My client was able to resolve the connection issue he was having by changing the binding from "Anonymous" to "None" in his configuration.
Thanks for your assistance in this matter!
-- Mark Hennessy
-----Original Message----- From: Howard Chu [mailto:hyc@symas.com] Sent: Monday, December 11, 2006 7:42 PM To: Mark Hennessy Cc: openldap-software@openldap.org Subject: Re: Question about OpenLDAP
Mark Hennessy wrote:
I have a user who tries to connect from an IP x.x.x.31, but
they keep getting
rejected. The ACL is using IPs to allow anonymous
read-only connections. I
have a client at another host that's also in the ACL by IP
which is set to
use an anonymous connection and that works. What should I
be looking for
with this client that's not working? Also, I built
OpenLDAP without SASL on
purpose. This is serving a simple database that could
potentially have lots
of reads and no writes from a couple of trusted hosts. Any
help in this
matter would be greatly appreciated!
This is OpenLDAP from FreeBSD ports built supposedly without SASL.
Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 ACCEPT from
IP=x.x.x.31:1691
(IP=0.0.0.0:389) Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH base=""
scope=0 deref=0
filter="(objectClass=*)" Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SRCH
attr=supportedCapabilities
Dec 11 13:34:19 x slapd[2566]: conn=28 op=0 SEARCH RESULT
tag=101 err=0
nentries=1 text= Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH base=""
scope=0 deref=0
filter="(objectClass=*)" Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SRCH
attr=supportedSASLMechanisms
Dec 11 13:34:19 x slapd[2566]: conn=28 op=1 SEARCH RESULT
tag=101 err=0
nentries=1 text= Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 BIND dn="" method=137 Dec 11 13:34:19 x slapd[2566]: conn=28 op=2 RESULT tag=97
err=7 text=unknown
authentication method Dec 11 13:34:19 x slapd[2566]: conn=28 op=3 UNBIND Dec 11 13:34:19 x slapd[2566]: conn=28 fd=10 closed
The log shows they're trying to Bind with a "method=137" and correctly getting an unknown authentication method response back. I.e., they're trying to Bind with a mechanism that slapd doesn't recognize. It's certainly not an anonymous LDAP Simple Bind. Seems like a broken client.
-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/