Hello,
I recently had a "knowledgeable" friend work on my OpenLDAP server. He made some changes to the configs without backing them up, and now users are unable to authenticate against this OpenLDAP 2.4 server where previously they could. I am running on FreeBSD 8.1. I am a student trying to learn and be comfortable with OpenLDAP.
When a user sshes to any machine on the network that is configured to listen to this LDAP server, they now get an error in the LDAP logs:
Oct 29 22:49:41 LBSD2 slapd[1085]: <= bdb_equality_candidates: (uid) not indexed
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=4 BIND dn="uid=bluethundr,ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" method=128
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=4 RESULT tag=97 err=49 text=
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=5 BIND dn="" method=128
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=5 RESULT tag=97 err=0 text=
It looks like it's failing to bind:
conn=1003 op=3 BIND dn="" method=128
and I think this error may be key, but I am unsure of its meaning:
tag=97
My ldap.conf reads as follows:
host ldap.summitnjhome.com
base dc=summitnjhome,dc=com
scope sub
pam_password exop
nss_base_passwd ou=staff,dc=summitnjhome,dc=com
nss_base_shadow ou=staff,dc=summitnjhome,dc=com
sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com
And why would the uid not be indexed?
And this is the user entry in LDAP:
[root@LBSD2:/home/bluethundr/txt/ldif]# cat bluethundr.ldif
dn: uid=bluethundr,ou=summitnjops,ou=staff,dc=summitnjhome,dc=com
uid: bluethundr
cn: Timothy P.
givenName: Timothy P.
sn:
mail: bluethundr@blah.com
mailRoutingAddress: bluethundr@mail.blah.com
mailHost: mail.blah.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {CRYPT}secret
loginShell: /usr/local/bin/bash
uidNumber: 1001
gidNumber: 1002
homeDirectory: /home/bluethundr
gecos: Timothy P.
And these are my ACLs in slapd.conf:
access to *
        by read
access to attrs=userPassword
        by self write
        by anonymous auth
access to *
        by self write
        by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write
        by users read
        by anonymous auth
access to *
        by self write
I would certainly appreciate any help to get this working again!
Thank you
--On Saturday, October 30, 2010 8:51 AM -0400 Tim Dunphy bluethundr@gmail.com wrote:
Oct 29 22:49:41 LBSD2 slapd[1085]: <= bdb_equality_candidates: (uid) not indexed
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=4 BIND dn="uid=bluethundr,ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" method=128
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=4 RESULT tag=97 err=49 text=
tag=97
Tags are not error messages; they are for information purposes.
Error messages are prefixed with "err="; in this case, your log clearly shows that the wrong password was used, or the binddn is wrong, or both.
Thus the LDAP server returns "ERROR 49" very clearly in your log for connection 1002.
You likely should also create an equality index on uid, since apparently your DNs are uid-based.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
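The distinction Quanah draws between "tag=" and "err=" is easy to get wrong when reading slapd logs by hand, so here is a small log parser, added as an example and not part of either message in the thread. It reads the slapd lines posted above, decodes the tag as the LDAP protocol-op type (97 is a BindResponse and 101 a SearchResultDone, the decimal values of the BER APPLICATION tags from RFC 4511), decodes the err value as the LDAP result code (0 success, 49 invalidCredentials), joins each RESULT to its BIND request by (conn, op) so the result carries the DN that tried to bind, and separately records "not indexed" warnings. The function names and the regexes are mine; the sample log is the log quoted in the thread.

```python
import re
from collections import Counter

# Protocol-op tags as slapd logs them: decimal of the BER APPLICATION tag
# (BindResponse = 0x61 = 97, SearchResultDone = 0x65 = 101, ...). Informational only.
LDAP_TAG_NAMES = {97: "bindResponse", 101: "searchResultDone",
                  103: "modifyResponse", 105: "addResponse", 107: "delResponse"}
# LDAP result codes (RFC 4511 section 4.1.9). This is where the actual error lives.
LDAP_RESULT_CODES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 53: "unwillingToPerform"}
# method=128 (0x80) is a simple bind, method=163 (0xa3) is a SASL bind.
BIND_METHODS = {128: "simple", 163: "sasl"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[\d+\]: (?P<msg>.*)$")
NOT_INDEXED_RE = re.compile(r"<= [a-z]+_(?P<kind>[a-z]+)_candidates: \((?P<attr>\w+)\) not indexed")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")

# The log lines quoted in the thread (the second BIND/RESULT pair is the anonymous rebind).
SAMPLE_LOG = """\
Oct 29 22:49:41 LBSD2 slapd[1085]: <= bdb_equality_candidates: (uid) not indexed
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=4 BIND dn="uid=bluethundr,ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" method=128
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=4 RESULT tag=97 err=49 text=
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=5 BIND dn="" method=128
Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=5 RESULT tag=97 err=0 text=
"""


def parse_slapd_log(lines):
    """Return {'unindexed': [...], 'results': [...]}.

    Each result is decoded (tag -> op type, err -> result code) and, for binds,
    joined to the BIND request with the same (conn, op) so it carries the DN."""
    pending_binds = {}   # (conn, op) -> {"dn": ..., "method": ...}
    results = []
    unindexed = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # not a slapd line; ignore
        msg = m.group("msg")
        w = NOT_INDEXED_RE.search(msg)
        if w:
            unindexed.append({"attr": w.group("attr"), "kind": w.group("kind")})
            continue
        b = BIND_RE.search(msg)
        if b:
            key = (int(b.group("conn")), int(b.group("op")))
            method = int(b.group("method"))
            pending_binds[key] = {"dn": b.group("dn"),
                                  "method": BIND_METHODS.get(method, str(method))}
            continue
        r = RESULT_RE.search(msg)
        if r:
            key = (int(r.group("conn")), int(r.group("op")))
            tag, err = int(r.group("tag")), int(r.group("err"))
            entry = {"conn": key[0], "op": key[1],
                     "tag": tag, "op_type": LDAP_TAG_NAMES.get(tag, "tag%d" % tag),
                     "err": err, "result": LDAP_RESULT_CODES.get(err, "err%d" % err)}
            entry.update(pending_binds.pop(key, {}))   # attach dn/method if this was a bind
            results.append(entry)
    return {"unindexed": unindexed, "results": results}


def failed_binds(parsed):
    """Count bind DNs that received invalidCredentials (err=49): the thing to alert on,
    both for a broken client configuration and for password guessing against one DN."""
    counts = Counter()
    for r in parsed["results"]:
        if r["op_type"] == "bindResponse" and r["err"] == 49:
            counts[r.get("dn", "?")] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_slapd_log(SAMPLE_LOG.splitlines())
    for r in parsed["results"]:
        print("conn=%d op=%d %s -> %s %s" % (r["conn"], r["op"], r["op_type"], r["result"],
                                            ('dn="%s"' % r["dn"]) if "dn" in r else ""))
    print("unindexed:", parsed["unindexed"])
    print("failed binds:", dict(failed_binds(parsed)))
```

Run against the quoted log it reports one unindexed equality lookup on uid, a successful search, an invalidCredentials bind for uid=bluethundr,... and a successful anonymous bind; only the err=49 line is a failure, exactly as the reply says. The "(uid) not indexed" warning is fixed on the server side, as suggested, by adding an "index uid eq" directive to the database section of slapd.conf and rebuilding the indexes with slapindex while slapd is stopped.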