Getting more info from ldap_auth in case of a quiet failure?
- To: firstname.lastname@example.org
- Subject: Getting more info from ldap_auth in case of a quiet failure?
- From: a z <email@example.com>
- Date: Thu, 12 May 2011 18:39:15 -0600
I am definitely new to the list, OpenLDAP, LDAP in general, nsswitch, shadow, samba etc, but heck, we all have to start somewhere.
Not really -that- new to application code, but yeah, I'm kinda young and working at an amateur/unemployed small business level, so by default yeah .. technical noob alert...
I am having problems finding out why domain login is failing:
Up until now I have had pretty good luck being able to figure out how to, for example,
Get LDAP and nsswitch running well enough that LDAP authenticates my ssh sessions against shadow..
Get a valid sambaSID or objectClass: sambaSamAccount into an ldif without relying on the smbldap_tools library, or writing new ACLs to put the samba domain admin in a different ou=. (This is why I am trying to work around smbldap_tools; of course I could probably change the UID. I have been through slapd.conf loglevel -1 all day long watching it request attributes that weren't in the ldif. I cannot see yet where in smbldap_tools it decides it needs root's uid, but it goes ahead and uses it to write updates even though there is another user with write access to the right attributes.)
I can join Windows machines to the samba workgroup MYDOMAIN, and be given an opportunity to log in to the samba server, so despite the weird unsupported things I do, perhaps senselessly, I -think- I have the premise correct..
So I think this is failing on a bdb_index_read: failed (-30988) report.
If anyone is still with me, thanks a ton.
Before I go nuts enough to post the parts of slapd logging output I am pretty sure are okay, this is what the probable problems are:
It just seems that uid=testuser and objectClass=sambaSamAccount should match this conn=1011 string, and the next time it fails it should be for the next problem I'll have, and not this one.
May 14 00:13:34 localhost slapd => conn=1011 op=3 SRCH base="dc=MYDOMAIN,dc=com" scope=2 deref=0 filter="(&(uid=testuser)(objectClass=sambaSamAccount))"
May 13 00:13:34 localhost slapd: => slap_access_allowed: search access granted by read(=rscxd)
May 13 00:13:34 localhost slapd: => access_allowed: search access granted by read(=rscxd)
May 13 00:13:34 localhost slapd: search_candidates: base="dc=MYDOMAIN.dc=com" (0x00000001) scope=2
May 13 00:13:34 localhost slapd: <= bdb_index_read: failed (-30988)
and of course, the ldif I think it should be matching:
Again, thanks. I look forward to seeing the list traffic every day, and yet more slapd -1 logs