We have OpenLDAP 2.3 running on Linux. It is set up in SASL mode authenticating
against multiple ADs. Everything works fine there, which is our Production env. 

We recently installed a new instance of OpenLDAP 2.4.23 running on RedHat Linux 6
in our Dev and QA env. Then, we moved the slapd.conf and slapd-meta.conf file to
the new instance, and created the required users.

When we run testsaslauthd, we are successfully able to authenticate against the
appropriate AD that the user is under.  

testsaslauthd -u ravi@SONEPAR -p secret - WORKS

ldapsearch -x -D uid=ravi,ou=People,ou=company,dc=inside,dc=devserver,dc=com -w secret

results in: ldap_bind: Invalid credentials (49)

But when we do an ldap search or connect using LDAP Browser, the user is not able
to get authenticated. We are not able to bind to the OpenLDAP by using the same
credentials.
I get an Invalid credentials error (49), which indicates either the credentials are
incorrect, which in this case they are not, or the bind info is incorrect.

It seems as though the user is not able to bind to OpenLDAP 2.4 or it does not
know how to. When I change the password from {SASL}ralthuru@SONEPAR to plain text,
say "secret", it works fine.

Here is the log output from the same user authentication in OpenLDAP 2.3 and
OpenLDAP 2.4:

SUCCESS - QA 2.4 - testsaslauthd -u ralthuru@SONEPAR -p secret

Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 fd=8 ACCEPT from 
IP=127.0.0.1:44500 (IP=127.0.0.1:391)
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND 
dn="cn=Manager,dc=local" method=128
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND 
dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 RESULT tag=97 
err=0 text=
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH 
base="ou=SONEPAR,dc=local" scope=2 deref=0 
filter="(|(uid=ralthuru)(?SMACCOUNTNAME=ralthuru))"
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH attr=dn
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SEARCH RESULT 
tag=101 err=0 nentries=1 text=
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND anonymous 
mech=implicit ssf=0
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi 
Althuru,cn=Users,ou=SONEPAR,dc=local" method=128
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi 
Althuru,cn=Users,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 RESULT tag=97 
err=0 text=

SUCCESS - QA 2.4 - login as cn=Manager/Password1 from LDAP Browser

Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 fd=12 ACCEPT from 
IP=10.108.138.66:64931 (IP=0.0.0.0:389)
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND 
dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" method=128
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND 
dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" mech=SIMPLE ssf=0
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 RESULT tag=97 
err=0 text=
Feb  2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 op=1 UNBIND
Feb  2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 fd=12 closed

FAIL - QA 2.4 - login as uid=ralthuru/Sonepar123 from LDAP Browser

Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from 
IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND 
dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" method=128
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 
err=49 text=
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 closed

SUCCESS - PRODUCTION 2.3 - testsaslauthd -u ralthuru@SONEPAR -p secret

Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND anonymous 
mech=implicit ssf=0
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND 
dn="cn=Manager,dc=local" method=128
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND 
dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 RESULT tag=97 err=0 text=
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH 
base="ou=SONEPAR,dc=local" scope=2 deref=0 
filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH attr=dn
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND anonymous 
mech=implicit ssf=0
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C 
Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C 
Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 RESULT tag=97 err=0 text=

SUCCESS - PRODUCTION 2.3 - login as uid=ralthuru/secret from LDAP Browser

Feb  3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 fd=15 ACCEPT from 
IP=10.108.138.66:54298 (IP=0.0.0.0:389)
Feb  3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND 
dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND anonymous 
mech=implicit ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND 
dn="cn=Manager,dc=local" method=128
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND 
dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 RESULT tag=97 err=0 text=
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH 
base="ou=SONEPAR,dc=local" scope=2 deref=0 
filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH attr=dn
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND anonymous 
mech=implicit ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C 
Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C 
Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 RESULT tag=97 err=0 text=
Feb  3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND 
dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" 
mech=SIMPLE ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 RESULT tag=97 err=0 
text=
Feb  3 10:44:47 pavfldapp01 slapd[4806]: conn=50825 op=1 UNBIND

SUCCESS - PRODUCTION 2.3 - LDAP Search command as uid=ralthuru/secret

Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 ACCEPT from 
IP=10.199.204.205:44578 (IP=0.0.0.0:389)
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND 
dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND anonymous 
mech=implicit ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND 
dn="cn=Manager,dc=local" method=128
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND 
dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 RESULT tag=97 err=0 text=
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH 
base="ou=SONEPAR,dc=local" scope=2 deref=0 
filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH attr=dn
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SEARCH RESULT tag=101 
err=0 nentries=1 text=
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND anonymous 
mech=implicit ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C 
Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C 
Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 RESULT tag=97 err=0 text=
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND 
dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" 
mech=SIMPLE ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 RESULT tag=97 err=0 
text=
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SRCH 
base="dc=inside,dc=sonepar-us,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SEARCH RESULT tag=101 
err=4 nentries=500 text=
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=2 UNBIND
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 closed

Here is the ldap.conf
URI ldap://10.99.19.179
BASE dc=inside,dc=sdusadevl,dc=com
TLS_REQCERT never

Here is the slapd.conf, only the relevant info:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/schema_extension.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap

loglevel 256

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=inside,dc=sdusadevl,dc=com"
rootdn          "cn=Manager,dc=inside,dc=sdusadevl,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          xyz123

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index uniqueMember                      eq,pres

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/[email protected]


# adding to ignore error for slaptest
cachesize 2000

sasl-host       localhost
sasl-secprops   none

----------------------
Here is the slapd-meta.conf containing the AD where the user ralthuru is
authenticating to:
uri ldap://sdusa-dc-01.sdusadevl.com:3268/ou=SONEPAR,dc=local
lastmod off
suffixmassage   "ou=SONEPAR,dc=local" "dc=sdusadevl,dc=com"
idassert-bind bindmethod=simple
   binddn="CN=Vignette\\, Service Account,OU=Vignette Service,OU=Vignette,OU=Enterpise Systems,DC=sdusadevl,DC=com"
   credentials="hiddenpassword"
   mode=none
   flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=local"


I have searched across many forums, compared the set up on the OpenLDAP 2.3 and
OpenLDAP 2.4 instances and cannot find any differences.

Any suggestions on how to resolve this are appreciated!
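When comparing bind behaviour between two slapd instances, it helps to correlate every BIND with its RESULT per connection and operation instead of reading the raw stats log by eye. The following parser is an added example and is not part of the original post or of OpenLDAP; it reads slapd loglevel 256 ("stats") lines, pairs each non-anonymous BIND with the RESULT for the same conn/op, records the peer address and SASL/SIMPLE mech, and separately flags any search filter in which slapd logged an attribute type with a leading "?", which is how slapd marks an attribute it does not recognise. The sample lines are transcribed from the log excerpts above with the wrapped lines joined; the regexes, function names and output format are my own.

```python
"""Correlate BIND/RESULT pairs in slapd stats (loglevel 256) output.

Added example; not part of the original post or of OpenLDAP.
"""
import re

# Sample lines transcribed from the post's QA 2.4 / Production 2.3 excerpts
# (wrapped lines joined). Only the lines needed for the demonstration are kept.
SAMPLE_LOG = """\
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(?SMACCOUNTNAME=ralthuru))"
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 fd=12 ACCEPT from IP=10.108.138.66:64931 (IP=0.0.0.0:389)
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" method=128
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" mech=SIMPLE ssf=0
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" method=128
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
"""

# One regex per line shape we care about; everything else is ignored.
LINE_RE = re.compile(
    r'conn=(?P<conn>\d+) (?:fd=\d+ ACCEPT from IP=(?P<ip>[\d.:]+).*'
    r'|op=(?P<op>\d+) (?P<rest>.*))')
# Named BIND lines only; "BIND anonymous mech=implicit" never matches here.
BIND_RE = re.compile(
    r'^BIND dn="(?P<dn>[^"]*)"(?: method=(?P<method>\d+)'
    r'| mech=(?P<mech>\S+) ssf=(?P<ssf>\d+))')
RESULT_RE = re.compile(r'^RESULT tag=97 err=(?P<err>\d+)')  # tag 97 = BindResponse
FILTER_RE = re.compile(r'^SRCH .*filter="(?P<filter>[^"]*)"')
UNDEF_ATTR_RE = re.compile(r'\(\?([A-Za-z0-9;-]+)=')        # "(?attr=" marks an unknown attribute


def parse_slapd_stats(text):
    """Return (binds, peers, undefined_attrs).

    binds:           one dict per named BIND that received a RESULT
                     {conn, op, dn, mech, err, peer}
    peers:           {conn: "ip:port"} from ACCEPT lines
    undefined_attrs: [(conn, op, attr)] for filters logged with a '?' attribute
    """
    peers, pending, binds, undefined = {}, {}, [], []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn = int(m['conn'])
        if m['ip']:
            peers[conn] = m['ip']
            continue
        op, rest = int(m['op']), m['rest']
        key = (conn, op)
        b = BIND_RE.match(rest)
        if b:
            entry = pending.setdefault(
                key, {'conn': conn, 'op': op, 'dn': b['dn'], 'mech': None, 'err': None})
            if b['mech']:                 # second BIND line carries mech/ssf
                entry['mech'] = b['mech']
            continue
        r = RESULT_RE.match(rest)
        if r and key in pending:
            entry = pending.pop(key)
            entry['err'] = int(r['err'])
            entry['peer'] = peers.get(conn)
            binds.append(entry)
            continue
        f = FILTER_RE.match(rest)
        if f:
            for attr in UNDEF_ATTR_RE.findall(f['filter']):
                undefined.append((conn, op, attr))
    return binds, peers, undefined


def failed_binds(binds):
    """Binds whose RESULT carried a non-zero err (49 = invalidCredentials)."""
    return [b for b in binds if b['err'] != 0]


def report(text):
    """Human-readable one-line-per-bind summary plus any unknown filter attributes."""
    binds, _, undefined = parse_slapd_stats(text)
    out = []
    for b in binds:
        status = 'OK' if b['err'] == 0 else f"FAIL err={b['err']}"
        out.append(f"conn={b['conn']} op={b['op']} peer={b['peer']} "
                   f"mech={b['mech']} dn={b['dn']} -> {status}")
    for conn, op, attr in undefined:
        out.append(f"conn={conn} op={op}: filter attribute '{attr}' is not "
                   f"defined in this server's schema (slapd logged it with '?')")
    return out


if __name__ == '__main__':
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the two servers' logs (e.g. `report(open('/var/log/slapd.log').read())`), the summary lists each bind DN with its peer, mech and result, so a bind that fails with err=49 on one instance and succeeds on the other is visible side by side, and a filter attribute that one server's schema does not define is called out rather than buried in a search line.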
