
OpenLDAP client authentication against JDS 6.3.1 server




Dear list members,

I've been fighting with this problem on and off for 6 months now (you can see some of my queries if you Google for me…) and I cannot for the life of me figure out what is going on. We are trying to get a Fedora 9 test box to authenticate against a Solaris 10 (SPARC) Sun Java Directory Server 6.3.1 box using anonymous binding and no SSL (we are on an internal, trusted network).

The JDS is running the NIS-to-LDAP script that Sun provide and can get information from the directory.

The Fedora box is running OpenLDAP client (version: openldap-clients-2.4.10-2.fc9.x86_64) and can't get any information from the directory after I switch to LDAP authentication from NIS authentication using system-config-authentication. NIS on the Fedora box works fine, so it isn't a network issue.

An extract from the access log on the server shows the following:

[01/Sep/2009:11:11:24 +0100] conn=2618 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.28.1.172:46682 to 172.28.1.173
[01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - BIND dn="" method=128 version=3
[01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=dmm))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[01/Sep/2009:11:11:42 +0100] conn=2618 op=2 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
[01/Sep/2009:11:11:42 +0100] conn=2618 op=-1 msgId=-1 - closing from 172.28.1.172:46682 - A1 - Client aborted connection -
[01/Sep/2009:11:11:42 +0100] conn=2618 op=-1 msgId=-1 - closed.
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - SRCH base="ou=hosts,dc=example=com" scope=1 filter="(&(objectClass=ipHost)(cn=lin05))" attrs=ALL
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 -  SORT cn uid (1)
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 -  VLV 0:49999:0:0 1:1 (0)
[01/Sep/2009:11:12:01 +0100] conn=4 op=4166 msgId=4167 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[01/Sep/2009:11:12:25 +0100] conn=4 op=4167 msgId=4168 - SRCH base="automountkey=userf,automountmapname=auto_home,dc=example,dc=com" scope=0 filter="(objectClass=automount)" attrs=ALL
[01/Sep/2009:11:12:25 +0100] conn=4 op=4167 msgId=4168 - RESULT err=0 tag=101 nentries=1 etime=0
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - SRCH base="ou=people,dc=example=com" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=254))" attrs=ALL
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 -  SORT cn uid (1)
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 -  VLV 0:49999:0:0 1:1 (0)
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U

Connection 2618 is from the Fedora box and is unsuccessful.  Connection 4 is the NIS-to-LDAP service on the Solaris box and is successful.

I have a number of questions, but, chiefly, am I actually using anonymous binding?  If I need to set a bind DN, what should it be?  Can I modify the search base so that it looks more like the search given in msgid 4168?


I'm sorry for the newbie questions (especially about a JDS server) but I am really tearing my hair out over this. 

I hope some of you can help.

Thanks in advance.

Andy

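Added example (not part of the original message): a small Python parser for the access-log format quoted above. It groups operations by connection so that the bind identity, the entry count of each search and any non-zero result code can be read side by side. The function names are this example's own; it treats dn="" with method=128 (simple bind) as an anonymous bind, and the sample lines are copied from the extract in the message.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the access log extract in the message above.
SAMPLE_LOG = '''
[01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - BIND dn="" method=128 version=3
[01/Sep/2009:11:11:24 +0100] conn=2618 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=dmm))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[01/Sep/2009:11:11:24 +0100] conn=2618 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[01/Sep/2009:11:11:42 +0100] conn=2618 op=2 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - SRCH base="ou=people,dc=example=com" scope=1 filter="(&(objectClass=posixAccount)(uidNumber=254))" attrs=ALL
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 -  SORT cn uid (1)
[01/Sep/2009:11:12:28 +0100] conn=4 op=4168 msgId=4169 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U
'''

OP = re.compile(r'conn=(\d+) op=(-?\d+) msgId=-?\d+ - +(\w+)(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def summarize(log):
    """Per connection: bind identity, each search with its entry count, non-zero result codes."""
    conns = defaultdict(lambda: {"bind": None, "searches": {}, "errors": []})
    for line in log.splitlines():
        m = OP.search(line)
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        f = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        c = conns[conn]
        if verb == "BIND":
            # An empty DN on a simple bind (method=128) is an anonymous bind.
            anon = f.get("dn") == "" and f.get("method") == "128"
            c["bind"] = "anonymous" if anon else f.get("dn")
        elif verb == "SRCH":
            c["searches"][op] = {"base": f["base"], "filter": f["filter"], "nentries": None}
        elif verb == "RESULT":
            if op in c["searches"]:  # pair the RESULT with its SRCH by op number
                c["searches"][op]["nentries"] = int(f["nentries"])
            if f["err"] != "0":
                c["errors"].append(int(f["err"]))
    return dict(conns)

def empty_searches(summary):
    """Searches that completed with zero entries, keyed by (conn, op)."""
    return {(conn, op): s for conn, c in summary.items()
            for op, s in c["searches"].items() if s["nentries"] == 0}

if __name__ == "__main__":
    for conn, c in summarize(SAMPLE_LOG).items():
        print(conn, c["bind"] or "bind not in extract", c["errors"], c["searches"])
```

A connection whose BIND line falls outside the extract (conn=4 here) is reported with no bind identity rather than assumed anonymous.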