We have OpenLDAP 2.3 running on Linux. It is set up in SASL mode authenticating against multiple ADs. Everything works fine there, which is our Production env.
We recently installed a new instance of OpenLDAP 2.4.23 running on RedHat Linux 6 in our Dev and QA env. Then, we moved the slapd.conf and slapd-meta.conf file to the new instance, and created the required users.
When we run testsaslauthd, we are successfully able to authenticate against the appropriate AD that the user is under.
testsaslauthd -u ravi@SONEPAR -p secret - WORKS
ldapsearch -x -D uid=ravi,ou=People,ou=company,dc=inside,dc=devserver,dc=com -w secret
results in: ldap_bind: Invalid credentials (49)
But when we do an ldapsearch or connect using LDAP Browser, the user is not able to get authenticated. We are not able to bind to the OpenLDAP by using the same credentials. I get an Invalid credentials error (49), which indicates either that the credentials are incorrect, which in this case they are not, or that the bind info is incorrect.
It seems as though the user is not able to bind to OpenLDAP 2.4, or it does not know how to. When I change the password from {SASL}ralthuru@SONEPAR to plain text, say "secret", it works fine.
Here is the log output from the same user authentication in OpenLDAP 2.3 and OpenLDAP 2.4:
SUCCESS - QA 2.4 - testsaslauthd -u ralthuru@SONEPAR -p secret
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:44500 (IP=127.0.0.1:391)
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" method=128
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 RESULT tag=97 err=0 text=
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(?SMACCOUNTNAME=ralthuru))"
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH attr=dn
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND anonymous mech=implicit ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" method=128
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 RESULT tag=97 err=0 text=
SUCCESS - QA 2.4 - login as cn=Manager/Password1 from LDAP Browser
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 fd=12 ACCEPT from IP=10.108.138.66:64931 (IP=0.0.0.0:389)
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" method=128
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" mech=SIMPLE ssf=0
Feb 2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb 2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 op=1 UNBIND
Feb 2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 fd=12 closed
FAIL - QA 2.4 - login as uid=ralthuru/Sonepar123 from LDAP Browser
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" method=128
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND
Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 closed
SUCCESS - PRODUCTION 2.3 - testsaslauthd -u ralthuru@SONEPAR -p secret
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND anonymous mech=implicit ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 RESULT tag=97 err=0 text=
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH attr=dn
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND anonymous mech=implicit ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 RESULT tag=97 err=0 text=
SUCCESS - PRODUCTION 2.3 - login as uid=ralthuru/secret from LDAP Browser
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 fd=15 ACCEPT from IP=10.108.138.66:54298 (IP=0.0.0.0:389)
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND anonymous mech=implicit ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 RESULT tag=97 err=0 text=
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH attr=dn
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND anonymous mech=implicit ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 RESULT tag=97 err=0 text=
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 RESULT tag=97 err=0 text=
Feb 3 10:44:47 pavfldapp01 slapd[4806]: conn=50825 op=1 UNBIND
SUCCESS - PRODUCTION 2.3 - LDAP Search command as uid=ralthuru/secret
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 ACCEPT from IP=10.199.204.205:44578 (IP=0.0.0.0:389)
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND anonymous mech=implicit ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH attr=dn
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND anonymous mech=implicit ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 RESULT tag=97 err=0 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SRCH base="dc=inside,dc=sonepar-us,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=2 UNBIND
Feb 3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 closed
Here is the ldap.conf:
URI ldap://10.99.19.179
BASE dc=inside,dc=sdusadevl,dc=com
TLS_REQCERT never
Here is the slapd.conf, only the relevant info:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/schema_extension.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
loglevel 256
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=inside,dc=sdusadevl,dc=com"
rootdn "cn=Manager,dc=inside,dc=sdusadevl,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw xyz123
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index uniqueMember eq,pres
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
# adding to ignore error for slaptest
cachesize 2000
sasl-host localhost
sasl-secprops none
----------------------
Here is the slapd-meta.conf containing the AD that the user ralthuru is authenticating against:
uri ldap://sdusa-dc-01.sdusadevl.com:3268/ou=SONEPAR,dc=local
lastmod off
suffixmassage "ou=SONEPAR,dc=local" "dc=sdusadevl,dc=com"
idassert-bind bindmethod=simple binddn="CN=Vignette\, Service Account,OU=Vignette Service,OU=Vignette,OU=Enterpise Systems,DC=sdusadevl,DC=com" credentials="hiddenpassword" mode=none flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=local"
I have searched across many forums, compared the set up on the OpenLDAP 2.3 and OpenLDAP 2.4 instances and cannot find any differences.
Any suggestions on how to resolve this is appreciated!
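The two traces differ in one visible way. In the Production 2.3 trace, the frontend bind on conn=50825 coincides with a Manager bind and a search of ou=SONEPAR,dc=local on conn=94, which is the back-meta connection to AD resolving the user's DN. In the QA 2.4 failure on conn=1005, err=49 is returned with no such backend activity in the same second. The script below is an added example, not part of the thread, that makes this comparison mechanical: it parses loglevel 256 stats lines, records the result code of each frontend bind, and counts searches issued on other connections within the same second. The sample lines are copied from the traces above (with the "mthod" typo corrected); the FRONTEND_SUFFIXES list and the verdict wording are assumptions, not anything slapd itself reports.

```python
"""Correlate slapd stats-log (loglevel 256) lines to see whether a frontend
simple bind coincided with back-meta activity toward AD.

Added example, not part of the thread. The sample lines are copied from the
thread's QA 2.4 failure and Production 2.3 success traces."""
import re
from collections import defaultdict

# Constructed sample (copied from the thread's traces).
SAMPLE_LINES = [
    'Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)',
    'Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" method=128',
    'Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=',
    'Feb 2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND',
    'Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128',
    'Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0',
    'Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 RESULT tag=97 err=0 text=',
    'Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"',
    'Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0',
    'Feb 3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 RESULT tag=97 err=0 text=',
    'Feb 3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 RESULT tag=97 err=0 text=',
]

# Suffixes served by the local bdb database (taken from the thread's configs;
# the list itself is an assumption of this example).
FRONTEND_SUFFIXES = ("dc=inside,dc=sdusadevl,dc=com", "dc=inside,dc=sonepar-us,dc=com")

LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+)(?: fd=\d+)?(?: op=(?P<op>\d+))? (?P<rest>.*)$'
)
BIND_DN_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'\bRESULT tag=(?P<tag>\d+) err=(?P<err>\d+)')
SRCH_RE = re.compile(r'\bSRCH base="')


def parse_line(line):
    """Split one stats line into its fields; return None for lines that are not slapd stats."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['pid'] = int(d['pid'])
    d['conn'] = int(d['conn'])
    d['op'] = int(d['op']) if d['op'] is not None else None
    return d


def analyse(lines, frontend_suffixes):
    """Return one row per frontend bind: its BindResponse error code and how many
    searches other connections (e.g. back-meta toward AD) issued in the same second."""
    recs = [r for r in map(parse_line, lines) if r]
    by_ts = defaultdict(list)
    for r in recs:
        by_ts[r['ts']].append(r)
    suffixes = tuple(s.lower() for s in frontend_suffixes)
    binds = {}
    for r in recs:
        m = BIND_DN_RE.search(r['rest'])
        if m and m.group('dn').lower().endswith(suffixes):
            key = (r['pid'], r['conn'], r['op'])
            # method=128 and mech=SIMPLE lines share a key; keep the first
            binds.setdefault(key, {'ts': r['ts'], 'conn': r['conn'], 'dn': m.group('dn'),
                                   'err': None, 'backend_searches': 0})
    for r in recs:
        key = (r['pid'], r['conn'], r['op'])
        m = RESULT_RE.search(r['rest'])
        if key in binds and m and m.group('tag') == '97':   # tag 97 = BindResponse
            binds[key]['err'] = int(m.group('err'))
    for (pid, conn, _op), b in binds.items():
        for other in by_ts[b['ts']]:
            if (other['pid'], other['conn']) != (pid, conn) and SRCH_RE.search(other['rest']):
                b['backend_searches'] += 1
    return list(binds.values())


def verdict(row):
    """Assumed wording: summarise what the trace shows for one bind."""
    if row['err'] == 0:
        return 'bind accepted'
    if row['backend_searches'] == 0:
        return 'bind rejected with no backend search in the same second'
    return 'bind rejected after a backend search'


if __name__ == '__main__':
    for row in analyse(SAMPLE_LINES, FRONTEND_SUFFIXES):
        print(row['ts'], 'conn=%d' % row['conn'], row['dn'], 'err=%s' % row['err'], '->', verdict(row))
```

On a real server, pass the slapd lines from syslog to analyse() instead of SAMPLE_LINES. The same-second correlation is deliberately coarse: on a busy server, narrow it to the slapd pid that owns the back-meta connection, or compare op counters on that connection before and after the frontend bind.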
--On Tuesday, February 09, 2016 8:00 PM +0000 Ravi K Althuru ralthuru@yahoo.com wrote:
We recently installed a new instance of OpenLDAP 2.4.23 running on RedHat Linux 6
That release is nearly 6 years old. You can contact RedHat for support for any issues you have with it. Otherwise, go the path of sanity and clarity, and run a modern current release. You may want to check out the LTB project builds (http://ltb-project.org/wiki/download#openldap), or if you want builds of OpenLDAP that come with support, I would suggest contacting Symas (http://www.symas.com)
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration A division of Synacor, Inc
Unfortunately this OpenLDAP version is the only supported version for integration with a portal product we are using called OpenText Portal. Hence, I am trying to find a resolution to this issue. Any help is appreciated. Thanks.
On Feb 9, 2016, at 8:51 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Wednesday, February 10, 2016 6:50 PM -0600 Ravi Althuru ralthuru@yahoo.com wrote:
Unfortunately this OpenLdap version is the only supported version for integration with a portal product we are using called OpenText Portal. Hence, I am trying to find a resolution to this issue. Any help is appreciated. Thanks.
That would be rubbish. LDAP is a protocol, your portal product should be able to communicate with any release of OpenLDAP 2.4.x.
Again, if you want support for the utterly broken, insecure rubbish shipped by RedHat, then you need to contact them for support.
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration A division of Synacor, Inc
Ravi Althuru wrote:
Unfortunately this OpenLdap version is the only supported version for integration with a portal product
Sorry, this is complete nonsense.
I am trying to find a resolution to this issue.
Talk to the vendor support of the portal product why it's supposed to only support a specific OpenLDAP version.
Or simply upgrade and test yourself.
Ciao, Michael.
On Feb 9, 2016, at 8:51 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
Without trying to understand the issue, just saying "upgrade to the latest version" does not really help. Yes, the portal version will support OpenLDAP 2.4.x, and I will have to redo the install. But my question is that the scenario I described works in my OpenLDAP 2.3 instance, and comparing the two did not yield any differences. I am being bumped from server infrastructure people to product support people without anyone trying to understand where the problem is originating.
Sorry, this has been a frustrating experience past two weeks and I was hoping to get some support from this forum, but not this answer.
On Feb 11, 2016, at 3:37 AM, Michael Ströder michael@stroeder.com wrote:
Ravi Althuru wrote:
But my question is that the scenario I described works in my OpenLDAP 2.3 instance, and comparing the two did not yield any differences.
Behaviour of ACL processing was changed from 2.3 to 2.4 and pseudo-attribute 'entry' and 'children' were introduced. Read about access control in man page slapd.access(5).
Not sure whether that's relevant in your case.
No, I won't debug your ACLs.
Ciao, Michael.
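To make the ACL pointer concrete, the fragment below is an added example (not from the thread, and not a known fix for the problem above) of the slapd.conf(5) access directives a 2.4 server evaluates for a simple bind to a local entry: the still-anonymous client needs auth access to userPassword before the password (plain or {SASL}) is checked, and access to an entry itself and to its children is governed by the entry and children pseudo-attributes rather than by the ordinary attribute rules. The suffix and OU are the thread's own; the rules are an assumed starting point to diff against the 2.3 configuration, which the thread does not show.

```conf
# Added example: 2.4-style ACLs for the dc=inside,dc=sdusadevl,dc=com database.
# Place after the "database bdb" / "suffix" lines. Not the thread's config;
# the rule set is an assumption, not a confirmed fix.

# A simple bind is performed by an anonymous client, so it needs "auth"
# access to userPassword. This is what a {SASL}user@REALM value is
# compared through as well; "by * none" keeps everyone else from reading it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Access to the entry itself (entry) and to adding/deleting beneath it
# (children) is checked separately from the attribute rules above.
# Authenticated users may read People; anonymous may only locate entries.
access to dn.subtree="ou=People,dc=inside,dc=sdusadevl,dc=com"
        by users read
        by anonymous search

# Catch-all for everything else, evaluated only if no earlier clause matched.
access to *
        by * read
```

Check the syntax with slaptest -u -f /etc/openldap/slapd.conf before restarting, and run slapd with loglevel 128 (acl) or slapd -d acl while repeating the failing bind: the ACL trace shows which clause denied auth access to userPassword, if any, which the stats log alone (err=49 text=) does not.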
--On Thursday, February 11, 2016 7:19 AM -0600 Ravi Althuru ralthuru@yahoo.com wrote:
Without trying to understand the issue, just saying "upgrade to the latest version" does not really help. Yes, the portal version will support OpenLDAP 2.4.x, and I will have to redo the install. But my question is that the scenario I described works in my OpenLDAP 2.3 instance, and comparing the two did not yield any differences. I am being bumped from server infrastructure people to product support people without anyone trying to understand where the problem is originating.
Sorry, this has been a frustrating experience past two weeks and I was hoping to get some support from this forum, but not this answer.
You can start with http://www.openldap.org/doc/admin24/appendix-upgrading.html. As already noted, there were changes to how ACLs work, and you have to adjust your ACLs accordingly. One would hope of course you had already started at the documentation about upgrading from 2.3....
--Quanah
--
Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration A division of Synacor, Inc