I have an OpenLDAP server up and running and am trying to integrate it with Confluence. My LDAP structure looks like:
DN :: uid=123, ou=users, dc=example, dc=com
uid :: 123
mail :: bjason@example.com
cn :: barbara
sn :: jason
userPassword :: test (plain text for now)
I have another similar entry in another branch (su) for the "confluence admin". I did the LDAP configuration in Confluence and tested the bind with the Confluence user. Now, for every user authentication, I am assuming LDAP should be able to bind on any attribute other than the DN; however, I cannot do that. When I try to log in from Confluence using mail & password, this is what I see in my slapd.d logs:
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 48 contents:
op tag 0x60, time 1301434489
ber_get_next
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>
<<< dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>, <uid=234,ou=su,dc=example,dc=com>
do_bind: version=3 dn="uid=234,ou=su,dc=example,dc=com" method=128
bdb_dn2entry("uid=234,ou=su,dc=example,dc=com")
=> bdb_dn2id("dc=example,dc=com")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("ou=su,dc=example,dc=com")
<= bdb_dn2id: got id=0x4
=> bdb_dn2id("uid=234,ou=su,dc=example,dc=com")
<= bdb_dn2id: got id=0x7
entry_decode: "uid=234,ou=su,dc=example,dc=com"
<= entry_decode(uid=234,ou=su,dc=example,dc=com)
do_bind: v3 bind: "uid=234,ou=su,dc=example,dc=com" to "uid=234,ou=su,dc=example,dc=com"
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 144 contents:
op tag 0x63, time 1301434489
ber_get_next
conn=1000 op=1 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=user,dc=example,dc=com>
<<< dnPrettyNormal: <ou=user,dc=example,dc=com>, <ou=user,dc=example,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
==> limits_get: conn=1000 op=1 self="uid=234,ou=su,dc=example,dc=com" this="ou=user,dc=example,dc=com"
=> bdb_search
bdb_dn2entry("ou=user,dc=example,dc=com")
=> bdb_dn2id("ou=user,dc=example,dc=com")
<= bdb_dn2id: got id=0x3
entry_decode: "ou=user,dc=example,dc=com"
<= entry_decode(ou=user,dc=example,dc=com)
search_candidates: base="ou=user,dc=example,dc=com" (0x00000003) scope=2
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl("ou=user,dc=example,dc=com")
<= bdb_dn2idl: id=2 first=3 last=6
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 2 candidates
<= bdb_equality_candidates: id=2, first=6, last=7
=> bdb_equality_candidates (cn)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search_candidates: id=0 first=3 last=0
bdb_search: no candidates
send_ldap_result: conn=1000 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 12
I guess I should be able to do LDAP_BIND with any attribute, and LDAP should be able to search for the user's DN based on that attribute and authenticate him, as I have already provided a valid DN and password (for the Confluence user). Am I right here? Please let me know if it's doable (it should be) and what I am missing here. I tried searching for this but couldn't find it on the web. Thanks for the help and support.
-simon
On 29/03/11 14:47 -0700, sim123 wrote:
I have another similar entry in another branch (su) for the "confluence admin". I did the LDAP configuration in Confluence and tested the bind with the Confluence user. Now, for every user authentication, I am assuming LDAP should be able to bind on any attribute other than the DN; however, I cannot do that. When I try
By that, I assume that you are referring to a two step process where a privileged user binds (or anonymously binds) to the server, searches for the DN of a user based on some search criteria, unbinds, and then rebinds using the returned DN, and the password submitted by the client.
If that's a correct assumption, you might want to verify that:
* The privileged user has appropriate permissions to search in your user tree
* The client (confluence) is submitting appropriate base, scope, and filter in its search, and is retrieving the expected user DN
* The client is then binding a second time with the DN and user password
to log in from Confluence using mail & password, this is what I see in my slapd.d logs:
It looks like the search is not returning any entries. From your confluence server, can you perform an ldapsearch as your privileged user to see if you get any entries returned?
On Tue, Mar 29, 2011 at 7:43 PM, Dan White dwhite@olp.net wrote:
It looks like the search is not returning any entries. From your confluence server, can you perform an ldapsearch as your privileged user to see if you get any entries returned?
Thanks for your reply. You got me right, and I am sure the first two things are working: my authentication user has privileges, and Confluence is submitting base, scope and filter. I am not sure about the third point; I need to validate it.
I tried doing ldapsearch from the LDAP server machine (local) and from the Confluence server using a filter on uid/cn. However, I don't know why the wildcard works and the specific search doesn't.
ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

whereas

ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123*)
# requesting: ALL
#

# 123, users, example.com
dn: uid=123,ou=users,dc=example,dc=com
displayName: Barbara Jason
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
mail: bjason@example.com
uid: 123
userPassword:: bXJhanZhaWR5YQ==
sn: Jason
cn: Barbara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Again, I tried searching for it but couldn't find it. Sorry for being naive, but I would appreciate any help. Thanks
On 30/03/11 04:36 -0700, sim123 wrote:
I tried doing ldapsearch from the LDAP server machine (local) and from the Confluence server using a filter on uid/cn. However, I don't know why the wildcard works and the specific search doesn't.
My guess is that you're running into a bdb/hdb indexing problem. Try adding an index in your slapd.conf/slapd-config for uid (if it doesn't exist), and then rebuild your indexes using slapindex.
See the man pages for slapd-bdb/slapd-hdb and slapindex for details.
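As an added, constructed example (not OpenLDAP code and not anything posted in this thread), the script below models in Python both the search-then-bind flow Dan describes earlier and his indexing explanation: a back-bdb equality index that is configured in slapd.conf but was never built with slapindex makes an equality filter such as (uid=123) come back with no candidates, while a substring filter such as (uid=123*), which has no index to consult, still scans the entries and finds the user. Entry ids, the Manager password and the plain-text userPassword values are assumptions for the demo.

```python
import hmac

ALL = None  # sentinel: no usable index, scan every entry in scope

# Constructed sample DIT modelled on the thread's entries (plain-text
# userPassword as the poster had it; production servers store hashes).
ENTRIES = {
    3: {"dn": "ou=users,dc=example,dc=com", "objectClass": ["organizationalUnit"]},
    6: {"dn": "uid=123,ou=users,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
        "uid": ["123"], "cn": ["Barbara"], "mail": ["bjason@example.com"],
        "userPassword": ["test"]},
    7: {"dn": "cn=Manager,dc=example,dc=com", "objectClass": ["organizationalRole"],
        "cn": ["Manager"], "userPassword": ["secret"]},
}
BASE = "ou=users,dc=example,dc=com"
MANAGER = "cn=Manager,dc=example,dc=com"


class BdbLikeBackend:
    """Toy model of back-bdb candidate selection: an equality filter consults the
    index when an 'eq' index is configured, and an unbuilt index yields nothing."""

    def __init__(self, entries, index_config):
        self.entries = entries
        self.index_config = set(index_config)  # {("cn", "eq")} ~ 'index cn eq'
        self.index_db = {}                     # attr -> {normalised value: {ids}}

    def build_indexes(self):
        """What slapindex does: regenerate every configured eq index from the data."""
        self.index_db = {}
        for eid, entry in self.entries.items():
            for attr, kind in self.index_config:
                for value in (entry.get(attr, []) if kind == "eq" else []):
                    self.index_db.setdefault(attr, {}).setdefault(
                        value.lower(), set()).add(eid)

    def candidates(self, kind, attr, value):
        # Only eq indexes are modelled: a substring filter (no 'sub' index in the
        # thread) or an unindexed attribute falls back to a full scan.
        if kind != "eq" or (attr, "eq") not in self.index_config:
            return ALL
        # Index configured, so it is trusted: a key that was never written to it
        # ("bdb_index_read: failed") means an empty candidate list, not a scan.
        return set(self.index_db.get(attr, {}).get(value.lower(), set()))

    @staticmethod
    def _matches(entry, kind, attr, value):
        vals = [v.lower() for v in entry.get(attr, [])]
        return (value.lower() in vals if kind == "eq"
                else any(v.startswith(value.lower()) for v in vals))

    def search(self, base, kind, attr, value):
        """Subtree search under base for one filter term; kind is 'eq' or 'sub'."""
        cands = self.candidates(kind, attr, value)
        ids = self.entries if cands is ALL else cands
        return [self.entries[i]["dn"] for i in sorted(ids)
                if (self.entries[i]["dn"] == base
                    or self.entries[i]["dn"].endswith("," + base))
                and self._matches(self.entries[i], kind, attr, value)]

    def bind(self, dn, password):
        """Simple bind: constant-time compare against the entry's stored secret."""
        for entry in self.entries.values():
            if entry["dn"].lower() == dn.lower():
                return hmac.compare_digest(entry.get("userPassword", [""])[0], password)
        return False


def search_then_bind(be, svc_dn, svc_pw, base, login_attr, login, password):
    """Dan's two-step flow: bind as the privileged user, search for exactly one
    entry with login_attr=login, then bind as that DN. Returns the DN or None."""
    if not be.bind(svc_dn, svc_pw):
        return None
    found = be.search(base, "eq", login_attr, login)
    if len(found) != 1:  # zero hits is the "no candidates" case; >1 is ambiguous
        return None
    return found[0] if be.bind(found[0], password) else None


def reproduce_thread():
    """'index uid eq' added after the data was loaded, slapindex never run."""
    be = BdbLikeBackend(ENTRIES, {("cn", "eq")})
    be.build_indexes()                   # indexes as built when only cn was indexed
    be.index_config.add(("uid", "eq"))   # new index line in slapd.conf, no rebuild
    before = {
        "uid_eq": be.search(BASE, "eq", "uid", "123"),    # [] like '(uid=123)'
        "uid_sub": be.search(BASE, "sub", "uid", "123"),  # hit like '(uid=123*)'
        "cn_eq": be.search(BASE, "eq", "cn", "barbara"),  # hit: cn index is built
        "login": search_then_bind(be, MANAGER, "secret", BASE, "uid", "123", "test"),
    }
    be.build_indexes()                   # slapindex
    after = {
        "uid_eq": be.search(BASE, "eq", "uid", "123"),
        "login": search_then_bind(be, MANAGER, "secret", BASE, "uid", "123", "test"),
    }
    return before, after
```

The same model also accounts for the later observation that logging in by cn works while uid does not: in the demo the cn index was built and the uid index was not.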
On Wed, Mar 30, 2011 at 7:49 AM, Dan White dwhite@olp.net wrote:
My guess is that you're running into a bdb/hdb indexing problem. Try adding an index in your slapd.conf/slapd-config for uid (if it doesn't exist), and then rebuild your indexes using slapindex.
Thanks for your response. It's the index; I recreated the index and can do ldapsearch.
Confluence is doing the three-step process you described, i.e. init session and bind with the Confluence user, search for the DN, and bind with the DN. For some reason I see the search cannot find anything, and the log says:
bdb_index_read: failed (-30988)
bdb_search: no candidates
I had it working once!! I don't know what magic happened that time... Posting logs in case there is any clue there:
*Success Logs*

slap_listener_activate(8):
>>> slap_listener(ldap:///)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 43 contents:
op tag 0x60, time 1301501949
ber_get_next
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Manager,dc=example,dc=com>
<<< dnPrettyNormal: <cn=Manager,dc=example,dc=com>, <cn=manager,dc=example,dc=com>
*do_bind: version=3 dn="cn=Manager,dc=example,dc=com" method=128*
do_bind: v3 bind: "cn=Manager,dc=example,dc=com" to "cn=Manager,dc=example,dc=com"
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 12
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 120 contents:
op tag 0x63, time 1301501949
ber_get_next
conn=1000 op=1 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=users,dc=example,dc=com>
<<< dnPrettyNormal: <ou=users,dc=example,dc=com>, <ou=dc=example,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("ou=users,dc=example,dc=com")
=> bdb_dn2id("dc=example,dc=com")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("ou=users,dc=example,dc=com")
<= bdb_dn2id: got id=0x3
entry_decode: "ou=users,dc=example,dc=com"
<= entry_decode(ou=users,dc=example,dc=com)
search_candidates: base="ou=users,dc=example,dc=com" (0x00000003) scope=2
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl("ou=users,dc=example,dc=com")
<= bdb_dn2idl: id=2 first=3 last=6
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 2 candidates
<= bdb_equality_candidates: id=2, first=6, last=7
=> bdb_equality_candidates (cn)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=6, last=6
bdb_search_candidates: id=1 first=6 last=6
*entry_decode: "uid=123,ou=users,dc=example,dc=com"*
<= entry_decode(uid=123,ou=users,dc=example,dc=com)
=> bdb_dn2id("uid=123,ou=users,dc=example,dc=com")
<= bdb_dn2id: got id=0x6
*=> send_search_entry: conn 1000 dn="uid=123,ou=users,dc=example,dc=com"*
ber_flush2: 265 bytes to sd 12
<= send_search_entry: conn 1000 exit.
send_ldap_result: conn=1000 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 12
slap_listener_activate(8):
>>> slap_listener(ldap:///)
connection_get(15): got connid=1001
connection_read(15): checking for input on id=1001
ber_get_next
ber_get_next: tag 0x30 len 52 contents:
op tag 0x60, time 1301501949
ber_get_next
conn=1001 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <uid=123,ou=users,dc=example,dc=com>
<<< dnPrettyNormal: <uid=123,ou=users,dc=example,dc=com>, <uid=123,ou=users,dc=example,dc=com>
*do_bind: version=3 dn="uid=123,ou=users,dc=example,dc=com" method=128*
bdb_dn2entry("uid=123,ou=users,dc=example,dc=com")
do_bind: v3 bind: "uid=123,ou=users,dc=example,dc=com" to "uid=123,ou=users,dc=example,dc=com"
send_ldap_result: conn=1001 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 15
connection_get(15): got connid=1001
connection_read(15): checking for input on id=1001
ber_get_next
ber_get_next: tag 0x30 len 34 contents:
op tag 0x42, time 1301501968
ber_get_next
ber_get_next on fd 15 failed errno=0 (Success)
conn=1001 op=1 do_unbind
connection_close: conn=1001 sd=15

*Failure log*

connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 118 contents:
op tag 0x63, time 1301512406
ber_get_next
conn=1000 op=2 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=users,dc=example,dc=com>
<<< dnPrettyNormal: <ou=users,dc=example,dc=com>, <ou=users,dc=example,dc=com>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
=> bdb_search
bdb_dn2entry("ou=users,dc=example,dc=com")
search_candidates: base="ou=users,dc=example,dc=com" (0x00000003) scope=2
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_dn2idl("ou=users,dc=example,dc=com")
<= bdb_dn2idl: id=2 first=3 last=6
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 2 candidates
<= bdb_equality_candidates: id=2, first=6, last=7
=> bdb_equality_candidates (cn)
=> key_read
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search_candidates: id=0 first=3 last=0
*bdb_search: no candidates*
send_ldap_result: conn=1000 op=2 p=3
send_ldap_response: msgid=3 tag=101 err=0
ber_flush2: 14 bytes to sd 12
Thanks
Sorry for the long logs above. I just found out I can use the cn field for logging in and it works fine; however, the uid field doesn't work. I have an index on cn and uid, so I'm not sure why uid doesn't work.
Thanks.
Simon,
sim123 wrote on 29.03.2011 at 23:47:
I have an OpenLDAP server up and running and am trying to integrate it with Confluence. My LDAP structure looks like [...] I guess I should be able to do LDAP_BIND with any attribute, and LDAP should be able to search for the user's DN based on that attribute and authenticate him, as I have already provided a valid DN and password (for the Confluence user). Am I right here?
If you think "LDAP should be able to search ..." means "slapd does automatically search for the DN corresponding to the attribute you supply and binds with the DN" then: no.
Please let me know if it's doable (it should be) and what I am missing here. I tried searching for this but couldn't find it on the web. Thanks for the help and support.
From my experience, a few applications are still dumb and imply that the user attribute is the RDN, and only try to bind as userattribute=user,base=baseDN. All others do a search for the attribute under the base and bind in a second step with the found DN value. I don't know about Confluence.
Marc
openldap-technical@openldap.org