[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Binding to openldap fails



Hi,

Your RDN for that object is uid=bjoern,ou=Users,dc=domain,dc=my, which is single valued.

Either configure dovecot use uid attribute as username and not cn, either change the RDN to cn=bjoern... or look into multiple values RDNs.

Use this a reference: http://www.zytrax.com/books/ldap/apa/dn-rdn.html

Regards,

Andrei

On 20.06.2012 14:31, Bjoern Wuest wrote:
Hello together,


Just to stay updated.

I tried to connect using the distinguished name
cn=<username>,ou=Users,dc=domain,dc=my .

I have changed the DN to uid=<username>,ou=Users,dc=domain,dc=my and login
works. Yet I am confused because I have set index on cn as well as uid
attribute (or is uid not an attribute but an element)?

Below is an ldif of the user "bjoern"

# bjoern, Users, domain.my
dn: uid=bjoern,ou=Users,dc=domain,dc=my
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: bjoern
uid: bjoern
uidNumber: <some number>
homeDirectory: <some path>
loginShell: /bin/bash
gecos: bjoern
description: User account
sambaSID: <some SID>
displayName: bjoern
sambaNTPassword: <some hash>
sambaPasswordHistory:
00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1338641123
sambaAcctFlags: [U          ]
gidNumber: <some group id>
userPassword:: <some password>


Thank you for your support.

Bjoern


-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-
technical-bounces@OpenLDAP.org] On Behalf Of Bjoern Wuest
Sent: Monday, June 18, 2012 10:14 AM
To: openldap-technical@openldap.org
Subject: RE: Binding to openldap fails

On Sun, 17 Jun 2012, Bjoern Wuest wrote:
...
However, setting up the mail system (dovecot + postfix) I
encountered a problem new to me. When I try to bind as a "normal" user
(here:
bjoern) to LDAP it fails with wrong credentials. I can assure that I
did not mistyped the password (tried multiple times). Login to the
Linux system and samba with same credentials (i.e. bjoern and his
password) works.

Here is the part of syslog I expect to be the cause:

Jun 17 19:36:45 server slapd[23241]: <<< dnPrettyNormal:
<cn=bjoern,ou=Users,dc=domain,dc=my>,
<cn=bjoern,ou=users,dc=domain,dc=my>
Jun 17 19:36:45 server slapd[23241]: conn=1003 op=0 BIND
dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128 Jun 17 19:36:45
server slapd[23241]: do_bind: version=3
dn="cn=bjoern,ou=Users,dc=domain,dc=my" method=128 Jun 17 19:36:45
server slapd[23241]:
Jun 17 19:36:45 server slapd[23241]: ==> hdb_bind: dn:
cn=bjoern,ou=Users,dc=domain,dc=my
Jun 17 19:36:45 server slapd[23241]:
bdb_dn2entry("cn=bjoern,ou=users,dc=domain,dc=my")
Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=8
active_threads=0 tvp=zero
Jun 17 19:36:45 server slapd[23241]: =>
hdb_dn2id("cn=bjoern,ou=users,dc=domain,dc=my")
Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=9
active_threads=0 tvp=zero
Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=10
active_threads=0 tvp=zero
Jun 17 19:36:45 server slapd[23241]: daemon: epoll: listen=11
active_threads=0 tvp=zero
Jun 17 19:36:45 server slapd[23241]: <= hdb_dn2id: get failed:
DB_NOTFOUND:
No matching key/data pair found (-30987)
In my experience, that sort of error from the DB library usually means
a change to the indexing or schema was made without reindexing and/or
dumping and reloading.

If you're confident that's not the case here (how confident?), then
have
you
compared that log output to the log output of a successful login?


Philip Guenther
Dear Philip,

thank you for pointing me to the index files. I have recreated all the
indexes
but without effect. Here are the indexes I have defined:

index           objectClass eq
index           cn pres,sub,eq
index           sn pres,sub,eq
index           uid pres,sub,eq
index           displayName pres,sub,eq
index           uidNumber eq
index           gidNumber eq
index           memberUid eq
index           sambaSID eq
index           sambaPrimaryGroupSID eq
index           sambaDomainName eq
index           sambaGroupType eq
index           sambaSIDList eq
index           default sub


and here are the index files created:

-rw-rw---- 1 openldap openldap    16384 Jun 18 10:01 cn.bdb
-rw-rw---- 1 openldap openldap    24576 Jun 18 10:01 __db.001
-rw-rw---- 1 openldap openldap  1236992 Jun 18 10:01 __db.002
-rw-rw---- 1 openldap openldap 20979712 Jun 18 10:01 __db.003
-rw-rw---- 1 openldap openldap   163840 Jun 18 10:01 __db.004
-rw-rw---- 1 openldap openldap  1294336 Jun 18 10:01 __db.005
-rw-rw---- 1 openldap openldap    32768 Jun 18 10:01 __db.006
-rw-rw---- 1 openldap openldap      194 Mai 20 08:55 DB_CONFIG
-rw-rw---- 1 openldap openldap    16384 Jun 18 10:01 displayName.bdb
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:00 dn2id.bdb
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 gidNumber.bdb
-rw-rw---- 1 openldap openldap    32768 Jun 18 10:00 id2entry.bdb
-rw-rw---- 1 openldap openldap 10485760 Jun 18 10:01 log.0000000001
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 memberUid.bdb
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 objectClass.bdb
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:01
sambaDomainName.bdb
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 sambaGroupType.bdb
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 sambaSID.bdb
-rw------- 1 openldap openldap     8192 Jun 18 10:01 sambaSIDList.bdb
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 uid.bdb
-rw-rw---- 1 openldap openldap     8192 Jun 18 10:01 uidNumber.bdb

The indexes were created using "slapindex -f /etc/ldap/slapd.conf". The
files "dn2id.bdb" and "id2entry.dbd" are old ones because slapindex would
not create any index without them.

Yet, the problem still remains. User "bjoern" can login to linux (even
from
remote hosts) and samba, but fails to login via dovecot as well as
ldapsearch.

I further compared the syslog when doing a successful login versus an
unsuccessful login. Of course I have restarted nscd and nslcd services to
clear caches (I hope). Yet, nscd / nslcd may also explain why linux and
samba
login works. Both are done via nslcd which uses the ldap admin account to
access the ldap.

So, further indications are welcome.

If you like I can also provide you with the full slapd.conf file so you
would
be able to setup an Ubuntu 12.04 system with the same ldap configuration
in a virtual machine.


Regards
  Bjoern