I have an openldap 2.4 authentication system, that works smoothly with many versions of linux, and OSX 10.5. But I can't get OSX 10.4 to authenticate with it.
I was previously using openldap 2.0.27 with an identical setup, and 10.4 was able to authenticate with it.
I can su to user accounts that are in the ldap database, but when I'm required to enter a password for the user, the authentication fails.
Heres the relevant section from my logfile when I try to authenticate:
Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=dthomp))(|(cn=dthomp))))" Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SRCH attr=uid cn Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:58 owl slapd[10661]: conn=22 op=20 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))" Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SRCH attr=userPassword Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:58 owl slapd[10661]: conn=22 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:58 owl slapd[10661]: conn=22 op=22 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))" Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:58 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:58 owl slapd[10661]: conn=22 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:58 owl slapd[10661]: conn=35 fd=20 ACCEPT from IP=192.168.1.145:49405 (IP=0.0.0.0:636) Jun 6 16:03:58 owl slapd[10661]: conn=35 fd=20 closed (TLS negotiation failure) Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 ACCEPT from IP=192.168.1.145:49406 (IP=0.0.0.0:636) Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 TLS established tls_ssf=32 ssf=32 Jun 6 16:03:59 owl slapd[10661]: conn=36 op=0 BIND dn="" method=163 Jun 6 16:03:59 owl slapd[10661]: conn=36 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: Jun 6 16:03:59 owl slapd[10661]: conn=36 op=1 BIND dn="" method=163 Jun 6 16:03:59 owl slapd[10661]: SASL [conn=36] Failure: no secret in database Jun 6 16:03:59 owl slapd[10661]: conn=36 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database Jun 6 16:03:59 owl slapd[10661]: conn=36 op=2 UNBIND Jun 6 16:03:59 owl slapd[10661]: conn=36 fd=20 closed Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(|(uid=dthomp))(|(cn=dthomp))))" Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SRCH attr=uid cn Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:59 owl slapd[10661]: conn=22 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))" Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SRCH attr=userPassword Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:59 owl slapd[10661]: conn=22 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:59 owl slapd[10661]: conn=22 op=25 SRCH base="dc=mydomain,dc=gov" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=dthomp)(cn=dthomp)))" Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (uid) not indexed Jun 6 16:03:59 owl slapd[10661]: <= bdb_equality_candidates: (cn) not indexed Jun 6 16:03:59 owl slapd[10661]: conn=22 op=25 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 6 16:03:59 owl slapd[10661]: conn=37 fd=20 ACCEPT from IP=192.168.1.145:49407 (IP=0.0.0.0:636) Jun 6 16:03:59 owl slapd[10661]: conn=37 fd=20 closed (TLS negotiation failure) Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 ACCEPT from IP=192.168.1.145:49408 (IP=0.0.0.0:636) Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 TLS established tls_ssf=32 ssf=32 Jun 6 16:03:59 owl slapd[10661]: conn=38 op=0 BIND dn="" method=163 Jun 6 16:03:59 owl slapd[10661]: conn=38 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: Jun 6 16:03:59 owl slapd[10661]: conn=38 op=1 BIND dn="" method=163 Jun 6 16:03:59 owl slapd[10661]: SASL [conn=38] Failure: no secret in database Jun 6 16:03:59 owl slapd[10661]: conn=38 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database Jun 6 16:03:59 owl slapd[10661]: conn=38 op=2 UNBIND Jun 6 16:03:59 owl slapd[10661]: conn=38 fd=20 closed
I'm not sure why its trying to use sasl to authenticate, or even sure if thats the problem. I ended up creating an empty sasl database, because originally it kept trying to open one that wasn't there. Do I have to do some king of mapping from the sasl database to ldap?