
Re: user authentication on attributes

On 29/03/11 14:47 -0700, sim123 wrote:
> I have an OpenLDAP server up and running and am trying to integrate it with
> Confluence. My LDAP structure looks like
>
> DN :: uid=123, ou=users, dc=example, dc=com
> uid :: 123
> mail :: bjason@example.com
> cn :: barbara
> sn :: jason
> userPassword :: test (plain text for now)
>
> I have another similar entry in another branch (su) for "confluence admin".
> I did the LDAP configuration in Confluence and tested the bind with the Confluence
> user. Now, for every user authentication, I am assuming LDAP should be able to
> bind on any attribute other than the DN. However, I cannot do that. When I try

By that, I assume that you are referring to a two-step process where a
privileged user binds (or anonymously binds) to the server, searches for
the DN of a user based on some search criteria, unbinds, and then rebinds
using the returned DN, and the password submitted by the client.

If that's a correct assumption, you might want to verify that:

* The privileged user has appropriate permissions to search in your user
* The client (Confluence) is submitting an appropriate base, scope, and filter for
  its search, and is retrieving the expected user DN
* The client is then binding a second time with the DN and user password

> to log in from Confluence using mail & password, this is what I see in my
> slapd.d logs:
>
> connection_get(12): got connid=1000
> connection_read(12): checking for input on id=1000
> ber_get_next: tag 0x30 len 48 contents:
> op tag 0x60, time 1301434489
> conn=1000 op=0 do_bind
> ber_scanf fmt ({imt) ber:
> ber_scanf fmt (m}) ber:
> dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>
> <<< dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>,
> do_bind: version=3 dn="uid=234,ou=su,dc=example,dc=com" method=128
> => bdb_dn2id("dc=example,dc=com")
> <= bdb_dn2id: got id=0x1
> => bdb_dn2id("ou=su,dc=example,dc=com")
> <= bdb_dn2id: got id=0x4
> => bdb_dn2id("uid=234,ou=su,dc=example,dc=com")
> <= bdb_dn2id: got id=0x7
> entry_decode: "uid=234,ou=su,dc=example,dc=com"
> <= entry_decode(uid=234,ou=su,dc=example,dc=com)
> do_bind: v3 bind: "uid=234,ou=su,dc=example,dc=com" to
> send_ldap_result: conn=1000 op=0 p=3
> send_ldap_response: msgid=1 tag=97 err=0
> ber_flush2: 14 bytes to sd 12
> connection_get(12): got connid=1000
> connection_read(12): checking for input on id=1000
> ber_get_next: tag 0x30 len 144 contents:
> op tag 0x63, time 1301434489
> conn=1000 op=1 do_search
> ber_scanf fmt ({miiiib) ber:
> dnPrettyNormal: <ou=user,dc=example,dc=com>
> <<< dnPrettyNormal: <ou=user,dc=example,dc=com>, <ou=user,dc=example,dc=com>
> ber_scanf fmt ({mm}) ber:
> ber_scanf fmt ({mm}) ber:
> ber_scanf fmt ({M}}) ber:
> => get_ctrls
> ber_scanf fmt ({m) ber:
> => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
> <= get_ctrls: n=1 rc=0 err=""
> ==> limits_get: conn=1000 op=1 self="uid=234,ou=su,dc=example,dc=com"
> => bdb_search
> => bdb_dn2id("ou=user,dc=example,dc=com")
> <= bdb_dn2id: got id=0x3
> entry_decode: "ou=user,dc=example,dc=com"
> <= entry_decode(ou=user,dc=example,dc=com)
> search_candidates: base="ou=user,dc=example,dc=com" (0x00000003) scope=2
> => bdb_equality_candidates (objectClass)
> => key_read
> <= bdb_index_read: failed (-30988)
> <= bdb_equality_candidates: id=0, first=0, last=0

It looks like the search is not returning any entries. From your Confluence
server, can you perform an ldapsearch as your privileged user to see if you
get any entries returned?

Dan White
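The two-step search-then-bind described above, scripted with the OpenLDAP client tools against the entries sim123 posted, as an added example that is not part of the thread. The server URI, the privileged account's password and the search base are assumptions; the escaping helper keeps a submitted login value from changing the meaning of the search filter.

```shell
#!/bin/sh
# Assumed connection details (not from the thread): adjust to your server.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
PRIV_DN="${PRIV_DN:-uid=234,ou=su,dc=example,dc=com}"   # the "confluence admin" entry that binds in the log
PRIV_PW="${PRIV_PW:-changeme}"                          # placeholder
# The base must be the branch that actually holds the user entries. Note that the
# DN posted in the thread sits under ou=users while the logged search base is ou=user.
BASE="${BASE:-ou=users,dc=example,dc=com}"

# Escape a login value for use inside an LDAP filter (RFC 4515), so that
# characters such as * ( ) \ in what the user typed cannot alter the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter Confluence is expected to send when a user logs in with a mail address.
mail_filter() {
    printf '(mail=%s)' "$(ldap_filter_escape "$1")"
}

# Step 1: bind as the privileged account and search for the user's DN only.
find_user_dn() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$PRIV_DN" -w "$PRIV_PW" \
        -b "$BASE" -s sub "$(mail_filter "$1")" dn \
      | sed -n 's/^dn: //p'
}

# Step 2: bind again as the DN that was found, with the password the user submitted.
# Returns 0 on success. An empty search result fails here before any second bind,
# which matches the empty candidate set (id=0, first=0, last=0) in the log above.
check_login() {
    dn=$(find_user_dn "$1")
    [ -n "$dn" ] || { echo "no entry matching $(mail_filter "$1") under $BASE" >&2; return 1; }
    ldapwhoami -x -H "$LDAP_URI" -D "$dn" -w "$2" >/dev/null
}
```

Run `find_user_dn bjason@example.com` first: if it prints nothing, the base, scope or filter is wrong, or the privileged account lacks read access, and the second bind never happens.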