I am running OpenLDAP 2.3.39 on a RedHat server. I am encountering a user ssh login failure on an LDAP client if I use the URI-based way to specify the LDAP servers in the client's /etc/ldap.conf and /etc/openldap/ldap.conf files. I don't have such a problem if I use the host-based way. A snip of the configurations and the ldap.log on the ldapm is the following:

/etc/ldap.conf:
uri ldap://ldapm.mydomain.com ldap://ldapsl.mydomain.com

/etc/openldap/ldap.conf:
URI ldap://ldapm.mydomain.com ldap://ldapsl..mydomain.com

May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "uid" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr uid
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (uid)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "uid" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [1] attr userPassword
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (userPassword)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: anonymous
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] applying auth(=xd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] mask: auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access denied by auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: send_search_entry: conn 35 access to attribute userPassword, value #0 not allowed
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "shadowLastChange" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr shadowLastChange
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (shadowLastChange)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "shadowLastChange" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)

Can anyone please help resolve the above problem? Thanks a lot!

Luke
I am running OpenLDAP 2.3.39 on a RedHat server. I am encountering a user ssh login failure on an LDAP client if I use the URI-based way to specify the LDAP servers in the client's /etc/ldap.conf and /etc/openldap/ldap.conf files. I don't have such a problem if I use the host-based way. A snip of the configurations and the ldap.log on the ldapm is the following:

/etc/ldap.conf:
uri ldap://ldapm.mydomain.com ldap://ldapsl.mydomain.com

/etc/openldap/ldap.conf:
URI ldap://ldapm.mydomain.com ldap://ldapsl..mydomain.com
There's probably a typo in the last URI above; I don't know if it's related to your issue, though.
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "uid" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr uid
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (uid)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "uid" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [1] attr userPassword
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (userPassword)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: anonymous
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] applying auth(=xd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] mask: auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access denied by auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: send_search_entry: conn 35 access to attribute userPassword, value #0 not allowed
You only have "auth" access to the userPassword attribute (which sounds reasonable) but the client is trying to "read" the password. I suspect a misconfiguration of the client, which tries to auth by internally comparing userPassword values instead of using an LDAP bind operation.
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "shadowLastChange" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_get: [2] attr shadowLastChange
May 16 14:16:33 ldapm slapd[27604]: access_allowed: no res from state (shadowLastChange)
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: access to entry "uid=luke_l,ou=People,dc=mydomain,dc=com", attr "shadowLastChange" requested
May 16 14:16:33 ldapm slapd[27604]: => acl_mask: to value by "", (=0)
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: self
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: cn=admin,dc=mydomain,dc=com
May 16 14:16:33 ldapm slapd[27604]: <= check a_dn_pat: *
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] mask: read(=rscxd)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
Can anyone please help resolve the above problem? Thanks a lot!
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
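The diagnosis above comes from reading the ACL trace by hand: for each attribute, slapd logs the level requested, the clause that matched, and the verdict. The following Python is an added example, not code from the thread or from OpenLDAP, that reduces such a trace to one record per check so the refused attribute and the level the ACL actually grants stand out; the sample lines are constructed after the ones quoted above.

```python
import re

# Constructed sample in the shape of the slapd ACL trace quoted above:
# the denied userPassword lookup and the granted shadowLastChange one.
SAMPLE_LOG = """\
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "userPassword" requested
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [2] applying auth(=xd) (stop)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access denied by auth(=xd)
May 16 14:16:33 ldapm slapd[27604]: send_search_entry: conn 35 access to attribute userPassword, value #0 not allowed
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access to "uid=luke_l,ou=People,dc=mydomain,dc=com" "shadowLastChange" requested
May 16 14:16:33 ldapm slapd[27604]: <= acl_mask: [4] applying read(=rscxd) (stop)
May 16 14:16:33 ldapm slapd[27604]: => access_allowed: read access granted by read(=rscxd)
"""

REQ = re.compile(r'access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
MASK = re.compile(r'acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\)')
RESULT = re.compile(r'access_allowed: (\w+) access (granted|denied) by (\w+)')

def parse_acl_trace(text):
    """Return one dict per access check: entry, attr, requested level,
    the index and level of the ACL clause that matched ("stop"), and
    whether slapd granted the request."""
    checks, current = [], None
    for line in text.splitlines():
        m = REQ.search(line)
        if m:  # a new check begins with the "... requested" line
            current = {"requested": m.group(1), "entry": m.group(2),
                       "attr": m.group(3), "clause": None,
                       "mask": None, "granted": None}
            checks.append(current)
            continue
        if current is None:
            continue
        m = MASK.search(line)
        if m:  # the clause whose privilege mask was applied
            current["clause"] = int(m.group(1))
            current["mask"] = m.group(2)
            continue
        m = RESULT.search(line)
        if m:  # verdict closes the current check
            current["granted"] = (m.group(2) == "granted")
            current = None
    return checks

def denied_attrs(checks):
    """Map each refused attribute to (level requested, level the ACL
    grants), e.g. {'userPassword': ('read', 'auth')}."""
    return {c["attr"]: (c["requested"], c["mask"])
            for c in checks if c["granted"] is False}
```

A `userPassword` entry of `('read', 'auth')` is exactly the mismatch described in the reply: the server only lets an anonymous client bind against the password, while the client is asking to read it.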
openldap-technical@openldap.org