My access rules in the slapd.conf are the following:

access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=sysadmin,dc=mydomain,dc=com" write
        by group.exact="cn=itmanager,ou=manager,dc=mydomain,dc=com" write
        by * none

access to *
        by self write
        by dn.base="cn=sysadmin,dc=mydomain,dc=com" write
        by group.exact="cn=itmanager,ou=manager,dc=mydomain,dc=com" write
        by * read

If I don't have the following entries in a client's /etc/ldap.conf, when I log in to the client by using ssh I will get the "Access denied" message:

binddn cn=Manager,dc=mydomain,dc=com
bindpw secret

The ldap log is the following:

May 11 16:08:18 ldapm slapd[24629]: conn=0 fd=13 ACCEPT from IP=192.168.2.161:33801 (IP=0.0.0.0:389)
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 BIND dn="" method=128
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 RESULT tag=97 err=0 text=
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))"
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))"
May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
May 11 16:08:23 ldapm slapd[24629]: conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 11 16:08:23 ldapm slapd[24629]: conn=1 fd=16 ACCEPT from IP=192.168.2.161:33802 (IP=0.0.0.0:389)
May 11 16:08:23 ldapm slapd[24629]: conn=1 op=0 BIND dn="" method=128
May 11 16:08:23 ldapm slapd[24629]: conn=1 op=0 RESULT tag=97 err=0 text=
May 11 16:08:23 ldapm slapd[24629]: conn=1 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=luke_l)"
May 11 16:08:23 ldapm slapd[24629]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

If I have the binddn and bindpw using the distinguished name, Manager, the login will succeed. The ldap log is the following:

May 11 17:22:32 ldapm slapd[24629]: conn=20 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 11 17:22:32 ldapm slapd[24629]: conn=20 op=4 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(uid=luke_l)"
May 11 17:22:32 ldapm slapd[24629]: conn=20 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luke_l)(uniqueMember=uid=luke_l,ou=people,dc=mydomain,dc=com)))"
May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
May 11 17:22:32 ldapm slapd[24629]: <= bdb_equality_candidates: (uniqueMember) not indexed
May 11 17:22:32 ldapm slapd[24629]: conn=20 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 11 17:22:32 ldapm slapd[24629]: conn=20 op=6 UNBIND
May 11 17:22:32 ldapm slapd[24629]: conn=20 fd=18 closed
May 11 17:22:32 ldapm slapd[24629]: conn=21 fd=16 ACCEPT from IP=192.168.2.161:33816 (IP=0.0.0.0:389)
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 RESULT tag=97 err=0 text=
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))"
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))"
May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 11 17:22:32 ldapm slapd[24629]: conn=22 fd=18 ACCEPT from IP=192.168.2.161:33817 (IP=0.0.0.0:389)
May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118
May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
May 11 17:22:32 ldapm slapd[24629]: conn=22 op=0 RESULT tag=97 err=0 text=
May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))"
May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
May 11 17:22:32 ldapm slapd[24629]: conn=22 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 11 17:22:32 ldapm slapd[24629]: conn=23 fd=20 ACCEPT from IP=192.168.2.161:33818 (IP=0.0.0.0:389)
May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118
May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
May 11 17:22:32 ldapm slapd[24629]: conn=23 op=0 RESULT tag=97 err=0 text=
May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))"
May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
May 11 17:22:32 ldapm slapd[24629]: conn=23 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 11 17:22:32 ldapm slapd[24629]: conn=23 fd=20 closed (connection lost)

What should I do to fix the problem and bind the server anonymously but get the authentication working? Thanks.

Luke
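An added helper for reading logs like the two quoted above; it is mine, not code from the thread or from OpenLDAP. It groups slapd "stats" lines by connection, pairs every SRCH with its SEARCH RESULT, and lists the searches that came back err=0 but nentries=0 together with the identity that ran them. The point it makes visible is the comparison worth doing when an ACL is suspected: the anonymous bind (dn="") gets zero entries for uid=luke_l while the Manager-bound connections get one entry per lookup. Two things to keep in mind when reading its output: slapd reports a search whose matches are all hidden by access control as err=0 with fewer entries, never as an error, so only a same-filter comparison across identities separates "not there" from "not visible"; and if cn=Manager is the rootdn, as in the stock slapd.conf, it is exempt from access control, so a lookup that works as Manager proves nothing about the ACLs. The sample log is a subset of the lines from the thread; the conn=18 lines are included because their BIND is missing from the excerpt, and the parser labels that case rather than guessing.

```python
import re
from collections import defaultdict

# Sample input: a subset of the slapd log lines quoted in the thread above
# (the anonymous conn=0, the cn=Manager conn=21, and conn=18 whose BIND is not in the excerpt).
SAMPLE_LOG = """\
May 11 16:08:18 ldapm slapd[24629]: conn=0 fd=13 ACCEPT from IP=192.168.2.161:33801 (IP=0.0.0.0:389)
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 BIND dn="" method=128
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=0 RESULT tag=97 err=0 text=
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))"
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
May 11 16:08:18 ldapm slapd[24629]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 11 17:22:32 ldapm slapd[24629]: <= bdb_equality_candidates: (uniqueMember) not indexed
May 11 17:22:32 ldapm slapd[24629]: conn=21 fd=16 ACCEPT from IP=192.168.2.161:33816 (IP=0.0.0.0:389)
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" method=118
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 BIND dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=0 RESULT tag=97 err=0 text=
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10022))"
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
May 11 17:22:32 ldapm slapd[24629]: conn=21 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SRCH base="dc=mydomain,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luke_l))"
May 11 17:22:32 ldapm slapd[24629]: conn=18 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN_RE = re.compile(r"conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
SRCH_RE = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>.*)"$')
RESULT_RE = re.compile(r"op=(?P<op>\d+) SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+)")


def parse_slapd_log(text):
    """Group slapd 'stats' loglevel lines by connection id.

    Returns {conn: {"bind_dn": str or None, "searches": [...]}}; each search records
    op, filter, err and nentries.  bind_dn == "" is an anonymous bind, None means no
    BIND line for that connection appeared in the text.
    """
    conns = defaultdict(lambda: {"bind_dn": None, "searches": []})
    pending = {}  # (conn, op) -> search dict still waiting for its SEARCH RESULT line
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # lines without conn= (e.g. the "not indexed" warning) are skipped
        conn, rest = m.group("conn"), m.group("rest")
        b = BIND_RE.match(rest)
        if b:
            conns[conn]["bind_dn"] = b.group("dn")
            continue
        s = SRCH_RE.match(rest)
        if s:  # the "SRCH attr=..." line does not match because it has no base=
            entry = {"op": int(s.group("op")), "filter": s.group("filter"),
                     "err": None, "nentries": None}
            conns[conn]["searches"].append(entry)
            pending[(conn, entry["op"])] = entry
            continue
        r = RESULT_RE.match(rest)
        if r:
            entry = pending.pop((conn, int(r.group("op"))), None)
            if entry is not None:
                entry["err"] = int(r.group("err"))
                entry["nentries"] = int(r.group("n"))
    return dict(conns)


def identity(conn):
    """Human-readable label for who ran a connection's searches."""
    if conn["bind_dn"] == "":
        return "anonymous"
    return conn["bind_dn"] if conn["bind_dn"] is not None else "(bind not in excerpt)"


def empty_successful_searches(conns):
    """(identity, filter) for every search that returned err=0 but nentries=0.

    slapd gives this same result whether nothing matched or the ACLs hid every
    match from the bound identity, which is why the next function exists.
    """
    return [(identity(c), s["filter"])
            for c in conns.values() for s in c["searches"]
            if s["err"] == 0 and s["nentries"] == 0]


def entries_by_identity(conns):
    """filter -> {identity: nentries}: the same lookup seen from each bind identity."""
    table = defaultdict(dict)
    for c in conns.values():
        for s in c["searches"]:
            if s["nentries"] is not None:
                table[s["filter"]][identity(c)] = s["nentries"]
    return dict(table)


if __name__ == "__main__":
    parsed = parse_slapd_log(SAMPLE_LOG)
    for flt, counts in entries_by_identity(parsed).items():
        print(flt, counts)
    print("successful but empty:", empty_successful_searches(parsed))
```

Run it against a full slapd log (loglevel stats) instead of the embedded sample by replacing SAMPLE_LOG with the file contents; connections that authenticated as a non-root test user are the ones whose nentries actually exercise the ACLs.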
----- Original Message ----
From: Dieter Kluenter dieter@dkluenter.de
To: openldap-technical@openldap.org
Sent: Saturday, May 10, 2008 1:32:58 AM
Subject: Re: Mystery - Authentication Would Fail If Not Binding With Server By Using cn=Manager
Hi,
Luke Lee leeluke77@yahoo.com writes:
I am running OpenLDAP 2.3.39 on RedHat. My login authentication on a client system will fail if I don't configure the optional binddn and bindpw by using cn=Manager. Can anyone please enlighten me what could cause the strange problem? Thanks!
Could you be a bit more specific and could you provide the access rules of slapd.conf?
-Dieter
openldap-technical@openldap.org