Re: Invalid dn errors for valid dns?
Your problem has nothing to do with OpenLDAP software, but rather with
auth_ldap (improper) usage. The "require group" directive refers to an
LDAP group, which is supposed to be of objectClass "groupOfNames" and hold
members in the attribute "member", which is DN-valued. Your group is of
objectClass posixGroup, and has no "member" attributes; you're telling
auth_ldap to use the "memberUID" attribute as "member", which, of course,
contains valid POSIX group names but no valid DN values. This explains
the (perfectly correct) error you see. I suggest you check auth_ldap's
documentation, or ask an Apache forum for help on how to set up the
database and use auth_ldap correctly.
> I'm having trouble getting Apache's auth_ldap to work using 'require
> group', and I'm getting errors in the slapd logs.
> Everything seems to be working: ldappasswd, ldapmodify, and ldapsearch
> all function properly. In fact, you can hit the server yourself:
> pam_ldap also works, as does binding from Apache using "require user".
> Everything is hunky-dory... except 'require group'.
> Here's the relevant slapd errors:
> May 28 05:32:48 [slapd] daemon: read activity on 19
> May 28 05:32:48 [slapd] connection_get(19)
> May 28 05:32:48 [slapd] connection_get(19): got connid=4636
> May 28 05:32:48 [slapd] connection_read(19): checking for input on id=4636
> May 28 05:32:48 [slapd] ber_get_next on fd 19 failed errno=11 (Resource temporarily unavailable)
> May 28 05:32:48 [slapd] do_compare
> May 28 05:32:48 [slapd] do_compare: invalid dn
> May 28 05:32:48 [slapd] send_ldap_result: conn= 4636 op=5 p=3
> May 28 05:32:48 [slapd] send_ldap_result: 34::invalid DN
> May 28 05:32:48 [slapd] send_ldap_response: msgid=6 tag=111 err=34
> May 28 05:32:48 [slapd] conn=4636 op=5 RESULT tag=111 err=34 text=invalid DN
> May 28 05:32:48 [slapd] daemon: select: listen=6 active_threads=1 tvp=NULL
> May 28 05:32:48 [slapd] daemon: select: listen=7 active_threads=1 tvp=NULL
> May 28 05:32:48 [slapd] daemon: select: listen=8 active_threads=1 tvp=NULL
> This comes after messages that say that I've successfully bound to the
> database. I see the "invalid dn" error in there, but when I do a
> search, I get:
> germane-software private # ldapsearch -b 'dc=germane-software,dc=com' cn=svnTLR
> # extended LDIF
> # LDAPv3
> # base <dc=germane-software,dc=com> with scope sub
> # filter: cn=svnTLR
> # requesting: ALL
> # svnTLR, Group, germane-software.com
> dn: cn=svnTLR,ou=Group,dc=germane-software,dc=com
> objectClass: posixGroup
> objectClass: top
> cn: svnTLR
> gidNumber: 5000
> memberUid: aviram
> memberUid: ser
> # search result
> search: 2
> result: 0 Success
> # numResponses: 2
> # numEntries: 1
> And as far as I can tell, that "invalid dn" is exactly the same as the
> dn being reported by ldapsearch.
> So, my question is: why is slapd reporting that the dn is invalid when
> it does appear to be valid? Is there some common mistake that I'm
> making here?
> In case you care, here's the .htaccess file I'm using to test this.
> This works if I change "require group" to "require valid-user" or
> "require user ser".
> Options Indexes
> AuthName "Sean's Dir"
> AuthType basic
> AuthLDAPGroupAttribute memberUID
> AuthLDAPGroupAttributeIsDN off
> #Require user mmcdole
> Require group "cn=svnTLR,ou=Group,dc=germane-software,dc=com"
> Incidentally, I've tried a number of permutations of the AuthLDAPURL and
> the group dn, including stripping the dcs and even the ou from the
> group dn, and stripping the ou and the query part from the URL.
> Thanks for any pointers!
> ### SER
> ### Deutsch|Esperanto|Francaise|Linux|XML|Java|Ruby|Aikido
> ### http://www.germane-software.com/~ser jabber.com:ser ICQ:83578737
> ### GPG: http://www.germane-software.com/~ser/Security/ser_public.gpg
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
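The distinction the reply draws, a DN-valued "member" attribute versus a posixGroup's bare user names in memberUid, can be made concrete by evaluating a group-membership decision both ways against the entries from the thread. The script below is an added example, not code from the thread, from OpenLDAP or from auth_ldap: it parses the posixGroup entry exactly as the poster's ldapsearch printed it, plus a hypothetical groupOfNames entry (the People OU and user DNs are assumed), applies a simplified RFC 4514 syntax check to the attribute values, and shows which pairing of group attribute and "is DN" mode admits the user "ser".

```python
"""Membership check two ways: DN-valued "member" vs. bare-name "memberUid".
Added example for the thread above; not code from the list, OpenLDAP or auth_ldap."""

import re

# Constructed from the poster's ldapsearch output: a posixGroup whose memberUid
# values are POSIX user names, not DNs.
POSIX_GROUP_LDIF = """\
dn: cn=svnTLR,ou=Group,dc=germane-software,dc=com
objectClass: posixGroup
objectClass: top
cn: svnTLR
gidNumber: 5000
memberUid: aviram
memberUid: ser
"""

# Hypothetical groupOfNames entry: the shape "require group" expects by default.
# The ou=People container and the user DNs are assumptions, not from the thread.
GROUP_OF_NAMES_LDIF = """\
dn: cn=svnTLR,ou=Group,dc=germane-software,dc=com
objectClass: groupOfNames
objectClass: top
cn: svnTLR
member: uid=aviram,ou=People,dc=germane-software,dc=com
member: uid=ser,ou=People,dc=germane-software,dc=com
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}).
    Attribute names are case-insensitive in LDAP, so they are lower-cased."""
    dn = None
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, _, value = line.partition(':')
        name, value = name.strip().lower(), value.strip()
        if name == 'dn':
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


# Deliberately simplified RFC 4514 shape: "attr=value" RDNs joined by ',' or '+'.
# Enough to tell a DN apart from a bare user name; not a full DN parser.
_RDN = r'[A-Za-z][A-Za-z0-9-]*=[^,+]*'
_DN_RE = re.compile(rf'^{_RDN}(?:[,+]{_RDN})*$')


def looks_like_dn(value):
    """True if the value has DN syntax (e.g. 'cn=svnTLR,ou=Group,dc=example')."""
    return bool(_DN_RE.match(value.strip()))


def group_allows(entry, attr, attr_is_dn, user_dn, username):
    """Mimic an auth_ldap-style 'require group' decision.

    attr_is_dn=True : the group attribute must hold the user's DN.
    attr_is_dn=False: the group attribute must hold the bare user name.
    Values are compared case-insensitively, a simplification of LDAP matching.
    """
    _, attrs = entry
    values = attrs.get(attr.lower(), [])
    if attr_is_dn:
        # A DN-mode check is only meaningful when the attribute is DN-valued.
        if not all(looks_like_dn(v) for v in values):
            return False
        return any(v.lower() == user_dn.lower() for v in values)
    return any(v.lower() == username.lower() for v in values)


if __name__ == '__main__':
    posix = parse_ldif_entry(POSIX_GROUP_LDIF)
    gon = parse_ldif_entry(GROUP_OF_NAMES_LDIF)
    user_dn = 'uid=ser,ou=People,dc=germane-software,dc=com'
    print('memberUid values are DNs?', [looks_like_dn(v) for v in posix[1]['memberuid']])
    print('posixGroup + memberUid, IsDN off:', group_allows(posix, 'memberUid', False, user_dn, 'ser'))
    print('posixGroup + memberUid, IsDN on :', group_allows(posix, 'memberUid', True, user_dn, 'ser'))
    print('groupOfNames + member, IsDN on  :', group_allows(gon, 'member', True, user_dn, 'ser'))
    print('groupOfNames + member, IsDN off :', group_allows(gon, 'member', False, user_dn, 'ser'))
```

Only two of the four pairings admit the user: posixGroup/memberUid with the DN flag off, and groupOfNames/member with it on. Mixing the modes silently denies everyone, which is the configuration-level counterpart of the mismatch the reply describes.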