# LDAP authentication help

## petrjanda

I'm trying to get LDAP authentication to work, using the guide on the Gentoo forums:

http://www.gentoo.org/doc/en/ldap-howto.xml

However when I do

```
ldapsearch -D "cn=Manager,dc=elevator,dc=com" -W -d 255
```

I get this strange error:

```
pts/1 root@elevator# ldapsearch -D "cn=Manager,dc=elevator,dc=com" -W -d 255
ldap_create
Enter LDAP Password:
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP elevator:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.50:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 49 bytes to sd 3
  0000:  30 2f 02 01 01 60 2a 02  01 03 04 1d 63 6e 3d 4d   0/...`*.....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 65 6c 65 76 61 74   anager,dc=elevat
  0020:  6f 72 2c 64 63 3d 63 6f  6d 80 06 73 65 63 72 65   or,dc=com..secre
  0030:  74                                                 t
ldap_write: want=49, written=49
  0000:  30 2f 02 01 01 60 2a 02  01 03 04 1d 63 6e 3d 4d   0/...`*.....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 65 6c 65 76 61 74   anager,dc=elevat
  0020:  6f 72 2c 64 63 3d 63 6f  6d 80 06 73 65 63 72 65   or,dc=com..secre
  0030:  74                                                 t
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: elevator  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Fri Sep  3 01:41:43 2004
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed.
ldap_perror
ldap_bind: Can't contact LDAP server (81)
```

My slapd.conf:

```
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Use crypt to hash the passwords
password-hash {crypt}

# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
# checkpoint    32      30 # <kbyte> <min>
suffix          "dc=elevator,dc=com"
rootdn          "cn=Manager,dc=elevator,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-ldbm
# Indices to maintain
index   objectClass     eq
```

Otherwise I did everything the guide says I should do. Is there help out there for me?

----------

## weyhan

Did you enter your full domain name when you were asked for "Common Name" when you generated your certs?

In your case it should be "hostyouhaveldaprunning.elevator.com".

Also, you might want to check out http://www.monkeybox.org.uk/docs/gentoo/ldap.html

HTH

----------

## petrjanda

I used the guide you gave me and got it working :Smile: Now I'd like to join Samba to have LDAP-based authentication. Do you think you could help me out?

----------

## weyhan

*petrjanda wrote:*

> Used the guide you gave me and got it working

Glad to hear that.

*petrjanda wrote:*

> Now, I'd like to join samba to have ldap based authentication. Do you think you could help me out?

http://www.monkeybox.org.uk/docs/gentoo/samba3.html

Same site, different page. :Wink:

Post again if you have a problem.

----------

## petrjanda

*weyhan wrote:*

> *petrjanda wrote:* Used the guide you gave me and got it working
>
> Glad to hear that.
>
> *petrjanda wrote:* Now, I'd like to join samba to have ldap based authentication. Do you think you could help me out?
> ...

 

Ah man, I love you!!!! :Very Happy: Finally a good website with a sensible LDAP + Samba how-to :Smile: :Smile:

----------

## weyhan

*petrjanda wrote:*

> Ah man, I love you!!!! Finally some good website with a sensible LDAP + Samba how to

 

You are welcome.   :Laughing: 

----------

## Nicolinux

Hi,

Sorry to just drop in, but I have also followed your guide and the Gentoo guide and still have problems. Basically I do not find anything with ldapsearch when not using SSL/TLS. But when using those I get a Local error (82), something like connection refused I guess.

Thanks for helping  :Smile: 

slapd.conf:

```
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Schemacheck
schemacheck     on

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

Loglevel 8

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Password hash
password-hash {crypt}

# Define SSL and TSL properties
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

access to dn="" by * read
access to *
       by self write
       by users read
       by anonymous auth

database        ldbm
suffix          "dc=nicolinux,dc=home"
rootdn          "cn=Manager,dc=nicolinux,dc=home"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {MD5}ajnct/fW0woI2UMsHHHf4Q==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-ldbm
# Indices to maintain
index   objectClass     eq
index   cn            pres,sub,eq
index   sn            pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index   uidNumber            eq
index   gidNumber            eq
index   memberUid            eq
#index   sambaSID             eq
#index   sambaPrimaryGroupSID eq
#index   sambaDomainName      eq
index   default              sub

# Save the time that the entry gets modified, for database #1
lastmod    on

# These access lines apply to this database only
#access to attribute=userPassword,sambaLMPassword,sambaNTPassword
access to attribute=userPassword
        by dn="cn=Manager,dc=nicolinux,dc=home" write
        by anonymous auth
        by self write
        by * none

# The admin dn has full write access
# (continuation lines are joined, so the "by" clauses may each start on their own line)
access to *
        by dn="cn=Manager,dc=nicolinux,dc=home" write
        by * read
```

ldap.conf:

```
BASE            dc=nicolinux,dc=home
URI             ldap://albus.nicolinux.home
TLS_REQCERT     allow
```

Using `ldapsearch -D "cn=Manager,dc=nicolinux,dc=home" -W -d 255` gives me the following:

```
ldap_create
Enter LDAP Password:
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP albus.nicolinux.home:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.2:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_int_sasl_open: host=albus.nicolinux.home
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 64 bytes to sd 3
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ldap_write: want=64, written=64
  0000:  30 3e 02 01 01 63 39 04  00 0a 01 00 0a 01 00 02   0>...c9.........
  0010:  01 00 02 01 00 01 01 00  87 0b 6f 62 6a 65 63 74   ..........object
  0020:  63 6c 61 73 73 30 19 04  17 73 75 70 70 6f 72 74   class0...support
  0030:  65 64 53 41 53 4c 4d 65  63 68 61 6e 69 73 6d 73   edSASLMechanisms
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (infinite timeout), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: albus.nicolinux.home  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Sun Sep 26 14:05:21 2004
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 4a 02 01 01 64 45 04                            0J...dE.
ldap_read: want=68, got=68
  0000:  00 30 41 30 3f 04 17 73  75 70 70 6f 72 74 65 64   .0A0?..supported
  0010:  53 41 53 4c 4d 65 63 68  61 6e 69 73 6d 73 31 24   SASLMechanisms1$
  0020:  04 04 4e 54 4c 4d 04 06  47 53 53 41 50 49 04 0a   ..NTLM..GSSAPI..
  0030:  44 49 47 45 53 54 2d 4d  44 35 04 08 43 52 41 4d   DIGEST-MD5..CRAM
  0040:  2d 4d 44 35                                        -MD5
ber_get_next: tag 0x30 len 74 contents:
ber_dump: buf=0x08054a68 ptr=0x08054a68 end=0x08054ab2 len=74
  0000:  02 01 01 64 45 04 00 30  41 30 3f 04 17 73 75 70   ...dE..0A0?..sup
  0010:  70 6f 72 74 65 64 53 41  53 4c 4d 65 63 68 61 6e   portedSASLMechan
  0020:  69 73 6d 73 31 24 04 04  4e 54 4c 4d 04 06 47 53   isms1$..NTLM..GS
  0030:  53 41 50 49 04 0a 44 49  47 45 53 54 2d 4d 44 35   SAPI..DIGEST-MD5
  0040:  04 08 43 52 41 4d 2d 4d  44 35                     ..CRAM-MD5
ldap_read: message type search-entry msgid 1, original id 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: albus.nicolinux.home  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Sun Sep 26 14:05:21 2004
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
 * msgid 1,  type 100
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 65 07 0a                            0....e..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x080545d0 ptr=0x080545d0 end=0x080545dc len=12
  0000:  02 01 01 65 07 0a 01 00  04 00 04 00               ...e........
ldap_read: message type search-result msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x080545d0 ptr=0x080545d3 end=0x080545dc len=9
  0000:  65 07 0a 01 00 04 00 04  00                        e........
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
adding response id 1 type 101:
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x080545d0 ptr=0x080545d3 end=0x080545dc len=9
  0000:  65 07 0a 01 00 04 00 04  00                        e........
ber_scanf fmt (}) ber:
ber_dump: buf=0x080545d0 ptr=0x080545dc end=0x080545dc len=0
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_dump: buf=0x08054a68 ptr=0x08054a6b end=0x08054ab2 len=71
  0000:  64 45 04 00 30 41 30 3f  04 17 73 75 70 70 6f 72   dE..0A0?..suppor
  0010:  74 65 64 53 41 53 4c 4d  65 63 68 61 6e 69 73 6d   tedSASLMechanism
  0020:  73 31 24 04 04 4e 54 4c  4d 04 06 47 53 53 41 50   s1$..NTLM..GSSAP
  0030:  49 04 0a 44 49 47 45 53  54 2d 4d 44 35 04 08 43   I..DIGEST-MD5..C
  0040:  52 41 4d 2d 4d 44 35                               RAM-MD5
ber_scanf fmt ([v]) ber:
ber_dump: buf=0x08054a68 ptr=0x08054a8c end=0x08054ab2 len=38
  0000:  31 24 04 04 4e 54 4c 4d  04 06 47 53 53 41 50 49   1$..NTLM..GSSAPI
  0010:  04 0a 44 49 47 45 53 54  2d 4d 44 35 04 08 43 52   ..DIGEST-MD5..CR
  0020:  41 4d 2d 4d 44 35                                  AM-MD5
ldap_msgfree
ldap_interactive_sasl_bind_s: server supports: NTLM GSSAPI DIGEST-MD5 CRAM-MD5
ldap_int_sasl_bind: NTLM GSSAPI DIGEST-MD5 CRAM-MD5
SASL/GSSAPI authentication started
ldap_perror
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found)
```

This error comes regardless of whether I supply the correct password or not (or none at all).

One thing though about the guide. You first write that one should leave out the SSL part until it works. It's not clear when the SSL/TLS part is added, because you comment out the TLS* things in the slapd.conf but the examples all have the SSL certificates enabled. Maybe you could provide a handy example of how one can test that the server works with and without SSL/TLS (something like `ldapsearch -x "..."` and `ldapsearch -D "..." -W`).

However, skipping the TLS/SSL part and using `ldapsearch -x "cn=Manager,dc=nicolinux,dc=home"` I get these results:

```
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: cn=Manager,dc=nicolinux,dc=home
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
```

I think that means the server is not doing what it should :/

I also made sure that albus.nicolinux.home can be resolved correctly.

Thanks much

Stefan
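To read what the `-d 255` hex dumps in the first post and in Nicolinux's post actually carry, here is a small BER decoder (an added example, not code from the thread or from OpenLDAP); the two byte strings are transcribed from those dumps, and the function names are mine.

```python
"""Decode the BER-encoded LDAP PDUs from ldapsearch -d 255 hex dumps (added example, not the thread's code)."""

# Constructed from the first post: the 49 bytes ber_flush sent to elevator:636.
BIND_REQUEST_HEX = """
30 2f 02 01 01 60 2a 02 01 03 04 1d 63 6e 3d 4d
61 6e 61 67 65 72 2c 64 63 3d 65 6c 65 76 61 74
6f 72 2c 64 63 3d 63 6f 6d 80 06 73 65 63 72 65
74"""
# Constructed from Nicolinux's post: the 8 + 68 bytes ldap_read received for msgid 1.
SEARCH_ENTRY_HEX = """
30 4a 02 01 01 64 45 04 00 30 41 30 3f 04 17 73 75 70 70 6f 72 74 65 64
53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 31 24 04 04 4e 54 4c 4d 04 06
47 53 53 41 50 49 04 0a 44 49 47 45 53 54 2d 4d 44 35 04 08 43 52 41 4d
2d 4d 44 35"""


def tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n, length = length & 0x7F, 0
        for octet in buf[pos:pos + n]:
            length = (length << 8) | octet
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value into its [(tag, value), ...] elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out


def decode_ldap_message(raw):
    """Describe one LDAPMessage: BindRequest ([APPLICATION 0]) or SearchResultEntry ([APPLICATION 4])."""
    _, msg, _ = tlv(raw)
    (_, msgid), (op_tag, op) = children(msg)[:2]
    info = {"messageID": int.from_bytes(msgid, "big")}
    if op_tag == 0x60:
        (_, ver), (_, dn), (auth_tag, cred) = children(op)
        info.update(op="BindRequest", version=ver[0], name=dn.decode())
        if auth_tag == 0x80:            # AuthenticationChoice "simple": the password travels as-is
            info.update(auth="simple", password=cred.decode())
    elif op_tag == 0x64:
        (_, dn), (_, attrs) = children(op)
        info.update(op="SearchResultEntry", objectName=dn.decode(), attributes={})
        for _, attr in children(attrs): # PartialAttribute ::= SEQUENCE { type, vals SET OF }
            (_, desc), (_, vals) = children(attr)
            info["attributes"][desc.decode()] = [v.decode() for _, v in children(vals)]
    return info
```

Decoding the first dump with `decode_ldap_message(bytes.fromhex(BIND_REQUEST_HEX))` returns the rootpw from slapd.conf as the `password` field: a simple bind carries the password verbatim, so it should only travel inside a TLS session, or be refused outright with the `security ... simple_bind=64` directive that the posted slapd.conf shows commented out. The second dump decodes to the root DSE's `supportedSASLMechanisms`, which is how ldapsearch without `-x` ended up choosing GSSAPI.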

----------

