Hi Meissa,

I can confirm this is a bug in the Apache Directory server: the comparison of the RDN does not work properly when providing an RDN like "cn=Meissa Sakho+uid=msakho".

The added entry has this normalized DN:

0.9.2342.19200300.100.1.1= msakho +2.5.4.3= meissa sakho ,0.9.2342.19200300.100.1.25= example ,0.9.2342.19200300.100.1.25= com

while the Bind DN is normalized this way:

2.5.4.3= meissa sakho +0.9.2342.19200300.100.1.1= msakho ,0.9.2342.19200300.100.1.25= example ,0.9.2342.19200300.100.1.25= com

As you can see, the two values are inverted (cn+uid in one case, and uid+cn in the other case). That should not be the case.

This is the reason why it fails.

Funny enough, if you tried to log in using "uid=msakho+cn=Meissa SAKHO,ou=users,dc=example,dc=com", it would work...

On 15/11/2021 05:16, Emmanuel Lécharny wrote:
Hi,

Still, the first LDAP entry (with cn: meissa sakho) should work, as CN is case insensitive.

I'll investigate.

Thanks for the info !

On 14/11/2021 18:57, Meissa Sakho wrote:
I'm using the latest version:

Version: 2.0.0.v20210717-M17

I was able to make it work by changing this section:

dn: cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: meissa sakho
sn: sakho
title: cn=Administrator,ou=Groups,dc=example,dc=com
uid: msakho
userpassword: meissa

with this section:

dn: cn=Meissa SAKHO,ou=Users,dc=example,dc=com
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: top
cn: Meissa SAKHO
description: Capt. Meissa SAKHO, R.N
givenname: Meissa
sn: Sakho
uid: msakho
mail: msa...@redhat.com
userpassword: meissa


The difference between the two is in the cn.

The first version worked once. I've borrowed it from this article[1] written by one of my colleagues.

It seems like there are some differences.


[1] https://developers.redhat.com/blog/2018/09/21/setup-ldap-auth-amq-console#




On Sat, 13 Nov 2021 at 19:51, Emmanuel Lécharny <elecha...@gmail.com> wrote:

    Thanks.

    Will do a test with the data you've provided.

    Which LDAP DS version are you using?

    On 12/11/2021 08:55, Meissa Sakho wrote:
     > Hi Emmanuel,
     > below is the complete ldif and in bold the corresponding user whose
     > password (uid=msakho, password=meissa) is in clear:
     > version: 1
     >
     > dn: dc=example,dc=com
     > objectclass: top
     > objectclass: domain
     > dc: example
     >
     > dn: ou=Groups,dc=example,dc=com
     > objectClass: organizationalUnit
     > objectClass: top
     > ou: Groups
     >
     > dn: ou=Users,dc=example,dc=com
     > objectClass: organizationalUnit
     > objectClass: top
     > ou: Users
     >
     > dn: cn=Administrator,ou=Groups,dc=example,dc=com
     > objectClass: groupOfNames
     > objectClass: top
     > cn: Administrator
     > member: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
     > member: cn=Elvadas NONO,ou=Users,dc=example,dc=com
     >
     > dn: cn=AMQGroup,ou=Groups,dc=example,dc=com
     > objectClass: groupOfNames
     > objectClass: top
     > cn: AMQGroup
     > member: cn=Elvadas Nono+sn=WOGUIA+uid=nelvadas,ou=Users,dc=example,dc=com
     > member: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
     > member: cn=Meissa+sn=Sakho+uid=msakho,ou=Users,dc=example,dc=com
     >
     > dn: cn=John+sn=Doe+uid=jdoe,ou=Users,dc=example,dc=com
     > objectClass: organizationalPerson
     > objectClass: person
     > objectClass: inetOrgPerson
     > objectClass: top
     > cn: John
     > sn: Doe
     > title: cn=Administrator,ou=Groups,dc=example,dc=com
     > uid: jdoe
     > userPassword: redhat
     >
     > dn: cn=Elvadas NONO+uid=enonowoguia,ou=Users,dc=example,dc=com
     > objectClass: organizationalPerson
     > objectClass: person
     > objectClass: inetOrgPerson
     > objectClass: top
     > cn: elvadas nono
     > sn: Woguia
     > title: cn=Administrator,ou=Groups,dc=example,dc=com
     > uid: enonowoguia
     > userpassword:: e1NTSEF9dlMzVU95V1Bnek9JMUhreG5IV290My9jS0NxZWlGNmlDSlh1SEE9PQ==
     >
     > dn: cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
     > objectClass: organizationalPerson
     > objectClass: person
     > objectClass: inetOrgPerson
     > objectClass: top
     > cn: meissa sakho
     > sn: sakho
     > title: cn=Administrator,ou=Groups,dc=example,dc=com
     > uid: msakho
     > userpassword: meissa
     >
     > Thanks
     >
     > On Fri, 12 Nov 2021 at 04:03, Emmanuel Lécharny <elecha...@gmail.com> wrote:
     >
     >     Hi,
     >
     >     can you provide the entry associated to this user (with password
     >     redacted, of course)?
     >
     >     Thanks !
     >
     >     On 11/11/2021 18:53, Meissa Sakho wrote:
     >      > Hello everyone,
     >      > I'm trying to connect to my Ldap DS server from ActiveMq.
     >      > The connection setting is configured via a login.config file like below:
     >      > activemq {
     >      >   org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
     >      >       debug=true
     >      >       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
     >      >       connectionURL="ldap://localhost:10389";
     >      >       connectionUsername="uid=admin,ou=system"
     >      >       connectionPassword=secret
     >      >       connectionProtocol=s
     >      >       authentication=simple
     >      >       userBase="ou=Users,dc=example,dc=com"
     >      >       userSearchMatching="(uid={0})"
     >      >       userSearchSubtree=true
     >      >       roleBase="ou=Groups,dc=example,dc=com"
     >      >       roleName=cn
     >      >       roleSearchMatching="(member={0})"
     >      >       roleSearchSubtree=false
     >      >       reload=true
     >      >    ;
     >      > };
     >      > I've imported a sample ldif file and double checked that every user
     >      > connection is correct.
     >      > When I try to get connected via the ActiveMq admin console, I'm getting a
     >      > login failed error message because of a password that does not match.
     >      >
     >      > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] LDAP returned a relative name: cn=Meissa SAKHO+uid=msakho,ou=Users
     >      >
     >      > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Using DN [cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com] for binding.
     >      >
     >      > 2021-11-11 18:38:29,436 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Binding the user.
     >      >
     >      > 2021-11-11 18:38:29,438 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule] Authentication failed for dn=cn=Meissa SAKHO+uid=msakho,ou=Users,dc=example,dc=com
     >      >
     >      > WARN  | qtp2029780820-35 | Login failed due to: Password does not match for user: msakh
     >      > When I check the password test connection via the DS Studio, it works fine.
     >      > I don't know what's wrong and where.
     >      > Any idea?
     >      >
     >
     >     --
     >     Emmanuel Lécharny - CTO 205 Promenade des Anglais – 06200 NICE
     >     T. +33 (0)4 89 97 36 50
     >     P. +33 (0)6 08 33 32 61
     >     emmanuel.lecha...@busit.com
     >     https://www.busit.com/
     >
     >  ---------------------------------------------------------------------
     >     To unsubscribe, e-mail: users-unsubscr...@directory.apache.org
     >     For additional commands, e-mail: users-h...@directory.apache.org
     >




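To make the diagnosis at the top of the thread concrete, here is an added Python example (not ApacheDS code) that normalizes each RDN of a DN into a sorted set of (OID, caseIgnore value) pairs, the way the stored entry DN above is rendered, and shows that a bind DN compared without that canonical ordering fails for cn+uid yet passes for uid+cn. The OID table is an assumed subset (the cn, uid and dc OIDs appear in the thread; the ou OID is assumed).

```python
# Added example (not ApacheDS code): order-independent comparison of DNs whose
# RDNs are multi-valued, e.g. "cn=Meissa SAKHO+uid=msakho".

# Attribute type -> OID. cn, uid and dc are taken from the thread; ou is assumed.
OIDS = {
    "cn": "2.5.4.3",
    "uid": "0.9.2342.19200300.100.1.1",
    "ou": "2.5.4.11",
    "dc": "0.9.2342.19200300.100.1.25",
}

def split_unescaped(text, sep):
    """Split on sep while leaving backslash-escaped characters (RFC 4514) intact."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair as-is
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts

def normalize_rdn(rdn, sort_avas=True):
    """Map each AVA to (OID, normalized value); sorting makes cn+uid equal to uid+cn."""
    avas = []
    for ava in split_unescaped(rdn, "+"):
        attr, _, value = ava.partition("=")
        attr = attr.strip().lower()
        # caseIgnoreMatch-style value normalization: trim, collapse spaces, lowercase
        avas.append((OIDS.get(attr, attr), " ".join(value.split()).lower()))
    if sort_avas:   # canonical order: the RDN is compared as a set of AVAs
        avas.sort()
    return "+".join(f"{oid}={value}" for oid, value in avas)

def normalize_dn(dn, sort_avas=True):
    return ",".join(normalize_rdn(r, sort_avas) for r in split_unescaped(dn, ","))

def dns_match(stored_dn, bind_dn, sort_bind=True):
    """The stored entry is always canonical; sort_bind=False models the
    order-dependent comparison the thread observes on the bind side."""
    return normalize_dn(stored_dn, True) == normalize_dn(bind_dn, sort_bind)
```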