openldap-technical June 2010

openldap-technical@openldap.org

104 participants
113 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Certificate authentication and back-ldap proxy
by Ubay Dorta Guerra 27 Dec '10

27 Dec '10

Hi, We have some problems with certificate authentication when the master server is behind a back-ldap proxy. We have openldap 2.4.21 on Suse Linux Enterprise Server 10 SP3 and these are the details of our scenario: The master server: server1.example.com has the following slapd.conf file: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by dn.exact="CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" read by * auth access to attrs=shadowLastChange by self write by * read access to * by * read # # Security SSL # TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCertificateFile /etc/ssl/certs/server1.example.com.pem TLSCertificateKeyFile /etc/ssl/private/server1.example.com.key TLSCACertificatePath /etc/ssl/cacerts/ TLSVerifyClient demand # #Log level # loglevel 256 # Require authentication require authc ####################################################################### # HDB database definitions ####################################################################### database hdb suffix "dc=example,dc=com" checkpoint 1024 5 cachesize 10000 rootdn "cn=Manager,dc=example,dc=com" rootpw secret # Indices to maintain index objectClass eq # Overlay ppolicy overlay ppolicy ---------------------- Authentication is required, and we give access to the user passwords for the dn of a certificate. When we search for passwords using the certificate we get the following: root# ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://server1.example.com userPassword SASL/EXTERNAL authentication started SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU SASL SSF: 0 dn: uid=user_w_pass,ou=people,dc=example,dc=com userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0= ----------------------- The root user (ldap client) has a ~/.ldaprc file with: TLS_CACERTDIR /etc/ssl/cacerts/ TLS_CERT /etc/ssl/certs/admin_w_cert.pem TLS_KEY /etc/ssl/private/admin_w_cert.key TLS_REQCERT demand SASL_MECH EXTERNAL In /var/log/messages we get: ldap-master[22358]: conn=1000 fd=11 ACCEPT from IP=server1.example.com:40899 (IP=server1.example.com:636) ldap-master[22358]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256 ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163 ldap-master[22358]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-master[22358]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-master[22358]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-master[22358]: conn=1000 op=1 SRCH attr=userPassword ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= ldap-master[22358]: conn=1000 op=2 UNBIND ldap-master[22358]: conn=1000 fd=11 closed This is the correct behavior for us. The problem appears when we introduce a back-ldap proxy between the client and the master. The proxy server (proxy-server1.example.com) is listening in port 1636 and its slapd.conf file is: # # Security SSL # TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCACertificatePath /etc/ssl/cacerts/ TLSCertificateFile /etc/ssl/certs/proxy-server1.example.com.pem TLSCertificateKeyFile /etc/ssl/private/proxy-server1.example.com.key TLSVerifyClient demand # Log level loglevel 256 ####################################################################### # Database definitions ####################################################################### database ldap rebind-as-user true suffix "dc=example,dc=com" uri "ldaps://server1.example.com" tls ldaps tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem tls_key=/etc/ssl/private/proxy-server1.example.com.key tls_cacertdir=/etc/ssl/cacerts/ ---------------------- If we search for passwords through the proxy we get: root # ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 userPassword SASL/EXTERNAL authentication started SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU SASL SSF: 0 Server is unwilling to perform (53) Additional information: authentication required In the /var/log/messages the following messages appear: ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636) ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256 ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163 ldap-proxy[22802]: conn=1001 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text= ldap-proxy[22802]: conn=1001 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword ldap-master[22358]: conn=1008 op=2 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required ldap-proxy[22802]: conn=1001 op=2 UNBIND ldap-proxy[22802]: conn=1001 fd=8 closed The /root/.ldaprc file is the same than the previous one. When we increase the logging level we discover this: .... ldap-proxy[23008]: conn=1000 op=0 do_bind ldap-proxy[23008]: >>> dnPrettyNormal: <> ldap-proxy[23008]: <<< dnPrettyNormal: <>, <> ldap-proxy[23008]: conn=1000 op=0 BIND dn="" method=163 ldap-proxy[23008]: do_bind: dn () SASL mech EXTERNAL ldap-proxy[23008]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0 ldap-proxy[23008]: SASL Canonicalize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: slap_sasl_getdn: conn 1000 id=cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au [len=61] ldap-proxy[23008]: ==>slap_sasl2dn: converting SASL name cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au to a DN ldap-proxy[23008]: <==slap_sasl2dn: Converted SASL name to <nothing> ldap-proxy[23008]: SASL Canonicalize [conn=1000]: slapAuthcDN="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: SASL proxy authorize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: SASL Authorize [conn=1000]: proxy authorization allowed authzDN="" ldap-proxy[23008]: send_ldap_sasl: err=0 len=-1 ldap-proxy[23008]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-proxy[23008]: do_bind: SASL/EXTERNAL bind: dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" sasl_ssf=0 ldap-proxy[23008]: send_ldap_response: msgid=1 tag=97 err=0 ldap-proxy[23008]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-proxy[23008]: <== slap_sasl_bind: rc=0 .... ldap-proxy[23008]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-proxy[23008]: conn=1000 op=1 SRCH attr=userPassword ldap-proxy[23008]: ==> limits_get: conn=1000 op=1 self="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" this="uid=user_w_pass,ou=people,dc=example,dc=com" ldap-master[22983]: daemon: activity on 1 descriptor ldap-master[22983]: daemon: activity on: ldap-master[22983]: ldap-master[22983]: slap_listener_activate(7): ldap-master[22983]: daemon: epoll: listen=7 busy ldap-master[22983]: >>> slap_listener(ldaps://server1.example.com) ..... ldap-master[22983]: conn=1000 op=0 do_bind ldap-master[22983]: >>> dnPrettyNormal: <> ldap-master[22983]: <<< dnPrettyNormal: <>, <> ldap-master[22983]: conn=1000 op=0 BIND dn="" method=128 ldap-master[22983]: do_bind: version=3 dn="" method=128 ldap-master[22983]: send_ldap_result: conn=1000 op=0 p=3 ldap-master[22983]: send_ldap_result: err=0 matched="" text="" ldap-master[22983]: send_ldap_response: msgid=1 tag=97 err=0 ldap-master[22983]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-master[22983]: do_bind: v3 anonymous bind ---------------- Therefore the proxy is binding anonymously in the master, instead of using the dn of the certificate. Is there any problem with the SASL EXTERNAL method? If we use SIMPLE authentication through the proxy, there is no problem: root # ldapsearch -LLL -x -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W userPassword Enter LDAP Password: dn: uid=user_w_pass,ou=people,dc=example,dc=com userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0= Thanks in advance. --------------------------------------------------------------------------------------------- ADVERTENCIA: Sobre la privacidad y cumplimiento de la Ley de Protección de Datos, acceda a http://www.iac.es/disclaimer.php WARNING: For more information on privacy and fulfilment of the Law concerning the Protection of Data, consult http://www.iac.es/disclaimer.php?lang=en

3 4

comp match module has unusable X509 cert code
by Lehnert, Hartmut 10 Aug '10

10 Aug '10

Hi all! I have performed some tests with the comp match module (yes it runs if you work around ITS 6556 ;-)). The result is that the comp match module only works with very simple X509 certs that use old algorithms! For example if you use X509 certificates with long serial numbers the snacc generated asn.1 parser (contained in file certificate.c) fails decoding the serial number. Another drawback: The attributes in Name components subject and issuer (cn, c, o, ou) have to be PrintableStrings; if for example there is an UTF8String present in the issuer the asn.1 parser fails decoding the issuer. All modern algorithms (sha256WithRSA, sha512WithRSA) are not recognized by the parser; if your X509 certificate is signed with sha256WithRSA the asn.1 parser fails decoding the AlgorithmIdentifier. In modern times these drawbacks aren't acceptable. Another appropriate asn.1 module for the X509 certificate structure has to be compiled with the openldap esnacc compiler. I would have done this but the openldap esnacc fails parsing its own modules!!! See something like this: openldap@ocsp-openldap24:~/Certificate> ~/openldap-snacc-2.3.6/compiler/esnacc -E BER_COMP -E GSER -t -d -f -I /home/openldap/openldap-snacc-2.3.6/asn1specs -I . Certificate.asn1 /home/openldap/openldap-snacc-2.3.6/asn1specs/asn1module.asn1(91) : parse error at symbol ""OID"" Parsing errors---cannot proceed The code in the asn.1 module: 88 ModuleId ::= SEQUENCE 89 { 90 name MyString, 91 oid OBJECT IDENTIFIER OPTIONAL --snacc cTypeName:"OID" isPtr:"TRUE" 92 } 93 Does anybody know how the esnacc error can be avoided? Regards, Hartmut

5 33

Re: Configuring slapd.conf-less OpenLDAP
by Benjamin Griese 17 Jul '10

17 Jul '10

Good morning. Please set logging in your hdb/bdb config ldif. This logfile should be the default. Please be sure to always reply to the mailinglist. Bye Am 29.06.2010 08:05 schrieb "Braden McDaniel" <braden(a)endoframe.com>: On Wed, 2010-06-23 at 18:35 +0200, Benjamin Griese wrote: > There is no cleartext because even that ... Hm... I've tried base64-encoding the value for olcRootPW; still no luck. :-( > What does your logfile say to your invalid passwd? > > Enable logging by setting the loglevel to... I've added olcLogLevel: 256 to cn=config.ldif. But I'm not seeing anything in /var/log/messages. Are the log messages going somewhere else? -- Braden McDaniel <braden(a)endoframe.com>

3 4

OpenLDAP, PADL and querying multiple ADs
by Markus 07 Jul '10

07 Jul '10

Hello list, I'm on SLES 11 and the mission is to allow Active Directory (AD) users to log in to Linux. The difficulty is that those users are stored in two separate ADs which have no connection to each other. Both ADs are running on Windows 2003 R2 (or later) and I'm using the LDAP PADL NSS (/etc/ldap.conf) implementation to map the UNIX attributes that are stored in the AD to local values (homedir, shell, UID/GID etc.). So far so good, everything works fine (getent passwd, PAM logins). Now, when searching for a solution on how to query two ADs via LDAP at the same time it seems like OpenLDAP supports multiple LDAP search bases, and there was also a mentioning of the translucent overlay feature, so I suppose using OpenLDAP I could fetch the UNIX attributes from both ADs simultaneously. What completely puzzles me is the NSS/PAM configuration and how PADL NSS and OpenLDAP interact respectively not interact: - If I configure OpenLDAP (/etc/openldap/ldap.conf) instead of PADL NSS (/etc/ldap.conf) how do I configure NSS/PAM for OpenLDAP? I need "getent passwd" and "getent group" and of course PAM logins to work. E.g. getent passwd has to give me back all users from BOTH ADs that have UNIX attributes stored. But since there seems to be only the PADL NSS module in existance (/lib/libnss_ldap.so.2), I am clueless on how to integrate the OpenLDAP variant. Shouldn't there be something like /lib/libnss_openldap.so and shouldn't I be able to add something like "passwd: compat openldap" to /etc/nsswitch.conf? I guess not, but I don't understand why. - So that leaves me with the idea of *somehow* fetching the UNIX attributes from both ADs via OpenLDAP, set up a local OpenLDAP server to store this information in, and then using the PADL NSS module to query it. I'm not sure if this is the right approach or if this is even technically feasible. Is there maybe a easier way with less overhead (e.g. no OpenLDAP server required). Thank you very much for any hints or pointers that you might share with me! I'm really lost... Best regards Markus

4 6

meta setup
by Gidobo 69 05 Jul '10

05 Jul '10

Hi, I plan to set up a meta directory. It looks like a normal one according to the openldap descriptions so I was surprised that I was unable to find any howto/faq/forum entry/mailing about it. Let me describe it: I have a heterogeneous system and want to have a common ldap system for it. Here is what I have now: Two AD domains An openldap db for a software with internal users. My aim: - To be able to authenticate a domain user from either AD. - To have non-AD users as well. - To have non-AD attributes for all three. So for authentication: If user is an AD user -> authenticate from appropriate DC If user is a non-AD one -> authenticate from openldap If I want non-AD attribute added to AD users as well. If an attribute doesn't exist for an AD user in openldap ask the appropriate DC. This way I could user AD users and their groups through openldap, have independent non-AD users and have attributes for all users in openldap local db regardless of authentication source. Have I missed something and this is too 'exotic'? Example: ad1.company.com -> AD1 users, authenticates from DC1 ad2.company.com -> AD2 users, authenticates from DC2 ldap.company.com -> 'other' users, authenticates from openldap local db Attributes mapped. If user is an AD one and attribute doesn't exists in local DB, proxy the query to AD. Thanks in advance Gidobo

1 1

ACL to allow an attribute to be cleared, but not changed to something else?
by Tim Gustafson 01 Jul '10

01 Jul '10

Hi, I'd like to let my account managers to clear the passwords of their managees in the event that an employee is no longer active. So, I've got an ACL like this: access to attrs=userPassword,sambaNTPassword by set="this/manager & user" write by * break But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want. Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute? Tim Gustafson Baskin School of Engineering UC Santa Cruz tjg(a)soe.ucsc.edu 831-459-5354

5 10

Adding Schema
by Alexander Erameh 01 Jul '10

01 Jul '10

Hi, Just joined this list, so please pardon me for any mistakes. I have been trying to add "CourierMailAccount" object class and "qmailUser" object class for days without success. I created a schema file and defined the Attributetypes and Object classes and added the file in the Include statement in slapd.conf but SLAPD does not seem to recognize the new object classes. When I try to add users to the Database using LDAPADD, I get the error message below: "ldap_add: Invalid syntax (21) additional info: objectClass:value #2 invalid per syntax" The #2 objectClass is "qmailuser". Suggestions and advice will be appreciated. Alexander <file:///C:\Program%20Files\Common%20Files\Microsoft%20Shared\Stationery\fie ruled.gif>

2 5

LDAP proxy with local database
by Tunguskin Petr 01 Jul '10

01 Jul '10

Hello. I have one program which can authenticate with LDAP server and Active Directory with read access. I need to authenticate extra users, but I can't add them to Active Directory for security reasons. Program can work with only one LDAP source. I have tryed to use openldap chain overlay to join local and remote LDAP databases with refferals. Search works fine, but bind operation doesn't work, openldap writes error: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) Is it possible to bind to remote LDAP records with chain overlay? ------------------------------------------ database bdb suffix "dc=local" rootdn "cn=ldapadmin,dc=local" rootpw 12345678 directory /var/lib/ldap overlay chain chain-uri "ldap://10.1.1.1/" chain-rebind-as-user TRUE chain-cache-uri true chain-chaining resolve=chainingRequired continuation=chainingRequired chain-idassert-bind bindmethod="simple" binddn="cn=ldapuser,cn=Users,dc=test,dc=local" credentials="123" mode="none" ---------------------------------------- Could you recommend another solution? Thank you --

3 2

SASL auth not working
by Diego Lima 30 Jun '10

30 Jun '10

Hello all, I'm trying to set up openldap to authenticate using my kerberos service, but I'm not having success so far. I've already set up MIT Kerberos V and I can successfully get tickets from it: root@filesystem:~# kinit diego.lima Password for diego.lima@USERS: root@filesystem:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: diego.lima@USERS Valid starting Expires Service principal 06/23/10 09:44:49 06/23/10 19:44:49 krbtgt/USERS@USERS renew until 06/24/10 09:44:46 I've also set up SASL to use the kerberos5 auth mechanism and it seems to work: root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456 0: OK "Success." The saslauthd output looks like this: saslauthd[28383] :rel_accept_lock : released accept lock saslauthd[28385] :get_accept_lock : acquired accept lock saslauthd[28383] :do_auth : auth success: [user=diego.lima@USERS] [service=imap] [realm=] [mech=kerberos5] saslauthd[28383] :do_request : response: OK I've set up my user account on LDAP like this: dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br krbPrincipalName: diego.lima@USERS krbPrincipalKey:: (big key) krbLastPwdChange: 20100622215607Z objectClass: krbPrincipal objectClass: krbPrincipalAux objectClass: krbTicketPolicyAux objectClass: posixAccount structuralObjectClass: krbPrincipal entryUUID: b4d16a7a-1294-102f-8f9b-2759be64cd18 creatorsName: cn=admin,dc=domain,dc=com,dc=br createTimestamp: 20100622215607Z uid: diego.lima uidNumber: 10001 gidNumber: 10001 cn: diego.lima homeDirectory: /home/diego.lima loginShell: /bin/bash userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw== krbLastSuccessfulAuth: 20100623124649Z krbLoginFailedCount: 0 krbExtraData:: (data) krbExtraData:: (data) entryCSN: 20100623124649.354631Z#000000#000#000000 modifiersName: cn=admin,dc=domain,dc=com,dc=br modifyTimestamp: 20100623124649Z The userPassword value translates to {SASL}diego.lima@USERS When I try to do an authenticated search on LDAP I see the following: # ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W Enter LDAP Password: ldap_bind: Invalid credentials (49) And on the slapd output: daemon: activity on 1 descriptor daemon: activity on: slap_listener_activate(7): daemon: epoll: listen=7 busy daemon: epoll: listen=8 active_threads=0 tvp=zero >>> slap_listener(ldap:///) daemon: listen=7, new connection on 18 daemon: added 18r (active) listener=(nil) conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389) daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 18r daemon: read active on 18 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero connection_get(18) connection_get(18): got connid=35 connection_read(18): checking for input on id=35 ber_get_next ldap_read: want=8, got=8 0000: 30 53 02 01 01 60 4e 02 0S...`N. ldap_read: want=77, got=77 0000: 01 03 04 41 6b 72 62 50 72 69 6e 63 69 70 61 6c ...AkrbPrincipal 0010: 4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69 6d 61 40 Name=diego.lima@ 0020: 55 53 45 52 53 2c 63 6e 3d 55 53 45 52 53 2c 64 USERS,cn=USERS,d 0030: 63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63 6f 6d 2c c=domain,dc=com, 0040: 64 63 3d 62 72 80 06 31 32 33 34 35 36 dc=br..123456 ber_get_next: tag 0x30 len 83 contents: ber_dump: buf=0x1cc73d0 ptr=0x1cc73d0 end=0x1cc7423 len=83 0000: 02 01 01 60 4e 02 01 03 04 41 6b 72 62 50 72 69 ...`N....AkrbPri 0010: 6e 63 69 70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f ncipalName=diego 0020: 2e 6c 69 6d 61 40 55 53 45 52 53 2c 63 6e 3d 55 .lima@USERS,cn=U 0030: 53 45 52 53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64 SERS,dc=domain,d 0040: 63 3d 63 6f 6d 2c 64 63 3d 62 72 80 06 31 32 33 c=com,dc=br..123 0050: 34 35 36 456 op tag 0x60, time 1277298275 ber_get_next ldap_read: want=8 error=Resource temporarily unavailable conn=35 op=0 do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x1cc73d0 ptr=0x1cc73d3 end=0x1cc7423 len=80 0000: 60 4e 02 01 03 04 41 6b 72 62 50 72 69 6e 63 69 `N....AkrbPrinci 0010: 70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69 palName=diego.li 0020: 6d 61 40 55 53 45 52 53 2c 63 6e 3d 55 53 45 52 ma@USERS,cn=USER 0030: 53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63 S,dc=domain,dc=c 0040: 6f 6d 2c 64 63 3d 62 72 80 06 31 32 33 34 35 36 om,dc=br..123456 ber_scanf fmt (m}) ber: ber_dump: buf=0x1cc73d0 ptr=0x1cc741b end=0x1cc7423 len=8 0000: 00 06 31 32 33 34 35 36 ..123456 >>> dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br> => ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br,0) <= ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0 => ldap_dn2bv(272) <= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0 => ldap_dn2bv(272) <= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br)=0 <<< dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>, <krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br> conn=35 op=0 BIND dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128 do_bind: version=3 dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128 ==> hdb_bind: dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br bdb_dn2entry("krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br") => access_allowed: auth access to "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" "userPassword" requested => acl_get: [1] attr userPassword => slap_access_allowed: result not in cache (userPassword) => acl_mask: access to entry "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: cn=admin,dc=domain,dc=com,dc=br <= check a_dn_pat: anonymous <= acl_mask: [2] applying auth(=xd) (stop) <= acl_mask: [2] mask: auth(=xd) => slap_access_allowed: auth access granted by auth(=xd) => access_allowed: auth access granted by auth(=xd) SASL Canonicalize [conn=35]: authcid="diego.lima@USERS" SASL Canonicalize [conn=35]: authcid="diego.lima@USERS" send_ldap_result: conn=35 op=0 p=3 send_ldap_result: err=49 matched="" text="" send_ldap_response: msgid=1 tag=97 err=49 ber_flush2: 14 bytes to sd 18 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1.... ldap_write: want=14, written=14 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1.... conn=35 op=0 RESULT tag=97 err=49 text= daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 18r daemon: read active on 18 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero connection_get(18) connection_get(18): got connid=35 connection_read(18): checking for input on id=35 ber_get_next ldap_read: want=8, got=0 ber_get_next on fd 18 failed errno=0 (Success) connection_read(18): input error=-2 id=35, closing. connection_closing: readying conn=35 sd=18 for close connection_close: conn=35 sd=18 daemon: removing 18 conn=35 fd=18 closed (connection lost) daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero I see nothing on the saslauthd output when I try to log in. Did I miss anything? Please note that I'm trying to use the same kerberos principal as my user, and this is intended. I did try adding another user (account and posixAccount objectClasses) with a separate kerberos principal and that did not work either. Lastly, here is my slapd.conf: include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/kerberos.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel none modulepath /usr/lib/ldap moduleload back_hdb sizelimit 500 tool-threads 1 backend hdb database hdb suffix "dc=domain,dc=com,dc=br" rootdn "cn=admin,dc=domain,dc=com,dc=br" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on checkpoint 512 30 access to attrs=userPassword,shadowLastChange,krbPrincipalKey,krbLastPwdChange by dn="cn=admin,dc=domain,dc=com,dc=br" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=admin,dc=domain,dc=com,dc=br" write by * read Thanks for the help! -- Diego Lima

3 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2010