Dear all,

I have configured LDAP auth, but I can't successfully check the password. With other applications, for example from a PHP intranet page, I can check the LDAP account successfully. Does anyone have an idea?

Here is the debug:
__________________________________________
13:30:17 < 4677> TECH-DBG LDAP server hcd.de.domain.net:389: initialized for 1.2.3.4
13:30:17 < 4677> config_str: s='(nil)' n='LDAPIdentifier' d='CN'
13:30:17 < 4677> config_str: result='uid'
13:30:17 < 4677> config_str: s='(nil)' n='LDAPObjectClass' d='(nil)'
13:30:17 < 4677> config_str: s='(nil)' n='LDAPAuthDN' d='(nil)'
13:30:17 < 4677> config_str: result='dc=domain,dc=net'
13:30:17 < 4677> config_str: s='(nil)' n='LDAPBaseDN' d='(nil)'
13:30:17 < 4677> config_str: result='dc=domain,dc=net'
13:30:17 < 4677> config_str: s='(nil)' n='LDAPBindDN' d='(nil)'
13:30:17 < 4677> config_str: result='uid=squidmgr,ou=applications,dc=domain,dc=net'
13:30:17 < 4677> alloc 51 (ftp-ldap.c:462): 0x8068a10
13:30:17 < 4677> config_str: s='(nil)' n='LDAPBindPW' d='(nil)'
13:30:17 < 4677> config_str: result='schalke05'
13:30:17 < 4677> TECH-DBG LDAP bind to dn='uid=squidmgr,ou=applications,dc=domain,dc=net': succeed
13:30:17 < 4677> USER-INF reading data for 'elsaest' from LDAP
13:30:17 < 4677> TECH-DBG LDAP search: base='dc=domain,dc=net' filter='(uid=elsaest)'
13:30:17 < 4677> config_str: s='(nil)' n='UserAuthType' d='(nil)'
13:30:17 < 4677> config_str: result='ldap'
13:30:17 < 4677> TECH-DBG LDAP auth: base='dc=domain,dc=net' filter='(uid=elsaest)'
13:30:17 < 4677> config_str: s='(nil)' n='LDAPAuthOKFlag' d='(nil)'
13:30:17 < 4677> config_str: result='groupMembership=cn=FTP-User,ou=groups,dc=domain,dc=net'
13:30:17 < 4677> LDAP result: checking[3:0] 'groupMembership'='cn=DNS-Admin,ou=groups,dc=domain,dc=net'
13:30:17 < 4677> LDAP result: checking[3:1] 'groupMembership'='cn=DNS-Editor,ou=groups,dc=domain,dc=net'
13:30:17 < 4677> LDAP result: checking[3:2] 'groupMembership'='cn=DNS-User,ou=groups,dc=domain,dc=net'
13:30:17 < 4677> LDAP result: checking[3:3] 'groupMembership'='cn=FTP-User,ou=groups,dc=domain,dc=net'
13:30:17 < 4677> TECH-DBG LDAP auth ok-check: 'groupMembership'='cn=FTP-User,ou=groups,dc=domain,dc=net' passed
13:30:17 < 4677> config_str: s='(nil)' n='LDAPAuthPWAttr' d=''
13:30:17 < 4677> config_str: result='userPassword'
13:30:17 < 4677> config_str: s='(nil)' n='LDAPAuthPWType' d='plain'
13:30:17 < 4677> config_str: result='plain'
13:30:17 < 4677> LDAP result: 'userPassword' - ''
13:30:17 < 4677> TECH-DBG LDAP auth pw-type[5]='plain'
13:30:17 < 4677> LDAP auth pw-check: '' ?= '123456' <-------------------------------------------------
13:30:17 < 4677> TECH-DBG LDAP auth pw-check failed
13:30:17 < 4677> USER-ERR LDAP user auth failed for elsaest from 1.2.3.4
13:30:17 < 4677> printf Cli-Ctrl 0=1.2.3.4: 20 bytes '530 Not logged in.'
13:30:17 < 4677> alloc 44 (com-socket.c:795): 0x806d3e0
13:30:17 < 4677> free 0x806d470 (ftp-client.c:1087)
13:30:17 < 4677> free 0x806d480 (ftp-client.c:1091)
13:30:17 < 4677> FD_SET Cli-Ctrl for W
13:30:17 < 4677> FD_SET Cli-Ctrl for R
13:30:17 < 4677> ll_write Cli-Ctrl 0=1.2.3.4: sent 20 bytes
13:30:17 < 4677> free 0x806d3e0 (com-socket.c:1230)
13:30:17 < 4677> ll_write Cli-Ctrl 0=1.2.3.4: 20/383 bytes
13:30:17 < 4677> client-loop ...
13:30:17 < 4677> FD_SET Cli-Ctrl for R
__________________________________________________________________________________

Kind regards,
Thomas Elsaesser

On Mon, Jun 21, 2004 at 03:18:57PM +0200, Thomas.Elsaesser@henkel.com wrote:
> Dear all,

Hello!

> I have configured LDAP auth, but I can't successfully check the password. With other applications, for example from a PHP intranet page, I can check the LDAP account successfully. Does anyone have an idea?

Yes.

[...]
> 13:30:17 < 4677> config_str: s='(nil)' n='LDAPAuthPWAttr' d=''
> 13:30:17 < 4677> config_str: result='userPassword'
> 13:30:17 < 4677> config_str: s='(nil)' n='LDAPAuthPWType' d='plain'
> 13:30:17 < 4677> config_str: result='plain'
> 13:30:17 < 4677> LDAP result: 'userPassword' - ''
> 13:30:17 < 4677> TECH-DBG LDAP auth pw-type[5]='plain'
> 13:30:17 < 4677> LDAP auth pw-check: '' ?= '123456'

You are using the attic LDAPAuthPWAttr, LDAPAuthPWType keywords.
This is compatibility stuff needed only on OpenLDAP 1.x, where
the LDAP server wasn't able to verify the passwords itself and
the proxy has to verify it itself.

Comment out the LDAPAuthPWAttr and LDAPAuthPWType options
in your config and set:

    LDAPBindDN auto

or

    LDAPBindDN AuthDN

This causes the proxy to search for uid=$USER below
the DN specified in LDAPAuthDN and try to bind using the
resulting DN with username and password.

If you can't / don't like an anonymous pre-bind, use:

    LDAPPreBindDN uid=squidmgr,ou=applications,dc=domain,dc=net
    LDAPPreBindPW ***pwd***

You can also comment out the LDAPBaseDN option, unless you
want the proxy to try to read user specific config from
LDAP as well.

Further you may use the "UserAuthMagic" feature as well to
encode auth user+password in USER / PASS ftp commands;
otherwise the ftp username and ftp password are used to
bind ldap as well.

You need / should use OpenLDAP 2.x and proxy-suite-1.9.2.2.

Kind regards,
Marius Tomaschewski
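
An added example, not part of the original thread or of proxy-suite: a Python check over debug output in the format quoted above that flags the legacy LDAPAuthPWAttr / LDAPAuthPWType proxy-side compare and masks the password values those debug lines carry before the log is shared. The sample log and the function name `review` are constructed for illustration.

```python
import re

# Constructed sample in the debug format shown in the thread (values are made up).
SAMPLE = """\
13:30:17 < 4677> config_str: s='(nil)' n='LDAPBindPW' d='(nil)'
13:30:17 < 4677> config_str: result='bind-secret'
13:30:17 < 4677> config_str: s='(nil)' n='LDAPAuthPWAttr' d=''
13:30:17 < 4677> config_str: result='userPassword'
13:30:17 < 4677> config_str: s='(nil)' n='LDAPAuthPWType' d='plain'
13:30:17 < 4677> config_str: result='plain'
13:30:17 < 4677> LDAP result: 'userPassword' - ''
13:30:17 < 4677> LDAP auth pw-check: '' ?= 'user-secret'
13:30:17 < 4677> TECH-DBG LDAP auth pw-check failed
"""

KEY_RE = re.compile(r"config_str: s='[^']*' n='([^']*)'")
RESULT_RE = re.compile(r"(config_str: result=)'([^']*)'")
PWCHECK_RE = re.compile(r"(LDAP auth pw-check: )'([^']*)' \?= '([^']*)'")
SECRET_KEYS = {"LDAPBindPW", "LDAPPreBindPW"}      # values to mask
LEGACY_KEYS = {"LDAPAuthPWAttr", "LDAPAuthPWType"}  # proxy-side compare options

def review(log_text):
    """Return (redacted_lines, findings) for an ftp-proxy debug log."""
    out, findings, key = [], [], None
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            key = m.group(1)  # a following result= line belongs to this key
        r = RESULT_RE.search(line)
        if r:
            if key in LEGACY_KEYS:
                findings.append(f"legacy option set: {key}={r.group(2)}")
            if key in SECRET_KEYS:
                line = RESULT_RE.sub(r"\1'***'", line)
            key = None
        p = PWCHECK_RE.search(line)
        if p:
            if p.group(2) == "":
                findings.append("proxy-side compare got an empty stored password")
            # Both sides of the compare are password material: mask them.
            line = PWCHECK_RE.sub(r"\1'***' ?= '***'", line)
        out.append(line)
    return out, findings

if __name__ == "__main__":
    redacted, notes = review(SAMPLE)
    print("\n".join(redacted + ["--"] + notes))
```
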