----- Original Message ----
From: Pierangelo Masarati <ando@sys-net.it>
To: Luke Lee <leeluke77@yahoo.com>
Cc: openldap-technical@openldap.org
Sent: Friday, May 16, 2008 2:52:22 PM
Subject: Re: Login failed if URI in client's ldap.conf is used
> I am running OpenLDAP 2.3.39 on a RedHat server. I am encountering a user
> ssh login failure on an LDAP client if I use the URI based way to specify
> the LDAP servers in the client's /etc/ldap.conf and
> /etc/openldap/ldap.conf files. I don't have such a problem if I use the
> host based way. A snip of the configurations and the ldap.log on the ldapm
> is the following:
> /etc/ldap.conf:
> uri ldap://ldapm.mydomain.com ldap://ldapsl.mydomain.com
> /etc/openldap/ldap.conf:
> URI ldap://ldapm.mydomain.com ldap://ldapsl..mydomain.com
There's probably a typo in the last URI above; don't know if it's related
to your issue, though.
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat:
> cn=admin,dc=mydomain,dc=com
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd)
> (stop)
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted
> by read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to
> "uid=luke_l,ou=People,dc=mydomain,dc=com" "uid" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr uid
> May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state
> (uid)
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry
> "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "uid" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat:
> cn=admin,dc=mydomain,dc=com
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd)
> (stop)
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted
> by read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to
> "uid=luke_l,ou=People,dc=mydomain,dc=com" "userPassword" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_get: [1] attr userPassword
> May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state
> (userPassword)
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry
> "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "userPassword" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: anonymous
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] applying auth(=xd)
> (stop)
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] mask: auth(=xd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access denied
> by auth(=xd)
> May 16 14:16:33 ldapm slapd[27604]: send_search_entry: conn 35 access to
> attribute userPassword, value #0 not allowed
You only have "auth" access to the userPassword attribute (which sounds
reasonable) but the client is trying to "read" the password. I suspect a
misconfiguration of the client, which tries to auth by internally
comparing userPassword values instead of using an LDAP bind operation.
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to
> "uid=luke_l,ou=People,dc=mydomain,dc=com" "shadowLastChange" requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr shadowLastChange
> May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state
> (shadowLastChange)
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry
> "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "shadowLastChange"
> requested
> May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat:
> cn=admin,dc=mydomain,dc=com
> May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd)
> (stop)
> May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
> May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted
> by read(=rscxd)
>
> Can anyone please help resolve the above problem? Thanks a lot!
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
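The ACL policy the log above shows slapd enforcing, written out as an added example (not configuration from the original thread or from Luke's server), with the weak variant that would make this kind of login "work" placed beside it. The suffix, the admin DN and the exact rule order are assumptions reconstructed from the DNs and the acl_get/acl_mask lines in the log; the original slapd.conf was not posted.

```conf
# Added example, not from the original thread. Assumed suffix
# dc=mydomain,dc=com and admin DN cn=admin,dc=mydomain,dc=com, taken
# from the log lines; rule order is a reconstruction, not the poster's file.

# Correct policy (what the log shows slapd applying): slapd may use the
# stored hash to satisfy a bind ("auth"), the user may change his own
# password, and nobody, anonymous or authenticated, can read the hash.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# shadowLastChange is readable (the log shows that read being granted),
# which the client's shadow-aging checks need; the hash is not needed for that.
access to attrs=shadowLastChange
        by self write
        by * read

access to *
        by dn.exact="cn=admin,dc=mydomain,dc=com" write
        by * read

# WEAK, do not use. This makes a client that fetches userPassword and
# compares the hash itself succeed, but it also lets every anonymous
# client dump the password hashes of the whole directory.
#
# access to attrs=userPassword
#         by self write
#         by * read
```

The reply's point is that the client, not the ACL, is what to fix: a client that authenticates by binding as the user (as pam_ldap does) needs only "auth", whereas a stack that resolves the user through nss_ldap and then lets pam_unix compare the hash needs "read" on userPassword, which is the pattern the denied line in the log matches. Two quick checks against the assumed server: `ldapsearch -x -H ldap://ldapm.mydomain.com -b dc=mydomain,dc=com uid=luke_l userPassword` should return the entry with no userPassword value, and `ldapwhoami -x -H ldap://ldapm.mydomain.com -D uid=luke_l,ou=People,dc=mydomain,dc=com -W` should print the user's DN after the password prompt. If the first returns a hash, the ACL is too loose; if the second fails, the problem is the password or the bind path, not the ACL.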