cloc3 (Advocate)
Joined: 13 Jan 2004, Posts: 4810, Location: http://www.gentoo-users.org/user/cloc3/
Posted: Sun May 03, 2009 3:32 pm, Post subject: [ldap] no auth access to anonymous queries
I think my OpenLDAP authentication server does not respond correctly to
anonymous queries.
For example:
Code:
gentoo-live ~ # su - ldap_user
I have no name!@gentoo-live ~ $

As you can see, the root user binds as admin and works well, but ldap_user binds as
anonymous and gets no answer.
This is my slapd.conf:
Code:
gentoo_server etc # grep -v ^# /etc/openldap/slapd.conf|grep -v ^$
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
logfile /var/log/openldap/slapd.log
loglevel 0
modulepath /usr/lib/openldap/openldap/
moduleload back_hdb
database hdb
suffix "dc=paschini,dc=edu"
password-hash {CRYPT}
rootdn "cn=admin,dc=paschini,dc=edu"
rootpw {SSHA}**************************
directory "/var/lib/openldap-data"
index sn,uid pres,eq,approx
index objectClass,uidNumber,gidNumber,memberUid eq
index cn,mail,givenname eq,subinitial
lastmod on
checkpoint 512 30
access to attrs=userPassword,shadowLastChange,loginShell
by dn="cn=admin,dc=paschini,dc=edu" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=admin,dc=paschini,dc=edu" write
by anonymous auth
by * read
access to dn.base=""
by anonymous auth
by * read

This is the log output for the whoami command for ldap_user (4005 is ldap_user's uidNumber):
Code:
>>> slap_listener(ldap:///)
daemon: listen=7, new connection on 12
daemon: added 12r (active) listener=(nil)
conn=0 fd=12 ACCEPT from IP=192.168.0.18:33629 (IP=0.0.0.0:389)
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 60 07 02 0....`..
ldap_read: want=6, got=6
0000: 01 03 04 00 80 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x99bd370 ptr=0x99bd370 end=0x99bd37c len=12
0000: 02 01 01 60 07 02 01 03 04 00 80 00 ...`........
do_bind
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x99bd370 ptr=0x99bd373 end=0x99bd37c len=9
0000: 60 07 02 01 03 04 00 80 00 `........
ber_scanf fmt (m}) ber:
ber_dump: buf=0x99bd370 ptr=0x99bd37a end=0x99bd37c len=2
0000: 00 00 ..
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
conn=0 op=0 BIND dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
conn=0 op=0 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 81 d0 02 01 02 63 81 0.....c.
ldap_read: want=203, got=203
0000: ca 04 1c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 3d ...ou=People,dc=
0010: 70 61 73 63 68 69 6e 69 2c 64 63 3d 65 64 75 0a paschini,dc=edu.
0020: 01 01 0a 01 00 02 01 01 02 01 1e 01 01 00 a0 30 ...............0
0030: a3 1b 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 ....objectClass.
0040: 0c 70 6f 73 69 78 41 63 63 6f 75 6e 74 a3 11 04 .posixAccount...
0050: 09 75 69 64 4e 75 6d 62 65 72 04 04 34 30 30 35 .uidNumber..4005
0060: 30 69 04 03 75 69 64 04 0c 75 73 65 72 50 61 73 0i..uid..userPas
0070: 73 77 6f 72 64 04 09 75 69 64 4e 75 6d 62 65 72 sword..uidNumber
0080: 04 09 67 69 64 4e 75 6d 62 65 72 04 02 63 6e 04 ..gidNumber..cn.
0090: 0d 68 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a .homeDirectory..
00a0: 6c 6f 67 69 6e 53 68 65 6c 6c 04 05 67 65 63 6f loginShell..geco
00b0: 73 04 0b 64 65 73 63 72 69 70 74 69 6f 6e 04 0b s..description..
00c0: 6f 62 6a 65 63 74 43 6c 61 73 73 objectClass
ber_get_next: tag 0x30 len 208 contents:
ber_dump: buf=0x99bdc48 ptr=0x99bdc48 end=0x99bdd18 len=208
0000: 02 01 02 63 81 ca 04 1c 6f 75 3d 50 65 6f 70 6c ...c....ou=Peopl
0010: 65 2c 64 63 3d 70 61 73 63 68 69 6e 69 2c 64 63 e,dc=paschini,dc
0020: 3d 65 64 75 0a 01 01 0a 01 00 02 01 01 02 01 1e =edu............
0030: 01 01 00 a0 30 a3 1b 04 0b 6f 62 6a 65 63 74 43 ....0....objectC
0040: 6c 61 73 73 04 0c 70 6f 73 69 78 41 63 63 6f 75 lass..posixAccou
0050: 6e 74 a3 11 04 09 75 69 64 4e 75 6d 62 65 72 04 nt....uidNumber.
0060: 04 34 30 30 35 30 69 04 03 75 69 64 04 0c 75 73 .40050i..uid..us
0070: 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 64 4e erPassword..uidN
0080: 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 65 72 umber..gidNumber
0090: 04 02 63 6e 04 0d 68 6f 6d 65 44 69 72 65 63 74 ..cn..homeDirect
00a0: 6f 72 79 04 0a 6c 6f 67 69 6e 53 68 65 6c 6c 04 ory..loginShell.
00b0: 05 67 65 63 6f 73 04 0b 64 65 73 63 72 69 70 74 .gecos..descript
00c0: 69 6f 6e 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 ion..objectClass
do_search
ber_scanf fmt ({miiiib) ber:
ber_dump: buf=0x99bdc48 ptr=0x99bdc4b end=0x99bdd18 len=205
0000: 63 81 ca 04 1c 6f 75 3d 50 65 6f 70 6c 65 2c 64 c....ou=People,d
0010: 63 3d 70 61 73 63 68 69 6e 69 2c 64 63 3d 65 64 c=paschini,dc=ed
0020: 75 0a 01 01 0a 01 00 02 01 01 02 01 1e 01 01 00 u...............
0030: a0 30 a3 1b 04 0b 6f 62 6a 65 63 74 43 6c 61 73 .0....objectClas
0040: 73 04 0c 70 6f 73 69 78 41 63 63 6f 75 6e 74 a3 s..posixAccount.
0050: 11 04 09 75 69 64 4e 75 6d 62 65 72 04 04 34 30 ...uidNumber..40
0060: 30 35 30 69 04 03 75 69 64 04 0c 75 73 65 72 50 050i..uid..userP
0070: 61 73 73 77 6f 72 64 04 09 75 69 64 4e 75 6d 62 assword..uidNumb
0080: 65 72 04 09 67 69 64 4e 75 6d 62 65 72 04 02 63 er..gidNumber..c
0090: 6e 04 0d 68 6f 6d 65 44 69 72 65 63 74 6f 72 79 n..homeDirectory
00a0: 04 0a 6c 6f 67 69 6e 53 68 65 6c 6c 04 05 67 65 ..loginShell..ge
00b0: 63 6f 73 04 0b 64 65 73 63 72 69 70 74 69 6f 6e cos..description
00c0: 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 ..objectClass
>>> dnPrettyNormal: <ou=People,dc=paschini,dc=edu>
=> ldap_bv2dn(ou=People,dc=paschini,dc=edu,0)
<= ldap_bv2dn(ou=People,dc=paschini,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=People,dc=paschini,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=paschini,dc=edu)=0
<<< dnPrettyNormal: <ou=People,dc=paschini,dc=edu>,
<ou=people,dc=paschini,dc=edu>
SRCH "ou=People,dc=paschini,dc=edu" 1 0 1 30 0
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
ber_dump: buf=0x99bdc48 ptr=0x99bdc7d end=0x99bdd18 len=155
0000: a3 1b 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 ....objectClass.
0010: 0c 70 6f 73 69 78 41 63 63 6f 75 6e 74 a3 11 04 .posixAccount...
0020: 09 75 69 64 4e 75 6d 62 65 72 04 04 34 30 30 35 .uidNumber..4005
0030: 30 69 04 03 75 69 64 04 0c 75 73 65 72 50 61 73 0i..uid..userPas
0040: 73 77 6f 72 64 04 09 75 69 64 4e 75 6d 62 65 72 sword..uidNumber
0050: 04 09 67 69 64 4e 75 6d 62 65 72 04 02 63 6e 04 ..gidNumber..cn.
0060: 0d 68 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a .homeDirectory..
0070: 6c 6f 67 69 6e 53 68 65 6c 6c 04 05 67 65 63 6f loginShell..geco
0080: 73 04 0b 64 65 73 63 72 69 70 74 69 6f 6e 04 0b s..description..
0090: 6f 62 6a 65 63 74 43 6c 61 73 73 objectClass
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
ber_dump: buf=0x99bdc48 ptr=0x99bdc9a end=0x99bdd18 len=126
0000: 00 11 04 09 75 69 64 4e 75 6d 62 65 72 04 04 34 ....uidNumber..4
0010: 30 30 35 30 69 04 03 75 69 64 04 0c 75 73 65 72 0050i..uid..user
0020: 50 61 73 73 77 6f 72 64 04 09 75 69 64 4e 75 6d Password..uidNum
0030: 62 65 72 04 09 67 69 64 4e 75 6d 62 65 72 04 02 ber..gidNumber..
0040: 63 6e 04 0d 68 6f 6d 65 44 69 72 65 63 74 6f 72 cn..homeDirector
0050: 79 04 0a 6c 6f 67 69 6e 53 68 65 6c 6c 04 05 67 y..loginShell..g
0060: 65 63 6f 73 04 0b 64 65 73 63 72 69 70 74 69 6f ecos..descriptio
0070: 6e 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 n..objectClass
end get_filter 0
end get_filter_list
end get_filter 0
filter: (&(objectClass=posixAccount)(uidNumber=4005))
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x99bdc48 ptr=0x99bdcad end=0x99bdd18 len=107
0000: 00 69 04 03 75 69 64 04 0c 75 73 65 72 50 61 73 .i..uid..userPas
0010: 73 77 6f 72 64 04 09 75 69 64 4e 75 6d 62 65 72 sword..uidNumber
0020: 04 09 67 69 64 4e 75 6d 62 65 72 04 02 63 6e 04 ..gidNumber..cn.
0030: 0d 68 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a .homeDirectory..
0040: 6c 6f 67 69 6e 53 68 65 6c 6c 04 05 67 65 63 6f loginShell..geco
0050: 73 04 0b 64 65 73 63 72 69 70 74 69 6f 6e 04 0b s..description..
0060: 6f 62 6a 65 63 74 43 6c 61 73 73 objectClass
attrs: uid userPassword uidNumber gidNumber cn homeDirectory loginShell
gecos description objectClass
conn=0 op=1 SRCH base="ou=People,dc=paschini,dc=edu" scope=1 deref=0
filter="(&(objectClass=posixAccount)(uidNumber=4005))"
conn=0 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory
loginShell gecos description objectClass
==> limits_get: conn=0 op=1 dn="[anonymous]"
=> hdb_search
bdb_dn2entry("ou=people,dc=paschini,dc=edu")
=> hdb_dn2id("dc=paschini,dc=edu")
<= hdb_dn2id: got id=0x1
=> hdb_dn2id("ou=people,dc=paschini,dc=edu")
<= hdb_dn2id: got id=0x2
entry_decode: ""
<= entry_decode()
search_candidates: base="ou=people,dc=paschini,dc=edu" (0x00000002) scope=1
=> hdb_dn2idl("ou=people,dc=paschini,dc=edu")
=> bdb_filter_candidates
AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [5941c014]
<= bdb_index_read 309 candidates
<= bdb_equality_candidates: id=309, first=6, last=373
<= bdb_filter_candidates: id=309 first=6 last=373
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (uidNumber)
=> key_read
bdb_idl_fetch_key: [d9358a8a]
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=6 last=0
<= bdb_filter_candidates: id=0 first=6 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=6 last=0
<= bdb_filter_candidates: id=0 first=6 last=0
bdb_search_candidates: id=0 first=6 last=0
hdb_search: no candidates
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_flush: 14 bytes to sd 12
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=12 for close
connection_close: conn=0 sd=12
daemon: removing 12
conn=0 fd=12 closed (connection lost)
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero

What may be wrong?
_________________
vu vu vu
gentù
mi piaci tu (I like you)
bunder (Bodhisattva)
Joined: 10 Apr 2004, Posts: 5947
Posted: Mon May 04, 2009 9:41 am
Here's what mine looks like:
Code:
access to attrs=userPassword
by self write
by anonymous auth
by dn="uid=root,ou=people,dc=asdf,dc=ca" write
by * none
access to *
by self write
by dn="uid=root,ou=people,dc=asdf,dc=ca" write
by * read
database ldbm
checkpoint 32 30
suffix "dc=asdf,dc=ca"
rootdn "cn=Manager,dc=asdf,dc=ca"
rootpw {MD5}**************************
directory /var/lib/openldap-data
index objectClass eq
loglevel 64

Looks like you've got all the right schemas loaded... so that's good. I'm guessing it's either an ACL issue or the ldap.conf/nsswitch.conf isn't set up right.
Can you run "getent passwd | grep root" as root, and get two root responses? (providing you added root to ldap)
Cheers
_________________
Neddyseagoon wrote: The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
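The two posts above give two sets of slapd.conf ACLs, and the thing a practitioner wants to know is what each set actually grants to an anonymous binder, because that is how nss_ldap queries the directory for every user other than root when rootbinddn is in play. The following is an added example, not code from either post or from OpenLDAP: a small model of slapd's ACL evaluation (first matching `access to` clause wins, then the first matching `by` clause, with access levels ordered none < disclose < auth < compare < search < read < write, as described in slapd.access(5)), run over the ACL text quoted from cloc3's and bunder's configurations. Only the selectors that appear in the thread are modelled; the entry and binder DNs used in the demo are constructed for illustration.

```python
"""Added example, not code from the thread or from OpenLDAP.

A model of how slapd evaluates 'access to <what> by <who> <level>' directives
(slapd.access(5)), run over the two ACL sets posted by cloc3 and bunder:
  * 'access to' clauses are tried in order; the FIRST whose <what> matches the
    requested attribute decides, later clauses are never consulted;
  * inside it, the first matching 'by <who>' fixes the level; levels are ordered
    none < disclose < auth < compare < search < read < write;
  * 'by *' matches everyone, anonymous included; an unmatched clause ends in an
    implicit 'by * none', an unmatched list in 'access to * by * none'.
Only the selectors used in the thread are modelled (attrs=, *, dn.base="",
dn="...", anonymous, self, *).  Entry/binder DNs in the demo are constructed.
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

CLOC3_ACLS = """access to attrs=userPassword,shadowLastChange,loginShell
  by dn="cn=admin,dc=paschini,dc=edu" write
  by anonymous auth
  by self write
  by * none
access to *
  by dn="cn=admin,dc=paschini,dc=edu" write
  by anonymous auth
  by * read
access to dn.base=""
  by anonymous auth
  by * read
"""

BUNDER_ACLS = """access to attrs=userPassword
  by self write
  by anonymous auth
  by dn="uid=root,ou=people,dc=asdf,dc=ca" write
  by * none
access to *
  by self write
  by dn="uid=root,ou=people,dc=asdf,dc=ca" write
  by * read
"""


def parse_acls(conf):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    acls = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acls:
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown access level %r" % level)
            acls[-1][1].append((who.strip(), level))
    return acls


def _what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):  # attribute names are case-insensitive
        return attr.lower() in {a.strip().lower() for a in what[6:].split(",")}
    if what.startswith("dn.base="):  # exact DN; "" is the root DSE
        return entry_dn.lower() == what[len("dn.base="):].strip('"').lower()
    raise ValueError("unsupported <what>: %r" % what)


def _who_matches(who, binder_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return binder_dn == ""
    if who == "self":
        return binder_dn != "" and binder_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):  # a bare dn= selector means dn.exact
        return binder_dn.lower() == who[3:].strip('"').lower()
    raise ValueError("unsupported <who>: %r" % who)


def access_level(acls, binder_dn, entry_dn, attr):
    """Level the binder ("" = anonymous) holds on one attribute of one entry."""
    for what, bys in acls:
        if not _what_matches(what, entry_dn, attr):
            continue
        for who, level in bys:
            if _who_matches(who, binder_dn, entry_dn):
                return level
        return "none"  # implicit 'by * none'
    return "none"      # implicit 'access to * by * none'


def allows(acls, binder_dn, entry_dn, attr, needed):
    return LEVELS.index(access_level(acls, binder_dn, entry_dn, attr)) >= LEVELS.index(needed)


def nss_lookup_ok(acls, binder_dn, entry_dn):
    """Can this binder read the attributes an nss_ldap passwd lookup returns?"""
    wanted = ["uid", "uidNumber", "gidNumber", "cn", "homeDirectory", "loginShell"]
    return all(allows(acls, binder_dn, entry_dn, a, "read") for a in wanted)


def unreachable_clauses(acls):
    """Indexes of 'access to' clauses placed after an 'access to *' clause."""
    star_seen, dead = False, []
    for i, (what, _) in enumerate(acls):
        if star_seen:
            dead.append(i)
        star_seen = star_seen or what == "*"
    return dead


if __name__ == "__main__":
    acls = parse_acls(CLOC3_ACLS)
    print(access_level(acls, "", "uid=x,ou=People,dc=paschini,dc=edu", "uidNumber"))
```

Run against cloc3's rules, an anonymous binder gets `auth` on uidNumber, uid and the rest, because `access to *` lists `by anonymous auth` before `by * read`; that is enough to bind but not to search or read, so `nss_lookup_ok` is false for anonymous and true only for the admin DN. The same rules also put loginShell in the restricted attribute set next to userPassword, and the trailing `access to dn.base=""` clause sits after `access to *`, so first-match evaluation never reaches it. Bunder's `access to * ... by * read` grants read to everyone, anonymous included, while still limiting anonymous to `auth` on userPassword.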
cloc3 (Advocate)
Posted: Mon May 04, 2009 1:42 pm
bunder wrote: I'm guessing it's either an ACL issue or the ldap.conf/nsswitch.conf isn't set up right.
This is the important part of my nsswitch.conf:
Code:
passwd: files ldap
group: files ldap
shadow: files ldap

bunder wrote: Can you run "getent passwd | grep root" as root, and get two root responses? (providing you added root to ldap)
Code:
s939 ~ # getent passwd | grep root
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash

It's from files. No root user is defined in the LDAP database.
The root user binds to the LDAP database through this ldap.conf line:
Code:
s939 ~ # cat /etc/ldap.conf|grep rootbinddn
rootbinddn cn=admin,dc=paschini,dc=edu

Commenting it out, root no longer binds to the LDAP database:
Code:
s939 ~ # whoami; su - ldap_user
root
Unknown id: ldap_user

Pay attention to the answer: Unknown id.
The expected behaviour should be a successful login with a warning such as "su: Permission denied (Ignored)".
cloc3 (Advocate)
Posted: Tue May 05, 2009 7:42 am
I've found the real origin of my problem.
It depends on nscd.
I'm using an "embedded" system for a USB live image.
The root file system is an aufs mount with a read-only branch from a squashfs disk image and a rw one from tmpfs.
I don't know why, but the nscd daemon, in this environment, correctly creates its own socket but fails all write accesses.
Enabling debug, I can see the errors.
A simple workaround exists:
add a line in /etc/fstab to mount /var/run in tmpfs, with mode=755.
In this way, ldap works fine, too.
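The fix cloc3 landed on is a mount, not an LDAP setting, and the check that leads to it is whether the runtime directory nscd writes into is really writable on the layered root. As an added example (not from the post), the helpers below probe a directory for writability the way nscd would hit it, show which mount backs it, and emit the tmpfs fstab line the workaround describes; they assume a POSIX sh with `df -P` and `awk`, and the directory path is whatever you pass in.

```bash
#!/bin/sh
# Added example, not from the thread: probe whether a runtime directory such as
# /var/run is really writable, which is the failure cloc3 traced to nscd on an
# aufs (squashfs + tmpfs) root.  Usage: check_run_dir /var/run

# Return 0 if a file can be created in "$1", 1 if not, 2 if it is not a directory.
check_run_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 2
    fi
    probe="$dir/.writeprobe.$$"
    # Create with a private umask, then remove; a read-only branch fails here.
    if ( umask 077; : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo "$dir: writable"
        return 0
    fi
    echo "$dir: NOT writable (nscd cannot create its socket/db files here)" >&2
    return 1
}

# Mount point backing "$1", to see whether it is still the layered root rather
# than a dedicated tmpfs.  Uses only POSIX df -P; the last field is the mount point.
backing_mount() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }'
}

# The fstab entry behind cloc3's workaround: a tmpfs on the given path with
# mode=755, so unprivileged lookups can still reach the socket while only root
# may create files in the directory.
fstab_tmpfs_line() {
    printf 'tmpfs\t%s\ttmpfs\tmode=755\t0 0\n' "$1"
}
```

On the live image the sequence is `check_run_dir /var/run` (expect the NOT writable branch), `backing_mount /var/run` (expect the aufs root rather than a tmpfs), then append `fstab_tmpfs_line /var/run` to /etc/fstab and re-run the probe after mounting.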