
Re: Unable to retrieve the authFilterId attribute from the openldap server



Navin <navin.kumar@freescale.com> writes:

> Hi,
>
> I am new to LDAP. Hence kindly excuse me if any of my terminology is
> different.
>
> Issue:
> -----
> I installed the openldap server through the Debian package, i.e. I did NOT get the source.
> I was able to add the records and display them,
> i.e. slaptest worked fine and I was also able to search the database with the ldapsearch
> command.

[...]
> # The base of your directory in database #1
> suffix          "dc=example,dc=com"
>
> # rootdn directive for specifying a superuser on the database. This is needed
> # for syncrepl.
> rootdn          "cn=admin,dc=example,dc=com"
> rootpw          secret123
> # Where the database file are physically stored for database #1
> directory       "/var/lib/ldap"
[...]
> # These access lines apply to database #1 only
> access to attrs=userPassword,shadowLastChange
>         by dn="cn=admin,dc=nodomain" write

Is this the content of your slapd.conf? Because this access rule will
have no effect; compare the 'by' rule with the suffix.

> attributetype ( 1.3.6.1.4.1.3317.4.3.1.9
>         NAME ( 'authFilterId' )
>         DESC 'radiusSchema: authFilterId'
>         EQUALITY  caseIgnoreIA5Match
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>         SINGLE-VALUE )
>
> objectclass ( 2.16.840.1.113730.3.2.222
>     NAME 'auth'
>     DESC 'Authentication database'
>     SUP top
>     STRUCTURAL
>         MUST (
>                 uid $ userPassword $ authFilterId))

Note that objectclass auth is structural.
>
> LDAP ldif file: init.ldif
[...]
> dn: uid=fsmith,ou=people,dc=example,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: radiusprofile

objectclass radiusprofile is unknown, this should be auth.

> uid: fsmith
> sn: Smith
> givenName: Fred
> cn: Fred Smith
> displayName: Fred Smith
> uidNumber: 1001
> gidNumber: 1001
> userPassword: secret123
> gecos: Fred Smith
> loginShell: /bin/bash
> homeDirectory: /home/fsmith
> shadowExpire: -1
> shadowFlag: 0
> shadowWarning: 7
> shadowMin: 8
> shadowMax: 999999
> shadowLastChange: 10877
> mail: fsmith@example.com
> authFilterId: fsmith
> initials: FS
>
> Added the above records using the command:
> $ slapadd -l init.ldif
> Added successfully no errors on the command line.
>
> When I searched the database using the command
> $ ldapsearch -xLLL -b "dc=example,dc=com" '(objectclass=*)'
>
> I was able to see all the details present in the init.ldif file
> except the FilterId field:
>
> authFilterId: fsmith
[...]

When adding this entry you should have received an error, because
authFilterId is not an attribute type of the object classes assigned
to this entry.
Please be aware that, due to the fact that objectclass auth is
structural, you cannot add the objectclass to this entry.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
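The two things Dieter checks by hand above (whether the ACL's 'by dn' subject lies under the database suffix, and whether the entry's attributes and object classes are consistent with the schema) can be scripted so the verdict is available before slapadd is run. The Python below is an added example, not code from this thread and not OpenLDAP's own tooling. It assumes a hand-built, abbreviated SCHEMA table (only the attributes the example entry uses are listed, and shadowAccount is omitted), an LDIF parser without line folding, DN comparison that ignores escaping, and a trimmed copy of the thread's init.ldif entry and access line as sample input.

```python
"""Offline schema and ACL checks for the LDIF entry and access line quoted above.
Added example, not code from the thread or from OpenLDAP.  SCHEMA is a hand-built,
abbreviated model (assumption: only attributes the example entry uses are listed)."""
import re
# objectClass -> (kind, MUST, MAY, SUP); the real schema files carry many more MAYs.
SCHEMA = {
    "top": ("ABSTRACT", {"objectClass"}, set(), None),
    "person": ("STRUCTURAL", {"sn", "cn"}, {"userPassword", "description"}, "top"),
    "organizationalPerson": ("STRUCTURAL", set(), {"title"}, "person"),
    "inetOrgPerson": ("STRUCTURAL", set(), {"displayName", "givenName", "mail", "uid"}, "organizationalPerson"),
    "posixAccount": ("AUXILIARY", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"userPassword", "loginShell", "gecos"}, "top"),
    # The thread's custom class: STRUCTURAL, MUST uid/userPassword/authFilterId.
    "auth": ("STRUCTURAL", {"uid", "userPassword", "authFilterId"}, set(), "top"),
}
_CLASS_BY_LOWER = {name.lower(): name for name in SCHEMA}

def parse_ldif(text):
    """Minimal LDIF parser: 'attr: value' lines, '#' comments, blank line ends an entry."""
    entries, current = [], {}
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = raw.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def ancestors(cls):
    """Superclasses of cls, nearest first, following SUP up to top."""
    chain, sup = [], SCHEMA[cls][3]
    while sup is not None:
        chain.append(sup)
        sup = SCHEMA[sup][3]
    return chain

def check_entry(entry):
    """Schema violations slapd would report for one parsed entry ([] = clean)."""
    problems, known = [], []
    for oc in entry.get("objectClass", []):
        canon = _CLASS_BY_LOWER.get(oc.lower())
        if canon is None:
            problems.append(f"unknown objectClass {oc}")
        else:
            known.append(canon)
    # Several STRUCTURAL classes are legal only as one inheritance chain; auth is not in it.
    structural = [c for c in known if SCHEMA[c][0] == "STRUCTURAL"]
    if structural and not any(all(o == c or o in ancestors(c) for o in structural)
                              for c in structural):
        problems.append("structural objectClass conflict: " + ", ".join(structural))
    must, may = set(), set()
    for c in known:
        for k in [c] + ancestors(c):
            must |= SCHEMA[k][1]
            may |= SCHEMA[k][2]
    allowed = {a.lower() for a in must | may}
    present = {a.lower(): a for a in entry if a.lower() != "dn"}
    for low in sorted(set(present) - allowed):
        problems.append(f"attribute {present[low]} not allowed by objectClasses")
    problems += [f"required attribute {a} missing" for a in sorted(must)
                 if a.lower() not in present]
    return problems

def dn_within(dn, suffix):
    """True if dn equals suffix or lies below it (assumption: no escaped commas)."""
    d, s = (",".join(p.strip().lower() for p in x.split(",")) for x in (dn, suffix))
    return d == s or d.endswith("," + s)

def foreign_acl_subjects(conf_text, suffix):
    """'by dn=' subjects outside the suffix: with one database nobody can bind as such
    a DN, so the clause never matches (Dieter's point above)."""
    subjects = re.findall(r'by\s+dn(?:\.\w+)?="([^"]+)"', conf_text)
    return [dn for dn in subjects if not dn_within(dn, suffix)]

# Trimmed copy of the thread's init.ldif entry and its access line.
SAMPLE_LDIF = """\
dn: uid=fsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: radiusprofile
uid: fsmith
sn: Smith
cn: Fred Smith
uidNumber: 1001
gidNumber: 1001
userPassword: secret123
homeDirectory: /home/fsmith
authFilterId: fsmith
"""
SAMPLE_ACL = 'access to attrs=userPassword,shadowLastChange\n        by dn="cn=admin,dc=nodomain" write'

if __name__ == "__main__":
    print(check_entry(parse_ldif(SAMPLE_LDIF)[0]))
    print(foreign_acl_subjects(SAMPLE_ACL, "dc=example,dc=com"))
```

On the thread's entry the script reports the unknown objectclass radiusprofile and that authFilterId is allowed by none of the entry's object classes; swapping radiusprofile for auth instead reports the structural conflict between inetOrgPerson and auth, which is the second point Dieter makes. For the ACL it lists cn=admin,dc=nodomain as a subject that cannot exist under dc=example,dc=com.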