Hi everybody,
I spent some days reading the ebook "Ldap for rocket scientists" ( zytrax.com/books/ldap/) and I've successfully (I think it's a success =3 ) created a VM with debian lenny and openldap running.
After that, I created another VM, running IPfire (www.ipfire.org) distro, this will be the firewall of the SMB I'm working for. Now I'm trying to authenticate the squid proxy, installed in IPFire distro, integrating it with my openldap server. A screenshot of my IPFire's webGUI and phpldapadmin webGUI can be seen at this topic: http://forum.ipfire.org/index.php?topic=3404.0
But the authentication isn't running, the browser using squid proxy keeps asking me for username and password. Suspecting that the webGUI could be making some mistake in squid config file, I started editing its parameters manually. Right now, the ldap authentication line in my squid.conf looks like this:
auth_param basic program /usr/lib/squid/squid_ldap_auth -D "cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h 192.168.1.7 -v 3

cn=admin,dc=pisolar = my root user.
ou=usuarios,dc=pisolar = the OU where my users are stored.

I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered VM, and this is the text shown when I try to authenticate in my browser:
daemon: activity on 1 descriptor daemon: activity on: slap_listener_activate(8): daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 busy
slap_listener(ldap:///)
daemon: listen=8, new connection on 13 daemon: added 13r (active) listener=(nil) daemon: activity on 2 descriptors daemon: activity on: 13r daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 13r daemon: read active on 13 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero connection_get(13) connection_get(13): got connid=0 connection_read(13): checking for input on id=0 ber_get_next ldap_read: want=8, got=8 0000: 30 34 02 01 01 60 2f 02 04...`/.
ldap_read: want=46, got=46 0000: 01 03 04 20 75 69 64 3d 6c 61 6d 70 73 2c 6f 75 ... uid=lamps,ou
0010: 3d 75 73 75 61 72 69 6f 73 2c 64 63 3d 70 69 73 =usuarios,dc=pis
0020: 6f 6c 61 72 80 08 6c 34 77 64 30 67 67 30 olar..userpassword ber_get_next: tag 0x30 len 52 contents: ber_dump: buf=0xa0598a0 ptr=0xa0598a0 end=0xa0598d4 len=52 0000: 02 01 01 60 2f 02 01 03 04 20 75 69 64 3d 6c 61 ...`/.... uid=la
0010: 6d 70 73 2c 6f 75 3d 75 73 75 61 72 69 6f 73 2c mps,ou=usuarios,
0020: 64 63 3d 70 69 73 6f 6c 61 72 80 08 6c 34 77 64 dc=pisolar..userpass 0030: 30 67 67 30 word
ber_get_next ldap_read: want=8 error=Resource temporarily unavailable daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero conn=0 op=0 do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0xa0598a0 ptr=0xa0598a3 end=0xa0598d4 len=49 0000: 60 2f 02 01 03 04 20 75 69 64 3d 6c 61 6d 70 73 `/.... uid=lamps
0010: 2c 6f 75 3d 75 73 75 61 72 69 6f 73 2c 64 63 3d ,ou=usuarios,dc=
0020: 70 69 73 6f 6c 61 72 80 08 6c 34 77 64 30 67 67 pisolar..userpasswor 0030: 30 d
ber_scanf fmt (m}) ber: ber_dump: buf=0xa0598a0 ptr=0xa0598ca end=0xa0598d4 len=10 0000: 00 08 6c 34 77 64 30 67 67 30 ..userpassword
dnPrettyNormal: <uid=lamps,ou=usuarios,dc=pisolar>
=> ldap_bv2dn(uid=lamps,ou=usuarios,dc=pisolar,0) <= ldap_bv2dn(uid=lamps,ou=usuarios,dc=pisolar)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=lamps,ou=usuarios,dc=pisolar)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=lamps,ou=usuarios,dc=pisolar)=0 <<< dnPrettyNormal: <uid=lamps,ou=usuarios,dc=pisolar>, <uid=lamps,ou=usuarios,dc=pisolar> do_bind: version=3 dn="uid=lamps,ou=usuarios,dc=pisolar" method=128 ==> bdb_bind: dn: uid=lamps,ou=usuarios,dc=pisolar bdb_dn2entry("uid=lamps,ou=usuarios,dc=pisolar") => bdb_dn2id("dc=pisolar") <= bdb_dn2id: got id=0x1 => bdb_dn2id("ou=usuarios,dc=pisolar") <= bdb_dn2id: got id=0xb => bdb_dn2id("uid=lamps,ou=usuarios,dc=pisolar") <= bdb_dn2id: got id=0x10 entry_decode: "uid=lamps,ou=usuarios,dc=pisolar" <= entry_decode(uid=lamps,ou=usuarios,dc=pisolar) => access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar" "userPassword" requested => acl_get: [1] attr userPassword => slap_access_allowed: result not in cache (userPassword) => acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: cn=admin,dc=pisolar <= check a_dn_pat: anonymous <= acl_mask: [2] applying none(=0) (stop) <= acl_mask: [2] mask: none(=0) => slap_access_allowed: auth access denied by none(=0) => access_allowed: no more rules send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=49 matched="" text="" send_ldap_response: msgid=1 tag=97 err=49 ber_flush2: 14 bytes to sd 13 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
ldap_write: want=14, written=14 0000: 30 0c 02 01 01 61 07 0a 01 31 04 00 04 00 0....a...1....
daemon: activity on 1 descriptor daemon: activity on: 13r daemon: read active on 13 daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero connection_get(13) connection_get(13): got connid=0 connection_read(13): checking for input on id=0 ber_get_next ldap_read: want=8, got=7 0000: 30 05 02 01 02 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents: ber_dump: buf=0xa0039c0 ptr=0xa0039c0 end=0xa0039c5 len=5 0000: 02 01 02 42 00 ...B.
ber_get_next ldap_read: want=8, got=0
ber_get_next on fd 13 failed errno=0 (Success) connection_read(13): input error=-2 id=0, closing. connection_closing: readying conn=0 sd=13 for close daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero connection_close: deferring conn=0 sd=13 conn=0 op=1 do_unbind connection_resched: attempting closing conn=0 sd=13 connection_close: conn=0 sd=13 daemon: removing 13 daemon: activity on 1 descriptor daemon: activity on: slap_listener_activate(8): daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 busy
slap_listener(ldap:///)
daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=zero daemon: epoll: listen=8 active_threads=0 tvp=zero
=================================
I tried to set a lot of different config syntaxes at squid.conf, but it always comes to the same kind of problem at slapd debug: after reading the user CN and his password, slapd fails to read something else (ldap_read: want=8 error=Resource temporarily unavailable) and then it doesn't authenticate.
What am I doing wrong? Is there any problem with my openldap server? With squid? =(
I'd like to thank you all in advance for any support, and say sorry for my broken English. =D
On Wed, 24 Nov 2010 08:59:05 -0300, Bruno Lamps lampss@gmail.com wrote:
Hi everybody,
I spent some days reading the ebook "Ldap for rocket scientists" ( zytrax.com/books/ldap/) and I've successfully (I think it's a success =3 ) created a VM with debian lenny and openldap running.
After that, I created another VM, running IPfire (www.ipfire.org) distro, this will be the firewall of the SMB I'm working for. Now I'm trying to authenticate the squid proxy, installed in IPFire distro, integrating it with my openldap server. A screenshot of my IPFire's webGUI and phpldapadmin webGUI can be seen at this topic: http://forum.ipfire.org/index.php?topic=3404.0
But the authentication isn't running, the browser using squid proxy keeps asking me for username and password. Suspecting that the webGUI could be making some mistake in squid config file, I started editing its parameters manually. Right now, the ldap authentication line in my squid.conf looks like this:
auth_param basic program /usr/lib/squid/squid_ldap_auth -D "cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h 192.168.1.7 -v 3
cn=admin,dc=pisolar = my root user.
ou=usuarios,dc=pisolar = the OU where my users are stored.
I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered VM, and this is the text shown when I try to authenticate in my browser:
[...]
=> bdb_dn2id("ou=usuarios,dc=pisolar") <= bdb_dn2id: got id=0xb => bdb_dn2id("uid=lamps,ou=usuarios,dc=pisolar") <= bdb_dn2id: got id=0x10 entry_decode: "uid=lamps,ou=usuarios,dc=pisolar" <= entry_decode(uid=lamps,ou=usuarios,dc=pisolar) => access_allowed: auth access to "uid=lamps,ou=usuarios,dc=pisolar" "userPassword" requested => acl_get: [1] attr userPassword => slap_access_allowed: result not in cache (userPassword) => acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: cn=admin,dc=pisolar <= check a_dn_pat: anonymous <= acl_mask: [2] applying none(=0) (stop) <= acl_mask: [2] mask: none(=0) => slap_access_allowed: auth access denied by none(=0)
[...]
Check your access rules, as access to the attribute userPassword is denied; read the few lines above.
I tried to set a lot of different config syntaxes at squid.conf, but it always comes to the same kind of problem at slapd debug: after reading the user CN and his password, slapd fails to read something else (ldap_read: want=8 error=Resource temporarily unavailable) and then it doesn't authenticate.
What am I doing wrong? Is there any problem with my openldap server? With squid? =(
I think both are misconfigured. The module squid_ldap_auth requires a parameter -u, in order to define the attribute type, which can be either uid or cn.
-Dieter
On Wednesday, 24 November 2010 12:59:05 Bruno Lamps wrote:
[snip irrelevant information]
auth_param basic program /usr/lib/squid/squid_ldap_auth -D "cn=admin,dc=pisolar" -w "mypassword" -b "ou=usuarios,dc=pisolar" -h 192.168.1.7 -v 3
Note that without a filter (-f option), this does DN construction, which may not be what you want ...
cn=admin,dc=pisolar = my root user.
ou=usuarios,dc=pisolar = the OU where my users are stored.
Please provide the exact DN of the user for which you are testing.
I opened slapd in debug mode (slapd -d 255) in my openldap debian-powered VM, and this is the text shown when I try to authenticate in my browser:
I assume you tried to log in with username 'lamps'
=> acl_mask: access to entry "uid=lamps,ou=usuarios,dc=pisolar", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: cn=admin,dc=pisolar <= check a_dn_pat: anonymous <= acl_mask: [2] applying none(=0) (stop) <= acl_mask: [2] mask: none(=0) => slap_access_allowed: auth access denied by none(=0) => access_allowed: no more rules send_ldap_result: conn=0 op=0 p=3 send_ldap_result: err=49 matched="" text="" send_ldap_response: msgid=1 tag=97 err=49
It seems your ACLs are not sufficient for *any* simple binds to this DN.
Please test the following on your LDAP server: $ ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W
Until this command works, please don't bother with anything related to squid.
I tried to set a lot of different config syntaxes at squid.conf, but it always comes to the same kind of problem at slapd debug: after reading the user CN and his password, slapd fails to read something else (ldap_read: want=8 error=Resource temporarily unavailable) and then it doesn't authenticate.
What am I doing wrong? Is there any problem with my openldap server?
Did you ever test simple binds to your LDAP server as these users except from squid? It doesn't seem like it ...
Regards, Buchan
Hi,
Thanks Dieter Kluenter and Buchan Milne for answering to this, and everyone else that is reading this topic. =D
It seems your ACLs are not sufficient for *any* simple binds to this DN.
Please test the following on your LDAP server:
$ ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W
Until this command works, please don't bother with anything related to squid.
Right, this command isn't working for any user, except cn=admin,dc=pisolar. I'm struggling with /etc/ldap/slapd.conf, to solve this. I probably tried to make the ACLs a bit too tight, and now they're choking me. =p
Did you ever test simple binds to your LDAP server as these users except from squid? It doesn't seem like it ...
I use this ldap base to authenticate my GLPI () system. But I think GLPI just grabs all my base, using the ldap admin password, and transports it to its mysql database. =/
I'm currently testing different ACLs in /etc/ldap/slapd.conf. Right now, these are the rules:
access to *
        by dn="cn=admin,dc=pisolar" write
        #by anonymous none
        #by self none
        by * read

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=pisolar" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

What kind of mistake am I making there? =S
Once again, thank you all for helping me. ;]
Bruno Lamps lampss@gmail.com writes:
Hi,
Thanks Dieter Kluenter and Buchan Milne for answering to this, and everyone else that is reading this topic. =D
It seems your ACLs are not sufficient for *any* simple binds to this DN.
Please test the following on your LDAP server:
$ ldapwhoami -x -D uid=lamps,ou=usuarios,dc=pisolar -W
Until this command works, please don't bother with anything related to squid.
Right, this command isn't working for any user, except cn=admin,dc=pisolar. I'm struggling with /etc/ldap/slapd.conf, to solve this. I probably tried to make the ACLs a bit too tight, and now they're choking me. =p
Did you ever test simple binds to your LDAP server as these users except from squid? It doesn't seem like it ...
I use this ldap base to authenticate my GLPI () system. But I think GLPI just grabs all my base, using the ldap admin password, and transports it to its mysql database. =/
I'm currently testing different ACLs in /etc/ldap/slapd.conf. Right now, these are the rules:
access to *
        by dn="cn=admin,dc=pisolar" write
        #by anonymous none
        #by self none
        by * read

access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=pisolar" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

What kind of mistake am I making there? =S
man slapd.access(5)
http://www.openldap.org/doc/admin24/access-control.html
http://www.openldap.org/faq/data/cache/189.html
-Dieter
Solved!
I used the tip written in http://www.openldap.org/faq/data/cache/320.html, as Dieter Kluenter recommended:
access to attr=userpassword
        by self =xw
        by anonymous auth

access to *
        by self write
        by users read

Now I can go back to squid and DansGuardian tuning. =D
Thanks Dieter and Buchan. ;D
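To make the ACL behaviour in this thread concrete, here is an added example (not code from the thread, from OpenLDAP, or from squid): a small Python model of slapd's first-match ACL evaluation, run over the final rule set above for a simple bind as uid=lamps. The DENYING rule set is constructed here to reproduce the "[2] applying none" outcome seen in the debug output; real slapd supports far more who/what forms than this model.

```python
# Added example, not from the thread: a small model of slapd ACL evaluation.
# First matching "access to" target wins, then the first matching "by" clause
# (default "stop"); if nothing matches, the result is none.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PRIV = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
        "r": "read", "w": "write", "m": "manage"}

def granted(level, needed):
    """Does `level` (a level name, or =letters such as =xw) include `needed`?"""
    if level.startswith("="):          # '=' grants exactly the listed privileges
        return needed in {PRIV[c] for c in level[1:]}
    return LEVELS.index(level) >= LEVELS.index(needed)  # a level implies lower ones

def who_matches(who, bind_dn, entry_dn):
    """Only the who forms used in the thread: *, anonymous, users, self, dn="..."."""
    if who.startswith('dn="'):
        return bind_dn.lower() == who[4:-1].lower()
    return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
            "self": bind_dn != "" and bind_dn.lower() == entry_dn.lower()}[who]

def what_matches(what, entry_dn, attr):
    """Only the what forms used in the thread: *, attrs=/attr=..., dn.base=""."""
    if what.startswith(("attrs=", "attr=")):
        return attr is not None and attr.lower() in what.split("=", 1)[1].lower().split(",")
    return {"*": True, 'dn.base=""': entry_dn == ""}[what]

def access_allowed(acls, bind_dn, entry_dn, attr, needed):
    """acls: [(what, [(who, level), ...]), ...] in slapd.conf order."""
    for what, bys in acls:
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, entry_dn):
                return granted(level, needed)
        return False   # target matched, no "by" matched: slapd applies none
    return False       # no directive matched

def simple_bind_ok(acls, dn):
    """A simple bind needs auth access to the entry's userPassword, evaluated as anonymous."""
    return access_allowed(acls, "", dn, "userPassword", "auth")

USER = "uid=lamps,ou=usuarios,dc=pisolar"
# The rule set the thread ends with.
FINAL = [("attr=userpassword", [("self", "=xw"), ("anonymous", "auth")]),
         ("*", [("self", "write"), ("users", "read")])]
# Constructed rule set of the kind the debug output reflects ("[2] applying none").
DENYING = [("attrs=userPassword", [('dn="cn=admin,dc=pisolar"', "write"),
                                   ("anonymous", "none"), ("self", "write")]),
           ("*", [("*", "read")])]
```

Swapping the two directives in FINAL (so that "access to *" comes first) makes simple_bind_ok return False, because the catch-all directive is consulted first and an anonymous binder matches neither self nor users.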
On Fri, Nov 26, 2010 at 10:53 AM, Dieter Kluenter dieter@dkluenter.de wrote:
-- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:8EF7B6C6 53°37'09,95"N 10°08'02,42"E