On Tue, Mar 29, 2011 at 7:43 PM, Dan White dwhite@olp.net wrote:
On 29/03/11 14:47 -0700, sim123 wrote:
I have openLDAP server up and running and trying to integrate it with Confluence. My LDAP structure looks like
DN :: uid=123, ou=users, dc=example, dc=com uid :: 123 mail :: bjason@example.com cn :: barbara sn :: jason userPassword :: test (plain test for now)
I have another similar entry in another branch (su) for "confluence admin", I did LDAP configuration in confluence and tested the bind with confluence user. Now for every user authentication I am assuming LDAP should be able to bind on any attribute other than DN. however I can not do that. when I try
By that, I assume that you are referring to a two step process where a privileged user binds (or anonymously binds) to the server, searches for the DN of a user based on some search criteria, unbinds, and then rebinds using the returned DN, and the password submitted by the client.
If that's a correct assumption, you might want to verify that:
- The privileged user has appropriate permissions to search in your user
tree
- The client (confluence) is submitting appropriate base, scope, and filter
its search, and is retrieving the expected user DN
- The client is then binding a second time with the DN and user password
to login from confluence using mail & password, this is what I see in my
slapd.d logs :
connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 ber_get_next ber_get_next: tag 0x30 len 48 contents: op tag 0x60, time 1301434489 ber_get_next conn=1000 op=0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt (m}) ber:
dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>
<<< dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>,
<uid=234,ou=su,dc=example,dc=com> do_bind: version=3 dn="uid=234,ou=su,dc=example,dc=com" method=128 bdb_dn2entry("uid=234,ou=su,dc=example,dc=com") => bdb_dn2id("dc=example,dc=com") <= bdb_dn2id: got id=0x1 => bdb_dn2id("ou=su,dc=example,dc=com") <= bdb_dn2id: got id=0x4 => bdb_dn2id("uid=234,ou=su,dc=example,dc=com") <= bdb_dn2id: got id=0x7 entry_decode: "uid=234,ou=su,dc=example,dc=com" <= entry_decode(uid=234,ou=su,dc=example,dc=com) do_bind: v3 bind: "uid=234,ou=su,dc=example,dc=com" to "uid=234,ou=su,dc=example,dc=com" send_ldap_result: conn=1000 op=0 p=3 send_ldap_response: msgid=1 tag=97 err=0 ber_flush2: 14 bytes to sd 12 connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 ber_get_next ber_get_next: tag 0x30 len 144 contents: op tag 0x63, time 1301434489 ber_get_next conn=1000 op=1 do_search ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <ou=user,dc=example,dc=com>
<<< dnPrettyNormal: <ou=user,dc=example,dc=com>,
<ou=user,dc=example,dc=com> ber_scanf fmt ({mm}) ber: ber_scanf fmt ({mm}) ber: ber_scanf fmt ({M}}) ber: => get_ctrls ber_scanf fmt ({m) ber: => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical) <= get_ctrls: n=1 rc=0 err="" ==> limits_get: conn=1000 op=1 self="uid=234,ou=su,dc=example,dc=com" this="ou=user,dc=example,dc=com" => bdb_search bdb_dn2entry("ou=user,dc=example,dc=com") => bdb_dn2id("ou=user,dc=example,dc=com") <= bdb_dn2id: got id=0x3 entry_decode: "ou=user,dc=example,dc=com" <= entry_decode(ou=user,dc=example,dc=com) search_candidates: base="ou=user,dc=example,dc=com" (0x00000003) scope=2 => bdb_equality_candidates (objectClass) => key_read <= bdb_index_read: failed (-30988) <= bdb_equality_candidates: id=0, first=0, last=0
It looks like the search is not returning any entries. From your confluence server, can you perform an ldapsearch as your privileged user to see if you get any entries returned?
-- Dan White
Thanks for your reply. You got me right and I am sure the first two things are working so my authentication user has privileges, Confluence is submitting base,scope and filter. I am not sure about the third point, needs to validate it.
I tried doing ldapsearch from ldap server machine (local) and from confluence server using filter on uid/cn. However, don't know why wild card works and specific search doesn't.
ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=users,dc=example,dc=com> with scope subtree # filter: (uid=123) # requesting: ALL #
# search result search: 2 result: 0 Success
# numResponses: 1
where as ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123*)' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=users,dc=example,dc=com> with scope subtree # filter: (uid=123*) # requesting: ALL #
# 123, users, example.com dn: uid=123,ou=users,dc=example,dc=com displayName: Barbara Jason objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top mail: bjason@example.com uid: 123 userPassword:: bXJhanZhaWR5YQ== sn: Jason cn: Barbara
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
again, I tried searching for it but couldn't find it, sorry for being naive but would appreciate any help. Thanks