nss_ldap problem using rootbinddn
Hello,
I have a functioning openLDAP server, which is configured to accept
connections over port 636 only.
I have used the PADL migration scripts to load my user password and group
information into openLDAP.
I am trying to get nss_ldap working for the root dn.
I am at the point where "getent passwd" successfully returns the users from
/etc/password and from the openLDAP server, and I now want to specify my
rootbinddn.
Issuing "getent passwd" from a non-root login, an anonymous bind takes place
and the passwd entries are returned.
If I do not define a rootbinddn in ldap.conf and issue "getent passwd" from a
root login, an anonymous bind takes place and the passwd entries are
returned.
If I do define a rootbinddn in ldap.conf and issue "getent passwd" from a
root login, the bind fails and the passwd entries are not returned.
The one that does not work seems to differ in that it does the following
(from the logs, below):
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 1
and a little later, before going on to ldap_unbind, reports:
res_errno: 49, res_error: <>, res_matched: <>
whereas the one that works does not do ldap_chase_referrals and
reports, before going on to ldap_search:
res_errno: 0, res_error: <>, res_matched: <>
I have no idea if that's at all relevant, but I've looked in the source code
and found 49 means "LDAP_INVALID_CREDENTIALS". From the logs I can see my
root dn being passed in along with the password from ldap.secret, so I have
no idea why the login request is rejected.
0000: 30 33 02 01 01 60 2e 02 01 03 04 1b 63 6e 3d 4d 03...`......cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 6a 65 6c 77 65 62 anager,dc=jelweb
0020: 2c 64 63 3d 63 6f 6d 80 0c 6d 79 73 65 63 72 65 ,dc=com..mysecre
0030: 74 70 77 64 0a tpwd.
As a separate test, this works fine:
ldapsearch -D "cn=Manager,dc=jelweb,dc=com" -H ldaps:// -w mysecretpwd
Software versions:
OpenLDAP 2.2.20, nss_ldap 233, pam_ldap 176, Migrationtools-46, openssl
0.9.7
Here are my ldap and slap configuration files:
My ldap.conf:
HOST blfs.jelweb.com
BASE dc=jelweb,dc=com
TLS_CACERT /etc/ssl/certs/cacert.pem
#Following config is for nss_ldap and pam_ldap
debug 255
logdir /tmp
ssl yes
pam_password md5
rootbinddn cn=Manager,dc=jelweb,dc=com
My slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
schemacheck on
# Logging to the syslog channel LOCAL4
loglevel -1
pidfile /var/lib/run/slapd.pid
argsfile /var/lib/run/slapd.args
# TLS configuration settings
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSCertificateFile /etc/ssl/certs/servercert.pem
TLSCertificateKeyFile /etc/ssl/private/serverkey.pem
TLSVerifyClient demand
#############################################################
# LDBM database definitions
#############################################################
database ldbm
directory /var/lib/openldap-data
suffix "dc=jelweb,dc=com"
rootdn "cn=Manager,dc=jelweb,dc=com"
rootpw {SSHA}gdkikTvx3WAUm2fcC3qSu7a0unkRopZo
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=sambaLMPassword,sambaNTpassword
by self write
by anonymous auth
by * none
access to *
by * read
----------------------------------------------------------
I've run client side and server side with debugging, and the following
excerpts are from where the outputs differ:
If anyone can explain why my rootbind does not work I would really
appreciate it.
Debug output from "getent passwd" from root login:
----------------------------------------------------------
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 30 ....0
tls_read: want=48, got=48
0000: 18 86 ee a8 42 46 98 87 c0 8e a4 eb c7 33 87 4a ....BF.......3.J
0010: 8f f4 4d 60 24 ed c0 c8 a6 bd de 37 e6 b5 06 8e ..M`$......7....
0020: d8 1a 42 28 e8 7a 26 8b 7d a8 09 55 a9 af 30 a8 ..B(.z&.}..U..0.
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 53 bytes to sd 5
0000: 30 33 02 01 01 60 2e 02 01 03 04 1b 63 6e 3d 4d 03...`......cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 6a 65 6c 77 65 62 anager,dc=jelweb
0020: 2c 64 63 3d 63 6f 6d 80 0c 6d 79 73 65 63 72 65 ,dc=com..mysecre
0030: 74 70 77 64 0a tpwd.
tls_write: want=122, written=122
0000: 17 03 01 00 20 e3 dd 6a a9 10 26 a8 15 f2 ea cd .... ..j..&.....
0010: d3 86 18 4d 17 00 a6 a1 fa 37 72 30 55 db d1 bc ...M.....7r0U...
0020: 6a e6 72 c5 e0 17 03 01 00 50 3a a6 bb 0d ff c2 j.r......P:.....
0030: 0e 84 1b c8 1d b5 71 c3 f3 91 df 55 ea 30 19 f5 ......q....U.0..
0040: d7 8a b7 4a b6 ba 56 ef 08 21 36 c6 d1 36 36 93 ...J..V..!6..66.
0050: 09 b0 55 dc 3e a0 8d 50 b9 94 9c a8 59 56 61 d7 ..U.>..P....YVa.
0060: 64 16 d4 b5 04 eb 78 f3 7e fd 7a 00 6e b6 ea ea d.....x.~.z.n...
0070: b4 0f 7f ac d2 df 7f 88 10 f7 ..........
ldap_write: want=53, written=53
0000: 30 33 02 01 01 60 2e 02 01 03 04 1b 63 6e 3d 4d 03...`......cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 6a 65 6c 77 65 62 anager,dc=jelweb
0020: 2c 64 63 3d 63 6f 6d 80 0c 6d 79 73 65 63 72 65 ,dc=com..mysecre
0030: 74 70 77 64 0a tpwd.
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
** Connections:
* host: blfs.jelweb.com port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Feb 14 19:52:53 2005
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
tls_read: want=5, got=5
0000: 17 03 01 00 20 ....
tls_read: want=32, got=32
0000: d6 7e c0 31 86 32 d2 cf 4a 1d 2e f5 97 5b 11 30 .~.1.2..J....[.0
0010: f8 67 fe 1e d8 05 4c f4 ac 59 ef 70 07 ae a1 4a .g....L..Y.p...J
tls_read: want=5, got=5
0000: 17 03 01 00 30 ....0
tls_read: want=48, got=48
0000: f3 c8 17 0e dd 69 c5 e0 26 aa 84 d8 f8 33 a6 2b .....i..&....3.+
0010: 66 38 12 e2 16 51 59 9b c4 d5 08 51 59 14 42 ad f8...QY....QY.B.
0020: 8d 1a 3d 51 59 ff ee 4b 72 12 9e 54 22 a5 1f a3 ..=QY..Kr..T"...
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 31 04 00 04 00 .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0806d910 ptr=0x0806d910 end=0x0806d91c len=12
0000: 02 01 01 61 07 0a 01 31 04 00 04 00 ...a...1....
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806d910 ptr=0x0806d913 end=0x0806d91c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
ber_scanf fmt ({iaa}) ber:
ber_dump: buf=0x0806d910 ptr=0x0806d913 end=0x0806d91c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 1
new result: res_errno: 49, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806d910 ptr=0x0806d913 end=0x0806d91c len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x0806d910 ptr=0x0806d91c end=0x0806d91c len=0
ldap_msgfree
ldap_unbind
ldap_free_connection
ldap_send_unbind
----------------------------------------------------------
Debug output from "getent passwd" from non-root login:
----------------------------------------------------------
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
0000: 14 03 01 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 01 00 30 ....0
tls_read: want=48, got=48
0000: 46 d2 48 46 26 02 de 43 8f 0c 51 55 f4 71 4b af F.HF&..C..QU.qK.
0010: 1a b1 0e 18 0d ed d9 54 f1 df 62 fc 91 55 9e b9 .......T..b..U..
0020: 8a 74 ba 75 d7 6c 0c 98 fc 3d 77 42 42 af c6 62 .t.u.l...=wBB..b
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful
ldap_send_server_request
ber_flush: 14 bytes to sd 5
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
tls_write: want=90, written=90
0000: 17 03 01 00 20 1a e9 28 7c 16 7a 1d b9 c6 ea 65 .... ..(|.z....e
0010: 09 f5 59 16 bb 05 af 66 e7 44 4a b5 80 be 9b e7 ..Y....f.DJ.....
0020: 0e 3f a5 0a 99 17 03 01 00 30 8c ce d8 0a 4f 2e .?.......0....O.
0030: ad d2 36 75 98 ea 19 ff 26 bd 64 1e a0 19 1c be ..6u....&.d.....
0040: cb f1 86 c4 82 5e f1 7f 75 20 6f 08 48 61 bf 10 .....^..u o.Ha..
0050: 3d 64 c4 26 52 35 12 f0 01 b9 =d.&R5....
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
wait4msg (timeout 30 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 0
** Connections:
* host: blfs.jelweb.com port: 636 (default)
refcnt: 2 status: Connected
last used: Mon Feb 14 19:52:48 2005
** Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** Response Queue:
Empty
ldap_chkResponseList for msgid=1, all=0
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 0
ber_get_next
tls_read: want=5, got=5
0000: 17 03 01 00 20 ....
tls_read: want=32, got=32
0000: ab 1e 83 eb bd 4f 93 0a b7 3c 7a f9 61 77 7e 8f .....O...<z.aw~.
0010: 1f 0e fc 56 33 7a c9 64 e1 86 d1 eb 3d fd d8 6a ...V3z.d....=..j
tls_read: want=5, got=5
0000: 17 03 01 00 30 ....0
tls_read: want=48, got=48
0000: b8 76 0c a0 44 28 f3 ab 47 09 c2 8a a2 cf bb 70 .v..D(..G......p
0010: e3 a9 62 6b 8b cb 45 29 9e 0c 27 50 df 30 50 29 ..bk..E)..'P.0P)
0020: e0 1f 60 39 05 43 d2 95 51 92 01 13 2a 10 75 2d ..`9.C..Q...*.u-
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 00 04 00 04 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x0806db80 ptr=0x0806db80 end=0x0806db8c len=12
0000: 02 01 01 61 07 0a 01 00 04 00 04 00 ...a........
ldap_read: message type bind msgid 1, original id 1
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806db80 ptr=0x0806db83 end=0x0806db8c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
ber_scanf fmt ({iaa}) ber:
ber_dump: buf=0x0806db80 ptr=0x0806db83 end=0x0806db8c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
new result: res_errno: 0, res_error: <>, res_matched: <>
read1msg: 0 new referrals
read1msg: mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_dump: buf=0x0806db80 ptr=0x0806db83 end=0x0806db8c len=9
0000: 61 07 0a 01 00 04 00 04 00 a........
ber_scanf fmt (}) ber:
ber_dump: buf=0x0806db80 ptr=0x0806db8c end=0x0806db8c len=0
ldap_msgfree
ldap_search
.....> goes on to return requested data
----------------------------------------------------------
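Editor's note, with an added example that is not part of the post above and is not nss_ldap or OpenLDAP code. The four hex dumps in the post (the root and anonymous BindRequests and the two BindResponses) are plain BER-encoded LDAPv3 messages (RFC 4511), so they can be decoded offline. The decoder below does that; the byte strings are copied from the debug output in the post, and the `ldap.secret` interpretation in the lead-in is the editor's reading of those bytes, not something the post states. Decoding the 53-byte root BindRequest shows the simple credential is 12 bytes long: the 11 bytes of `mysecretpwd` followed by `0x0a`, i.e. a trailing newline is being sent as part of the password, while the `ldapsearch -w mysecretpwd` test that works sends no newline. The matching BindResponse carries resultCode 49 (invalidCredentials); the anonymous request carries an empty DN and empty credential and gets resultCode 0. A practitioner comparing the two flows would therefore check the exact bytes in `/etc/ldap.secret` (for example with `hexdump -C /etc/ldap.secret`) before looking further at the referral-chasing lines, which are only libldap's code path for a non-success result.

```python
"""Decode the LDAP BindRequest/BindResponse bytes from the debug output.

Minimal BER decoder for LDAPv3 LDAPMessage (RFC 4511 section 4.1/4.2).
Added example by the editor; not nss_ldap or OpenLDAP code.
"""

# Hex bytes copied from the "ldap_write" / "ber_get_next" dumps in the post.
ROOT_BIND_REQUEST = bytes.fromhex(
    "30 33 02 01 01 60 2e 02 01 03 04 1b 63 6e 3d 4d"
    "61 6e 61 67 65 72 2c 64 63 3d 6a 65 6c 77 65 62"
    "2c 64 63 3d 63 6f 6d 80 0c 6d 79 73 65 63 72 65"
    "74 70 77 64 0a"
)
ROOT_BIND_RESPONSE = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 31 04 00 04 00")
ANON_BIND_REQUEST = bytes.fromhex("30 0c 02 01 01 60 07 02 01 03 04 00 80 00")
ANON_BIND_RESPONSE = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 00 04 00 04 00")

# The two LDAP result codes that occur on the page (RFC 4511 appendix A).
RESULT_NAMES = {0: "success", 49: "invalidCredentials"}


def read_tlv(buf, off=0):
    """Parse one BER TLV at buf[off]; return (tag, value, offset after it).

    Single-byte tags and definite short/long-form lengths are enough for
    LDAP messages; indefinite lengths are not allowed in LDAP at all.
    """
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    value = buf[off:off + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, off + length


def read_children(buf):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, off = [], 0
    while off < len(buf):
        tag, value, off = read_tlv(buf, off)
        items.append((tag, value))
    return items


def decode_ldap_message(raw):
    """Decode an LDAPMessage whose protocolOp is a BindRequest or BindResponse."""
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    (mid_tag, mid), (op_tag, op) = read_children(body)[:2]
    if mid_tag != 0x02:
        raise ValueError("missing messageID")
    msg = {"messageID": int.from_bytes(mid, "big"), "op": op_tag}
    fields = read_children(op)
    if op_tag == 0x60:      # BindRequest ::= [APPLICATION 0] {version, name, auth}
        (_, version), (_, name), (auth_tag, cred) = fields
        msg.update(version=int.from_bytes(version, "big"),
                   name=name.decode(),
                   simple=cred if auth_tag == 0x80 else None)  # [0] = simple
    elif op_tag == 0x61:    # BindResponse ::= [APPLICATION 1] LDAPResult ...
        (_, code), (_, matched), (_, diag) = fields[:3]
        msg.update(resultCode=int.from_bytes(code, "big"),
                   matchedDN=matched.decode(),
                   diagnosticMessage=diag.decode())
    else:
        raise ValueError("unsupported protocolOp 0x%02x" % op_tag)
    return msg


def credential_report(raw):
    """Summarise the simple credential of a BindRequest and flag stray whitespace."""
    msg = decode_ldap_message(raw)
    cred = msg["simple"]
    if cred is None:
        raise ValueError("not a simple bind")
    return {
        "dn": msg["name"],
        "length": len(cred),
        "anonymous": msg["name"] == "" and cred == b"",
        # A newline here means the secret file's line ending went on the wire.
        "trailing_newline": cred.endswith(b"\n") or cred.endswith(b"\r\n"),
    }


def result_name(code):
    """Name a result code from the small table above (unknown codes echo the number)."""
    return RESULT_NAMES.get(code, "code %d" % code)


if __name__ == "__main__":
    for label, req, resp in (("root", ROOT_BIND_REQUEST, ROOT_BIND_RESPONSE),
                             ("non-root", ANON_BIND_REQUEST, ANON_BIND_RESPONSE)):
        print(label, credential_report(req),
              "->", result_name(decode_ldap_message(resp)["resultCode"]))
```

Run stand-alone it prints one line per flow; the root line reports `length 12` and `trailing_newline True` against `invalidCredentials`, the non-root line reports an anonymous bind against `success`.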