Dear Directory Server experts, could you help me, please, to solve a problem with DSGW authorization? I have successfully set up FDS on Fedora 9 with setup-ds-admin.pl, set up SSL with the help of the script from this page: http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/ and run setup-ds-dsgw. Now the directory server works, the administration server works, and I can configure everything in DS and the Admin Server with the console (fedora-idm-console -a https://localhost:9830). The ldap and ldaps ports are open and accept requests.
I can point my browser to https://localhost:9830 and use DSGW to search successfully, but I cannot do authorization: when I try to authorize as some user (a normal user, Directory Manager or admin) I get the error: "Authentication Failed. Authentication failed because the password you supplied is incorrect. Please click the Retry button and try again. If you have forgotten the password for this entry, a directory administrator must reset the password for you."
Of course, I am sure that the password is correct. There is not much useful information in the log files. The executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth does this authorization.
I have read the available documentation rather carefully, but did not find the answer. It looks like one solution is to use the binddnfile directive with a special text file, but it seems strange to me that it is impossible to use normal LDAP authorization with DSGW.
Have I missed something during the configuration or forgotten to add some special ACL?
Lev
Lev Dudko wrote:
Have I missed something during the configuration or forgot to add some special ACL?
What platform? Any information in your admin server logs at /var/log/dirsrv/admin-serv?
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Hello Rich, the OS is Fedora 9 (64) with all of the recent updates:
rpm -qa | grep fedora-ds
fedora-ds-1.1.2-1.fc9.x86_64
fedora-ds-dsgw-1.1.1-1.fc9.x86_64
fedora-ds-admin-1.1.6-1.fc9.x86_64
fedora-ds-admin-console-1.1.2-1.fc9.noarch
fedora-ds-console-1.1.2-2.fc9.noarch
fedora-ds-base-1.1.3-2.fc9.x86_64
Parts of the log files for DSGW authorisation
/var/log/dirsrv/admin-serv/access
- [17/Nov/2008:23:43:45 +0300] "POST /dsgwcmd/dosearch HTTP/1.1" 200 4088
- [17/Nov/2008:23:43:46 +0300] "GET /dsgwcmd/lang?context=dsgw&file=style.css HTTP/1.1" 302 231
- [17/Nov/2008:23:43:55 +0300] "POST /dsgwcmd/doauth HTTP/1.1" 200 1402
/var/log/dirsrv/admin-serv/error
(Here is a strange point: the port marked in this log is 443, but in reality it is 9830. I have stopped Apache and closed port 443 altogether, but in the log file it is still 443; the address and IP here are the same computer, which is localhost for all of the operations.)
[Mon Nov 17 23:43:45 2008] [info] Connection to child 12 established (server www...:443, client 213.131....)
[Mon Nov 17 23:43:45 2008] [info] Initial (No.1) HTTPS request received for child 12 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 12 closed (server www-hep.sinp.msu.ru:443, client 213.131...)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 established (server www...:443, client 213.131....)
[Mon Nov 17 23:43:46 2008] [info] Initial (No.1) HTTPS request received for child 11 (server www...:443)
[Mon Nov 17 23:43:46 2008] [info] Connection to child 11 closed (server www-hep.sinp.msu.ru:443, client 213.131....)
/var/log/dirsrv/slapd-hep/access
[17/Nov/2008:23:43:45 +0300] conn=140 SSL 128-bit RC4
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:45 +0300] conn=140 op=1 SRCH base="dc=sinp, dc=msu, dc=ru" scope=2 filter="(&(objectClass=person)(|(cn=dudko)(sn=dudko)(uid=dudko)))" attrs="objectClass title"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 RESULT err=0 tag=101 nentries=1 etime=1
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 UNBIND
[17/Nov/2008:23:43:46 +0300] conn=140 op=2 fd=70 closed - U1
[17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from 127.0.0.1 to 127.0.0.1
[17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 SRCH base="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
[17/Nov/2008:23:45:16 +0300] conn=124 op=7 SRCH base="dc=sinp,dc=msu,dc=ru" scope=2 filter="(&(objectClass=posixAccount)(uid=dudko))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[17/Nov/2008:23:45:18 +0300] conn=124 op=7 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
[17/Nov/2008:23:45:18 +0300] conn=124 op=7 RESULT err=0 tag=101 nentries=1 etime=2
/var/log/dirsrv/slapd-hep/error
[17/Nov/2008:23:43:45 +0300] NSACLPlugin - #### conn=140 op=1 binddn=""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for update:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru: container:-1
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Searching AVL tree for update:ou=people,dc=sinp,dc=msu,dc=ru: container:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ************ RESOURCE INFO STARTS *********
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Client DN:
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - resource type:256(search target_DN )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN: uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ATTR: objectClass
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - rights:search
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ************ RESOURCE INFO ENDS *********
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectClass) to anonymous: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:cn for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found SEARCH ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(cn) to anonymous: cached allow by aci(2)
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:sn;lang-ru for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(sn;lang-ru) to anonymous: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]***
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn )
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO*****************************
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous access""
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found READ ALLOW in cache
[17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectClass) to anonymous: cached allow by aci(2)
Just in case, the list of the configuration directories:
/etc/dirsrv/admin-serv/
-rw-r--r-- 1 root   root     3984 19:02 admserv.conf
-rw------- 1 nobody root    16384 23:22 secmod.db
-r-------- 1 nobody nobody     50 23:27 password.conf
-r-------- 1 nobody nobody   4581 23:27 nss.conf
-rw-r--r-- 1 root   root    27061 03:39 httpd.conf
-rw------- 1 root   root   394016 04:52 console.conf
-rw------- 1 nobody root       40 04:56 admpw
-rw------- 1 nobody root      532 05:32 adm.conf
-rw------- 1 nobody root    16384 23:39 key3.db
-rw------- 1 nobody root    65536 23:39 cert8.db
-rw------- 1 nobody root    10259 00:04 local.conf
/etc/dirsrv/dsgw/
-r-------- 1 nobody root 7939 Nov 16 22:16 pb.conf
-r-------- 1 nobody root 9734 Nov 16 22:16 orgchart.conf
-r-------- 1 nobody root 8875 Nov 16 22:16 default.conf
-rw------- 1 nobody root 8867 Nov 16 23:41 dsgw.conf
-rw-r--r-- 1 root   root 3192 Nov 16 23:42 dsgw-httpd.conf
One more strange point, which is not connected with the main problem. In /etc/dirsrv/admin-serv/local.conf I use only the addresses access filter, not hosts. The latter is blank (it looks like * does not work):
configuration.nsAdminAccessAddresses: (127.0.0.1|.....)
configuration.nsAdminAccessHosts:
But when the admin server is restarted, the directive configuration.nsAdminAccessHosts: is removed from local.conf and the server does not start; I need to add this directive manually to start the server. Looks like this is a bug.
Lev
On Mon, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
What platform? Any information in your admin server logs at /var/log/dirsrv/admin-serv?
Lev Dudko wrote:
/var/log/dirsrv/admin-serv/error
(Here is a strange point: the port marked in this log is 443, but in reality it is 9830. I have stopped Apache and closed port 443 altogether, but in the log file it is still 443; the address and IP here are the same computer, which is localhost for all of the operations.)
Do you have some sort of proxy running?
netstat -an | grep 9830
netstat -an | grep 443
/var/log/dirsrv/slapd-hep/access
What access log level are you using? I suggest using the default.
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
This usually means "incorrect password". You can verify yourself by using ldapsearch:
ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w yourpassword -s base -b ""
If you get err=49 here, this means your password is not correct.
Evaluating ALLOW aci(2) " "Enable anonymous access"" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found SEARCH ALLOW in cache [17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow search on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(cn) to a nonymous: cached allow by aci(2) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 
+0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:sn;lang-ru for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. 
Evaluating ALLOW aci(2) " "Enable anonymous access"" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(sn;lang-ru ) to anonymous: allowed by aci(2): aciname= "Enable anonymous access", acidn="dc=sinp,dc=msu,dc=ru" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:0 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Using ACL Cointainer:1 for evaluation [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Enable anonymous access"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:2 ACL_ELEVEL:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read target_attr acltxt target_attr_not allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Directory Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:4 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrators Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:5 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] 
NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "Configuration Administrator"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:6 ACL_ELEVEL:2 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(userdn ip ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***BEGIN ACL INFO[ Name: "SIE Group"]*** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACL Index:7 ACL_ELEVEL:6 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI type:(compare search read write delete add self target_attr acltxt allow_rule ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ACI RULE type:(groupdn ) [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Slapi_Entry DN:dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - ***END ACL INFO***************************** [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Num of ALLOW Handles:5, DENY handles:0 [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Processed attr:objectClass for entry:uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru [17/Nov/2008:23:43:46 +0300] NSACLPlugin - 1. Evaluating ALLOW aci(2) " "Enable anonymous access"" [17/Nov/2008:23:43:46 +0300] NSACLPlugin - Found READ ALLOW in cache [17/Nov/2008:23:43:46 +0300] NSACLPlugin - conn=140 op=1 (main): Allow read on entry(uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru).attr(objectClas s) to anonymous: cached allow by aci(2)
Agh - my eyes - I think you need to change the errorlog level back to 0 - I don't think the problem is ACI related - err=49 means incorrect password.
Just in case, the list of the configuration directories:

/etc/dirsrv/admin-serv/
-rw-r--r-- 1 root   root     3984 19:02 admserv.conf
-rw------- 1 nobody root    16384 23:22 secmod.db
-r-------- 1 nobody nobody     50 23:27 password.conf
-r-------- 1 nobody nobody   4581 23:27 nss.conf
-rw-r--r-- 1 root   root    27061 03:39 httpd.conf
-rw------- 1 root   root   394016 04:52 console.conf
-rw------- 1 nobody root       40 04:56 admpw
-rw------- 1 nobody root      532 05:32 adm.conf
-rw------- 1 nobody root    16384 23:39 key3.db
-rw------- 1 nobody root    65536 23:39 cert8.db
-rw------- 1 nobody root    10259 00:04 local.conf

/etc/dirsrv/dsgw/
-r-------- 1 nobody root 7939 Nov 16 22:16 pb.conf
-r-------- 1 nobody root 9734 Nov 16 22:16 orgchart.conf
-r-------- 1 nobody root 8875 Nov 16 22:16 default.conf
-rw------- 1 nobody root 8867 Nov 16 23:41 dsgw.conf
-rw-r--r-- 1 root   root 3192 Nov 16 23:42 dsgw-httpd.conf
One more strange point, not connected with the main problem. In /etc/dirsrv/admin-serv/local.conf I use only the addresses access filter, not hosts. The latter is blank (it looks like * does not work):

configuration.nsAdminAccessAddresses: (127.0.0.1|.....)
configuration.nsAdminAccessHosts:

But after a restart of the admin server the directive configuration.nsAdminAccessHosts: is removed from local.conf and the server does not start; I need to add this directive manually to start the server. It looks like this is a bug.
It is a feature. You cannot edit local.conf directly. You have to update that information in LDAP. local.conf is a read-only cache of the LDAP information. See - http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
Lev
On Mon, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
Lev Dudko wrote:
Dear Directory server experts,
could you help me, please, to solve the problem with DSGW authorization. I have successfully setup FDS on Fedora 9 with setup-ds-admin.pl setup ssl with the help of script from this page: http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/ and run setup-ds-dsgw Now, the directory server works, administration server works and I can configure everything in DS and Admin server with console fedora-idm-console -a https://localhost:9830 ldap and ldaps ports are open and accept requests.
I can point my browser to https://localhost:9830 and use DSGW to search successfully, but I can not do authorization, when I try to authorize as some user (normal user, Directory Manager or admin) I got the error: Authentication Failed Authentication failed because the password you supplied is incorrect. Please click the Retry button and try again. If you have forgotten the password for this entry, a directory administrator must reset the password for you.
Of course, I am sure that the password is correct. There are no so much useful information in the log files. The executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
I have read available documentation rather careful, but did not find the answer. Looks like one of the solution is to use binddnfile directive with special text file, but it looks strange for me that it is impossible to use normal authorization in LDAP with DSGW.
Have I missed something during the configuration or forgot to add some
special ACL?
What platform? Any information in your admin server logs at /var/log/dirsrv/admin-serv?
Lev
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Hello Rich,

The answers are below.
Do you have some sort of proxy running? netstat -an | grep 9830 and netstat -an | grep 443
No, I have a direct link:

netstat -an | grep 9830
tcp  0 0 0.0.0.0:9830 0.0.0.0:* LISTEN

netstat -an | grep 443
unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ]     STREAM CONNECTED 1724431
(when apache is down, to avoid possible interference)

netstat -an | grep 443
tcp  0 0 :::443  :::* LISTEN
tcp  0 0 :::8443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ]     STREAM CONNECTED 1724431
(apache is up)
What access log level are you using? I suggest using the default.
I will check, but I do not remember being able to change the level of the access log, only of the error log.
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
This usually means "incorrect password". You can verify yourself by using ldapsearch:

ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w yourpassword -s base -b ""
I use the same login and password for logging in to the system, so I am sure that it is correct, but in any case the output of the command above is:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
By the way, the browser which I use to communicate with DSGW is firefox-3.0.4-1.fc9.x86_64, and I have not had any problem with the translation of my passwords to other sites' authorization systems.
If you get err=49 here, this means your password is not correct. Agh - my eyes - I think you need to change the errorlog level back to 0
- I don't think the problem is ACI related - err=49 means incorrect
password.
Sorry, I tried to provide all of the information which I have.
It is a feature. You cannot edit local.conf directly. You have to update that information in LDAP. local.conf is a read-only cache of the LDAP information. See - http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
Thank you for the explanation. First of all, I did it from the console, but with the same result (I need to put something in this field to keep it). In any case I will check that HOWTO again.

Lev
Lev Dudko wrote:
Hello Rich,
The answers are below.
Do you have some sort of proxy running? netstat -an | grep 9830 and netstat -an | grep 443
No, I have a direct link:
netstat -an | grep 9830
tcp  0 0 0.0.0.0:9830 0.0.0.0:* LISTEN

netstat -an | grep 443
unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ]     STREAM CONNECTED 1724431
(when apache is down, to avoid possible interference)

netstat -an | grep 443
tcp  0 0 :::443  :::* LISTEN
tcp  0 0 :::8443 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix 3 [ ]     STREAM CONNECTED 1724431
(apache is up)
What access log level are you using? I suggest using the default.
I will check, but I do not remember being able to change the level of the access log, only of the error log.
The reason I said that is that the access log does not usually log internal operations.
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
This usually means "incorrect password". You can verify yourself by using ldapsearch:

ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w yourpassword -s base -b ""
I use the same login and password for logging in to the system, so I am sure that it is correct, but in any case the output of the command above is:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
By the way, the browser which I use to communicate with DSGW is firefox-3.0.4-1.fc9.x86_64, and I have not had any problem with the translation of my passwords to other sites' authorization systems.
Do you have any 8-bit characters in any of your passwords? I wonder if the gateway is corrupting them somehow.
Do you have any 8-bit characters in any of your passwords? I wonder if the gateway is corrupting them somehow.
In the passwords there are &, @ or $ characters; I am not sure whether these are 8-bit characters. The locale is ru_RU.UTF-8 everywhere.
You are right, I just changed the password to a very simple one and the authorization is successful. The reason is found, but is there a way to correct this corruption?
Lev Dudko wrote:
Do you have any 8-bit characters in any of your passwords? I wonder if the gateway is corrupting them somehow.
In the passwords there are &, @ or $ characters; I am not sure whether these are 8-bit characters. The locale is ru_RU.UTF-8 everywhere.
You are right, I just changed the password to a very simple one and the authorization is successful. The reason is found, but is there a way to correct this corruption?
I don't know. Please file a bug.
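The finding above is that the bind succeeds from ldapsearch and from a simple password, but fails through the gateway when the password contains &, @ or $; the thread leaves the actual mechanism open (Rich asks for a bug report). The Python script below is an added illustration, not code from DSGW's doauth CGI, of one common way a CGI can mangle exactly this kind of value: percent-decoding the whole POST body before splitting it on the field separators. The form field names binddn and password are assumptions, the bind DN is the one from Rich's ldapsearch command, and the login form is constructed here. It also bisects which of the characters Lev lists survive a given decoder, which is the check to run before concluding that every special character is affected.

```python
"""Round-trip a gateway-style login form through a correct and a naive
x-www-form-urlencoded decoder, to show how a password containing '&'
can be truncated before the LDAP bind is ever attempted.

Added illustration; not DSGW/doauth code. Field names are assumptions."""

from urllib.parse import urlencode, parse_qs, unquote_plus

# Bind DN from the ldapsearch command in the thread; the form field
# names below are assumptions, not DSGW's real form fields.
BIND_DN = "uid=dudko,ou=People,dc=sinp,dc=msu,dc=ru"


def build_login_body(binddn: str, password: str) -> str:
    """Percent-encode the form the way a browser does: '&' becomes %26,
    '@' becomes %40, '$' becomes %24, so the values can never collide
    with the '&' and '=' that delimit the body."""
    return urlencode({"binddn": binddn, "password": password})


def decode_correct(body: str) -> dict:
    """Split on '&' and '=' first, then percent-decode each piece.
    Reserved characters inside values survive intact."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    return {k: v[0] for k, v in fields.items()}


def decode_naive(body: str) -> dict:
    """Hypothetical buggy decoder: percent-decodes the whole body and only
    then splits it. A '&' restored from %26 now looks like a field
    separator, so the password is cut off at that point and the rest
    becomes a bogus extra field."""
    decoded = unquote_plus(body)
    fields = {}
    for pair in decoded.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(key, value)  # first occurrence wins
    return fields


def password_survives(password: str, decoder) -> bool:
    """True if the password the decoder hands to the bind equals what
    the user typed into the form."""
    body = build_login_body(BIND_DN, password)
    return decoder(body).get("password") == password


def check_roundtrip(password: str) -> tuple:
    """(survives correct decoder, survives naive decoder)."""
    return (password_survives(password, decode_correct),
            password_survives(password, decode_naive))


def affected_characters(decoder, candidates: str = "&@$%+=") -> set:
    """Bisect which reserved characters a decoder mangles by sending a
    password containing each candidate on its own."""
    return {c for c in candidates
            if not password_survives(f"pw{c}rest", decoder)}


if __name__ == "__main__":
    for pw in ("simple123", "p&ss@w$rd"):  # constructed sample passwords
        ok_correct, ok_naive = check_roundtrip(pw)
        print(f"{pw!r}: correct decoder={ok_correct} naive decoder={ok_naive}")
    print("naive decoder mangles:", affected_characters(decode_naive))
    print("correct decoder mangles:", affected_characters(decode_correct))
```

With the naive decoder the password is truncated at the first '&' while '@' and '$' pass through untouched, so if a gateway also breaks passwords containing only '@' or '$', the corruption is happening at a different step and this particular decoding bug is not the explanation; testing one character at a time, as affected_characters does, narrows that down before a bug report is filed.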