Hi everyone, I have successfully installed cyrus-sasl-2.1.23 and openldap-2.3.27 plus BerkeleyDB.4.3 in my RHEL5.2 server. After the installation, I used saslpasswd2 -c to create an admin user:
saslpasswd2 -c admin
After that, I thought of doing a search on the database with the command:
ldapsearch -H ldap:///localhost -Y DIGEST-MD5 -d 2 -U admin
but it returned an error of:
ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database
When I did a check on /etc/, the sasldb2 file is there. I do not know and understand why it cannot find this user. Did I miss out anything? Below is an excerpt from my slapd.conf file:
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=synabase-dev5.synamatixdev.com,cn=DIGEST-MD5,cn=auth ldap:///dc=synamatixdev,dc=com??sub?uid=$1
authz-regexp uid=(.*),cn=synabase-dev5.synamatixdev.com,cn=DIGEST-MD5,cn=auth uid=$1
Under rootpw, I typed the password in clear text; e.g., the password I created for admin was root. Hence it looks like: rootpw root
Did i do anything wrong? Where is the error?
Hope to receive some help. I have been trying to install openldap with cyrus for 4 months but to no avail :(
Seau Yeen Su wrote:
I have successfully installed cyrus-sasl-2.1.23 and openldap-2.3.27 plus BerkeleyDB.4.3 in my RHEL5.2 server. After the installation, I used saslpasswd2 -c to create an admin user:
saslpasswd2 -c admin
Do you actually have an entry with (uid=admin) in your LDAP server?
After that, I thought of doing a search on the database with the command:
ldapsearch -H ldap:///localhost -Y DIGEST-MD5 -d 2 -U admin
but it returned an error of:
ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database
When I did a check on /etc/, the sasldb2 file is there. I do not know and understand why it cannot find this user. Did I miss out anything? Below is an excerpt from my slapd.conf file:
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=synabase-dev5.synamatixdev.com http://synabase-dev5.synamatixdev.com,cn=DIGEST-MD5,cn=auth ldap:///dc=synamatixdev,dc=com??sub?uid=$1
authz-regexp uid=(.*),cn=synabase-dev5.synamatixdev.com http://synabase-dev5.synamatixdev.com,cn=DIGEST-MD5,cn=auth uid=$1
You don't need /etc/sasldb2 if you want to use authz-regexp. Simply create an LDAP entry below your search root dc=synamatixdev,dc=com with attribute uid set to admin and userPassword set in clear-text.
Ciao, Michael.
Hi Michael,
Surprisingly, I had to remove the cn=synamatixdev.com in the authz-regexp statement below; only then could it match and look for the admin id I created with saslpasswd -c:
authz-regexp uid=(.*),cn=digest-md5,cn=auth cn=Manager,dc=synamatixdev,dc=com
However, when I tried to add my users using ldif format, I encountered some problems.
First, it's the schema issue. When I included the inetorgperson schema, it kept throwing messages about certain audio, homePhone objectClass structural objects not existing. So I removed all those objects LDAP complained about and managed to start my slapd.
After that, I tried to add my user with the ldif format as below:
dn: ou=people,dc=synamatixdev,dc=com
ou: people
objectClass: organizationalunit
objectClass: inetorgperson

dn: uid=user1,ou=people,dc=synamatixdev,dc=com
uid: user1
cn: Mary
cn: Mary Terry
objectClass: inetorgperson
objectClass: account
objectClass: top
objectClass: shadowAccount
sn: Terry
userPassword: user123
I receive the error message below when I try to add with slapadd:
str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
I am not very sure about the objectClasses allowed for OpenLDAP 2.3.27. Why does it say there's an invalid value for attributeType? Please help, thanks!
2009/8/6 Michael Ströder michael@stroeder.com wrote:
[...]
-- Michael Ströder E-Mail: michael@stroeder.com http://www.stroeder.com
Seau Yeen Su seauyeen@mgrc.com.my writes:
Hi Michael,
[...]
However, when I tried to add my users using ldif format, I encountered some problems.
First, it's the schema issue. When I included the inetorgperson schema, it kept throwing messages about certain audio, homePhone objectClass structural objects not existing. So I removed all those objects LDAP complained about and managed to start my slapd.
Read the comments in inetorgperson.schema, in particular about 'Depends upon'.
After that, I tried to add my user with the ldif format as below:
dn: ou=people,dc=synamatixdev,dc=com
ou: people
objectClass: organizationalunit
objectClass: inetorgperson
Why do you want to add objectclass inetorgperson to this entry?
dn: uid=user1,ou=people,dc=synamatixdev,dc=com
uid: user1
cn: Mary
cn: Mary Terry
objectClass: inetorgperson
objectClass: account
objectClass: top
objectClass: shadowAccount
sn: Terry
userPassword: user123
I receive the error message below when I try to add with slapadd:
str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
I am not very sure about the objectClasses allowed for OpenLDAP 2.3.27. Why does it say there's an invalid value for attributeType? Please help, thanks!
Read about structural objectclasses and their requirements, in particular RFC 4512, section 2.4.2. Objectclass inetorgperson and objectclass account are both of type structural, but belong to different objectclass chains.
-Dieter
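As an added illustration of the rule Dieter points to (not code from this thread or from OpenLDAP), the check below replays the poster's entries against a constructed, minimal subset of the schema and reports the two conditions slapadd rejects here: an objectClass not defined in any loaded schema file, and two STRUCTURAL classes that sit on different superior chains (RFC 4512, section 2.4.2). The schema table is an assumption that covers only the classes named in this thread.

```python
from typing import Dict, List, Optional, Tuple

# Constructed subset of OpenLDAP's core/cosine/inetorgperson/nis schema:
# objectClass name (lower-case) -> (kind, superior class), kinds per RFC 4512 2.4.
SCHEMA: Dict[str, Tuple[str, Optional[str]]] = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalperson": ("STRUCTURAL", "person"),
    "inetorgperson": ("STRUCTURAL", "organizationalperson"),
    "organizationalunit": ("STRUCTURAL", "top"),
    "account": ("STRUCTURAL", "top"),          # defined in cosine.schema
    "shadowaccount": ("AUXILIARY", "top"),     # defined in nis.schema
}

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one simple LDIF entry ('attr: value' lines) into attribute -> values."""
    entry: Dict[str, List[str]] = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def chain(oc: str, schema: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Superior chain of an objectClass, most derived first (inetorgperson -> ... -> top)."""
    out: List[str] = []
    cur: Optional[str] = oc
    while cur is not None:
        out.append(cur)
        cur = schema[cur][1]
    return out

def check_object_classes(entry: Dict[str, List[str]],
                         schema: Dict[str, Tuple[str, Optional[str]]] = SCHEMA) -> List[str]:
    """Return the problems slapadd would reject: unknown classes, or STRUCTURAL
    classes that do not lie on one superior chain (RFC 4512 2.4.2)."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    problems = [f"unknown objectClass '{c}' (schema file not included?)"
                for c in classes if c not in schema]
    structural = [c for c in classes if c in schema and schema[c][0] == "STRUCTURAL"]
    for i, a in enumerate(structural):
        for b in structural[i + 1:]:
            # Two STRUCTURAL classes are compatible only if one derives from the other.
            if a not in chain(b, schema) and b not in chain(a, schema):
                problems.append(f"STRUCTURAL classes '{a}' and '{b}' are on different chains")
    return problems
```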
Seau Yeen Su wrote:
authz-regexp uid=(.*),cn=digest-md5,cn=auth cn=Manager,dc=synamatixdev,dc=com
Without having tried it myself, this IMO maps *every* user authenticated by SASL bind with DIGEST-MD5 to the account cn=Manager,dc=synamatixdev,dc=com. If that's a privileged account, this is very dangerous!
I had overlooked the malformed HTTP URLs in your authz-regexp. You should try something like this (all in one line):
authz-regexp "uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth" "ldap:///ou=schulung,dc=stroeder,dc=local??sub?(uid=$1)"
Add users with attribute 'uid' set and clear-text password in attribute 'userPassword' and you're done.
However, when I tried to add my users using ldif format, I encountered some problems.
First, it's the schema issue. When I included the inetorgperson schema, it kept throwing messages about certain audio, homePhone objectClass structural objects not existing. So I removed all those objects LDAP complained about and managed to start my slapd.
You should not tweak schema files installed by OpenLDAP's 'make install'. You should rather import them in the right order because some depend on others.
After that, I tried to add my user with the ldif format as below:
dn: ou=people,dc=synamatixdev,dc=com
ou: people
objectClass: organizationalunit
objectClass: inetorgperson

dn: uid=user1,ou=people,dc=synamatixdev,dc=com
uid: user1
cn: Mary
cn: Mary Terry
objectClass: inetorgperson
objectClass: account
objectClass: top
objectClass: shadowAccount
sn: Terry
userPassword: user123
I receive the error message below when I try to add with slapadd:
str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
That means that one of the object classes used is not present in the schema, here 'account' I guess. Also note that 'inetOrgPerson' and 'account' are both STRUCTURAL with different inheritance chains and therefore cannot be used together. Simply use this one:
------------------------------ snip ------------------------------
dn: uid=user1,ou=people,dc=synamatixdev,dc=com
uid: user1
cn: Mary
cn: Mary Terry
objectClass: top
objectClass: inetorgperson
sn: Terry
userPassword: user123
------------------------------ snip ------------------------------
I am not very sure about the objectClasses allowed for OpenLDAP 2.3.27. Why does it say there's an invalid value for attributeType? Please help, thanks!
Maybe you did not include the schema file where the object class used in your entry is defined.
Ciao, Michael.
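To make Michael's warning concrete, here is an added simulation (not slapd code, and a simplified model of its matching: unanchored, case-insensitive regex, $1 substitution, and an ldap:/// replacement resolved by a lookup in a constructed uid table) of the two authz-regexp rules from this thread. The catch-all rule maps any DIGEST-MD5 identity, with or without a realm component, to cn=Manager; the scoped rule only maps identities whose uid resolves to an existing entry. The ou=people base in the scoped rule is an assumption standing in for the poster's own suffix.

```python
import re
from typing import Dict, Optional, Tuple

Rule = Tuple[str, str]

# Constructed rules: the thread's catch-all rule that maps everyone to the rootdn,
# and Michael's scoped rule with the base changed to the poster's own suffix.
DANGEROUS_RULE: Rule = (r"uid=(.*),cn=digest-md5,cn=auth",
                        "cn=Manager,dc=synamatixdev,dc=com")
SCOPED_RULE: Rule = (r"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth",
                     "ldap:///ou=people,dc=synamatixdev,dc=com??sub?(uid=$1)")

# Constructed stand-in for the sub-tree the ldap:/// URL would search: uid -> entry DN.
DIRECTORY: Dict[str, str] = {
    "admin": "uid=admin,ou=people,dc=synamatixdev,dc=com",
    "user1": "uid=user1,ou=people,dc=synamatixdev,dc=com",
}

def sasl_authcid_dn(authcid: str, mech: str, realm: Optional[str] = None) -> str:
    """SASL authentication identity DN as slapd forms it:
    uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth (mechanism lower-cased)."""
    realm_part = f",cn={realm.lower()}" if realm else ""
    return f"uid={authcid}{realm_part},cn={mech.lower()},cn=auth"

def apply_rule(rule: Rule, authcid_dn: str) -> Optional[str]:
    """DN that the rule maps authcid_dn to, or None if the rule does not apply.
    Simplified model: unanchored, case-insensitive regex; $N expands to group N;
    an ldap:/// replacement is resolved by a (uid=X) lookup in DIRECTORY."""
    pattern, replacement = rule
    m = re.search(pattern, authcid_dn, re.IGNORECASE)
    if not m:
        return None
    target = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    if not target.lower().startswith("ldap:///"):
        return target  # literal DN: every identity the pattern matches becomes this entry
    filt = target.split("?")[-1]  # e.g. "(uid=user1)"
    fm = re.fullmatch(r"\(uid=([^)]*)\)", filt)
    return DIRECTORY.get(fm.group(1)) if fm else None
```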
On Thursday, 6 August 2009 08:52:52 Seau Yeen Su wrote:
Hi everyone, I have successfully installed cyrus-sasl-2.1.23 and openldap-2.3.27 plus BerkeleyDB.4.3 in my RHEL5.2 server.
BTW, Red Hat finally got around to updating OpenLDAP, to 2.3.43, in RHEL 5.3. If you are going to stick with Red Hat's packages, I would really recommend that you upgrade to the packages they have provided.
Of course, Red Hat's OpenLDAP packages for RHEL 5.2 compile against an internal copy of Berkeley DB (4.2 IIRC), not 4.3 ....
Regards, Buchan
openldap-technical@openldap.org