
Unable to do ldapsearch, but testsaslauthd works in OpenLDAP 2.4



We have OpenLDAP 2.3 running on Linux. It is set up in SASL mode authenticating
against multiple ADs. Everything works fine there, which is our Production env. 

We recently installed a new instance of OpenLDAP 2.4.23 running on RedHat Linux 6
in our Dev and QA env. Then, we moved the slapd.conf and slapd-meta.conf files to 
the new instance, and created the required users. 

When we run testsaslauthd, we are successfully able to authenticate against the
appropriate AD that the user is under.  

testsaslauthd -u ravi@SONEPAR -p secret - WORKS

ldapsearch -x -D uid=ravi,ou=People,ou=company,dc=inside,dc=devserver,dc=com -w secret

results in: ldap_bind: Invalid credentials (49)

But when we do an ldap search or connect using LDAP Browser, the user is not able 
to get authenticated. We are not able to bind to the OpenLDAP by using the same credentials. 
I get an Invalid credentials err 49, which indicates either credentials are incorrect,
which in this case they are not, or the bind info is incorrect.

It seems as though the user is not able to bind to OpenLDAP 2.4 or it does not know how
to. When I change the password from {SASL}ralthuru@SONEPAR to a text say "secret", it works fine. 

Here is the log output from the same user authentication in OpenLDAP 2.3 and OpenLDAP 2.4:

SUCCESS - QA 2.4 - testsaslauthd -u ralthuru@SONEPAR -p secret

Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:44500 (IP=127.0.0.1:391)
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" method=128
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 RESULT tag=97 err=0 text=
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(?SMACCOUNTNAME=ralthuru))"
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH attr=dn
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND anonymous mech=implicit ssf=0
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" method=128
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 RESULT tag=97 err=0 text=

SUCCESS - QA 2.4 - login as cn=Manager/Password1 from LDAP Browser

Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 fd=12 ACCEPT from IP=10.108.138.66:64931 (IP=0.0.0.0:389)
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" method=128
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 BIND dn="cn=Manager,dc=inside,dc=sdusadevl,dc=com" mech=SIMPLE ssf=0
Feb  2 16:43:09 pabeldapd01-new slapd[65323]: conn=1004 op=0 RESULT tag=97 err=0 text=
Feb  2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 op=1 UNBIND
Feb  2 16:43:12 pabeldapd01-new slapd[65323]: conn=1004 fd=12 closed

FAIL - QA 2.4 - login as uid=ralthuru/Sonepar123 from LDAP Browser

Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" method=128
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 closed

SUCCESS - PRODUCTION 2.3 - testsaslauthd -u ralthuru@SONEPAR -p secret

Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND anonymous mech=implicit ssf=0
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" method=128
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=22 RESULT tag=97 err=0 text=
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH attr=dn
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND anonymous mech=implicit ssf=0
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=24 RESULT tag=97 err=0 text=

SUCCESS - PRODUCTION 2.3 - login as uid=ralthuru/secret from LDAP Browser

Feb  3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 fd=15 ACCEPT from IP=10.108.138.66:54298 (IP=0.0.0.0:389)
Feb  3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND anonymous mech=implicit ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" method=128
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=25 RESULT tag=97 err=0 text=
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SRCH attr=dn
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=26 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND anonymous mech=implicit ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[6375]: conn=94 op=27 RESULT tag=97 err=0 text=
Feb  3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb  3 10:44:45 pavfldapp01 slapd[4806]: conn=50825 op=0 RESULT tag=97 err=0 text=
Feb  3 10:44:47 pavfldapp01 slapd[4806]: conn=50825 op=1 UNBIND

SUCCESS - PRODUCTION 2.3 - LDAP Search command as uid=ralthuru/secret

Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 ACCEPT from IP=10.199.204.205:44578 (IP=0.0.0.0:389)
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" method=128
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND anonymous mech=implicit ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" method=128
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=28 RESULT tag=97 err=0 text=
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SRCH attr=dn
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=29 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND anonymous mech=implicit ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" method=128
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 BIND dn="cn=Althuru\2C Ravi,ou=Accenture,ou=Consultants,ou=SONEPAR,dc=local" mech=SIMPLE ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[6375]: conn=94 op=30 RESULT tag=97 err=0 text=
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sonepar-us,dc=com" mech=SIMPLE ssf=0
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=0 RESULT tag=97 err=0 text=
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SRCH base="dc=inside,dc=sonepar-us,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=1 SEARCH RESULT tag=101 err=4 nentries=500 text=
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 op=2 UNBIND
Feb  3 10:48:54 pavfldapp01 slapd[4806]: conn=50831 fd=15 closed

Here is the ldap.conf
URI ldap://10.99.19.179
BASE dc=inside,dc=sdusadevl,dc=com
TLS_REQCERT never

Here is the slapd.conf, only the relevant info:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/schema_extension.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib64/openldap

loglevel 256

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        bdb
suffix          "dc=inside,dc=sdusadevl,dc=com"
rootdn          "cn=Manager,dc=inside,dc=sdusadevl,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          xyz123

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index uniqueMember                      eq,pres

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM


# adding to ignore error for slaptest
cachesize 2000

sasl-host       localhost
sasl-secprops   none

----------------------
Here is the slapd-meta.conf containing the AD where the user ralthuru is authenticating to:
uri ldap://sdusa-dc-01.sdusadevl.com:3268/ou=SONEPAR,dc=local
lastmod off
suffixmassage   "ou=SONEPAR,dc=local" "dc=sdusadevl,dc=com"
idassert-bind bindmethod=simple
   binddn="CN=Vignette\\, Service Account,OU=Vignette Service,OU=Vignette,OU=Enterpise Systems,DC=sdusadevl,DC=com"
   credentials="hiddenpassword"
   mode=none
   flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=Manager,dc=local"


I have searched across many forums, compared the set up on the OpenLDAP 2.3 and
OpenLDAP 2.4 instances and cannot find any differences.

Any suggestions on how to resolve this is appreciated!
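Added example (not part of the post above, and not OpenLDAP's own code): when comparing slapd stats logs (loglevel 256) from two servers like the ones quoted here, it helps to correlate each op's request line with its RESULT line per (pid, conn, op) instead of reading the lines by eye. The script below does that for the quoted 2.4 and 2.3 lines (copied in as the sample input, with the obvious typos left as they were pasted, except "mthod") and reports two things worth checking: binds whose BindResponse (tag 97) carried a non-zero error, and search filters in which slapd wrote an attribute with a leading "?", which is how it logs an attribute type it could not resolve in its own schema. Note that in the quoted logs the 2.4 host logs "(?SMACCOUNTNAME=ralthuru)" where the 2.3 host logs "(SAMACCOUNTNAME=ralthuru)"; the script only surfaces that difference, it does not claim it is the cause of the err=49.

```python
"""Correlate slapd stats-level log lines per (pid, conn, op) and flag bind failures
and filters containing attributes slapd logged with a leading '?'.

Illustrative tool, not from the original post or from OpenLDAP itself."""
import re

# Sample input: lines quoted from the post (2.4 QA host, plus one 2.3 production line).
SAMPLE_LOG = """\
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 fd=8 ACCEPT from IP=127.0.0.1:44500 (IP=127.0.0.1:391)
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" method=128
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 BIND dn="cn=Manager,dc=local" mech=SIMPLE ssf=0
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=0 RESULT tag=97 err=0 text=
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(?SMACCOUNTNAME=ralthuru))"
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SRCH attr=dn
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND anonymous mech=implicit ssf=0
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 BIND dn="cn=Ravi Althuru,cn=Users,ou=SONEPAR,dc=local" method=128
Feb  2 16:42:44 pabeldapd01-new slapd[65327]: conn=1000 op=2 RESULT tag=97 err=0 text=
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 fd=12 ACCEPT from IP=10.108.138.66:64939 (IP=0.0.0.0:389)
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 BIND dn="uid=ralthuru,ou=Sonepar,ou=People,dc=inside,dc=sdusadevl,dc=com" method=128
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb  2 16:43:35 pabeldapd01-new slapd[65323]: conn=1005 op=1 UNBIND
Feb  3 10:07:35 pavfldapp01 slapd[6375]: conn=94 op=23 SRCH base="ou=SONEPAR,dc=local" scope=2 deref=0 filter="(|(uid=ralthuru)(SAMACCOUNTNAME=ralthuru))"
"""

# syslog prefix + "slapd[pid]: conn=N" + the rest of the line
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<body>.*)$")
BIND_DN_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
# "RESULT tag=97 err=0" (bind) and "SEARCH RESULT tag=101 err=0" (search) share one shape
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")
FILTER_RE = re.compile(r'^SRCH base=.* filter="(?P<filter>[^"]*)"')
UNDEF_ATTR_RE = re.compile(r"\(\?([^=]+)=")  # slapd marks unknown attribute types as (?attr=value)


def parse_ops(log_text):
    """Return {(pid, conn, op): record}; connection-level lines (ACCEPT, closed) carry no op and are skipped."""
    ops = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        om = OP_RE.match(m.group("rest"))
        if not om:
            continue
        key = (int(m.group("pid")), int(m.group("conn")), int(om.group("op")))
        rec = ops.setdefault(key, {"ts": m.group("ts"), "kind": None, "dn": None,
                                   "filter": None, "tag": None, "err": None})
        body = om.group("body")
        if body.startswith("BIND"):
            rec["kind"] = "BIND"
            bm = BIND_DN_RE.match(body)       # "BIND anonymous mech=implicit" has no dn; keep the dn= line
            if bm:
                rec["dn"] = bm.group("dn")
        elif body.startswith("SRCH"):
            rec["kind"] = "SRCH"
            fm = FILTER_RE.match(body)        # the "SRCH attr=dn" line carries no filter
            if fm:
                rec["filter"] = fm.group("filter")
        elif body.startswith("UNBIND"):
            rec["kind"] = "UNBIND"
        rm = RESULT_RE.match(body)
        if rm:
            rec["tag"], rec["err"] = int(rm.group("tag")), int(rm.group("err"))
    return ops


def failed_binds(ops):
    """(pid, conn, op, dn, err) for every bind whose BindResponse (tag 97) had a non-zero result code."""
    hits = [(pid, conn, op, rec["dn"], rec["err"])
            for (pid, conn, op), rec in ops.items()
            if rec["kind"] == "BIND" and rec["tag"] == 97 and rec["err"]]
    return sorted(hits, key=lambda t: t[:3])


def undefined_filter_attrs(ops):
    """(pid, conn, op, attr) for every filter attribute slapd logged with a leading '?'."""
    hits = []
    for (pid, conn, op), rec in sorted(ops.items()):
        if rec["filter"]:
            for attr in UNDEF_ATTR_RE.findall(rec["filter"]):
                hits.append((pid, conn, op, attr))
    return hits


if __name__ == "__main__":
    ops = parse_ops(SAMPLE_LOG)
    for pid, conn, op, dn, err in failed_binds(ops):
        print(f"FAILED BIND  pid={pid} conn={conn} op={op} dn={dn!r} err={err}")
    for pid, conn, op, attr in undefined_filter_attrs(ops):
        print(f"UNKNOWN ATTR pid={pid} conn={conn} op={op} attr={attr!r} (logged with '?')")
```

Run it against the full /var/log/messages from both hosts rather than the excerpt: a failing bind on the 389 listener that is not followed by any activity in the second slapd (pid 65327, port 391) within the same second is exactly the kind of gap the correlation makes visible.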