On Fri, 2005-12-09 at 17:03 +0100, Giovanni Cuccu wrote:
> Hi all,
> I'm totally new to the (Open)LDAP world and I'm trying to set up a
> test server.
> I'm currently using CentOS 4 along with the OpenLDAP shipped with
> that Linux distro.
> The LDAP server is working and I'm able to write and read data.
> The problem I'm facing is setting up a simple DN/password authentication
> mechanism.
> Here is my slapd.conf
>
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/redhat/autofs.schema
> include /etc/openldap/schema/redhat/kerberosobject.schema
>
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral ldap://root.openldap.org
>
> #pidfile //var/run/slapd.pid
> #argsfile //var/run/slapd.args
>
> # Create a replication log in /var/lib/ldap for use by slurpd.
> #replogfile /var/lib/ldap/master-slapd.replog
>
> # Load dynamic backend modules:
> # modulepath /usr/sbin/openldap
> # moduleload back_ldap.la
> # moduleload back_ldbm.la
> # moduleload back_passwd.la
> # moduleload back_shell.la
>
> password-hash {MD5}
> database ldbm
> suffix "dc=progetto-sole,dc=it"
> #suffix "o=My Organization Name,c=US"
> rootdn "cn=Manager,dc=progetto-sole,dc=it"
> #rootdn "cn=Manager,o=My Organization Name,c=US"
> # Cleartext passwords, especially for the rootdn, should
> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw secret
> access to attr=userPassword
>   by dn="cn=Manager,dc=progetto-sole,dc=it" write
>   by self write
>   by * read
> access to *
>   by dn="cn=Manager,dc=progetto-sole,dc=it" write
>   by dn="cn=sole,dc=progetto-sole,dc=it" read
>   by users read
>   by self write
>   by * read
> # rootpw {crypt}ijFYNcSNctBYg
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd/tools. Mode 700 recommended.
> directory /var/lib/ldap
> # Indices to maintain
> index objectClass,uid,uidNumber,gidNumber,memberUid eq
> index cn,mail,surname,givenname eq,subinitial
> # Replicas to which we should propagate changes
> #replica host=ldap-1.example.com:389 tls=yes
> # bindmethod=sasl saslmech=GSSAPI
> # authcId=host/[EMAIL PROTECTED]
> loglevel -1
>
> and here is the .ldif file containing the user to be authenticated
>
> dn: cn=sole,dc=progetto-sole,dc=it
> cn: sole
> sn: sole
> uid: sole
> objectclass: top
> objectclass: inetOrgPerson
> userPassword: {MD5}d8e7124a5142b544af071ef02bfa505c
>
> I try to connect using this dn:
> cn=sole,dc=progetto-sole,dc=it
> along with the relative password
> but I always get the "invalid login credential" message.
> Here is the ldap log content:
>
> Dec 9 17:05:20 linux slapd[3781]: daemon: read activity on 7
> Dec 9 17:05:20 linux slapd[3781]: connection_get(7)
> Dec 9 17:05:20 linux slapd[3781]: connection_get(7): got connid=5
> Dec 9 17:05:20 linux slapd[3781]: connection_read(7): checking for input on id=5
> Dec 9 17:05:20 linux slapd[3781]: ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
> Dec 9 17:05:20 linux slapd[3781]: do_bind
> Dec 9 17:05:20 linux slapd[3781]: do_bind: version=3 dn="cn=sole,dc=progetto-sole,dc=it" method=128
> Dec 9 17:05:20 linux slapd[3781]: conn=5 op=0 BIND dn="CN=SOLE,DC=PROGETTO-SOLE,DC=IT" method=128
> Dec 9 17:05:20 linux slapd[3781]: ==> ldbm_back_bind: dn: cn=sole,dc=progetto-sole,dc=it
> Dec 9 17:05:20 linux slapd[3781]: dn2entry_r: dn: "CN=SOLE,DC=PROGETTO-SOLE,DC=IT"
> Dec 9 17:05:20 linux slapd[3781]: => dn2id( "CN=SOLE,DC=PROGETTO-SOLE,DC=IT" )
> Dec 9 17:05:20 linux slapd[3781]: ====> cache_find_entry_dn2id("CN=SOLE,DC=PROGETTO-SOLE,DC=IT"): 15 (1 tries)
> Dec 9 17:05:20 linux slapd[3781]: <= dn2id 15 (in cache)
> Dec 9 17:05:20 linux slapd[3781]: => id2entry_r( 15 )
> Dec 9 17:05:20 linux slapd[3781]: ====> cache_find_entry_id( 15 ) "cn=sole,dc=progetto-sole,dc=it" (found) (1 tries)
> Dec 9 17:05:20 linux slapd[3781]: <= id2entry_r( 15 ) 0xa07a858 (cache)
> Dec 9 17:05:20 linux slapd[3781]: => access_allowed: auth access to "cn=sole,dc=progetto-sole,dc=it" "userPassword" requested
> Dec 9 17:05:20 linux slapd[3781]: => acl_get: [1] check attr userPassword
> Dec 9 17:05:20 linux slapd[3781]: <= acl_get: [1] acl cn=sole,dc=progetto-sole,dc=it attr: userPassword
> Dec 9 17:05:20 linux slapd[3781]: => acl_mask: access to entry "cn=sole,dc=progetto-sole,dc=it", attr "userPassword" requested
> Dec 9 17:05:20 linux slapd[3781]: => acl_mask: to all values by "", (=n)
> Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: cn=Manager,dc=progetto-sole,dc=it
> Dec 9 17:05:20 linux slapd[3781]: => string_expand: pattern: cn=Manager,dc=progetto-sole,dc=it
> Dec 9 17:05:20 linux slapd[3781]: => string_expand: expanded: cn=Manager,dc=progetto-sole,dc=it
> Dec 9 17:05:20 linux slapd[3781]: => regex_matches: string:
> Dec 9 17:05:20 linux slapd[3781]: => regex_matches: rc: 1 no matches
> Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: self
> Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: *
> Dec 9 17:05:20 linux slapd[3781]: <= acl_mask: [3] applying read (=rscx) (stop)
> Dec 9 17:05:20 linux slapd[3781]: <= acl_mask: [3] mask: read (=rscx)
> Dec 9 17:05:20 linux slapd[3781]: => access_allowed: auth access granted by read (=rscx)
> Dec 9 17:05:20 linux slapd[3781]: send_ldap_result: conn=5 op=0 p=3
> Dec 9 17:05:20 linux slapd[3781]: send_ldap_result: 49::
> Dec 9 17:05:20 linux slapd[3781]: send_ldap_response: msgid=1 tag=97 err=49
> Dec 9 17:05:20 linux slapd[3781]: conn=5 op=0 RESULT tag=97 err=49 text=
> Dec 9 17:05:20 linux slapd[3781]: ====> cache_return_entry_r( 15 ): returned (0)
> Dec 9 17:05:20 linux slapd[3781]: daemon: select: listen=6 active_threads=1 tvp=NULL
> Dec 9 17:05:20 linux slapd[3781]: daemon: activity on 1 descriptors
> Dec 9 17:05:20 linux slapd[3781]: daemon: activity on:
> Dec 9 17:05:20 linux slapd[3781]: 7r
> Dec 9 17:05:20 linux slapd[3781]:
> Dec 9 17:05:20 linux slapd[3781]: daemon: read activity on 7
> Dec 9 17:05:20 linux slapd[3781]: connection_get(7)
> Dec 9 17:05:20 linux slapd[3781]: connection_get(7): got connid=5
> Dec 9 17:05:20 linux slapd[3781]: connection_read(7): checking for input on id=5
> Dec 9 17:05:20 linux slapd[3781]: ber_get_next on fd 7 failed errno=0 (Success)
> Dec 9 17:05:20 linux slapd[3781]: connection_read(7): input error=-2 id=5, closing.
>
> The following command lists the SASL mechanisms (although I think the auth
> method I'm testing does not involve SASL)
> [EMAIL PROTECTED] openldap]# ldapsearch -H ldap://localhost/ -x -b "" -s base -LLL supportedSASLMechanisms
> dn:
> supportedSASLMechanisms: GSSAPI
>
> Can anyone help me?
> I'm not able to understand why I can't login.
> Thanks in advance,
> Giovanni

-----

You don't give the actual command that is failing.

ldapsearch -x -h localhost \
  -D "cn=sole,dc=progetto-sole,dc=it" \
  -b "dc=progetto-sole,dc=it" \
  -W '(cn=sole)'

or if you wanted write access...

ldapsearch -x -h localhost \
  -D "cn=Manager,dc=progetto-sole,dc=it" \
  -b "dc=progetto-sole,dc=it" \
  -W '(cn=sole)'

Probably best to have a container for 'users' - something like

ou=People,dc=progetto-sole,dc=it

and put users like sole in that container...

uid=sole,ou=People,dc=progetto-sole,dc=it

Craig
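One thing worth checking before the bind command itself is the stored userPassword value. The quoted log shows the bind getting all the way to the password comparison (the ACL grants auth access on userPassword, then slapd answers err=49, invalidCredentials), so the entry was found and the credentials were compared. slapd's {MD5} scheme, as produced by slappasswd(8), stores the base64 encoding of the raw 16-byte digest; the value in the quoted LDIF is the 32-hex-digit form of a digest instead, which base64-decodes to 24 bytes and therefore never matches. The script below is an added example, not code from the thread or from OpenLDAP: it builds userPassword values in the {MD5} and {SSHA} forms and checks a candidate password against a stored value the way slapd's checkers do, including the length check that rejects the hex form. The password `secret`, the fixed test salt and the sample stored strings are assumptions made for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample input: the password used below is an assumption for
# the demonstration, not a value from the original thread.
SAMPLE_PASSWORD = "secret"


def make_md5(password: str) -> str:
    """Build a {MD5} userPassword value the way slappasswd -h '{MD5}' does:
    the base64 encoding of the raw 16-byte digest, not its hex form."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a {SSHA} value: base64(sha1(password + salt) + salt).
    slappasswd uses a random 4-byte salt; a fixed salt can be passed for tests."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _split_scheme(stored: str) -> Tuple[str, str]:
    """Split '{SCHEME}payload' into ('SCHEME', 'payload'); a value with no
    scheme prefix is treated as cleartext, as slapd does."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEARTEXT", stored


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value,
    mirroring slapd's {MD5}, {SSHA} and cleartext comparisons. A payload
    that is not valid base64, or that decodes to the wrong length, fails
    just as slapd reports invalidCredentials (err=49)."""
    scheme, payload = _split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    try:
        raw = base64.b64decode(payload, validate=True)
    except (ValueError, binascii.Error):
        return False
    if scheme == "MD5":
        if len(raw) != hashlib.md5().digest_size:  # slapd's length "safety check"
            return False
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SSHA":
        size = hashlib.sha1().digest_size
        if len(raw) <= size:  # a salted value must carry a salt after the digest
            return False
        digest, salt = raw[:size], raw[size:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False  # unknown scheme: slapd has no checker for it


def hex_form_fails(password: str) -> bool:
    """Reproduce the pitfall in the quoted LDIF: a 32-hex-digit MD5 after the
    {MD5} prefix is valid base64 for 24 bytes, not the 16-byte digest, so the
    comparison fails for the correct password."""
    hex_value = "{MD5}" + hashlib.md5(password.encode("utf-8")).hexdigest()
    return not verify(password, hex_value)


if __name__ == "__main__":
    good = make_md5(SAMPLE_PASSWORD)
    print(good)                                                   # {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
    print(verify(SAMPLE_PASSWORD, good))                          # True
    print(hex_form_fails(SAMPLE_PASSWORD))                        # True
    print(verify(SAMPLE_PASSWORD, make_ssha(SAMPLE_PASSWORD)))    # True
```

Two caveats from the quoted slapd.conf go with this. `password-hash {MD5}` only governs passwords set through the Password Modify extended operation; a userPassword written with ldapadd, as in the quoted LDIF, is stored exactly as given, so the value has to be generated with slappasswd (or equivalent) before it goes into the LDIF. And the userPassword ACL ends in `by * read`, which is why the log shows auth access for the anonymous identity `""` being granted by read: that rule also lets anyone read the password hashes. The conventional form is `by self write`, `by anonymous auth`, `by * none`, which still allows the simple bind shown above.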
