
Re: ldap auth does not work after openldap upgrade



On Thu, Feb 17, 2011 at 7:50 AM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 16 February 2011 20:37:45 Leonardo Carneiro wrote:
> On Wed, Feb 16, 2011 at 8:43 AM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> > On Tue, Feb 15, 2011 at 05:08:43PM -0200, Leonardo Carneiro wrote:

In the original question:
> Hello everyone,
>
> I upgraded my debian machine from lenny to squeeze (the new stable)
> that comes with samba 3.5.6 and openldap 2.4.23. This machine works
> primarily as a PDC.
>
> I have 3 services authenticating on ldap: samba, apache and redmine.
> Samba is acting very weird, but it's kinda working; redmine and
> apache aren't working at all.

So, I take it Apache was upgraded as well? From what version? To what version?

> > > fileserver:/etc/ldap# /usr/sbin/slapd -h ldapi:/// ldap:/// -g openldap -u openldap -F /etc/ldap/slapd.d -d 128
> >
> > Aha! Your server is using LDAP-based config so it is ignoring the config
> > file entirely.
> >
> > > Are these changes that we are making to slapd.conf really being
> > > processed? Normally, I see just the "-F /etc/ldap/slapd.d" flag and
> > > never the "-f /etc/ldap/slapd.conf".
> >
> > I suspect the config file was converted to a config dir during the
> > Debian upgrade process, so the file is now being ignored.
> >
> > I also suspect that there may not be a valid password set on the
> > cn=config suffix, so you will not be able to manage the server through
> > LDAP either.
> >
> > One solution is to change the startup process to use the config file (-f
> > option) rather than the config dir (-F option). Once you have a file
> > that does what you want you have the option of converting it to a
> > directory:
> >        Move aside the existing config directory /etc/ldap/slapd.d
> >        and make a new one with the same ownership and permissions.
> >
> >        Start slapd with both the -f and the -F options.
> >
> > If you are going to do this, I suggest adding a rootpw for the config
> > database first. Append this to your slapd.conf file:
> >
> > ########################################################################
> > database config
> >
> > rootdn "cn=config"
> > rootpw example
> > ########################################################################
> >
> > You will then be able to do normal LDAP operations on the config:
> >
> > ldapsearch -x -D cn=config -w example -b cn=config '(objectclass=*)'
> >
> > I think we're really near to success here =D.
>
> The new slapd.d was created successfully and now I can do searches
> anonymously. Searches like:
>
> ldapsearch -x -h server -D cn=config -w [passwd] -b cn=config
> ldapsearch -x -h server -b "dc=dominio,dc=com,dc=br"
>
> are working ok now. Unfortunately, services are not able to do the search
> yet, at least with the configuration that was working before the upgrade.
>
> I notice some of my services do bind as cn=root,dc=dominio,dc=com,dc=br.
> Here is an example from the apache config:
>
>                 AuthBasicProvider ldap
>                 AuthName "who are you?"
>                 AuthzLDAPAuthoritative OFF
>                 AuthLDAPURL "ldap://192.168.0.2/ou=users,dc=dominio,dc=com,dc=br?uid"
>                 AuthLDAPGroupAttribute memberUid
>                 AuthLDAPGroupAttributeIsDN OFF
>                 AuthLDAPBindDN "cn=root,dc=dominio,dc=com,dc=br"
>                 AuthLDAPBindPassword "[password]"
>                 Require ldap-group cn=devteam,ou=groups,dc=dominio,dc=com,dc=br

If you now have Apache 2.2.x, either you have included only some of the
relevant statements, or you are missing a "Satisfy" statement, e.g. "Satisfy
All".

> In the apache log, it just seems that apache did bind to ldap, but
> the search results were null. It should work ok now, since I can even bind
> anonymously, right?

Show the log of the LDAP search by apache, so we can be sure.

But, when upgrading from Apache 2.0 to Apache 2.2, one thing that messed me
around for a few hours was the 'Satisfy' statement. Without it, the behaviour
didn't make sense ...

Regards,
Buchan

I don't have that "Satisfy" statement. The upgrade was from 2.2.9 to 2.2.16. I'll check the logs to see what filter apache was trying to use. In fact, I'm very noob in the syntax of the filters in ldapsearch, but everything I tried didn't work out. I'll grab the logs and post back here.
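As an added illustration (not part of the thread), the script below models the two LDAP operations Apache's mod_authnz_ldap performs for the configuration quoted above: the user search it derives from AuthLDAPURL (the filter the poster wants to see in the logs) and the `Require ldap-group` comparison, and it prints an equivalent ldapsearch command for reproducing the user lookup by hand. The URL and DNs are taken from the quoted Apache snippet; the username `leonardo` and the group entry are constructed sample data.

```python
import shlex
from urllib.parse import urlsplit, unquote

# Values copied from the Apache snippet in the thread; the group entry below
# is constructed sample data, not taken from the original mail.
AUTH_LDAP_URL = "ldap://192.168.0.2/ou=users,dc=dominio,dc=com,dc=br?uid"
BIND_DN = "cn=root,dc=dominio,dc=com,dc=br"
GROUP_ENTRY = {"dn": "cn=devteam,ou=groups,dc=dominio,dc=com,dc=br",
               "memberUid": ["leonardo", "alice"]}

def ldap_filter_escape(value):
    """RFC 4515 escaping, so a username cannot alter the search filter."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def parse_auth_ldap_url(url):
    """Split ldap://host[:port]/basedn?attribute?scope?filter into its fields,
    applying mod_authnz_ldap's defaults (uid, sub, objectclass=*) when absent.
    Outer parentheses on the filter are dropped; they are re-added later."""
    parts = urlsplit(url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    filt = fields[2].strip()
    if filt.startswith("(") and filt.endswith(")"):
        filt = filt[1:-1]
    return {"host": parts.netloc, "base": unquote(parts.path.lstrip("/")),
            "attribute": fields[0] or "uid", "scope": fields[1] or "sub",
            "filter": filt or "objectclass=*"}

def user_search_filter(url, username):
    """The filter Apache sends when looking up the authenticating user."""
    p = parse_auth_ldap_url(url)
    return f"(&({p['filter']})({p['attribute']}={ldap_filter_escape(username)}))"

def ldapsearch_command(url, bind_dn, username):
    """Equivalent ldapsearch invocation for reproducing the user lookup by hand."""
    p = parse_auth_ldap_url(url)
    args = ["ldapsearch", "-x", "-H", f"ldap://{p['host']}", "-D", bind_dn, "-W",
            "-b", p["base"], "-s", p["scope"], user_search_filter(url, username)]
    return " ".join(shlex.quote(a) for a in args)

def group_check(group_entry, attribute, username, user_dn, attr_is_dn):
    """'Require ldap-group': with AuthLDAPGroupAttributeIsDN OFF the group
    attribute must hold the bare username (posixGroup/memberUid); with ON it
    must hold the user's full DN (groupOfNames/member)."""
    wanted = user_dn if attr_is_dn else username
    return wanted.lower() in (v.lower() for v in group_entry.get(attribute, []))
```

If the user search returns no entry, the user is not under the AuthLDAPURL base or does not match its attribute; if it returns an entry but `group_check` fails, the group attribute holds a different form of the identity (uid versus DN) than AuthLDAPGroupAttributeIsDN expects.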