I have an openldap 2.4 authentication system, that works smoothly with
many versions of linux, and OSX 10.5. But I can't get OSX 10.4 to
authenticate with it.
I was previously using openldap 2.0.27 with an identical setup, and 10.4
was able to authenticate with it.
I can su to user accounts that are in the ldap database, but when I'm
required to enter a password for the user, the authentication fails.
Here's the relevant section from my logfile when I try to authenticate:
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=dthomp))(|(cn=dthomp))))"
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SRCH attr=uid cn
Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))"
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SRCH attr=userPassword
Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=22 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))"
Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 6 16:03:58 owl slapd[10661]: conn=35 fd=20 ACCEPT from IP=192.168.1.145:49405 (IP=0.0.0.0:636)
Jun 6 16:03:58 owl slapd[10661]: conn=35 fd=20 closed (TLS negotiation failure)
Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 ACCEPT from IP=192.168.1.145:49406 (IP=0.0.0.0:636)
Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 TLS established tls_ssf=32 ssf=32
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=0 BIND dn="" method=163
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=1 BIND dn="" method=163
Jun 6 16:03:59 owl slapd[10661]: SASL [conn=36] Failure: no secret in database
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=2 UNBIND
Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 closed
Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=dthomp))(|(cn=dthomp))))"
Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SRCH attr=uid cn
Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))"
Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SRCH attr=userPassword
Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 6 16:03:59 owl slapd[10661]: conn=22 op=25 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))"
Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 16:03:59 owl slapd[10661]: conn=22 op=25 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 6 16:03:59 owl slapd[10661]: conn=37 fd=20 ACCEPT from IP=192.168.1.145:49407 (IP=0.0.0.0:636)
Jun 6 16:03:59 owl slapd[10661]: conn=37 fd=20 closed (TLS negotiation failure)
Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 ACCEPT from IP=192.168.1.145:49408 (IP=0.0.0.0:636)
Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 TLS established tls_ssf=32 ssf=32
Jun 6 16:03:59 owl slapd[10661]: conn=38 op=0 BIND dn="" method=163
Jun 6 16:03:59 owl slapd[10661]: conn=38 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jun 6 16:03:59 owl slapd[10661]: conn=38 op=1 BIND dn="" method=163
Jun 6 16:03:59 owl slapd[10661]: SASL [conn=38] Failure: no secret in database
Jun 6 16:03:59 owl slapd[10661]: conn=38 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Jun 6 16:03:59 owl slapd[10661]: conn=38 op=2 UNBIND
Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 closed
I'm not sure why it's trying to use SASL to authenticate, or even sure if
that's the problem. I ended up creating an empty SASL database, because
originally it kept trying to open one that wasn't there. Do I have to do
some kind of mapping from the SASL database to LDAP?
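As an added example that is not part of the post above, the following Python script reads a trimmed copy of the slapd excerpt and groups it per connection so that the sequence the poster is asking about becomes explicit: the client connects to port 636, one attempt fails the TLS handshake, the next establishes TLS and then sends a BIND with an empty DN and method=163 (the SASL bind method; method=128 is a simple bind). slapd answers err=14 (saslBindInProgress) to the first SASL step, and on the second step the Cyrus SASL library, not the directory entry's userPassword, reports "no secret in database", which slapd returns as err=49 (invalidCredentials). The script also collects the "not indexed" warnings. The sample log, the record layout and the finding texts are constructed for this example; the host name, PID, connection numbers and client address are the post's own values.

```python
import re

# Constructed sample input: a trimmed copy of the slapd log excerpt quoted in
# the post, with the mail client's line wrapping removed. Host name, PID,
# connection numbers and the client IP are the post's own values.
SAMPLE_LOG = """\
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))"
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SRCH attr=userPassword
Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed
Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 6 16:03:58 owl slapd[10661]: conn=35 fd=20 ACCEPT from IP=192.168.1.145:49405 (IP=0.0.0.0:636)
Jun 6 16:03:58 owl slapd[10661]: conn=35 fd=20 closed (TLS negotiation failure)
Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 ACCEPT from IP=192.168.1.145:49406 (IP=0.0.0.0:636)
Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 TLS established tls_ssf=32 ssf=32
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=0 BIND dn="" method=163
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=1 BIND dn="" method=163
Jun 6 16:03:59 owl slapd[10661]: SASL [conn=36] Failure: no secret in database
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Jun 6 16:03:59 owl slapd[10661]: conn=36 op=2 UNBIND
Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 closed
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+:\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="(.*?)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+) text=(.*)")
SASL_FAIL_RE = re.compile(r"SASL \[conn=(\d+)\] Failure: (.*)")
NOT_INDEXED_RE = re.compile(r"bdb_equality_candidates: \((\w+)\) not indexed")
CONN_RE = re.compile(r"conn=(\d+)")

# BIND method codes as slapd writes them (the LDAP AuthenticationChoice tags).
BIND_METHODS = {128: "simple", 163: "SASL"}


def _new_conn(peer=None):
    return {"peer": peer, "tls": None, "binds": [], "sasl_failures": []}


def parse_slapd_log(text):
    """Group a slapd log into per-connection records and collect the
    attributes slapd reported as unindexed."""
    conns = {}
    unindexed = set()
    for line in text.splitlines():
        m = NOT_INDEXED_RE.search(line)
        if m:
            unindexed.add(m.group(1))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            conns[int(m.group(1))] = _new_conn(m.group(2))
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(int(m.group(1)), _new_conn())
        if "TLS established" in line:
            conn["tls"] = True
        elif "closed (TLS negotiation failure)" in line:
            conn["tls"] = False
        m = BIND_RE.search(line)
        if m:
            conn["binds"].append({"op": int(m.group(2)), "dn": m.group(3),
                                  "method": int(m.group(4)), "err": None, "text": ""})
            continue
        m = RESULT_RE.search(line)
        if m:
            op = int(m.group(2))
            for b in conn["binds"]:          # attach the RESULT to its BIND op
                if b["op"] == op:
                    b["err"] = int(m.group(3))
                    b["text"] = m.group(4).strip()
            continue
        m = SASL_FAIL_RE.search(line)
        if m:
            conn["sasl_failures"].append(m.group(2).strip())
    return conns, sorted(unindexed)


def diagnose(conns, unindexed):
    """Turn the parsed records into findings an administrator can act on."""
    findings = []
    for cid, c in sorted(conns.items()):
        if c["tls"] is False:
            findings.append(f"conn={cid} from {c['peer']}: TLS handshake failed before any bind")
        for b in c["binds"]:
            method = BIND_METHODS.get(b["method"], f"unknown({b['method']})")
            if b["err"] == 49:
                findings.append(f"conn={cid}: {method} bind (op={b['op']}, dn={b['dn']!r}) "
                                f"rejected with err=49 invalidCredentials: {b['text']}")
        if c["sasl_failures"]:
            findings.append(f"conn={cid}: the SASL layer, not the directory entry, rejected "
                            "the credential: " + "; ".join(c["sasl_failures"]))
    if unindexed:
        findings.append("equality searches on unindexed attributes: " + ", ".join(unindexed))
    return findings


if __name__ == "__main__":
    conns, unindexed = parse_slapd_log(SAMPLE_LOG)
    for finding in diagnose(conns, unindexed):
        print(finding)
```

Run against the post's full excerpt, the script reports the same pair of findings for conn=37/conn=38 as for conn=35/conn=36, which shows the client repeating the identical SASL attempt rather than falling back to a simple bind. The "not indexed" finding is independent of the authentication failure; it is addressed on the server by adding an equality index for uid and cn (an `index uid,cn eq` directive in slapd.conf, followed by running slapindex with slapd stopped).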