[OGo-Users] LDAPInitialBindSpecific not working

Juuso Alasuutari users@opengroupware.org
Mon, 5 Mar 2007 15:57:45 +0200


On Monday 05 March 2007 13:05, Adam Tauno Williams wrote:
> > > > I'm configuring OGo 1.0 to authenticate against LDAPv3 (OpenLDAP) by
> > > > using the LDAPInitialBind settings as instructed in this manual:
> > > > http://docs.opengroupware.org/Members/whitemice/wmogag/download.
> > > > Here's what I have in NSGlobalDomain.plist (don't worry, I'm only
> > > > using the root account temporarily for testing):
> > > >     LSAuthLDAPServer = "ldap.foo.bar";
> > > >     LSAuthLDAPServerRoot = "dc=foo,dc=bar";
> > > >     LSAuthLDAPServerPort = 389;
> > > >     LDAPLoginAttributeName = "uid";
> > > >     DisablePasswordModification = YES;
> > > >     LDAPInitialBindSpecific = YES;
> > > >     LDAPInitialBindDN = "uid=root,ou=people,dc=foo,dc=bar";
> > > >     LDAPInitialBindPW = "xxx";
> > > > When I enable 'allow bind_v2' in slapd.conf I am able to log in via
> > > > http://ldap.foo.bar/OpenGroupware, but without it and using the above
> > > > settings login attempts fail and nothing even appears in the LDAP
> > > > server's syslog
> > >
> > > That seems very odd: "nothing even appears in the LDAP server's syslog"
> > > What is value of the DSA's loglevel directive?  I'm on the road today,
> > > but off the top of my head I think you want 128+32+8 as a minimum in
> > > order to figure out what is going on.  Since it looks like you are on
> > > the same machine, and thus using ethereal/wireshark is probably out,
> > > you can throw in +2 if you want to see the packets.
> >
> > I tried changing the loglevel, but I'm still not getting anything in the
> > logs that looks like a response to my actions.
>
> If you make no corresponding change to your system's syslog of course you
> won't see anything additional.
> ftp://kalamazoolinux.org/pub/pdf/Timber.pdf
>
> >  When I type my name and passwd in
> > the OGo login page, it almost instantly reloads the page with the login
> > failure message "Wrong Password or User". Seems like the auth query fails
> > very quickly.
> > I have the bind user set to root, I've the slapd loglevel set to
> > 512+128+32+8,
>
> I assume that means "loglevel 680" exists in slapd.conf?

Yes, I have that setting there. Thanks for the syslog tip-off, the output is 
much easier to read when it's in its own file. Now I see that there indeed is 
some activity when I try to log in:

Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on 1 descriptors
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: new connection on 17
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: added 17r
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on:
Mar  5 15:45:28 <hostname> slapd[22084]:
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: select: listen=6 active_threads=0 tvp=NULL
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on 1 descriptors
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on:
Mar  5 15:45:28 <hostname> slapd[22084]:  17r
Mar  5 15:45:28 <hostname> slapd[22084]:
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: read activity on 17
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: select: listen=6 active_threads=0 tvp=NULL
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on 1 descriptors
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on:
Mar  5 15:45:28 <hostname> slapd[22084]:  17r
Mar  5 15:45:28 <hostname> slapd[22084]:
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: read activity on 17
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: select: listen=6 active_threads=0 tvp=NULL
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: activity on 1 descriptors
Mar  5 15:45:28 <hostname> slapd[22084]: daemon: select: listen=6 active_threads=0 tvp=NULL
Mar  5 15:45:28 <hostname> slapd[22110]: daemon: removing 17


-- 
Juuso Alasuutari
      seclan.com
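An added diagnostic helper, written for this note and not part of the thread or of OpenLDAP: it decodes a slapd loglevel bitmask with the category bits documented in slapd.conf(5) and scans a log excerpt for the conn=/op= records that only the stats category (256) emits, the level that records each BIND and its RESULT error code. The sample log lines are constructed to mirror the excerpt above (the "daemon:" lines come from the conns category, 8), and the loglevel 680 used in the thread is 512+128+32+8, which has no stats bit.

```python
import re

# Category bits as documented in slapd.conf(5) for the "loglevel" directive.
SLAPD_LOGLEVELS = {
    1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER",
    32: "filter", 64: "config", 128: "ACL", 256: "stats",
    512: "stats2", 1024: "shell", 2048: "parse", 16384: "sync",
}

# Records written only at level 256 (stats): connection accept, each
# operation (BIND/SRCH/...) and its RESULT carrying the LDAP error code.
STATS_RECORD = re.compile(
    r"conn=\d+ (?:fd=\d+ ACCEPT|op=\d+ (?:BIND|SRCH|RESULT|UNBIND))")

def decode_loglevel(level: int) -> list:
    """Names of the categories whose bits are set in a loglevel value."""
    return [name for bit, name in SLAPD_LOGLEVELS.items() if level & bit]

def bind_debug_gaps(level: int) -> list:
    """Categories needed when chasing a failed bind but absent from
    ``level``: conns (8) for socket activity and stats (256) for the
    BIND/RESULT lines that carry the error code (e.g. err=49)."""
    needed = {8: "conns", 256: "stats"}
    return [name for bit, name in needed.items() if not level & bit]

def stats_records(log_lines: list) -> list:
    """Return just the stats-level records from a slapd log excerpt."""
    return [line for line in log_lines if STATS_RECORD.search(line)]

# Constructed excerpt modelled on the thread: only "daemon:" lines,
# which come from the conns (8) category, and no BIND or RESULT at all.
SAMPLE_LOG = [
    "Mar  5 15:45:28 host slapd[22084]: daemon: new connection on 17",
    "Mar  5 15:45:28 host slapd[22084]: daemon: read activity on 17",
    "Mar  5 15:45:28 host slapd[22110]: daemon: removing 17",
]

def diagnose(level: int, log_lines: list) -> dict:
    """Summarise what the loglevel covers and what the excerpt shows."""
    return {
        "enabled": decode_loglevel(level),
        "missing": bind_debug_gaps(level),
        "stats_records": stats_records(log_lines),
    }

if __name__ == "__main__":
    print(diagnose(512 + 128 + 32 + 8, SAMPLE_LOG))
```

With the thread's loglevel 680 the helper reports "stats" as missing and finds no BIND/RESULT records in the excerpt; adding 256 (loglevel 936) makes slapd log the bind DN and the result code, which is what distinguishes a wrong initial-bind password from a search that simply found no entry.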