
List:       nssldap
Subject:    [nssldap] nss_ldap problem using rootbinddn
From:       "John Lane" <listmail () oceanfree ! net>
Date:       2005-02-14 23:39:38
Message-ID: NEBBLNPIODEEBMMBMLHJOEBHKPAB.listmail () oceanfree ! net


Hello,

I have a functioning openLDAP server, which is configured to accept
connections over port 636 only.

I have used the PADL migration scripts to load my user password and group
information into openLDAP.

I am trying to get nss_ldap working for the root dn.

I am at the point where "getent passwd" successfully returns the users from
/etc/password and from the openLDAP server, and I now want to specify my
rootbinddn.

Issuing "getent passwd" from a non-root login, an anonymous bind takes place
and the passwd entries are returned.

If I do not define a rootbinddn in ldap.conf, issuing "getent passwd" from a
root login, an anonymous bind takes place and the passwd entries are
returned.

If I do define a rootbinddn in ldap.conf, issuing "getent passwd" from a
root login, the bind fails and the passwd entries are not returned.

The one that does not work seems to differ in that it does (from the logs,
below):
ldap_chase_referrals
read1msg:  V2 referral chased, mark request completed, id = 1

And a little later, reports, before going on to ldap_unbind
res_errno: 49, res_error: <>, res_matched: <>

whereas the one that does not work does not do ldap_chase_referrals and
reports, before going on to ldap_search:
res_errno: 0, res_error: <>, res_matched: <>

I have no idea if that's at all relevant, but I've looked in the source code
and found 49 means "LDAP_INVALID_CREDENTIALS". From the logs I can see my
root dn being passed in along with the password from ldap.secret, so I have
no idea why the login request is rejected.

  0000:  30 33 02 01 01 60 2e 02  01 03 04 1b 63 6e 3d 4d   03...`......cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 6a 65 6c 77 65 62   anager,dc=jelweb
  0020:  2c 64 63 3d 63 6f 6d 80  0c 6d 79 73 65 63 72 65   ,dc=com..mysecre
  0030:  74 70 77 64 0a                                     tpwd.

As a separate test, this works fine:
ldapsearch -D "cn=Manager,dc=jelweb,dc=com" -H ldaps:// -w mysecretpwd

Here are my ldap and slap configuration files:

My ldap.conf:
HOST    blfs.jelweb.com
BASE    dc=jelweb,dc=com

TLS_CACERT /etc/ssl/certs/cacert.pem

#Following config is for nss_ldap and pam_ldap
debug 255
logdir /tmp
ssl yes
pam_password md5
rootbinddn cn=Manager,dc=jelweb,dc=com


My slapd.conf:
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

schemacheck on

# Logging to the syslog channel LOCAL4
loglevel -1

pidfile         /var/lib/run/slapd.pid
argsfile        /var/lib/run/slapd.args

# TLS configuration settings
TLSCipherSuite          HIGH:MEDIUM:+SSLv2
TLSCACertificateFile    /etc/ssl/certs/cacert.pem
TLSCertificateFile      /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile   /etc/ssl/private/serverkey.pem
TLSVerifyClient         demand


#############################################################
# LDBM database definitions
#############################################################
database        ldbm
directory       /var/lib/openldap-data

suffix          "dc=jelweb,dc=com"
rootdn          "cn=Manager,dc=jelweb,dc=com"
rootpw          {SSHA}gdkikTvx3WAUm2fcC3qSu7a0unkRopZo

index           objectClass,uidNumber,gidNumber         eq
index           cn,sn,uid,displayName                   pres,sub,eq
index           memberUid,mail,givenname                eq,subinitial
index           sambaSID,sambaPrimaryGroupSID,sambaDomainName   eq

access to attrs=sambaLMPassword,sambaNTpassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

----------------------------------------------------------



I've run client side and server side with debugging, and the following
excerpts are from where the outputs differ:

If anyone can explain why my rootbind does not work I would really
appreciate it.


Debug output from "getent passwd" from root login:
----------------------------------------------------------
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
  0000:  01                                                 .
tls_read: want=5, got=5
  0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48
  0000:  18 86 ee a8 42 46 98 87  c0 8e a4 eb c7 33 87 4a   ....BF.......3.J
  0010:  8f f4 4d 60 24 ed c0 c8  a6 bd de 37 e6 b5 06 8e   ..M`$......7....
  0020:  d8 1a 42 28 e8 7a 26 8b  7d a8 09 55 a9 af 30 a8   ..B(.z&.}..U..0.
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 53 bytes to sd 5
  0000:  30 33 02 01 01 60 2e 02  01 03 04 1b 63 6e 3d 4d   03...`......cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 6a 65 6c 77 65 62   anager,dc=jelweb
  0020:  2c 64 63 3d 63 6f 6d 80  0c 6d 79 73 65 63 72 65   ,dc=com..mysecre
  0030:  74 70 77 64 0a                                     tpwd.
tls_write: want=122, written=122
  0000:  17 03 01 00 20 e3 dd 6a  a9 10 26 a8 15 f2 ea cd   .... ..j..&.....
  0010:  d3 86 18 4d 17 00 a6 a1  fa 37 72 30 55 db d1 bc   ...M.....7r0U...
  0020:  6a e6 72 c5 e0 17 03 01  00 50 3a a6 bb 0d ff c2   j.r......P:.....
  0030:  0e 84 1b c8 1d b5 71 c3  f3 91 df 55 ea 30 19 f5   ......q....U.0..
  0040:  d7 8a b7 4a b6 ba 56 ef  08 21 36 c6 d1 36 36 93   ...J..V..!6..66.
  0050:  09 b0 55 dc 3e a0 8d 50  b9 94 9c a8 59 56 61 d7   ..U.>..P....YVa.
  0060:  64 16 d4 b5 04 eb 78 f3  7e fd 7a 00 6e b6 ea ea   d.....x.~.z.n...
  0070:  b4 0f 7f ac d2 df 7f 88  10 f7                     ..........
ldap_write: want=53, written=53
  0000:  30 33 02 01 01 60 2e 02  01 03 04 1b 63 6e 3d 4d   03...`......cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 6a 65 6c 77 65 62   anager,dc=jelweb
  0020:  2c 64 63 3d 63 6f 6d 80  0c 6d 79 73 65 63 72 65   ,dc=com..mysecre
  0030:  74 70 77 64 0a                                     tpwd.
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
** Connections:
* host: blfs.jelweb.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Feb 14 19:52:53 2005

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
tls_read: want=5, got=5
  0000:  17 03 01 00 20                                     ....
tls_read: want=32, got=32
  0000:  d6 7e c0 31 86 32 d2 cf  4a 1d 2e f5 97 5b 11 30   .~.1.2..J....[.0
  0010:  f8 67 fe 1e d8 05 4c f4  ac 59 ef 70 07 ae a1 4a   .g....L..Y.p...J
tls_read: want=5, got=5
  0000:  17 03 01 00 30                                     ....0
tls_read: want=48, got=48
  0000:  f3 c8 17 0e dd 69 c5 e0  26 aa 84 d8 f8 33 a6 2b   .....i..&....3.+
  0010:  66 38 12 e2 16 51 59 9b  c4 d5 08 51 59 14 42 ad   f8...QY....QY.B.
  0020:  8d 1a 3d 51 59 ff ee 4b  72 12 9e 54 22 a5 1f a3   ..=QY..Kr..T"...
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 31 04 00 04 00                                  .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0806d910 ptr=0x0806d910 end=0x0806d91c len=12
  0000:  02 01 01 61 07 0a 01 31  04 00 04 00               ...a...1....
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806d910 ptr=0x0806d913 end=0x0806d91c len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
ber_scanf fmt ({iaa}) ber:
ber_dump: buf=0x0806d910 ptr=0x0806d913 end=0x0806d91c len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
ldap_chase_referrals
read1msg:  V2 referral chased, mark request completed, id = 1
new result:  res_errno: 49, res_error: <>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806d910 ptr=0x0806d913 end=0x0806d91c len=9
  0000:  61 07 0a 01 31 04 00 04  00                        a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x0806d910 ptr=0x0806d91c end=0x0806d91c len=0

ldap_msgfree
ldap_unbind
ldap_free_connection
ldap_send_unbind
----------------------------------------------------------


Debug output from "getent passwd" from non-root login:
----------------------------------------------------------
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
  0000:  14 03 01 00 01                                     .....
tls_read: want=1, got=1
  0000:  01                                                 .
tls_read: want=5, got=5
  0000:  16 03 01 00 30                                     ....0
tls_read: want=48, got=48
  0000:  46 d2 48 46 26 02 de 43  8f 0c 51 55 f4 71 4b af   F.HF&..C..QU.qK.
  0010:  1a b1 0e 18 0d ed d9 54  f1 df 62 fc 91 55 9e b9   .......T..b..U..
  0020:  8a 74 ba 75 d7 6c 0c 98  fc 3d 77 42 42 af c6 62   .t.u.l...=wBB..b
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 5
  0000:  30 0c 02 01 01 60 07 02  01 03 04 00 80 00         0....`........
tls_write: want=90, written=90
  0000:  17 03 01 00 20 1a e9 28  7c 16 7a 1d b9 c6 ea 65   .... ..(|.z....e
  0010:  09 f5 59 16 bb 05 af 66  e7 44 4a b5 80 be 9b e7   ..Y....f.DJ.....
  0020:  0e 3f a5 0a 99 17 03 01  00 30 8c ce d8 0a 4f 2e   .?.......0....O.
  0030:  ad d2 36 75 98 ea 19 ff  26 bd 64 1e a0 19 1c be   ..6u....&.d.....
  0040:  cb f1 86 c4 82 5e f1 7f  75 20 6f 08 48 61 bf 10   .....^..u o.Ha..
  0050:  3d 64 c4 26 52 35 12 f0  01 b9                     =d.&R5....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 60 07 02  01 03 04 00 80 00         0....`........
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
** Connections:
* host: blfs.jelweb.com  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Mon Feb 14 19:52:48 2005

** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
tls_read: want=5, got=5
  0000:  17 03 01 00 20                                     ....
tls_read: want=32, got=32
  0000:  ab 1e 83 eb bd 4f 93 0a  b7 3c 7a f9 61 77 7e 8f   .....O...<z.aw~.
  0010:  1f 0e fc 56 33 7a c9 64  e1 86 d1 eb 3d fd d8 6a   ...V3z.d....=..j
tls_read: want=5, got=5
  0000:  17 03 01 00 30                                     ....0
tls_read: want=48, got=48
  0000:  b8 76 0c a0 44 28 f3 ab  47 09 c2 8a a2 cf bb 70   .v..D(..G......p
  0010:  e3 a9 62 6b 8b cb 45 29  9e 0c 27 50 df 30 50 29   ..bk..E)..'P.0P)
  0020:  e0 1f 60 39 05 43 d2 95  51 92 01 13 2a 10 75 2d   ..`9.C..Q...*.u-
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0806db80 ptr=0x0806db80 end=0x0806db8c len=12
  0000:  02 01 01 61 07 0a 01 00  04 00 04 00               ...a........
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806db80 ptr=0x0806db83 end=0x0806db8c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........
ber_scanf fmt ({iaa}) ber:
ber_dump: buf=0x0806db80 ptr=0x0806db83 end=0x0806db8c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806db80 ptr=0x0806db83 end=0x0806db8c len=9
  0000:  61 07 0a 01 00 04 00 04  00                        a........
ber_scanf fmt (}) ber:
ber_dump: buf=0x0806db80 ptr=0x0806db8c end=0x0806db8c len=0

ldap_msgfree
ldap_search
.....> goes on to return requested data
----------------------------------------------------------
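The four LDAP PDUs in the two debug traces (the root BindRequest and its response with res_errno 49, the anonymous BindRequest and its response with res_errno 0) can be decoded directly from the hex dumps. The following is an added example written for this page, not code from nss_ldap, OpenLDAP or the poster: a minimal BER decoder for just the RFC 4511 BindRequest/BindResponse shapes these bytes use. The byte strings are transcribed from the dumps above; the only other thing it assumes is that a simple-bind credential ending in whitespace is worth flagging, since the directory compares it byte for byte. Two things the decode makes explicit: the simple-bind credential of the root bind is sent in the clear inside the TLS session and is therefore written verbatim into the debug log (with `debug 255` and `logdir /tmp` that file should be protected or the setting removed once debugging is done), and that credential is 12 bytes ending in 0x0a, whereas the `ldapsearch -w` test that works was given an 11-character password.

```python
"""Decode the LDAP simple-bind PDUs shown in the nss_ldap debug output.

Added example for this page: a minimal BER/LDAPv3 decoder covering only the
BindRequest and BindResponse shapes used by these traces.  Not code from
nss_ldap, OpenLDAP or the poster.  The hex strings are transcribed from the
message's dumps (ASCII column dropped).
"""

# Transcribed from the debug output above (root login: bind with rootbinddn).
ROOT_BIND_REQUEST_HEX = (
    "30 33 02 01 01 60 2e 02 01 03 04 1b 63 6e 3d 4d "
    "61 6e 61 67 65 72 2c 64 63 3d 6a 65 6c 77 65 62 "
    "2c 64 63 3d 63 6f 6d 80 0c 6d 79 73 65 63 72 65 "
    "74 70 77 64 0a"
)
ROOT_BIND_RESPONSE_HEX = "30 0c 02 01 01 61 07 0a 01 31 04 00 04 00"
# Transcribed from the debug output above (non-root login: anonymous bind).
ANON_BIND_REQUEST_HEX = "30 0c 02 01 01 60 07 02 01 03 04 00 80 00"
ANON_BIND_RESPONSE_HEX = "30 0c 02 01 01 61 07 0a 01 00 04 00 04 00"

# Subset of the RFC 4511 resultCode enumeration that matters in this thread.
RESULT_CODE_NAMES = {0: "success", 49: "invalidCredentials"}

# BER tags that appear in these PDUs.
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] BindRequest
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1] BindResponse
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice: simple [0] OCTET STRING


def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def expect(buf: bytes, pos: int, wanted: int):
    """Read a TLV and insist on a specific tag."""
    tag, value, pos = read_tlv(buf, pos)
    if tag != wanted:
        raise ValueError(f"expected tag 0x{wanted:02x}, got 0x{tag:02x}")
    return value, pos


def parse_ldap_message(raw: bytes) -> dict:
    """Decode an LDAPMessage whose protocolOp is a BindRequest or BindResponse."""
    body, _ = expect(raw, 0, TAG_SEQUENCE)
    message_id, pos = expect(body, 0, TAG_INTEGER)
    msg = {"messageID": int.from_bytes(message_id, "big")}
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag == TAG_BIND_REQUEST:
        version, p = expect(op, 0, TAG_INTEGER)
        name, p = expect(op, p, TAG_OCTET_STRING)
        auth_tag, cred, _ = read_tlv(op, p)
        if auth_tag != TAG_AUTH_SIMPLE:
            raise ValueError("only simple authentication is decoded here")
        msg.update(op="BindRequest", version=int.from_bytes(version, "big"),
                   name=name.decode(), password=cred)
    elif op_tag == TAG_BIND_RESPONSE:
        code, p = expect(op, 0, TAG_ENUMERATED)
        matched, p = expect(op, p, TAG_OCTET_STRING)
        diag, _ = expect(op, p, TAG_OCTET_STRING)
        rc = int.from_bytes(code, "big")
        msg.update(op="BindResponse", resultCode=rc,
                   resultName=RESULT_CODE_NAMES.get(rc, "other"),
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode())
    else:
        raise ValueError(f"unsupported protocolOp tag 0x{op_tag:02x}")
    return msg


def credential_has_trailing_whitespace(password: bytes) -> bool:
    """Flag a simple-bind credential that ends in a newline or other whitespace;
    the server compares the bytes exactly as sent."""
    return password != password.rstrip(b" \t\r\n")


if __name__ == "__main__":
    for label, hexdump in [("root bind request", ROOT_BIND_REQUEST_HEX),
                           ("root bind response", ROOT_BIND_RESPONSE_HEX),
                           ("anonymous bind request", ANON_BIND_REQUEST_HEX),
                           ("anonymous bind response", ANON_BIND_RESPONSE_HEX)]:
        decoded = parse_ldap_message(bytes.fromhex(hexdump))
        print(label, decoded)
        if decoded["op"] == "BindRequest":
            print("  trailing whitespace in credential:",
                  credential_has_trailing_whitespace(decoded["password"]))
```

Running it prints the decoded root bind as version 3, name `cn=Manager,dc=jelweb,dc=com`, a 12-byte credential, and a response with resultCode 49 (invalidCredentials), while the anonymous bind carries an empty name and credential and gets resultCode 0. The same decoder works on any simple-bind PDU pulled from an OpenLDAP client debug trace.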



