1:51 p.m.
Dear Directory server experts,
could you help me, please, to solve the problem with DSGW
authorization.
I have successfully setup FDS on Fedora 9 with
setup-ds-admin.pl
setup ssl with the help of script from this page:
http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
and run setup-ds-dsgw
Now, the directory server works, administration server works and
I can configure everything in DS and Admin server with console
fedora-idm-console -a https://localhost:9830
ldap and ldaps ports are open and accept requests.
I can point my browser to https://localhost:9830 and use DSGW to
search successfully,
but I can not do authorization, when I try to authorize as some user
(normal user, Directory Manager or admin) I got the error:
Authentication Failed
Authentication failed because the password you supplied is incorrect.
Please click the Retry button and try again. If you have forgotten the
password for this entry, a directory administrator must reset the
password for you.
Of course, I am sure that the password is correct. There are no so much
useful information in the log files. The
executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
I have read available documentation rather careful, but did not find the
answer. Looks like one of the solution is to use binddnfile directive
with special text file, but it looks strange for me that it is
impossible to use normal authorization in LDAP with DSGW.
Have I missed something during the configuration or forgot to add some
special ACL?
Lev
2:21 p.m.
Lev Dudko wrote:
Dear Directory server experts,
could you help me, please, to solve the problem with DSGW
authorization.
I have successfully setup FDS on Fedora 9 with
setup-ds-admin.pl
setup ssl with the help of script from this page:
http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
and run setup-ds-dsgw
Now, the directory server works, administration server works and
I can configure everything in DS and Admin server with console
fedora-idm-console -a https://localhost:9830
ldap and ldaps ports are open and accept requests.
I can point my browser to https://localhost:9830 and use DSGW to
search successfully,
but I can not do authorization, when I try to authorize as some user
(normal user, Directory Manager or admin) I got the error:
Authentication Failed
Authentication failed because the password you supplied is incorrect.
Please click the Retry button and try again. If you have forgotten the
password for this entry, a directory administrator must reset the
password for you.
Of course, I am sure that the password is correct. There are no so much
useful information in the log files. The
executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
I have read available documentation rather careful, but did not find the
answer. Looks like one of the solution is to use binddnfile directive
with special text file, but it looks strange for me that it is
impossible to use normal authorization in LDAP with DSGW.
Have I missed something during the configuration or forgot to add some
special ACL?
What platform?
Any information in your admin server logs at /var/log/dirsrv/admin-serv?
Lev
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
3:24 p.m.
Hello Rich,
the OS is Fedora 9 (64) with all of the recent updates
rpm -qa | grep fedora-ds
fedora-ds-1.1.2-1.fc9.x86_64
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.x86_64
Parts of the log files for DSGW authorisation
/var/log/dirsrv/admin-serv/access
- [17/Nov/2008:23:43:45 +0300] "POST /dsgwcmd/dosearch HTTP/1.1" 200
4088
- [17/Nov/2008:23:43:46 +0300]
"GET /dsgwcmd/lang?context=dsgw&file=style.css HTTP/1.1" 302 231
- [17/Nov/2008:23:43:55 +0300] "POST /dsgwcmd/doauth HTTP/1.1" 200 1402
/var/log/dirsrv/admin-serv/error
(here is the strange point, the marked port in this log is 443, but in
reality it is 9830. I have stop apache and close 443 port at all, but in
the log file it is still 443; address and ip here is the same computer
which is localhost for all of the operations)
[Mon Nov 17 23:43:45 2008] [info] Connection to child 12 established
(server www...:443, client 213.131....)
[Mon Nov 17 23:43:45 2008] [info] Initial (No.1) HTTPS request received
for child 12 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 12 closed (server
www-hep.sinp.msu.ru:443, client 213.131...)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 established
(server www...:443, client 213.131....)
[Mon Nov 17 23:43:46 2008] [info] Initial (No.1) HTTPS request received
for child 11 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 closed (server
www-hep.sinp.msu.ru:443, client 213.131....)
/var/log/dirsrv/slapd-hep/access
[17/Nov/2008:23:43:45 +0300] conn=140 SSL 128-bit RC4
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128
version=3
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:45 +0300] conn=140 op=1 SRCH base="dc=sinp, dc=msu,
dc=ru" scope=2
filter="(&(objectClass=person)(|(cn=dudko)(sn=dudko)(uid=dudko)))"
attrs="objectClass title"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 RESULT err=0 tag=101
nentries=1 etime=1
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 UNBIND
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 fd=70 closed - U1
[17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from
127.0.0.1 to 127.0.0.1
[17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128
version=3
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People,
dc=sinp, dc=msu, dc=ru" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 SRCH
base="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" scope=0
filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48
nentries=1 etime=0
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD
dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48
nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
[17/Nov/2008:23:45:16 +0300] conn=124 op=7 SRCH
base="dc=sinp,dc=msu,dc=ru" scope=2
filter="(&(objectClass=posixAccount)(uid=dudko))" attrs="uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass"
[17/Nov/2008:23:45:18 +0300] conn=124 op=7 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:45:18 +0300] conn=124 op=7 RESULT err=0 tag=101
nentries=1 etime=2
/var/log/dirsrv/slapd-hep/error
[17/Nov/2008:23:43:45 +0300] NSACLPlugin - #### conn=140 op=1 binddn=""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for
update:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru: container:-1
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for
update:ou=people,dc=sinp,dc=msu,dc=ru: container:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ************ RESOURCE INFO STARTS
*********
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Client DN:
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - resource type:256(search target_DN )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:
uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ATTR: objectClass
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - rights:search
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ************ RESOURCE INFO ENDS
*********
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous
access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr
acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable
anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectCl
ass) to anonymous: allowed by aci(2): aciname= "Enable anonymous access",
acidn="dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous
access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr
acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:cn for
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable
anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found SEARCH ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(cn) to a
nonymous: cached allow by aci(2)
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous
access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr
acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:sn;lang-ru for
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable
anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(sn;lang-ru
) to anonymous: allowed by aci(2): aciname= "Enable anonymous access",
acidn="dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous
access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr
acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable
anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found READ ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectClas
s) to anonymous: cached allow by aci(2)
Just in case, the list of the configuration directories:
/etc/dirsrv/admin-serv/
-rw-r--r-- 1 root root 3984 19:02 admserv.conf
-rw------- 1 nobody root 16384 23:22 secmod.db
-r-------- 1 nobody nobody 50 23:27 password.conf
-r-------- 1 nobody nobody 4581 23:27 nss.conf
-rw-r--r-- 1 root root 27061 03:39 httpd.conf
-rw------- 1 root root 394016 04:52 console.conf
-rw------- 1 nobody root 40 04:56 admpw
-rw------- 1 nobody root 532 05:32 adm.conf
-rw------- 1 nobody root 16384 23:39 key3.db
-rw------- 1 nobody root 65536 23:39 cert8.db
-rw------- 1 nobody root 10259 00:04 local.conf
/etc/dirsrv/dsgw/
-r-------- 1 nobody root 7939 Nov 16 22:16 pb.conf
-r-------- 1 nobody root 9734 Nov 16 22:16 orgchart.conf
-r-------- 1 nobody root 8875 Nov 16 22:16 default.conf
-rw------- 1 nobody root 8867 Nov 16 23:41 dsgw.conf
-rw-r--r-- 1 root root 3192 Nov 16 23:42 dsgw-httpd.conf
One more strange point which is not connected with the main problem. In
the /etc/dirsrv/admin-serv/local.conf
I use only addresses access filter, not hosts. The last one is blank
(looks like * does not work)
configuration.nsAdminAccessAddresses: (127.0.0.1|.....)
configuration.nsAdminAccessHosts:
But with restart of admin server the directive configuration.nsAdminAccessHosts: removed
from local.conf
and server do not start, need to add manually this directive to start the server. Looks
like this is a bug.
Lev
On Пнд, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
Lev Dudko wrote:
> Dear Directory server experts,
> could you help me, please, to solve the problem with DSGW
> authorization.
> I have successfully setup FDS on Fedora 9 with
> setup-ds-admin.pl
> setup ssl with the help of script from this page:
> http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
> and run setup-ds-dsgw
> Now, the directory server works, administration server works and
> I can configure everything in DS and Admin server with console
> fedora-idm-console -a https://localhost:9830
> ldap and ldaps ports are open and accept requests.
>
> I can point my browser to https://localhost:9830 and use DSGW to
> search successfully,
> but I can not do authorization, when I try to authorize as some user
> (normal user, Directory Manager or admin) I got the error:
> Authentication Failed
> Authentication failed because the password you supplied is incorrect.
> Please click the Retry button and try again. If you have forgotten the
> password for this entry, a directory administrator must reset the
> password for you.
>
> Of course, I am sure that the password is correct. There are no so much
> useful information in the log files. The
> executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
>
> I have read available documentation rather careful, but did not find the
> answer. Looks like one of the solution is to use binddnfile directive
> with special text file, but it looks strange for me that it is
> impossible to use normal authorization in LDAP with DSGW.
>
> Have I missed something during the configuration or forgot to add some
> special ACL?
>
What platform?
Any information in your admin server logs at /var/log/dirsrv/admin-serv?
> Lev
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
Lev V. Dudko e-mail:dudko@fnal.gov
t. +41(22)7670778 http://top.sinp.msu.ru
3:36 p.m.
Lev Dudko wrote:
Hello Rich,
the OS is Fedora 9 (64) with all of the recent updates
rpm -qa | grep fedora-ds
fedora-ds-1.1.2-1.fc9.x86_64
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.x86_64
Parts of the log files for DSGW authorisation
/var/log/dirsrv/admin-serv/access
- [17/Nov/2008:23:43:45 +0300] "POST /dsgwcmd/dosearch HTTP/1.1" 200
4088
- [17/Nov/2008:23:43:46 +0300]
"GET /dsgwcmd/lang?context=dsgw&file=style.css HTTP/1.1" 302 231
- [17/Nov/2008:23:43:55 +0300] "POST /dsgwcmd/doauth HTTP/1.1" 200 1402
/var/log/dirsrv/admin-serv/error
(here is the strange point, the marked port in this log is 443, but in
reality it is 9830. I have stop apache and close 443 port at all, but in
the log file it is still 443; address and ip here is the same computer
which is localhost for all of the operations)
[Mon Nov 17 23:43:45 2008] [info] Connection to child 12 established
(server www...:443, client 213.131....)
[Mon Nov 17 23:43:45 2008] [info] Initial (No.1) HTTPS request received
for child 12 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 12 closed (server
www-hep.sinp.msu.ru:443, client 213.131...)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 established
(server www...:443, client 213.131....)
[Mon Nov 17 23:43:46 2008] [info] Initial (No.1) HTTPS request received
for child 11 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 closed (server
www-hep.sinp.msu.ru:443, client 213.131....)
Do you have some sort of proxy running?
netstat -an | grep 9830
and
netstat -an | grep 443
/var/log/dirsrv/slapd-hep/access
[17/Nov/2008:23:43:45 +0300] conn=140 SSL 128-bit RC4
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128
version=3
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:45 +0300] conn=140 op=1 SRCH base="dc=sinp, dc=msu,
dc=ru" scope=2
filter="(&(objectClass=person)(|(cn=dudko)(sn=dudko)(uid=dudko)))"
attrs="objectClass title"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 RESULT err=0 tag=101
nentries=1 etime=1
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 UNBIND
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 fd=70 closed - U1
[17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from
127.0.0.1 to 127.0.0.1
[17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128
version=3
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People,
dc=sinp, dc=msu, dc=ru" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 SRCH
base="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" scope=0
filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48
nentries=1 etime=0
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD
dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48
nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
[17/Nov/2008:23:45:16 +0300] conn=124 op=7 SRCH
base="dc=sinp,dc=msu,dc=ru" scope=2
filter="(&(objectClass=posixAccount)(uid=dudko))" attrs="uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass"
[17/Nov/2008:23:45:18 +0300] conn=124 op=7 ENTRY
dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:45:18 +0300] conn=124 op=7 RESULT err=0 tag=101
nentries=1 etime=2
What access log level are you using? I suggest using the default.
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
nentries=0 etime=0
This usually means "incorrect password". You can verify yourself by
using ldapsearch:
ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w
yourpassword -s base -b ""
If you get err=49 here, this means your password is not correct.
/var/log/dirsrv/slapd-hep/error
[17/Nov/2008:23:43:45 +0300] NSACLPlugin - #### conn=140 op=1 binddn=""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for
update:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru: container:-1
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for
update:ou=people,dc=sinp,dc=msu,dc=ru: container:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ************ RESOURCE INFO STARTS
*********
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Client DN:
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - resource type:256(search target_DN )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:
uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ATTR: objectClass
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - rights:search
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ************ RESOURCE INFO ENDS
*********
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable
anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr
acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable
anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectCl
ass) to anonymous: allowed by aci(2): aciname= "Enable anonymous access",
acidn="dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable
anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr
acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:cn for
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable
anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found SEARCH ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(cn) to a
nonymous: cached allow by aci(2)
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable
anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr
acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:sn;lang-ru for
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable
anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(sn;lang-ru
) to anonymous: allowed by aci(2): aciname= "Enable anonymous access",
acidn="dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable
anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr
acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration
Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE
Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add
self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for
entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable
anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found READ ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on
entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectClas
s) to anonymous: cached allow by aci(2)
Agh - my eyes - I think you need to change the errorlog level back to 0
- I don't think the problem is ACI related - err=49 means incorrect
password.
Just in case, the list of the configuration directories:
/etc/dirsrv/admin-serv/
-rw-r--r-- 1 root root 3984 19:02 admserv.conf
-rw------- 1 nobody root 16384 23:22 secmod.db
-r-------- 1 nobody nobody 50 23:27 password.conf
-r-------- 1 nobody nobody 4581 23:27 nss.conf
-rw-r--r-- 1 root root 27061 03:39 httpd.conf
-rw------- 1 root root 394016 04:52 console.conf
-rw------- 1 nobody root 40 04:56 admpw
-rw------- 1 nobody root 532 05:32 adm.conf
-rw------- 1 nobody root 16384 23:39 key3.db
-rw------- 1 nobody root 65536 23:39 cert8.db
-rw------- 1 nobody root 10259 00:04 local.conf
/etc/dirsrv/dsgw/
-r-------- 1 nobody root 7939 Nov 16 22:16 pb.conf
-r-------- 1 nobody root 9734 Nov 16 22:16 orgchart.conf
-r-------- 1 nobody root 8875 Nov 16 22:16 default.conf
-rw------- 1 nobody root 8867 Nov 16 23:41 dsgw.conf
-rw-r--r-- 1 root root 3192 Nov 16 23:42 dsgw-httpd.conf
One more strange point which is not connected with the main problem. In
the /etc/dirsrv/admin-serv/local.conf
I use only addresses access filter, not hosts. The last one is blank
(looks like * does not work)
configuration.nsAdminAccessAddresses: (127.0.0.1|.....)
configuration.nsAdminAccessHosts:
But with restart of admin server the directive configuration.nsAdminAccessHosts: removed
from local.conf
and server do not start, need to add manually this directive to start the server. Looks
like this is a bug.
It is a feature. You cannot edit local.conf directly. You have to
update that information in LDAP. local.conf is a read-only cache of the
LDAP information. See -
http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
Lev
On Пнд, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
> Lev Dudko wrote:
>
>> Dear Directory server experts,
>> could you help me, please, to solve the problem with DSGW
>> authorization.
>> I have successfully setup FDS on Fedora 9 with
>> setup-ds-admin.pl
>> setup ssl with the help of script from this page:
>> http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
>> and run setup-ds-dsgw
>> Now, the directory server works, administration server works and
>> I can configure everything in DS and Admin server with console
>> fedora-idm-console -a https://localhost:9830
>> ldap and ldaps ports are open and accept requests.
>>
>> I can point my browser to https://localhost:9830 and use DSGW to
>> search successfully,
>> but I can not do authorization, when I try to authorize as some user
>> (normal user, Directory Manager or admin) I got the error:
>> Authentication Failed
>> Authentication failed because the password you supplied is incorrect.
>> Please click the Retry button and try again. If you have forgotten the
>> password for this entry, a directory administrator must reset the
>> password for you.
>>
>> Of course, I am sure that the password is correct. There are no so much
>> useful information in the log files. The
>> executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
>>
>> I have read available documentation rather careful, but did not find the
>> answer. Looks like one of the solution is to use binddnfile directive
>> with special text file, but it looks strange for me that it is
>> impossible to use normal authorization in LDAP with DSGW.
>>
>> Have I missed something during the configuration or forgot to add some
>> special ACL?
>>
>>
> What platform?
> Any information in your admin server logs at /var/log/dirsrv/admin-serv?
>
>> Lev
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
4:15 p.m.
Hello Rich,
The answers are below.
Do you have some sort of proxy running?
netstat -an | grep 9830
and
netstat -an | grep 443
>
No, I have a direct link:
netstat -an | grep 9830
tcp 0 0 0.0.0.0:9830 0.0.0.0:*
LISTEN
netstat -an | grep 443
unix 2 [ ACC ] STREAM LISTENING
4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ] STREAM CONNECTED 1724431
when the apache is down (to avoid possible interferences)
netstat -an | grep 443
tcp 0 0 :::443 :::*
LISTEN
tcp 0 0 :::8443 :::*
LISTEN
unix 2 [ ACC ] STREAM LISTENING
4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ] STREAM CONNECTED 1724431
(apache is up)
What access log level are you using? I suggest using the default.
I will check, but I do not remember that I could change the level of
access log, only the error log.
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
nentries=0 etime=0
This usually means "incorrect password". You can verify yourself by
using ldapsearch:
ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w
yourpassword -s base -b ""
I use the same login and password for logging to the system, so I am
sure that it is correct, but in any case the output of the command above
is:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
By the way, the browser which I use to communicate with DSGW is
firefox-3.0.4-1.fc9.x86_64
and I did not have any problem with translation of my passwords to some
site authorization systems.
If you get err=49 here, this means your password is not correct.
Agh - my eyes - I think you need to change the errorlog level back to 0
- I don't think the problem is ACI related - err=49 means incorrect
password.
Sorry, I tried to provide all of the information which I have.
It is a feature. You cannot edit local.conf directly. You have to
update that information in LDAP. local.conf is a read-only cache of the
LDAP information. See -
http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
Thank you for the explanation, first of all I did it from console,
but with the same result (need to put something in this field to keep
it). In any way I will check again that HOWTO.
Lev
>
> On Пнд, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
>
>> Lev Dudko wrote:
>>
>>> Dear Directory server experts,
>>> could you help me, please, to solve the problem with DSGW
>>> authorization.
>>> I have successfully setup FDS on Fedora 9 with
>>> setup-ds-admin.pl
>>> setup ssl with the help of script from this page:
>>> http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
>>> and run setup-ds-dsgw
>>> Now, the directory server works, administration server works and
>>> I can configure everything in DS and Admin server with console
>>> fedora-idm-console -a https://localhost:9830
>>> ldap and ldaps ports are open and accept requests.
>>>
>>> I can point my browser to https://localhost:9830 and use DSGW to
>>> search successfully,
>>> but I can not do authorization, when I try to authorize as some user
>>> (normal user, Directory Manager or admin) I got the error:
>>> Authentication Failed
>>> Authentication failed because the password you supplied is incorrect.
>>> Please click the Retry button and try again. If you have forgotten the
>>> password for this entry, a directory administrator must reset the
>>> password for you.
>>>
>>> Of course, I am sure that the password is correct. There are no so much
>>> useful information in the log files. The
>>> executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
>>>
>>> I have read available documentation rather careful, but did not find the
>>> answer. Looks like one of the solution is to use binddnfile directive
>>> with special text file, but it looks strange for me that it is
>>> impossible to use normal authorization in LDAP with DSGW.
>>>
>>> Have I missed something during the configuration or forgot to add some
>>> special ACL?
>>>
>>>
>> What platform?
>> Any information in your admin server logs at /var/log/dirsrv/admin-serv?
>>
>>> Lev
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
5:04 p.m.
Lev Dudko wrote:
Hello Rich,
The answers are below.
> Do you have some sort of proxy running?
> netstat -an | grep 9830
> and
> netstat -an | grep 443
>
>
>
No, I have a direct link:
netstat -an | grep 9830
tcp 0 0 0.0.0.0:9830 0.0.0.0:*
LISTEN
netstat -an | grep 443
unix 2 [ ACC ] STREAM LISTENING
4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ] STREAM CONNECTED 1724431
when the apache is down (to avoid possible interferences)
netstat -an | grep 443
tcp 0 0 :::443 :::*
LISTEN
tcp 0 0 :::8443 :::*
LISTEN
unix 2 [ ACC ] STREAM LISTENING
4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ] STREAM CONNECTED 1724431
(apache is up)
> What access log level are you using? I suggest using the default.
>
>
I will check, but I do not remember that I could change the level of
access log, only the error log.
The reason I said is that the access log does not usually log internal
operations.
> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
> nentries=0 etime=0
>
> This usually means "incorrect password". You can verify yourself by
> using ldapsearch:
> ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w
> yourpassword -s base -b ""
>
>
I use the same login and password for logging to the system, so I am
sure that it is correct, but in any case the output of the command above
is:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
By the way, the browser which I use to communicate with DSGW is
firefox-3.0.4-1.fc9.x86_64
and I did not have any problem with translation of my passwords to some
site authorization systems.
Do you have any 8-bit characters in any of your passwords? I wonder if
the gateway is corrupting them somehow.
> If you get err=49 here, this means your password is not correct.
> Agh - my eyes - I think you need to change the errorlog level back to 0
> - I don't think the problem is ACI related - err=49 means incorrect
> password.
>
Sorry, I tried to provide all of the information which I have.
> It is a feature. You cannot edit local.conf directly. You have to
> update that information in LDAP. local.conf is a read-only cache of the
> LDAP information. See -
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
>
Thank you for the explanation, first of all I did it from console,
but with the same result (need to put something in this field to keep
it). In any way I will check again that HOWTO.
Lev
>> On Пнд, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
>>
>>
>>> Lev Dudko wrote:
>>>
>>>
>>>> Dear Directory server experts,
>>>> could you help me, please, to solve the problem with DSGW
>>>> authorization.
>>>> I have successfully setup FDS on Fedora 9 with
>>>> setup-ds-admin.pl
>>>> setup ssl with the help of script from this page:
>>>> http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
>>>> and run setup-ds-dsgw
>>>> Now, the directory server works, administration server works and
>>>> I can configure everything in DS and Admin server with console
>>>> fedora-idm-console -a https://localhost:9830
>>>> ldap and ldaps ports are open and accept requests.
>>>>
>>>> I can point my browser to https://localhost:9830 and use DSGW to
>>>> search successfully,
>>>> but I can not do authorization, when I try to authorize as some user
>>>> (normal user, Directory Manager or admin) I got the error:
>>>> Authentication Failed
>>>> Authentication failed because the password you supplied is incorrect.
>>>> Please click the Retry button and try again. If you have forgotten the
>>>> password for this entry, a directory administrator must reset the
>>>> password for you.
>>>>
>>>> Of course, I am sure that the password is correct. There are no so much
>>>> useful information in the log files. The
>>>> executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
>>>>
>>>> I have read available documentation rather careful, but did not find the
>>>> answer. Looks like one of the solution is to use binddnfile directive
>>>> with special text file, but it looks strange for me that it is
>>>> impossible to use normal authorization in LDAP with DSGW.
>>>>
>>>> Have I missed something during the configuration or forgot to add
some
>>>> special ACL?
>>>>
>>>>
>>>>
>>> What platform?
>>> Any information in your admin server logs at /var/log/dirsrv/admin-serv?
>>>
>>>
>>>> Lev
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> --
>>>> Fedora-directory-users mailing list
>>>> Fedora-directory-users(a)redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>>
>>>>
5:13 p.m.
Do you have any 8-bit characters in any of your passwords? I wonder
if
the gateway is corrupting them somehow.
>
In the passwords there are & @ or $ characters, I am not sure is it
8-bit characters.
The locale is ru_RU.UTF-8 everywhere.
You are right, I just changed the password to very simple and the
authorization is successful. The reason is found, but is there a way to
correct this corruption?
5:32 p.m.
Lev Dudko wrote:
> Do you have any 8-bit characters in any of your passwords? I
wonder if
> the gateway is corrupting them somehow.
>
>>
>>
In the passwords there are & @ or $ characters, I am not sure is it
8-bit characters.
The locale is ru_RU.UTF-8 everywhere.
You are right, I just changed the password to very simple and the
authorization is successful. The reason is found, but is there a way to
correct this corruption?
I don't know. Please file a bug.
5638
days inactive
5638
days old
389-users@lists.fedoraproject.org
7 comments
2 participants
participants (2)
-
Lev Dudko -
Rich Megginson