
Invalid dn errors for valid dns?


I'm having trouble getting Apache's auth_ldap to work using 'require group', 
and I'm getting errors in the slapd logs.

Everything seems to be working: ldappasswd, ldapmodify, and ldapsearch all 
function properly.  In fact, you can hit the server yourself:


pam_ldap also works, as does binding from Apache using "require user".  
Everything is hunky-dory... except 'require group'.

Here are the relevant slapd errors:

  May 28 05:32:48 [slapd] daemon: read activity on 19
  May 28 05:32:48 [slapd] connection_get(19)
  May 28 05:32:48 [slapd] connection_get(19): got connid=4636
  May 28 05:32:48 [slapd] connection_read(19): checking for input on id=4636
  May 28 05:32:48 [slapd] ber_get_next on fd 19 failed errno=11 (Resource temporarily unavailable)
  May 28 05:32:48 [slapd] do_compare
  May 28 05:32:48 [slapd] do_compare: invalid dn  
  May 28 05:32:48 [slapd] send_ldap_result: conn= 4636 op=5 p=3
  May 28 05:32:48 [slapd] send_ldap_result: 34::invalid DN
  May 28 05:32:48 [slapd] send_ldap_response: msgid=6 tag=111 err=34
  May 28 05:32:48 [slapd] conn=4636 op=5 RESULT tag=111 err=34 text=invalid DN
  May 28 05:32:48 [slapd] daemon: select: listen=6 active_threads=1 tvp=NULL
  May 28 05:32:48 [slapd] daemon: select: listen=7 active_threads=1 tvp=NULL
  May 28 05:32:48 [slapd] daemon: select: listen=8 active_threads=1 tvp=NULL

This comes after messages that say that I've successfully bound to the 
database.  I see the "invalid dn" error in there, but when I do a search, I 

  germane-software private # ldapsearch -b 'dc=germane-software,dc=com' \
  # extended LDIF
  # LDAPv3
  # base <dc=germane-software,dc=com> with scope sub
  # filter: cn=svnTLR
  # requesting: ALL
  # svnTLR, Group, germane-software.com
  dn: cn=svnTLR,ou=Group,dc=germane-software,dc=com
  objectClass: posixGroup
  objectClass: top
  cn: svnTLR
  gidNumber: 5000
  memberUid: aviram
  memberUid: ser
  # search result
  search: 2
  result: 0 Success
  # numResponses: 2
  # numEntries: 1

And as far as I can tell, that "invalid dn" is exactly the same as the dn 
being reported by ldapsearch.

So, my question is: why is slapd reporting that the dn is invalid when it does 
appear to be valid?  Is there some common mistake that I'm making here?

In case you care, here's the .htaccess file I'm using to test this.  This 
works if I change "require group" to "require valid-user" or "require user 

  Options Indexes
  AuthName "Sean's Dir"
  AuthType basic
  AuthLDAPURL "ldap://localhost/ou=People,dc=germane-software,dc=com?uid?sub";
  AuthLDAPGroupAttribute memberUID
  AuthLDAPGroupAttributeIsDN off

  #Require user mmcdole
  Require group "cn=svnTLR,ou=Group,dc=germane-software,dc=com"

Incidentally, I've tried a number of permutations of the AuthLDAPURL and the 
group dn, including stripping the dcs and even the ou from the group dn, and 
stripping the ou and the query part from the URL.

Thanks for any pointers!

### SER   
### Deutsch|Esperanto|Francaise|Linux|XML|Java|Ruby|Aikido
### http://www.germane-software.com/~ser  jabber.com:ser  ICQ:83578737 
### GPG: http://www.germane-software.com/~ser/Security/ser_public.gpg
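The err=34 in the slapd log is invalidDNSyntax: it is slapd's verdict on the exact DN string that arrived in the compare request, which is not necessarily the string typed into the .htaccess. The following is an added example, not part of the post above, of a simplified RFC 4514 syntax check that can be run on a DN string before it goes on the wire. It accepts the group DN exactly as ldapsearch printed it and, for contrast, rejects the same DN with literal double quotes around it, as written in the Require line; whether Apache actually forwards those quotes is an assumption to verify on the Apache side, not something the post establishes.

```python
import re
# Simplified RFC 4514 DN syntax check (no schema lookup: unknown types pass).
ATTR_TYPE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$')
SPECIAL = ',+"\\<>;'                 # must be backslash-escaped inside a value
ESCAPABLE = SPECIAL + ' #='           # single characters allowed after '\'

def _split_unescaped(s, sep):         # split on sep unless preceded by '\'
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            cur.append(s[i:i + 2]); i += 2        # keep escape pairs intact
        elif s[i] == sep:
            parts.append(''.join(cur)); cur = []; i += 1
        else:
            cur.append(s[i]); i += 1
    parts.append(''.join(cur))
    return parts

def _tokens(value):                   # chars/escape sequences, None if malformed
    toks, i = [], 0
    while i < len(value):
        if value[i] != '\\':
            if value[i] in SPECIAL:
                return None                       # unescaped special char
            toks.append(value[i]); i += 1
        elif value[i + 1:i + 2] and value[i + 1] in ESCAPABLE:
            toks.append(value[i:i + 2]); i += 2   # \, \+ \" \  ...
        elif re.fullmatch(r'[0-9A-Fa-f]{2}', value[i + 1:i + 3]):
            toks.append(value[i:i + 3]); i += 3   # \XX hex escape
        else:
            return None                           # dangling or unknown escape
    return toks

def _value_ok(value):
    if value.startswith('#'):                     # hexstring form: #0402...
        return re.fullmatch(r'#(?:[0-9A-Fa-f]{2})+', value) is not None
    toks = _tokens(value)
    # empty value is allowed; an unescaped leading or trailing space is not
    return toks is not None and (not toks or ' ' not in (toks[0], toks[-1]))

def is_valid_dn(dn):
    """True if dn is a syntactically valid DN string (the empty DN included)."""
    for rdn in _split_unescaped(dn, ',') if dn else []:
        for ava in _split_unescaped(rdn, '+'):
            if '=' not in ava:
                return False                      # not 'type=value'
            attr, value = ava.split('=', 1)
            if not ATTR_TYPE.match(attr.strip()) or not _value_ok(value.lstrip()):
                return False
    return True
```

Feeding it the DN from the ldapsearch output returns True, while the same DN wrapped in literal double quotes returns False because `"cn` is not an attribute type.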