Hi,
I've been trying to set up LDAP using auth.xml but have had no luck.
It looks like it binds fine to my 389 directory but then tries to do a search
which doesn't return full values for the user. This is my guess. The import
only has uid and not the other user details.
Output:
[Fri Jul 20 13:48:26 2012] [debug] Auth.Dispatch: Userdata found in db (uid=11)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider: Object (name=openldap-ldap1) initialized
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Try LDAP connect (dsn=ldap://ldapserver.foo.bar/,bind=true)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP got resource Resource id #211
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Successfully bind (dn=cn=Directory Manager)
[Fri Jul 20 13:48:26 2012] [info] Auth.Provider.LDAP connection successfully (ldap://ldapserver.foo.bar/)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com, filter=(objectClass=*))
[Fri Jul 20 13:48:26 2012] [debug] Auth.Dispatch: Authoritative provider found (provider=openldap-ldap1, authid=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Dispatch: Updating profile (user=larssonp,provider=openldap-ldap1)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Try LDAP connect (dsn=ldap://ldapserver.foo.bar/,bind=true)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP got resource Resource id #214
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Successfully bind (dn=cn=Directory Manager)
[Fri Jul 20 13:48:26 2012] [info] Auth.Provider.LDAP connection successfully (ldap://ldapserver.foo.bar/)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Try import (user=larssonp, authid=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com)
[Fri Jul 20 13:48:26 2012] [error] Auth.Provider.LDAP Using existing link (linkid=1,res=Resource id #214)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com, filter=(objectClass=*))
[Fri Jul 20 13:48:26 2012] [debug] Auth.Dispatch: Profile data (user=larssonp,provider=openldap-ldap1) Array
(
    [user_disabled] => 0
)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Trying authenticate (authkey=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com,user=larssonp)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Try LDAP connect (dsn=ldap://ldapserver.foo.bar/,bind=true)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP got resource Resource id #219
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Successfully bind (dn=cn=Directory Manager)
[Fri Jul 20 13:48:26 2012] [info] Auth.Provider.LDAP connection successfully (ldap://ldapserver.foo.bar/)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com, filter=(&(uid=larssonp)))
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Try LDAP connect (dsn=ldap://ldapserver.foo.bar/,bind=false)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP got resource Resource id #222
[Fri Jul 20 13:48:26 2012] [info] Auth.Provider.LDAP connection successfully (ldap://ldapserver.foo.bar/)
[Fri Jul 20 13:48:26 2012] [fatal] Uncaught AppKitPHPError: PHP Error ldap_bind(): Unable to bind to server: Referral
(/usr/share/icinga-web/app/modules/AppKit/models/Auth/Provider/LDAPModel.class.php:30)
(/usr/share/icinga-web/app/modules/AppKit/lib/logging/AppKitExceptionHandler.class.php:37)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Error: Referral (errno=10,resource=222)
[Fri Jul 20 13:48:26 2012] [warn] Auth.Provider.LDAP Bind failed (authkey=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com,user=larssonp)
[Fri Jul 20 13:48:26 2012] [info] Auth.Dispatch: Delegate authentication (not_authoritative=openldap-ldap1,user=larssonp)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider: Object (name=internal) initialized
[Fri Jul 20 13:48:26 2012] [debug] Auth.Dispatch: Delegate authentication, try internal (not_authoritative=openldap-ldap1,user=larssonp)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.Database: HASH(696bb39b55334a258a48a81c2c9c83fecfd9360a756a8cbbdde99eceed89559f)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider: Object (name=auth_key) initialized
[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider: Object (name=http-basic-authentication) initialized
[Fri Jul 20 13:48:26 2012] [debug] Auth.Dispatch: Delegate authentication, try http-basic-authentication (not_authoritative=openldap-ldap1,user=larssonp)
[Fri Jul 20 13:48:26 2012] [error] Auth.Dispatch: Delegate authentication, no providers found for larssonp (not_authoritative=openldap-ldap1)
[Fri Jul 20 13:48:26 2012] [debug] Auth.Dispatch: User cound not authorized (username=larssonp)
[Fri Jul 20 13:48:26 2012] [error] Userlogin by larssonp failed!
[Fri Jul 20 13:53:53 2012] [debug] Auth.Provider: Object (name=internal) initialized
[Fri Jul 20 13:53:53 2012] [debug] Auth.Provider: Object (name=auth_key) initialized
[Fri Jul 20 13:53:53 2012] [debug] Auth.Provider: Object (name=http-basic-authentication) initialized
[Fri Jul 20 13:53:53 2012] [debug] Auth.Provider.HTTPBasicAuthentification: Got data (auth_name=, auth_type=)
[Fri Jul 20 13:53:53 2012] [debug] Auth.Provider: Object (name=openldap-ldap1) initialized
My config looks like this:
<setting name="provider">
  <ae:parameter name="openldap-ldap1">
    <ae:parameter name="auth_module">AppKit</ae:parameter>
    <ae:parameter name="auth_provider">Auth.Provider.LDAP</ae:parameter>
    <ae:parameter name="auth_enable">true</ae:parameter>
    <ae:parameter name="auth_authoritative">true</ae:parameter>
    <ae:parameter name="auth_create">true</ae:parameter>
    <ae:parameter name="auth_update">true</ae:parameter>
    <ae:parameter name="auth_map">
      <ae:parameter name="user_firstname">givenName</ae:parameter>
      <ae:parameter name="user_lastname">sn</ae:parameter>
      <ae:parameter name="user_email">mail</ae:parameter>
    </ae:parameter>
    <ae:parameter name="ldap_dsn">ldap://ldapserver.foo.bar.com/</ae:parameter>
    <ae:parameter name="ldap_basedn">dc=foo,dc=bar,dc=com</ae:parameter>
    <ae:parameter name="ldap_binddn">cn=Directory Manager</ae:parameter>
    <ae:parameter name="ldap_bindpw"><![CDATA[XXXXXXXX]]></ae:parameter>
    <ae:parameter name="ldap_userattr">uid</ae:parameter>
    <ae:parameter name="ldap_filter_user"><![CDATA[(&(uid=__USERNAME__))]]></ae:parameter>
  </ae:parameter>
</setting>
When I do an ldapsearch using
base=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com I don't get
givenName/sn/mail, but if I search using
base=uid=larssonp,cn=users,cn=accounts,dc=foo,dc=bar,dc=com I get full details.
For some reason the PHP module seems to add compat as part of the search.
Any help is much appreciated!
Thanks,
Pierre
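Added example for readers of this thread (not icinga-web code and not Pierre's): a small diagnostic that parses the provider's debug log as posted above and then reproduces the attribute gap against a constructed in-memory directory. The log lines are the ones from the post, re-joined onto single lines where the mail client wrapped them (an assumption about the original layout). The directory contents are constructed to match what the ldapsearch comparison in the post reports: the same uid present under cn=compat with only POSIX attributes and under cn=accounts with givenName/sn/mail. Whether that two-entry layout is the real cause is for the directory owner to confirm; the example only shows that, if it is, a uid-only filter under ldap_basedn dc=foo,dc=bar,dc=com resolves to the compat entry first and every later base-scoped search on that DN can only return the compat entry's attributes. Narrowing ldap_basedn to the subtree that holds the full entries is the configuration-side check it suggests. The errno 10 (Referral) on the user bind is taken from the log and is flagged separately, since it is a different failure than a wrong password.

```python
"""Added example (not icinga-web code): parse the LDAP provider debug log from this
post and reproduce, against a constructed directory, why a search rooted at the
cn=compat entry yields no givenName/sn/mail."""
import re
from typing import Dict, List, Optional

# Constructed sample: key lines from the post, re-joined onto single lines.
LOG_LINES = [
    "[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Successfully bind (dn=cn=Directory Manager)",
    "[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com, filter=(objectClass=*))",
    "[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Prepare LDAPsearch (base=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com, filter=(&(uid=larssonp)))",
    "[Fri Jul 20 13:48:26 2012] [debug] Auth.Provider.LDAP Error: Referral (errno=10,resource=222)",
    "[Fri Jul 20 13:48:26 2012] [warn] Auth.Provider.LDAP Bind failed (authkey=uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com,user=larssonp)",
]

SEARCH_RE = re.compile(r"Prepare LDAPsearch \(base=(?P<base>.+?), filter=(?P<filter>.+)\)$")
ERROR_RE = re.compile(r"Auth\.Provider\.LDAP Error: (?P<err>\w+) \(errno=(?P<errno>\d+)")

# Attributes the auth_map block in the posted config expects on the user entry.
MAPPED_ATTRS = ["givenName", "sn", "mail"]


def dn_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs (assumes no escaped commas, which holds for the DNs in the post)."""
    return [rdn.strip() for rdn in dn.split(",")]


def parse_searches(lines: List[str]) -> List[Dict[str, str]]:
    """Collect every (base, filter) pair the LDAP provider logged."""
    found = []
    for line in lines:
        m = SEARCH_RE.search(line)
        if m:
            found.append({"base": m.group("base"), "filter": m.group("filter")})
    return found


def parse_bind_errors(lines: List[str]) -> List[Dict[str, object]]:
    """Collect LDAP error names and errno values (the post shows errno=10, Referral)."""
    found = []
    for line in lines:
        m = ERROR_RE.search(line)
        if m:
            found.append({"error": m.group("err"), "errno": int(m.group("errno"))})
    return found


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Summarise the log: which bases were searched, whether any lies under
    cn=compat, and whether the user bind ended in a referral."""
    searches = parse_searches(lines)
    compat_bases = sorted({s["base"] for s in searches if "cn=compat" in dn_rdns(s["base"])})
    errors = parse_bind_errors(lines)
    return {
        "search_count": len(searches),
        "compat_bases": compat_bases,
        "bind_errors": errors,
        "user_bind_referral": any(e["error"] == "Referral" for e in errors),
    }


# Constructed directory mirroring the ldapsearch comparison in the post: the same
# uid under cn=compat (POSIX attributes only) and under cn=accounts (full entry).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=larssonp,cn=users,cn=compat,dc=foo,dc=bar,dc=com": {
        "uid": "larssonp", "cn": "larssonp", "uidNumber": "1001"},
    "uid=larssonp,cn=users,cn=accounts,dc=foo,dc=bar,dc=com": {
        "uid": "larssonp", "givenName": "Pierre", "sn": "Example", "mail": "larssonp@example.com"},
}


def subtree_search(base: str, ldap_filter: str) -> List[Dict[str, str]]:
    """Minimal subtree search: entries at or below base whose uid matches the
    (uid=...) term of the filter, returned in directory order."""
    m = re.search(r"\(uid=([^)]+)\)", ldap_filter)
    wanted = m.group(1) if m else None
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn == base or dn.endswith("," + base)
        if in_scope and (wanted is None or attrs.get("uid") == wanted):
            hits.append(dict(attrs, dn=dn))
    return hits


def resolve_user(basedn: str, ldap_filter: str) -> Optional[Dict[str, str]]:
    """Mimic a provider that keeps the first hit's DN as the user's authid."""
    hits = subtree_search(basedn, ldap_filter)
    return hits[0] if hits else None


def missing_mapped_attrs(entry: Dict[str, str]) -> List[str]:
    """Which auth_map attributes the resolved entry cannot supply."""
    return [a for a in MAPPED_ATTRS if a not in entry]


if __name__ == "__main__":
    print(diagnose(LOG_LINES))
    for basedn in ("dc=foo,dc=bar,dc=com", "cn=accounts,dc=foo,dc=bar,dc=com"):
        entry = resolve_user(basedn, "(&(uid=larssonp))")
        print(basedn, "->", entry["dn"], "missing:", missing_mapped_attrs(entry))
```

Run it as-is to see the wide ldap_basedn resolve to the cn=compat DN with all three mapped attributes missing, and the narrowed base resolve to the cn=accounts entry with none missing; point `diagnose` at the full, re-joined log to get the same summary for a real login attempt.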
_______________________________________________
icinga-users mailing list
icinga-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/icinga-users