Virtual list view problem
by Venish Khant
Hi all
I am using cpan Net::LDAP module to access LDAP entries. I want to
search LDAP entries using Net::LDAP search method. When I do search, I
want some limited number of entries from search result, for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50
This is my example; line 50 is marked below.
#!/usr/bin/perl -w
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;
sub procentry {
my ( $mesg, $entry) = @_;
# Return if there is no entry to process
if ( !defined($entry) ) {
return;
}
print "dn: " . $entry->dn() . "\n";
@attrs = $entry->attributes();
foreach $attr (@attrs) {
#printf("\t%s: %s\n", $attr, $entry->get_value($attr));
$attrvalue = $entry->get_value($attr,asref=>1);
#print $attr.":". $entry->get_value($attr)."\n";
foreach $value(@$attrvalue) {
print "$attr: $value\n";
}
}
$mesg->pop_entry;
print "\n";
}
$ldap = Net::LDAP->new( "localhost" );
# Get the first 20 entries
$vlv = Net::LDAP::Control::VLV->new(
before => 0, # No entries from before target entry
after => 19, # 19 entries after target entry
content => 0, # List size unknown
offset => 1, # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
@args = ( base => "dc=example,dc=co,dc=in",
scope => "subtree",
filter => "(objectClass=inetOrgPerson)",
callback => \&procentry, # Call this sub for each entry
control => [ $sort, $vlv ],
);
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # line 50 of vlv.pl, where the script dies
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9); # Change page to show 9 before
$vlv->after(10); # Change page to show 10 after
$vlv->assert("B"); # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
6 years, 12 months
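As an added example (not the script from the post), here is the same VLV paging flow with the checks that turn a bare "Died at vlv.pl line 50" into a diagnosable error: the LDAP result code is inspected before the response control is pulled, and the root DSE is checked for the sort and VLV controls first, because a server that does not advertise them answers without a VLV response control and $mesg->control() returns an empty list. Host, base DN, bind DN and password are placeholders.

```perl
#!/usr/bin/perl
# Added example, not the script from the post. Host, base DN, bind DN and
# password are placeholders to be replaced.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_VLVREQUEST
                           LDAP_CONTROL_VLVRESPONSE);

my $ldap = Net::LDAP->new('localhost') or die "connect failed: $@\n";
my $mesg = $ldap->bind('cn=Manager,dc=example,dc=co,dc=in',   # placeholder
                       password => 'REPLACE_ME');              # placeholder
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# VLV is only valid together with server-side sorting, and a server that does
# not advertise both controls in its root DSE answers without a VLV response
# control; $mesg->control() then returns an empty list and "or die" fires.
my $dse = $ldap->root_dse(attrs => ['supportedControl'])
    or die "could not read the root DSE\n";
for my $oid (LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST) {
    die "server does not advertise control $oid\n"
        unless $dse->supported_control($oid);
}

my $sort = Net::LDAP::Control::Sort->new(order => 'cn');
my $vlv  = Net::LDAP::Control::VLV->new(
    before => 0, after => 19, content => 0, offset => 1);   # first 20 entries
my @args = (
    base    => 'dc=example,dc=co,dc=in',
    scope   => 'subtree',
    filter  => '(objectClass=inetOrgPerson)',
    attrs   => ['cn'],
    control => [$sort, $vlv],
);

# Run one page: check the LDAP result code first, then pull the response
# control and feed it back into $vlv so the next request carries the server's
# context cookie and content count. Returns the response control and the
# number of entries on the page.
sub fetch_page {
    my $res = $ldap->search(@args);
    die sprintf("search failed: %s (%d)\n", $res->error, $res->code)
        if $res->code;
    my ($resp) = $res->control(LDAP_CONTROL_VLVRESPONSE)
        or die "search succeeded but carried no VLV response control\n";
    die 'VLV result code ' . $resp->result . "\n" if $resp->result;
    $vlv->response($resp);
    my @entries = $res->entries;
    printf "page starting at %d of %d entries\n",
        $resp->targetOffset, $resp->contentCount;
    printf "  %s\n", $_->get_value('cn') for @entries;
    return ($resp, scalar @entries);
}

# Walk forward a page at a time until the server's content count is reached.
my ($resp, $n) = fetch_page();
while ($n && $resp->targetOffset + $vlv->after < $resp->contentCount) {
    $vlv->scroll_page(1);
    ($resp, $n) = fetch_page();
}
$ldap->unbind;
```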
Certificate authentication and back-ldap proxy
by Ubay Dorta Guerra
Hi,
We have some problems with certificate authentication when the master
server is behind a back-ldap proxy.
We have openldap 2.4.21 on Suse Linux Enterprise Server 10 SP3 and
these are the details of our scenario:
The master server: server1.example.com has the following slapd.conf file:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword,userPKCS12
by self write
by dn.exact="CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" read
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
#
# Security SSL
#
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /etc/ssl/certs/server1.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/server1.example.com.key
TLSCACertificatePath /etc/ssl/cacerts/
TLSVerifyClient demand
#
#Log level
#
loglevel 256
# Require authentication
require authc
#######################################################################
# HDB database definitions
#######################################################################
database hdb
suffix "dc=example,dc=com"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
# Indices to maintain
index objectClass eq
# Overlay ppolicy
overlay ppolicy
----------------------
Authentication is required, and we give access to the user passwords
for the dn of a certificate.
When we search for passwords using the certificate we get the following:
root# ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://server1.example.com userPassword
SASL/EXTERNAL authentication started
SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
dn: uid=user_w_pass,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0=
-----------------------
The root user (ldap client) has a ~/.ldaprc file with:
TLS_CACERTDIR /etc/ssl/cacerts/
TLS_CERT /etc/ssl/certs/admin_w_cert.pem
TLS_KEY /etc/ssl/private/admin_w_cert.key
TLS_REQCERT demand
SASL_MECH EXTERNAL
In /var/log/messages we get:
ldap-master[22358]: conn=1000 fd=11 ACCEPT from IP=server1.example.com:40899 (IP=server1.example.com:636)
ldap-master[22358]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256
ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163
ldap-master[22358]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-master[22358]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-master[22358]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-master[22358]: conn=1000 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap-master[22358]: conn=1000 op=2 UNBIND
ldap-master[22358]: conn=1000 fd=11 closed
This is the correct behavior for us. The problem appears when we
introduce a back-ldap proxy between the client and the master.
The proxy server (proxy-server1.example.com) is listening on port
1636 and its slapd.conf file is:
#
# Security SSL
#
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificatePath /etc/ssl/cacerts/
TLSCertificateFile /etc/ssl/certs/proxy-server1.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/proxy-server1.example.com.key
TLSVerifyClient demand
# Log level
loglevel 256
#######################################################################
# Database definitions
#######################################################################
database ldap
rebind-as-user true
suffix "dc=example,dc=com"
uri "ldaps://server1.example.com"
tls ldaps
tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
tls_key=/etc/ssl/private/proxy-server1.example.com.key
tls_cacertdir=/etc/ssl/cacerts/
----------------------
If we search for passwords through the proxy we get:
root # ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 userPassword
SASL/EXTERNAL authentication started
SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
Server is unwilling to perform (53)
Additional information: authentication required
In the /var/log/messages the following messages appear:
ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636)
ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256
ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163
ldap-proxy[22802]: conn=1001 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text=
ldap-proxy[22802]: conn=1001 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=2 UNBIND
ldap-proxy[22802]: conn=1001 fd=8 closed
The /root/.ldaprc file is the same as the previous one.
When we increase the logging level we discover this:
....
ldap-proxy[23008]: conn=1000 op=0 do_bind
ldap-proxy[23008]: >>> dnPrettyNormal: <>
ldap-proxy[23008]: <<< dnPrettyNormal: <>, <>
ldap-proxy[23008]: conn=1000 op=0 BIND dn="" method=163
ldap-proxy[23008]: do_bind: dn () SASL mech EXTERNAL
ldap-proxy[23008]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
ldap-proxy[23008]: SASL Canonicalize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: slap_sasl_getdn: conn 1000 id=cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au [len=61]
ldap-proxy[23008]: ==>slap_sasl2dn: converting SASL name cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au to a DN
ldap-proxy[23008]: <==slap_sasl2dn: Converted SASL name to <nothing>
ldap-proxy[23008]: SASL Canonicalize [conn=1000]: slapAuthcDN="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: SASL proxy authorize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
ldap-proxy[23008]: send_ldap_sasl: err=0 len=-1
ldap-proxy[23008]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[23008]: do_bind: SASL/EXTERNAL bind: dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" sasl_ssf=0
ldap-proxy[23008]: send_ldap_response: msgid=1 tag=97 err=0
ldap-proxy[23008]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-proxy[23008]: <== slap_sasl_bind: rc=0
....
ldap-proxy[23008]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-proxy[23008]: conn=1000 op=1 SRCH attr=userPassword
ldap-proxy[23008]: ==> limits_get: conn=1000 op=1 self="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" this="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-master[22983]: daemon: activity on 1 descriptor
ldap-master[22983]: daemon: activity on:
ldap-master[22983]:
ldap-master[22983]: slap_listener_activate(7):
ldap-master[22983]: daemon: epoll: listen=7 busy
ldap-master[22983]: >>> slap_listener(ldaps://server1.example.com)
.....
ldap-master[22983]: conn=1000 op=0 do_bind
ldap-master[22983]: >>> dnPrettyNormal: <>
ldap-master[22983]: <<< dnPrettyNormal: <>, <>
ldap-master[22983]: conn=1000 op=0 BIND dn="" method=128
ldap-master[22983]: do_bind: version=3 dn="" method=128
ldap-master[22983]: send_ldap_result: conn=1000 op=0 p=3
ldap-master[22983]: send_ldap_result: err=0 matched="" text=""
ldap-master[22983]: send_ldap_response: msgid=1 tag=97 err=0
ldap-master[22983]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-master[22983]: do_bind: v3 anonymous bind
----------------
Therefore the proxy is binding anonymously in the master, instead of
using the dn of the certificate.
Is there any problem with the SASL EXTERNAL method?
If we use SIMPLE authentication through the proxy, there is no problem:
root # ldapsearch -LLL -x -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W userPassword
Enter LDAP Password:
dn: uid=user_w_pass,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0=
Thanks in advance.
12 years, 5 months
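An added configuration example, not the poster's files: back-ldap's rebind-as-user can only replay credentials the proxy actually holds, and for a SASL/EXTERNAL client there is neither a password nor a private key to replay, which is why the upstream bind in the logs is anonymous. The identity-assertion setup below has the proxy bind upstream with its own certificate and assert the client's certificate DN through proxy authorization. The proxy's own certificate subject, the entry it is mapped to, and the DN pattern are assumptions to adapt.

```conf
##### proxy-server1.example.com: back-ldap database, replacing rebind-as-user #####
database       ldap
suffix         "dc=example,dc=com"
uri            "ldaps://server1.example.com"
tls            ldaps
               tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
               tls_key=/etc/ssl/private/proxy-server1.example.com.key
               tls_cacertdir=/etc/ssl/cacerts/
# Bind upstream as the proxy itself (its own client certificate, SASL/EXTERNAL)
# and assert the identity the client authenticated with at the proxy (mode=self).
idassert-bind  bindmethod=sasl saslmech=EXTERNAL mode=self
               tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
               tls_key=/etc/ssl/private/proxy-server1.example.com.key
               tls_cacertdir=/etc/ssl/cacerts/
# Only identities that the proxy authenticated from a client certificate may be
# asserted. The pattern is matched against the normalized (lower-cased) DN, the
# form that appears in the logs.
idassert-authzFrom "dn.regex:^cn=[^,]+,o=internet widgits pty ltd,st=some-state,c=au$"

##### server1.example.com: additions to the master slapd.conf #####
# Map the proxy's certificate subject (placeholder) to an entry in the DIT, and
# allow that entry to authorize as the client DNs it forwards.
authz-regexp
    "^cn=proxy-server1.example.com,o=internet widgits pty ltd,st=some-state,c=au$"
    "cn=ldap-proxy,ou=services,dc=example,dc=com"
authz-policy to
# The mapped entry (created separately, placeholder DN) carries the matching rule:
#   authzTo: dn.regex:^cn=[^,]+,o=internet widgits pty ltd,st=some-state,c=au$
```

With this in place the master's existing ACL (by dn.exact="CN=admin_w_cert,..." read) sees the asserted client DN instead of an anonymous bind; the proxy's certificate must still pass the master's TLSVerifyClient demand.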
comp match module has unusable X509 cert code
by Lehnert, Hartmut
Hi all!
I have performed some tests with the comp match module (yes it runs if
you work around ITS 6556 ;-)).
The result is that the comp match module only works with very simple
X509 certs that use old algorithms!
For example if you use X509 certificates with long serial numbers the
snacc generated asn.1 parser (contained in file certificate.c) fails
decoding the serial number.
Another drawback: The attributes in Name components subject and issuer
(cn, c, o, ou) have to be PrintableStrings; if for example there is an
UTF8String present in the issuer the asn.1 parser fails decoding the
issuer.
All modern algorithms (sha256WithRSA, sha512WithRSA) are not recognized
by the parser; if your X509 certificate is signed with sha256WithRSA the
asn.1 parser fails decoding the AlgorithmIdentifier.
In modern times these drawbacks aren't acceptable. Another appropriate
asn.1 module for the X509 certificate structure has to be compiled with
the openldap esnacc compiler. I would have done this but the openldap
esnacc fails parsing its own modules!!!
See something like this:
openldap@ocsp-openldap24:~/Certificate> ~/openldap-snacc-2.3.6/compiler/esnacc -E BER_COMP -E GSER -t -d -f -I /home/openldap/openldap-snacc-2.3.6/asn1specs -I . Certificate.asn1
/home/openldap/openldap-snacc-2.3.6/asn1specs/asn1module.asn1(91) : parse error at symbol ""OID""
Parsing errors---cannot proceed
The code in the asn.1 module:
88 ModuleId ::= SEQUENCE
89 {
90     name MyString,
91     oid OBJECT IDENTIFIER OPTIONAL --snacc cTypeName:"OID" isPtr:"TRUE"
92 }
93
Does anybody know how the esnacc error can be avoided?
Regards,
Hartmut
12 years, 9 months
Re: Configuring slapd.conf-less OpenLDAP
by Benjamin Griese
Good morning.
Please set logging in your hdb/bdb config ldif.
This logfile should be the default.
Please be sure to always reply to the mailinglist.
Bye
On 29.06.2010 08:05, "Braden McDaniel" <braden(a)endoframe.com> wrote:
On Wed, 2010-06-23 at 18:35 +0200, Benjamin Griese wrote:
> There is no cleartext because even that ...
Hm... I've tried base64-encoding the value for olcRootPW; still no
luck. :-(
> What does your logfile say to your invalid passwd?
>
> Enable logging by setting the loglevel to...
I've added
olcLogLevel: 256
to cn=config.ldif. But I'm not seeing anything in /var/log/messages.
Are the log messages going somewhere else?
--
Braden McDaniel <braden(a)endoframe.com>
12 years, 10 months
OpenLDAP, PADL and querying multiple ADs
by Markus
Hello list,
I'm on SLES 11 and the mission is to allow Active Directory (AD) users to
log in to Linux. The difficulty is that those users are stored in two
separate ADs which have no connection to each other. Both ADs are running
on Windows 2003 R2 (or later) and I'm using the LDAP PADL NSS
(/etc/ldap.conf) implementation to map the UNIX attributes that are stored
in the AD to local values (homedir, shell, UID/GID etc.). So far so good,
everything works fine (getent passwd, PAM logins).
Now, when searching for a solution on how to query two ADs via LDAP at the
same time it seems like OpenLDAP supports multiple LDAP search bases, and
there was also a mentioning of the translucent overlay feature, so I
suppose using OpenLDAP I could fetch the UNIX attributes from both ADs
simultaneously.
What completely puzzles me is the NSS/PAM configuration and how PADL NSS
and OpenLDAP interact, or rather don't interact:
- If I configure OpenLDAP (/etc/openldap/ldap.conf) instead of PADL NSS
(/etc/ldap.conf) how do I configure NSS/PAM for OpenLDAP? I need "getent
passwd" and "getent group" and of course PAM logins to work. E.g. getent
passwd has to give me back all users from BOTH ADs that have UNIX
attributes stored. But since there seems to be only the PADL NSS module in
existence (/lib/libnss_ldap.so.2), I am clueless on how to integrate the
OpenLDAP variant. Shouldn't there be something like
/lib/libnss_openldap.so and shouldn't I be able to add something like
"passwd: compat openldap" to /etc/nsswitch.conf? I guess not, but I don't
understand why.
- So that leaves me with the idea of *somehow* fetching the UNIX
attributes from both ADs via OpenLDAP, set up a local OpenLDAP server to
store this information in, and then using the PADL NSS module to query it.
I'm not sure if this is the right approach or if this is even technically
feasible. Is there maybe an easier way with less overhead (e.g. no OpenLDAP
server required)?
Thank you very much for any hints or pointers that you might share with
me! I'm really lost...
Best regards
Markus
12 years, 10 months
meta setup
by Gidobo 69
Hi,
I plan to set up a meta directory. It looks like a normal one according to
the openldap descriptions so I was surprised that I was unable to find any
howto/faq/forum entry/mailing about it.
Let me describe it:
I have a heterogeneous system and want to have a common ldap system for it.
Here is what I have now:
Two AD domains
An openldap db for a software with internal users.
My aim:
- To be able to authenticate a domain user from either AD.
- To have non-AD users as well.
- To have non-AD attributes for all three.
So for authentication:
If user is an AD user -> authenticate from appropriate DC
If user is a non-AD one -> authenticate from openldap
I want non-AD attributes added to AD users as well.
If an attribute doesn't exist for an AD user in openldap ask the
appropriate DC.
This way I could use AD users and their groups through openldap, have
independent non-AD users and have attributes for all users in openldap local
db regardless of authentication source.
Have I missed something and this is too 'exotic'?
Example:
ad1.company.com -> AD1 users, authenticates from DC1
ad2.company.com -> AD2 users, authenticates from DC2
ldap.company.com -> 'other' users, authenticates from openldap local db
Attributes mapped. If the user is an AD one and the attribute doesn't exist in
the local DB, proxy the query to AD.
Thanks in advance
Gidobo
12 years, 10 months
ACL to allow an attribute to be cleared, but not changed to something else?
by Tim Gustafson
Hi,
I'd like to let my account managers clear the passwords of their managees in the event that an employee is no longer active. So, I've got an ACL like this:
access to attrs=userPassword,sambaNTPassword
by set="this/manager & user" write
by * break
But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want.
Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute?
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg(a)soe.ucsc.edu
831-459-5354
12 years, 11 months
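An added example, not the poster's ACL: OpenLDAP 2.4's slapd.access(5) splits the write privilege into add (=a) and delete (=z), and the delete access level grants removal of existing values without the right to add new ones. A modify that clears the attribute only needs delete, while a replace with a new password also needs add on the new value and is refused.

```conf
# Managers may remove an employee's password values but not add or replace them.
access to attrs=userPassword,sambaNTPassword
    by set="this/manager & user" delete
    by * break

# Verify the effect offline with slapacl before deploying (DNs are placeholders):
#   slapacl -f /etc/openldap/slapd.conf \
#       -D "uid=mgr,ou=people,dc=example,dc=com" \
#       -b "uid=emp,ou=people,dc=example,dc=com" \
#       userPassword/delete userPassword/add
# Expected: delete is ALLOWED and add is DENIED for the manager.
```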
Adding Schema
by Alexander Erameh
Hi,
Just joined this list, so please pardon me for any mistakes.
I have been trying to add "CourierMailAccount" object class and "qmailUser"
object class for days without success. I created a schema file and defined
the Attributetypes and Object classes and added the file in the Include
statement in slapd.conf but SLAPD does not seem to recognize the new object
classes.
When I try to add users to the Database using LDAPADD, I get the error
message below:
"ldap_add: Invalid syntax (21)
additional info: objectClass:value #2 invalid per syntax"
The #2 objectClass is "qmailuser".
Suggestions and advice will be appreciated.
Alexander
12 years, 11 months
LDAP proxy with local database
by Tunguskin Petr
Hello.
I have one program which can authenticate against an LDAP server or Active Directory with read access.
I need to authenticate extra users, but I can't add them to Active Directory for security reasons. The program can work with only one LDAP source.
I have tried to use the openldap chain overlay to join local and remote LDAP databases with referrals. Search works fine, but the bind operation doesn't work; openldap writes this error:
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Is it possible to bind to remote LDAP records with chain overlay?
------------------------------------------
database bdb
suffix "dc=local"
rootdn "cn=ldapadmin,dc=local"
rootpw 12345678
directory /var/lib/ldap
overlay chain
chain-uri "ldap://10.1.1.1/"
chain-rebind-as-user TRUE
chain-cache-uri true
chain-chaining resolve=chainingRequired continuation=chainingRequired
chain-idassert-bind bindmethod="simple" binddn="cn=ldapuser,cn=Users,dc=test,dc=local" credentials="123" mode="none"
----------------------------------------
Could you recommend another solution?
Thank you
--
12 years, 11 months
SASL auth not working
by Diego Lima
Hello all,
I'm trying to set up openldap to authenticate using my kerberos
service, but I'm not having success so far. I've already set up MIT
Kerberos V and I can successfully get tickets from it:
root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS
Valid starting Expires Service principal
06/23/10 09:44:49 06/23/10 19:44:49 krbtgt/USERS@USERS
renew until 06/24/10 09:44:46
I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."
The saslauthd output looks like this:
saslauthd[28383] :rel_accept_lock : released accept lock
saslauthd[28385] :get_accept_lock : acquired accept lock
saslauthd[28383] :do_auth : auth success:
[user=diego.lima@USERS] [service=imap] [realm=] [mech=kerberos5]
saslauthd[28383] :do_request : response: OK
I've set up my user account on LDAP like this:
dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
krbPrincipalName: diego.lima@USERS
krbPrincipalKey:: (big key)
krbLastPwdChange: 20100622215607Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
structuralObjectClass: krbPrincipal
entryUUID: b4d16a7a-1294-102f-8f9b-2759be64cd18
creatorsName: cn=admin,dc=domain,dc=com,dc=br
createTimestamp: 20100622215607Z
uid: diego.lima
uidNumber: 10001
gidNumber: 10001
cn: diego.lima
homeDirectory: /home/diego.lima
loginShell: /bin/bash
userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw==
krbLastSuccessfulAuth: 20100623124649Z
krbLoginFailedCount: 0
krbExtraData:: (data)
krbExtraData:: (data)
entryCSN: 20100623124649.354631Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=com,dc=br
modifyTimestamp: 20100623124649Z
The userPassword value translates to {SASL}diego.lima@USERS
When I try to do an authenticated search on LDAP I see the following:
# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
And on the slapd output:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=zero
>>> slap_listener(ldap:///)
daemon: listen=7, new connection on 18
daemon: added 18r (active) listener=(nil)
conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=8
0000: 30 53 02 01 01 60 4e 02 0S...`N.
ldap_read: want=77, got=77
0000: 01 03 04 41 6b 72 62 50 72 69 6e 63 69 70 61 6c ...AkrbPrincipal
0010: 4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69 6d 61 40 Name=diego.lima@
0020: 55 53 45 52 53 2c 63 6e 3d 55 53 45 52 53 2c 64 USERS,cn=USERS,d
0030: 63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63 6f 6d 2c c=domain,dc=com,
0040: 64 63 3d 62 72 80 06 31 32 33 34 35 36 dc=br..123456
ber_get_next: tag 0x30 len 83 contents:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d0 end=0x1cc7423 len=83
0000: 02 01 01 60 4e 02 01 03 04 41 6b 72 62 50 72 69 ...`N....AkrbPri
0010: 6e 63 69 70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f ncipalName=diego
0020: 2e 6c 69 6d 61 40 55 53 45 52 53 2c 63 6e 3d 55 .lima@USERS,cn=U
0030: 53 45 52 53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64 SERS,dc=domain,d
0040: 63 3d 63 6f 6d 2c 64 63 3d 62 72 80 06 31 32 33 c=com,dc=br..123
0050: 34 35 36 456
op tag 0x60, time 1277298275
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=35 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d3 end=0x1cc7423 len=80
0000: 60 4e 02 01 03 04 41 6b 72 62 50 72 69 6e 63 69 `N....AkrbPrinci
0010: 70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69 palName=diego.li
0020: 6d 61 40 55 53 45 52 53 2c 63 6e 3d 55 53 45 52 ma@USERS,cn=USER
0030: 53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63 S,dc=domain,dc=c
0040: 6f 6d 2c 64 63 3d 62 72 80 06 31 32 33 34 35 36 om,dc=br..123456
ber_scanf fmt (m}) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc741b end=0x1cc7423 len=8
0000: 00 06 31 32 33 34 35 36 ..123456
>>> dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>
=> ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br,0)
<= ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br)=0
<<< dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>, <krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br>
conn=35 op=0 BIND dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
do_bind: version=3 dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
==> hdb_bind: dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
bdb_dn2entry("krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br")
=> access_allowed: auth access to "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=domain,dc=com,dc=br
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
send_ldap_result: conn=35 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 18
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
conn=35 op=0 RESULT tag=97 err=49 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 18 failed errno=0 (Success)
connection_read(18): input error=-2 id=35, closing.
connection_closing: readying conn=35 sd=18 for close
connection_close: conn=35 sd=18
daemon: removing 18
conn=35 fd=18 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
I see nothing on the saslauthd output when I try to log in. Did I miss
anything? Please note that I'm trying to use the same kerberos
principal as my user, and this is intended. I did try adding another
user (account and posixAccount objectClasses) with a separate kerberos
principal and that did not work either.
Lastly, here is my slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/kerberos.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
sizelimit 500
tool-threads 1
backend hdb
database hdb
suffix "dc=domain,dc=com,dc=br"
rootdn "cn=admin,dc=domain,dc=com,dc=br"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange,krbPrincipalKey,krbLastPwdChange
by dn="cn=admin,dc=domain,dc=com,dc=br" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=admin,dc=domain,dc=com,dc=br" write
by * read
Thanks for the help!
--
Diego Lima
12 years, 11 months
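An added configuration example, not from the original post: a userPassword of the form {SASL}user@realm makes slapd hand a simple-bind password to Cyrus SASL's password-check function rather than comparing it locally, which requires slapd built with --enable-spasswd and a Cyrus SASL configuration for the "slapd" application that routes checks to saslauthd. The socket path is the Cyrus default and the file location varies by distribution; both are assumptions to verify on the system in question.

```conf
# Cyrus SASL application config read by slapd (for example
# /usr/lib/sasl2/slapd.conf, /etc/sasl2/slapd.conf or /etc/ldap/sasl2/slapd.conf,
# depending on how the distribution built libsasl2).
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# saslauthd must run with the mechanism seen in the testsaslauthd log above
# (saslauthd -a kerberos5), and the user slapd runs as needs permission to open
# the mux socket. Exercise the same path slapd takes, splitting the {SASL}
# value into user and realm and naming the ldap service:
#   testsaslauthd -u diego.lima -r USERS -s ldap -p 'password'
# A bind that never shows up in the saslauthd log means slapd is not reaching
# saslauthd at all (no --enable-spasswd, wrong config file, or socket permissions).
```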