
Re: Invalid dn errors for valid dns?



Your problem has nothing to do with OpenLDAP software, but rather with
auth_ldap (improper) usage.  The "require group" directive refers to an
LDAP group, which is supposed to be of objectClass "groupOfNames" and hold
members in the attribute "member", which is DN-valued.  Your group is of
objectClass posixGroup, and has no "member" attributes; you're telling
auth_ldap to use the "memberUID" attribute as "member", which, of course,
contains valid POSIX group names but no valid DN values.  This explains
the (perfectly correct) error you see.  I suggest you check auth_ldap's
documentation, or ask an Apache forum for help on how to set up the
database and use auth_ldap correctly.

p.


> Hiya,
>
> I'm having trouble getting Apache's auth_ldap to work using 'require
> group', and I'm getting errors in the slapd logs.
>
> Everything seems to be working: ldappasswd, ldapmodify, and ldapsearch
> all function properly.  In fact, you can hit the server yourself:
>
>   ldap://germane-software.com/cn=svnTLR,ou=Group,dc=germane-software,dc=com?*?base
>
> pam_ldap also works, as does binding from Apache using "require user".
> Everything is hunky-dory... except 'require group'.
>
> Here's the relevant slapd errors:
>
>   May 28 05:32:48 [slapd] daemon: read activity on 19
>   May 28 05:32:48 [slapd] connection_get(19)
>   May 28 05:32:48 [slapd] connection_get(19): got connid=4636
>   May 28 05:32:48 [slapd] connection_read(19): checking for input on id=4636
>   May 28 05:32:48 [slapd] ber_get_next on fd 19 failed errno=11 (Resource temporarily unavailable)
>   May 28 05:32:48 [slapd] do_compare
>   May 28 05:32:48 [slapd] do_compare: invalid dn ("cn=svnTLR,ou=Group,dc=germane-software,dc=com")
>   May 28 05:32:48 [slapd] send_ldap_result: conn= 4636 op=5 p=3
>   May 28 05:32:48 [slapd] send_ldap_result: 34::invalid DN
>   May 28 05:32:48 [slapd] send_ldap_response: msgid=6 tag=111 err=34
>   May 28 05:32:48 [slapd] conn=4636 op=5 RESULT tag=111 err=34 text=invalid DN
>   May 28 05:32:48 [slapd] daemon: select: listen=6 active_threads=1 tvp=NULL
>   May 28 05:32:48 [slapd] daemon: select: listen=7 active_threads=1 tvp=NULL
>   May 28 05:32:48 [slapd] daemon: select: listen=8 active_threads=1 tvp=NULL
>
> This comes after messages that say that I've successfully bound to the
> database.  I see the "invalid dn" error in there, but when I do a
> search, I get:
>
>   germane-software private # ldapsearch -b 'dc=germane-software,dc=com' cn=svnTLR
>   # extended LDIF
>   #
>   # LDAPv3
>   # base <dc=germane-software,dc=com> with scope sub
>   # filter: cn=svnTLR
>   # requesting: ALL
>   #
>
>   # svnTLR, Group, germane-software.com
>   dn: cn=svnTLR,ou=Group,dc=germane-software,dc=com
>   objectClass: posixGroup
>   objectClass: top
>   cn: svnTLR
>   gidNumber: 5000
>   memberUid: aviram
>   memberUid: ser
>
>   # search result
>   search: 2
>   result: 0 Success
>
>   # numResponses: 2
>   # numEntries: 1
>
> And as far as I can tell, that "invalid dn" is exactly the same as the
> dn being reported by ldapsearch.
>
> So, my question is: why is slapd reporting that the dn is invalid when
> it does appear to be valid?  Is there some common mistake that I'm
> making here?
>
> In case you care, here's the .htaccess file I'm using to test this.
> This works if I change "require group" to "require valid-user" or
> "require user ser".
>
>   Options Indexes
>   AuthName "Sean's Dir"
>   AuthType basic
>   AuthLDAPURL "ldap://localhost/ou=People,dc=germane-software,dc=com?uid?sub"
>   AuthLDAPGroupAttribute memberUID
>   AuthLDAPGroupAttributeIsDN off
>
>   #Require user mmcdole
>   Require group "cn=svnTLR,ou=Group,dc=germane-software,dc=com"
>
> Incidentally, I've tried a number of permutations of the AuthLDAPURL and
> the group dn, including stripping the dcs and even the ou from the
> group dn, and stripping the ou and the query part from the URL.
>
> Thanks for any pointers!
>
> --
> ### SER
> ### Deutsch|Esperanto|Francaise|Linux|XML|Java|Ruby|Aikido
> ### http://www.germane-software.com/~ser  jabber.com:ser  ICQ:83578737
> ### GPG: http://www.germane-software.com/~ser/Security/ser_public.gpg


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it




    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
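The reply above states what auth_ldap's "require group" expects: a group whose membership attribute holds DNs, not POSIX names. The script below is an added example, not code from either message in this thread. It builds such a groupOfNames entry from a posixGroup's memberUid list, writes the matching .htaccess stanza (group attribute "member", AuthLDAPGroupAttributeIsDN on), and verifies one membership the way mod_auth_ldap does, with an LDAP compare against the group entry. It assumes users sit under ou=People as uid=<name> and groups under ou=Group of the base dc=germane-software,dc=com seen in the thread, a rootdn of cn=Manager,<base> for ldapadd, and the OpenLDAP client tools in PATH; those are assumptions, not facts from the thread. Because posixGroup and groupOfNames are both STRUCTURAL classes, the DN-valued group cannot be bolted onto the existing posixGroup entry, so the script gives it a new cn (svnTLR-web) and leaves the posixGroup that pam_ldap uses untouched.

```shell
#!/bin/sh
# Added example, not from the original thread.  Turns a posixGroup's
# memberUid list into a DN-valued groupOfNames, emits the .htaccess that
# goes with it, and checks a membership with ldapcompare.
# Assumed layout (not confirmed by the thread): users at uid=<name>,ou=People,
# groups at cn=<name>,ou=Group, rootdn cn=Manager,<base>.

BASE='dc=germane-software,dc=com'
LDAP_URI='ldap://localhost'

# Print an LDIF entry of objectClass groupOfNames named $1 whose "member"
# attribute holds the DN of every uid in $2 (space-separated).
# groupOfNames lists "member" as a MUST attribute, so an empty list is refused.
make_group_ldif() {
    cn=$1; uids=$2
    [ -n "$uids" ] || { echo "groupOfNames needs at least one member" >&2; return 1; }
    printf 'dn: cn=%s,ou=Group,%s\n' "$cn" "$BASE"
    printf 'objectClass: top\nobjectClass: groupOfNames\n'
    printf 'cn: %s\n' "$cn"
    for u in $uids; do
        printf 'member: uid=%s,ou=People,%s\n' "$u" "$BASE"
    done
}

# Print the .htaccess stanza matching such a group: the group attribute is
# "member" and its values are DNs, so AuthLDAPGroupAttributeIsDN must be on.
make_htaccess() {
    cn=$1
    cat <<EOF
AuthName "Sean's Dir"
AuthType basic
AuthLDAPURL "$LDAP_URI/ou=People,$BASE?uid?sub"
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require group "cn=$cn,ou=Group,$BASE"
EOF
}

# Reproduce the check mod_auth_ldap issues for "require group": an LDAP
# compare of member=<user DN> against the group entry.  ldapcompare exits
# 6 for TRUE and 5 for FALSE; anything else is a server error such as the
# err=34 (invalid DN) seen in the slapd log above.
is_member() {
    cn=$1; uid=$2
    rc=0
    ldapcompare -x -H "$LDAP_URI" \
        "cn=$cn,ou=Group,$BASE" "member:uid=$uid,ou=People,$BASE" >/dev/null 2>&1 || rc=$?
    case $rc in
        6) echo "$uid is a member of $cn"; return 0 ;;
        5) echo "$uid is not a member of $cn"; return 1 ;;
        *) echo "compare failed with status $rc (see slapd log)"; return 2 ;;
    esac
}

# "run" adds the group to the live server and checks one user; the bind DN
# and the new cn "svnTLR-web" are assumptions, adjust them to your directory.
if [ "$1" = "run" ]; then
    make_group_ldif svnTLR-web "aviram ser" > svnTLR-web.ldif
    make_htaccess svnTLR-web > .htaccess
    ldapadd -x -H "$LDAP_URI" -D "cn=Manager,$BASE" -W -f svnTLR-web.ldif
    is_member svnTLR-web ser
fi
```

Running the script with the single argument `run` writes svnTLR-web.ldif and .htaccess into the current directory, prompts for the rootdn password, adds the entry and prints whether ser is a member. The exit-code mapping in is_member matters: a plain `ldapcompare ... && echo yes` would treat the TRUE status (6) as a failure, which is exactly the kind of mistake that makes a working directory look broken.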