
Problems with simple LDAP authentication



Hi all,
I'm totally new to the (Open)LDAP world and I'm trying to set up a test server.
I'm currently using CentOS 4 along with the OpenLDAP shipped with that Linux distro.
The LDAP server is working and I'm able to write and read data.
The problem I'm facing is setting up a simple DN/password authentication mechanism.
Here is my slapd.conf


# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema


# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

#pidfile        //var/run/slapd.pid
#argsfile       //var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile     /var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

password-hash {MD5}
database        ldbm
suffix          "dc=progetto-sole,dc=it"
#suffix         "o=My Organization Name,c=US"
rootdn          "cn=Manager,dc=progetto-sole,dc=it"
#rootdn         "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
access to attr=userPassword
       by dn="cn=Manager,dc=progetto-sole,dc=it" write
       by self write
       by * read
access to *
       by dn="cn=Manager,dc=progetto-sole,dc=it"  write
       by dn="cn=sole,dc=progetto-sole,dc=it" read
       by users read
       by self write
       by * read
# rootpw                {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
#       bindmethod=sasl saslmech=GSSAPI
#       authcId=host/ldap-master.example.com@EXAMPLE.COM
loglevel -1

and here is the .ldif file containing the user to be authenticated

dn: cn=sole,dc=progetto-sole,dc=it
cn: sole
sn: sole
uid: sole
objectclass: top
objectclass: inetOrgPerson
userPassword: {MD5}d8e7124a5142b544af071ef02bfa505c

I try to connect using this dn:
cn=sole,dc=progetto-sole,dc=it
along with the relative password
but I always get the "invalid login credential" message.
Here is the ldap log content:

Dec 9 17:05:20 linux slapd[3781]: daemon: read activity on 7
Dec 9 17:05:20 linux slapd[3781]: connection_get(7)
Dec 9 17:05:20 linux slapd[3781]: connection_get(7): got connid=5
Dec 9 17:05:20 linux slapd[3781]: connection_read(7): checking for input on id=5
Dec 9 17:05:20 linux slapd[3781]: ber_get_next on fd 7 failed errno=11 (Resource temporarily unavailable)
Dec 9 17:05:20 linux slapd[3781]: do_bind
Dec 9 17:05:20 linux slapd[3781]: do_bind: version=3 dn="cn=sole,dc=progetto-sole,dc=it" method=128
Dec 9 17:05:20 linux slapd[3781]: conn=5 op=0 BIND dn="CN=SOLE,DC=PROGETTO-SOLE,DC=IT" method=128
Dec 9 17:05:20 linux slapd[3781]: ==> ldbm_back_bind: dn: cn=sole,dc=progetto-sole,dc=it
Dec 9 17:05:20 linux slapd[3781]: dn2entry_r: dn: "CN=SOLE,DC=PROGETTO-SOLE,DC=IT"
Dec 9 17:05:20 linux slapd[3781]: => dn2id( "CN=SOLE,DC=PROGETTO-SOLE,DC=IT" )
Dec 9 17:05:20 linux slapd[3781]: ====> cache_find_entry_dn2id("CN=SOLE,DC=PROGETTO-SOLE,DC=IT"): 15 (1 tries)
Dec 9 17:05:20 linux slapd[3781]: <= dn2id 15 (in cache)
Dec 9 17:05:20 linux slapd[3781]: => id2entry_r( 15 )
Dec 9 17:05:20 linux slapd[3781]: ====> cache_find_entry_id( 15 ) "cn=sole,dc=progetto-sole,dc=it" (found) (1 tries)
Dec 9 17:05:20 linux slapd[3781]: <= id2entry_r( 15 ) 0xa07a858 (cache)
Dec 9 17:05:20 linux slapd[3781]: => access_allowed: auth access to "cn=sole,dc=progetto-sole,dc=it" "userPassword" requested
Dec 9 17:05:20 linux slapd[3781]: => acl_get: [1] check attr userPassword
Dec 9 17:05:20 linux slapd[3781]: <= acl_get: [1] acl cn=sole,dc=progetto-sole,dc=it attr: userPassword
Dec 9 17:05:20 linux slapd[3781]: => acl_mask: access to entry "cn=sole,dc=progetto-sole,dc=it", attr "userPassword" requested
Dec 9 17:05:20 linux slapd[3781]: => acl_mask: to all values by "", (=n)
Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: cn=Manager,dc=progetto-sole,dc=it
Dec 9 17:05:20 linux slapd[3781]: => string_expand: pattern: cn=Manager,dc=progetto-sole,dc=it
Dec 9 17:05:20 linux slapd[3781]: => string_expand: expanded: cn=Manager,dc=progetto-sole,dc=it
Dec 9 17:05:20 linux slapd[3781]: => regex_matches: string:
Dec 9 17:05:20 linux slapd[3781]: => regex_matches: rc: 1 no matches
Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: self
Dec 9 17:05:20 linux slapd[3781]: <= check a_dn_pat: *
Dec 9 17:05:20 linux slapd[3781]: <= acl_mask: [3] applying read (=rscx) (stop)
Dec 9 17:05:20 linux slapd[3781]: <= acl_mask: [3] mask: read (=rscx)
Dec 9 17:05:20 linux slapd[3781]: => access_allowed: auth access granted by read (=rscx)
Dec 9 17:05:20 linux slapd[3781]: send_ldap_result: conn=5 op=0 p=3
Dec 9 17:05:20 linux slapd[3781]: send_ldap_result: 49::
Dec 9 17:05:20 linux slapd[3781]: send_ldap_response: msgid=1 tag=97 err=49
Dec 9 17:05:20 linux slapd[3781]: conn=5 op=0 RESULT tag=97 err=49 text=
Dec 9 17:05:20 linux slapd[3781]: ====> cache_return_entry_r( 15 ): returned (0)
Dec 9 17:05:20 linux slapd[3781]: daemon: select: listen=6 active_threads=1 tvp=NULL
Dec 9 17:05:20 linux slapd[3781]: daemon: activity on 1 descriptors
Dec 9 17:05:20 linux slapd[3781]: daemon: activity on:
Dec 9 17:05:20 linux slapd[3781]: 7r
Dec 9 17:05:20 linux slapd[3781]:
Dec 9 17:05:20 linux slapd[3781]: daemon: read activity on 7
Dec 9 17:05:20 linux slapd[3781]: connection_get(7)
Dec 9 17:05:20 linux slapd[3781]: connection_get(7): got connid=5
Dec 9 17:05:20 linux slapd[3781]: connection_read(7): checking for input on id=5
Dec 9 17:05:20 linux slapd[3781]: ber_get_next on fd 7 failed errno=0 (Success)
Dec 9 17:05:20 linux slapd[3781]: connection_read(7): input error=-2 id=5, closing.


The following command lists the SASL mechanisms (although I think the auth method I'm testing does not involve SASL):
[root@linux openldap]# ldapsearch -H ldap://localhost/ -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI


Can anyone help me?
I'm not able to understand why I can't log in.
Thanks in advance,
	Giovanni

--

----------------------------------------
Giovanni Cuccu
Sw Engineer@dianoema.it
Dianoema S.p.A.
Via de' Carracci 93 40131 Bologna
Tel: 051-7098211   051-4193911
e-mail:gcuccu@dianoema.it
----------------------------------------
No man does it all by himself,
I said young man,
put your pride on the shelf
----------------------------------------
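The err=49 (invalidCredentials) in the log above is what slapd returns when the bind password does not verify against the stored userPassword; for the {MD5}, {SMD5}, {SHA} and {SSHA} schemes slapd expects the part after the prefix to be base64 of the raw digest (followed by the salt, for the salted forms), the same encoding slappasswd(8) produces, not a hex string. The following Python helper is added here as an example and is not part of the post; the function names make_userpassword and check_userpassword are hypothetical, and the sample values in the test are constructed.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (hashlib algorithm, whether a salt follows the digest).
# These are the RFC 2307 schemes slapd checks on a simple bind.
_SCHEMES = {
    "{MD5}": ("md5", False),
    "{SMD5}": ("md5", True),
    "{SHA}": ("sha1", False),
    "{SSHA}": ("sha1", True),
}


def make_userpassword(password, scheme="{SSHA}", salt=None):
    """Return a userPassword value: scheme prefix + base64(digest [+ salt]).

    Same encoding slappasswd(8) emits. {SSHA} is the default because the
    unsalted {MD5} and {SHA} forms can be attacked with precomputed tables.
    """
    algo, salted = _SCHEMES[scheme]
    salt = (os.urandom(4) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def check_userpassword(stored, candidate):
    """Verify candidate against a stored value the way slapd does on bind.

    Returns False (never raises) for an unknown scheme or a payload that is
    not base64 of digest[+salt]; a hex-encoded digest decodes to the wrong
    length and therefore never matches any password.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme = stored[: stored.index("}") + 1]
    if scheme not in _SCHEMES:
        return False
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(stored[len(scheme):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    dlen = hashlib.new(algo).digest_size
    if (salted and len(raw) <= dlen) or (not salted and len(raw) != dlen):
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)
```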