscxd)
(stop)
Aug 26 13:43:41 ldap slapd[17064]: <= acl_mask: [1] mask: read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: => access_allowed: read access granted by
read(=rscxd)
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 ENTRY dn="cn=jane
wang,ou=people,dc=icpsr,dc=umich,dc=edu"
Aug 26 13:43:41 ldap slapd[17064]: <= send_search_entry: conn 5 exit.
Aug 26 13:43:41 ldap slapd[17064]: send_ldap_result: conn=5 op=1 p=3
Aug 26 13:43:41 ldap slapd[17064]: send_ldap_result: err=0 matched=""
text=""
Aug 26 13:43:41 ldap slapd[17064]: send_ldap_response: msgid=2 tag=101 err=0
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
Aug 26 13:43:47 ldap slapd[17064]: daemon: activity on 1 descriptor
Aug 26 13:43:47 ldap slapd[17064]: daemon: activity on:
Aug 26 13:43:47 ldap slapd[17064]: 11r
Aug 26 13:43:47 ldap slapd[17064]:
Aug 26 13:43:47 ldap slapd[17064]: daemon: read active on 11
Aug 26 13:43:47 ldap slapd[17064]: connection_get(11)
Aug 26 13:43:47 ldap slapd[17064]: connection_get(11): got connid=5
Aug 26 13:43:47 ldap slapd[17064]: connection_read(11): checking for input
on id=5
Aug 26 13:43:47 ldap slapd[17064]: do_unbind
Aug 26 13:43:47 ldap slapd[17064]: conn=5 op=2 UNBIND
Aug 26 13:43:47 ldap slapd[17064]: ber_get_next on fd 11 failed errno=0
(Success)
Aug 26 13:43:47 ldap slapd[17064]: connection_read(11): input error=-2 id=5,
closing.
Aug 26 13:43:47 ldap slapd[17064]: connection_closing: readying conn=5 sd=11
for close
Aug 26 13:43:47 ldap slapd[17064]: connection_close: deferring conn=5 sd=-1
Aug 26 13:43:47 ldap slapd[17064]: connection_resched: attempting closing
conn=5 sd=11
Aug 26 13:43:47 ldap slapd[17064]: connection_close: conn=5 sd=-1
Aug 26 13:43:47 ldap slapd[17064]: daemon: removing 11
Aug 26 13:43:47 ldap slapd[17064]: conn=5 fd=11 closed
Aug 26 13:43:47 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
Aug 26 13:43:47 ldap slapd[17064]: daemon: activity on 1 descriptor
Aug 26 13:43:47 ldap slapd[17064]: daemon: activity on:
Aug 26 13:43:47 ldap slapd[17064]:
Aug 26 13:43:47 ldap slapd[17064]: daemon: epoll: listen=7 active_threads=0
tvp=NULL
Any suggestion on what I missed or did wrong?
Thanks.
---------------------------------------------
Jane Wang
Computing and Network Services
ICPSR, University of Michigan
PO Box 1248
Ann Arbor, MI 48106-1248
Tel: 734-763-8992
Email: [email protected]
---------------------------------------------
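
Added example (not part of the original post, and not Fedora's own code): a short Python script that reads the stats-level lines of the slapd log above and reports, per connection, whether a bind with a user DN took place or whether the connection stayed anonymous while requesting userPassword. The conn=5 lines are taken from the post with mail line wraps rejoined; conn=6 is a constructed contrast case whose DN follows the bind-filter value, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# conn=5: stats lines from the log in the post, mail line wraps rejoined.
# conn=6: constructed contrast case; its DN follows the post's bind-filter.
SAMPLE_LOG = '''\
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=0 BIND dn="" method=128
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=0 RESULT tag=97 err=0 text=
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SRCH base="ou=people,dc=icpsr,dc=umich,dc=edu" scope=2 deref=3 filter="(uid=janewang)"
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SRCH attr=businessCategory userPassword objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
Aug 26 13:43:41 ldap slapd[17064]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 26 13:43:47 ldap slapd[17064]: conn=5 op=2 UNBIND
Aug 26 13:43:48 ldap slapd[17064]: conn=6 op=0 BIND dn="uid=janewang,ou=people,dc=icpsr,dc=umich,dc=edu" method=128
Aug 26 13:43:48 ldap slapd[17064]: conn=6 op=0 RESULT tag=97 err=49 text=
'''

CONN_OP = re.compile(r'conn=(\d+) op=(\d+) (.*)$')
BIND = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
ERR = re.compile(r'\berr=(\d+)')

def summarize(log):
    """Per connection: bind attempts as (dn, result code) and requested attributes."""
    conns = defaultdict(lambda: {"binds": [], "attrs": set()})
    pending = {}  # (conn, op) -> DN of a BIND still waiting for its RESULT
    for line in log.splitlines():
        m = CONN_OP.search(line)
        if not m:
            continue  # debug-level lines without conn=/op= are ignored
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        bind = BIND.match(rest)
        if bind:
            pending[(conn, op)] = bind.group(1)
        elif rest.startswith("RESULT tag=97") and (conn, op) in pending:
            err = int(ERR.search(rest).group(1))
            conns[conn]["binds"].append((pending.pop((conn, op)), err))
        elif rest.startswith("SRCH attr="):
            conns[conn]["attrs"].update(rest[len("SRCH attr="):].split())
    return conns

def classify(info):
    """Label how a connection handled the password, judged from the log alone."""
    if any(dn for dn, _ in info["binds"]):
        return "bind-as-user"  # the directory itself was asked to check the password
    if "userPassword" in info["attrs"]:
        return "anonymous-read-of-userPassword"  # requested without authenticating
    return "anonymous"

if __name__ == "__main__":
    for conn, info in sorted(summarize(SAMPLE_LOG).items()):
        print(conn, classify(info), info["binds"])
```

A bind as the user may arrive on a separate connection, so the whole log window should be fed in, not only the lines for one conn id.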