Re: ldap auth does not works after openldap upgrade

> On Thu, Feb 17, 2011 at 1:03 PM, Pierangelo Masarati < > masarati(a)aero.polimi.it&gt; wrote: > >> Dieter Kluenter wrote: >> >>> Am Thu, 17 Feb 2011 11:28:59 -0200 >>> schrieb Leonardo Carneiro <chesterman86(a)gmail.com&gt;: >>> >>> On Thu, Feb 17, 2011 at 9:09 AM, Andrew Findlay < >>>> andrew.findlay(a)skills-1st.co.uk&gt; wrote: >>>> >>>> On Wed, Feb 16, 2011 at 03:29:45PM -0800, Howard Chu wrote: >>>>> >>>>> [...] >>> >>>> Here is the search that Apache is doing. Note that "usuarios" in the >>>> search means "users" in portuguese. It doesn't seems even to check if >>>> the user really does part of the group defined in the apache config. >>>> >>>> [...] >>> >>>> filter="(&(objectClass=*)(uid=lscarneiro))" >>>> Feb 17 11:11:39 fileserver slapd[2054]: conn=1014 op=1 SRCH attr=uid >>>> Feb 17 11:11:39 fileserver slapd[2054]: <= bdb_equality_candidates: >>>> (uid) not indexed >>>> Feb 17 11:11:39 fileserver slapd[2054]: conn=1014 op=1 ENTRY >>>> dn="uid=lscarneiro,ou=usuarios,dc=dominio,dc=com,dc=br" >>>> >>> >>> here uid=lscarneiro has been found >>> >>> Feb 17 11:11:39 fileserver slapd[2054]: conn=1014 op=1 SEARCH RESULT >>>> tag=101 err=0 nentries=1 text= >>>> Feb 17 11:11:39 fileserver slapd[2054]: conn=1014 op=2 BIND anonymous >>>> mech=implicit ssf=0 >>>> Feb 17 11:11:39 fileserver slapd[2054]: conn=1014 op=2 BIND >>>> dn="uid=lscarneiro,ou=Usuarios,dc=dominio,dc=com,dc=br" method=128 >>>> Feb 17 11:11:39 fileserver slapd[2054]: conn=1014 op=2 RESULT tag=97 >>>> err=49 text= >>>> >>> >>> invalid credentials were presented >>> >> >> Or insufficient access or any other error that would not be disclosed >> occurred. >> >> p. >> > Hi guys. i saw something interesting now look at here: > > fileserver:/etc/ldap/slapd.d# smbldap-usershow lscarneiro | grep > userPassword > userPassword: {CRYPT}$1$IDz3CwLp$r5MsSU8QyMyoHUv8r.eqi. > fileserver:/etc/ldap/slapd.d# ldapsearch -v -LLL -h 192.168.0.2 -b > "dc=dominio,dc=com,dc=br" -D "cn=root,dc=dominio,dc=com,dc=br" -w > [password] > "(uid=lscarneiro)" > ldap_initialize( ldap://192.168.0.2 ) > filter: (uid=lscarneiro) > requesting: All userApplication attributes > userPassword:: e0NSWVBUfSQxJElEejNDd0xwJHI1TXNTVThReU15b0hVdjhyLmVxaS4= > > I think this explains why every single bind that i try with users other > than > cn=root gives me "invalid credentials". Is my assumption correct? Anyone > knows why this passwords are not matching? The two passwords match perfectly; only, the latter is base64-encoded for LDIF presentation (as indicated by the double colon ('::')). I suggest you run slapd with -d acl in order to see whether the authentication failure is related to access control, incorrect password or so. p. Thanks for the tip Masarati