
Re: unable to perform authenticated binds



Hey guys,

 And sorry to Quanah for the typo. ;)

 At any rate thanks for the ldapsearch. It did return a ton of
information on the attributes defined in my schema:

 [root@ldap2 ~]# ldapsearch -x -h ldap.acadaca.net -s base -b "cn=subschema" + | more
# extended LDIF
#
# LDAPv3
# base <cn=subschema> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

# Subschema
dn: cn=Subschema
structuralObjectClass: subentry
createTimestamp: 20101105183240Z
modifyTimestamp: 20101105183240Z
ldapSyntaxes: ( 1.3.6.1.1.16.1 DESC 'UUID' )
ldapSyntaxes: ( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' )
ldapSyntaxes: ( 1.3.6.1.1.1.0.0 DESC 'RFC2307 NIS Netgroup Triple' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' X-BIN
 ARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' )


However, nothing shows up under the search regarding sudoRole.

[root@ldap ldif]# ldapsearch -x -h ldap.acadaca.net -s base -b "cn=subschema" | grep sudoRole
[root@ldap ldif]#

This is curious to me as the sudoers.schema file (which has sudoRole
defined) is most definitely entered correctly into my slapd.conf file.


# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/misc.schema
inlcude         /etc/openldap/schema/sudoers.schema
include         /etc/openldap/schema/openldap.schema


I checked the modes and permissions on sudoers.schema:

[root@ldap ~]# ls -l /etc/openldap/schema/sudoers.schema
-r--r--r-- 1 ldap ldap 1655 Nov  4 18:38 /etc/openldap/schema/sudoers.schema


But when I try to add this LDIF entry to my directory:

# defaults, sudoers, Services, acadaca.net
dn: cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here



I am still getting this error:

[root@ldap ldif]# ldapadd -h ldap.acadaca.net -a -W -x -D "cn=Manager,dc=acadaca,dc=net" -f /home/tim/txt/ldif/acadaca2.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net"
ldapadd: Invalid syntax (21)
	additional info: objectClass: value #1 invalid per syntax


And these errors in the logs:

Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on:
Nov  5 15:00:33 ldap slapd[4429]:
Nov  5 15:00:33 ldap slapd[4429]: slap_listener_activate(7):
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7 busy
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: >>> slap_listener(ldap:///)
Nov  5 15:00:33 ldap slapd[4429]: daemon: listen=7, new connection on 12
Nov  5 15:00:33 ldap slapd[4429]: daemon: added 12r (active) listener=(nil)
Nov  5 15:00:33 ldap slapd[4429]: conn=5 fd=12 ACCEPT from
IP=75.101.129.124:55873 (IP=0.0.0.0:389)
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on 2 descriptors
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on:
Nov  5 15:00:33 ldap slapd[4429]:  12r
Nov  5 15:00:33 ldap slapd[4429]:
Nov  5 15:00:33 ldap slapd[4429]: daemon: read active on 12
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: connection_get(12)
Nov  5 15:00:33 ldap slapd[4429]: connection_get(12): got connid=5
Nov  5 15:00:33 ldap slapd[4429]: connection_read(12): checking for
input on id=5
Nov  5 15:00:33 ldap slapd[4429]: do_bind
Nov  5 15:00:33 ldap slapd[4429]: >>> dnPrettyNormal:
<cn=Manager,dc=acadaca,dc=net>
Nov  5 15:00:33 ldap slapd[4429]: <<< dnPrettyNormal:
<cn=Manager,dc=acadaca,dc=net>, <cn=manager,dc=acadaca,dc=net>
Nov  5 15:00:33 ldap slapd[4429]: do_bind: version=3
dn="cn=Manager,dc=acadaca,dc=net" method=128
Nov  5 15:00:33 ldap slapd[4429]: conn=5 op=0 BIND
dn="cn=Manager,dc=acadaca,dc=net" method=128
Nov  5 15:00:33 ldap slapd[4429]: ==> bdb_bind: dn: cn=Manager,dc=acadaca,dc=net
Nov  5 15:00:33 ldap slapd[4429]: conn=5 op=0 BIND
dn="cn=Manager,dc=acadaca,dc=net" mech=SIMPLE ssf=0
Nov  5 15:00:33 ldap slapd[4429]: do_bind: v3 bind:
"cn=Manager,dc=acadaca,dc=net" to "cn=Manager,dc=acadaca,dc=net"
Nov  5 15:00:33 ldap slapd[4429]: send_ldap_result: conn=5 op=0 p=3
Nov  5 15:00:33 ldap slapd[4429]: send_ldap_result: err=0 matched="" text=""
Nov  5 15:00:33 ldap slapd[4429]: send_ldap_response: msgid=1 tag=97 err=0
Nov  5 15:00:33 ldap slapd[4429]: conn=5 op=0 RESULT tag=97 err=0 text=
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on:
Nov  5 15:00:33 ldap slapd[4429]:
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on:
Nov  5 15:00:33 ldap slapd[4429]:  12r
Nov  5 15:00:33 ldap slapd[4429]:
Nov  5 15:00:33 ldap slapd[4429]: daemon: read active on 12
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: connection_get(12)
Nov  5 15:00:33 ldap slapd[4429]: connection_get(12): got connid=5
Nov  5 15:00:33 ldap slapd[4429]: connection_read(12): checking for
input on id=5
Nov  5 15:00:33 ldap slapd[4429]: do_add
Nov  5 15:00:33 ldap slapd[4429]: >>> dnPrettyNormal:
<cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net>
Nov  5 15:00:33 ldap slapd[4429]: <<< dnPrettyNormal:
<cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net>,
<cn=defaults,ou=sudoers,ou=services,dc=acadaca,dc=net>
Nov  5 15:00:33 ldap slapd[4429]: do_add: dn
(cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net)
Nov  5 15:00:33 ldap slapd[4429]: conn=5 op=1 ADD
dn="cn=defaults,ou=sudoers,ou=Services,dc=acadaca,dc=net"
Nov  5 15:00:33 ldap slapd[4429]: send_ldap_result: conn=5 op=1 p=3
Nov  5 15:00:33 ldap slapd[4429]: send_ldap_result: err=21 matched=""
text="objectClass: value #1 invalid per syntax"
Nov  5 15:00:33 ldap slapd[4429]: send_ldap_response: msgid=2 tag=105 err=21
Nov  5 15:00:33 ldap slapd[4429]: conn=5 op=1 RESULT tag=105 err=21
text=objectClass: value #1 invalid per syntax
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on:
Nov  5 15:00:33 ldap slapd[4429]:
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on:
Nov  5 15:00:33 ldap slapd[4429]:  12r
Nov  5 15:00:33 ldap slapd[4429]:
Nov  5 15:00:33 ldap slapd[4429]: daemon: read active on 12
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: connection_get(12)
Nov  5 15:00:33 ldap slapd[4429]: connection_get(12): got connid=5
Nov  5 15:00:33 ldap slapd[4429]: connection_read(12): checking for
input on id=5
Nov  5 15:00:33 ldap slapd[4429]: ber_get_next on fd 12 failed errno=0 (Success)
Nov  5 15:00:33 ldap slapd[4429]: connection_read(12): input error=-2
id=5, closing.
Nov  5 15:00:33 ldap slapd[4429]: connection_closing: readying conn=5
sd=12 for close
Nov  5 15:00:33 ldap slapd[4429]: connection_close: deferring conn=5 sd=-1
Nov  5 15:00:33 ldap slapd[4429]: do_unbind
Nov  5 15:00:33 ldap slapd[4429]: conn=5 op=2 UNBIND
Nov  5 15:00:33 ldap slapd[4429]: connection_resched: attempting
closing conn=5 sd=12
Nov  5 15:00:33 ldap slapd[4429]: connection_close: conn=5 sd=-1
Nov  5 15:00:33 ldap slapd[4429]: daemon: removing 12
Nov  5 15:00:33 ldap slapd[4429]: conn=5 fd=12 closed
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on 1 descriptor
Nov  5 15:00:33 ldap slapd[4429]: daemon: activity on:
Nov  5 15:00:33 ldap slapd[4429]:
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=7
active_threads=0 tvp=NULL
Nov  5 15:00:33 ldap slapd[4429]: daemon: epoll: listen=8
active_threads=0 tvp=NULL

And as mentioned, this exact schema configuration is working fine under
OpenLDAP 2.4 on FreeBSD and behaving as you saw under OpenLDAP 2.3 on
CentOS 5.4.

And everything looks correct to me. Any further ideas on why this isn't working?

Thanks!




On Thu, Nov 4, 2010 at 6:03 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> --On Thursday, November 04, 2010 5:47 PM -0400 Tim Dunphy
> <bluethundr@gmail.com> wrote:
>
>> however when I do a search for sudoRole it doesn't seem to show up
>>
>> [root@ldap openldap]# ldapsearch -b '' -s base '(objectclass=*)'
>> sudoRole -x -W -D "cn=Manager,dc=acadaca,dc=net"
>
> That is not a valid search of the cn=subschema entry.  I would note you fail
> to offer a -h or -H option, so who knows what LDAP server it is talking to.
>
> ldapsearch -x -h zre-ldap001 -s base -b "cn=subschema" +
>
> for example, searches the subschema entry on my system.
>
>
> And my name has only one "n" in it.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
>



-- 
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
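The script below is an added example, not code from this thread or from the OpenLDAP project. Two things in the mail above are worth checking mechanically rather than by eye: the quoted slapd.conf spells the sudoers.schema directive `inlcude`, and the `grep sudoRole` was run against a search that requested no attributes (no `+` and no attribute list), so it could not have matched anything even on a server that does load the schema, because the subschema's `objectClasses` attribute is operational and is only returned when asked for. The script lints a constructed copy of the config for misspelled include lines and for schema files the daemon cannot read, and it provides a function that asks the live server whether a given objectClass is advertised. The host name `ldap.acadaca.net` and the objectClass `sudoRole` come from the thread; the sample configuration text is constructed, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenLDAP): lint a slapd.conf for
# misspelled "include" directives and unreadable schema files, then verify
# against the live server that an objectClass is really advertised.

# Constructed sample, shaped like the slapd.conf quoted in the mail. The
# "inlcude" misspelling is reproduced on purpose so the linter has a hit.
SAMPLE_CONF='# See slapd.conf(5) for details on configuration options.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
inlcude         /etc/openldap/schema/sudoers.schema
include         /etc/openldap/schema/openldap.schema'

# directive_typos CONF_TEXT
# Prints every non-comment line that references a .schema file but whose
# directive is not spelled exactly "include". slapd.conf keywords are matched
# as whole words by the parser, so a one-letter slip is a different directive.
directive_typos() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep '\.schema' \
        | grep -v '^[[:space:]]*include[[:space:]]'
    return 0
}

# missing_schemas CONF_TEXT
# Prints "missing:<path>" for each include target the caller cannot read.
# Run it as the account slapd runs under (the thread shows files owned by
# "ldap"); a file root can read may still be unreadable to the daemon.
missing_schemas() {
    printf '%s\n' "$1" \
        | awk '$1 == "include" { print $2 }' \
        | while read -r path; do
              [ -r "$path" ] || printf 'missing:%s\n' "$path"
          done
    return 0
}

# has_objectclass HOST NAME
# Returns 0 when the server at HOST advertises objectClass NAME in its
# subschema. Subschema attributes are operational, so they must be requested
# by name (or with +); a bare search of cn=subschema returns only the dn.
# ldapsearch folds long LDIF lines with a leading space, so unfold first.
has_objectclass() {
    ldapsearch -x -LLL -h "$1" -s base -b cn=subschema objectClasses 2>/dev/null \
        | awk '/^ / { printf "%s", substr($0, 2); next } { printf "\n%s", $0 } END { print "" }' \
        | grep -q "NAME '$2'"
}

# Demo on the constructed sample. The server check only means something
# against a real host, e.g.:  has_objectclass ldap.acadaca.net sudoRole
echo "directive lines that are not spelled 'include':"
directive_typos "$SAMPLE_CONF"
echo "include targets not readable from here:"
missing_schemas "$SAMPLE_CONF"
```

On the constructed sample the first check prints the `inlcude` line and nothing else. Before trusting a hand edit to slapd.conf, also run `slaptest -f /etc/openldap/slapd.conf`, which parses the file with slapd's own configuration parser and should report any directive it does not recognise; then confirm the change reached the running daemon with `has_objectclass <host> sudoRole` rather than grepping a search that never asked for the subschema attributes.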