Analyzing the LDAP log file, I noticed that the invalid dn appears to
be:
dn ("cn=Test User+gidNumber=1000+homeDirectory=/home/test+loginShell=/
bin/bash+shadowLastChange=15337+shadowMax=99999+shadowMin=
+shadowWarning=7+uid=test
+uidNumber=1003",ou=people,dc=mydomain,dc=com)
I'm wondering why the dn includes every attribute encased in quotes,
and then the ou=people,dc=mydomain,dc=com? Is it supposed to do this?
Shouldn't it just be "uid=test,ou=people,dc=mydomain,dc=com"?
On Feb 20, 3:36 pm, Chad <c...@pur-logic.com> wrote:
> Also, here is the log output from OpenLDAP that shows a little better
> the query:
>
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 fd=13 ACCEPT from
> IP=7.7.7.7:30696 (IP=0.0.0.0:636)
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 fd=13 TLS established
> tls_ssf=128 ssf=128
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 op=0 BIND
> dn="cn=Manager,dc=mydomain,dc=com" method=128
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 op=0 BIND
> dn="cn=Manager,dc=mydomain,dc=com" mech=SIMPLE ssf=0
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 op=0 RESULT tag=97
> err=0 text=
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 op=1 SRCH
> base="ou=people,dc=mydomain,dc=com" scope=2 deref=3
> filter="(uid=test)"
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 op=2 UNBIND
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4184 fd=13 closed
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4185 fd=13 ACCEPT from
> IP=7.7.7.7:32872 (IP=0.0.0.0:636)
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4185 fd=13 TLS established
> tls_ssf=128 ssf=128
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4185 op=0 do_bind: invalid
> dn ("cn=Test User+gidNumber=1000+homeDirectory=/home/test+loginShell=/
> bin/bash+shadowLastChange=15337+shadowMax=99999+shadowMin=
> +shadowWarning=7+uid=test
> +uidNumber=1003",ou=people,dc=mydomain,dc=com)
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4185 op=0 RESULT tag=97
> err=34 text=invalid DN
> Feb 20 11:29:44 mydomain slapd[1912]: conn=4185 fd=13 closed
> (connection lost)
>
> On Feb 20, 1:37 pm, Chad <c...@pur-logic.com> wrote:
>
>
>
>
>
>
>
> > Hello:
>
> > I have an OpenLDAP server running ldaps. It's a very simple and basic
> > configuration that I use for identity management for linux boxes. My
> > structure is as follows:
>
> > Root DSE
> > dc=mydomain,dc=com
> > ou=group
> > <entry>
> > objectClass: posixGroup
> > cn: admins
> > gidNumber: 1001
> > memberUid: test
>
> > ou=people
> > objectClass: account
> > objectClass: posixAccount
> > objectClass: shadowAccont
> > cn: Test User
> > gidNumber: 1000
> > uid: test
> > homeDirectory: /home/test
> > uidNumber: 1003
> > loginShell: /bin/bash
> > userPassword: {SSHA} hashed password
>
> > I'm able to correctly configure the settings and connect to the server
> > in the configuration screen using the following parameters:
>
> > Server: ldaps://mydomain.com:636
> > root DN: dc=mydomain,dc=com
> > User search base: ou=people
> > User search filter: uid={0}
> > Group search base: ou=group
> > Manager DN: cn=Manager,dc=purlogic,dc=biz
> > Manager Password: <the correct password>
>
> > I know I'm correctly connecting this way as I don't see any red error
> > messages and I can see the connection happen in my JBoss logs.
>
> > I check the "Logged in users can do anything" radio button and click
> > "Save". However, when I try and login with the test user, it says
> > login failed. My JBoss log outputs the following error message:
>
> > -----------------------------------------------------------
>
> > 09:32:55,258 INFO [hudson.security.AuthenticationProcessingFilter2]
> > Login attempt failed:
> > org.acegisecurity.AuthenticationServiceException: Failed to obtain
> > InitialDirContext due to unexpected exception; nested exception is
> > javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN];
> > nested exception is org.acegisecurity.ldap.LdapDataAccessException:
> > Failed to obtain InitialDirContext due to unexpected exception; nested
> > exception is javax.naming.InvalidNameException: [LDAP: error code 34 -
> > invalid DN]
> > at
> > org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(Ld
> > apAuthenticationProvider.java:
> > 238) [:]
> > at
> > org.acegisecurity.providers.dao.AbstractUserDetailsAuthenticationProvider.a
> > uthenticate(AbstractUserDetailsAuthenticationProvider.java:
> > 119) [:]
> > at
> > org.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManage
> > r.java:
> > 195) [:]
> > at
> > org.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthen
> > ticationManager.java:
> > 45) [:]
> > at
> > org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentic
> > ation(AuthenticationProcessingFilter.java:
> > 71) [:]
> > at
> > org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFi
> > lter.java:
> > 252) [:]
> > at hudson.security.ChainedServletFilter
> > $1.doFilter(ChainedServletFilter.java:87) [:]
> > at
> > org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessi
> > ngFilter.java:
> > 173) [:]
> > at hudson.security.ChainedServletFilter
> > $1.doFilter(ChainedServletFilter.java:87) [:]
> > at
> > jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:61) [:]
> > at hudson.security.ChainedServletFilter
> > $1.doFilter(ChainedServletFilter.java:87) [:]
> > at
> > org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(Http
> > SessionContextIntegrationFilter.java:
> > 249) [:]
> > at
> > hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionCo
> > ntextIntegrationFilter2.java:
> > 66) [:]
> > at hudson.security.ChainedServletFilter
> > $1.doFilter(ChainedServletFilter.java:87) [:]
> > at
> > hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:
> > 76) [:]
> > at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:
> > 164) [:]
> > at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applicatio
> > nFilterChain.java:
> > 274) [:6.0.0.Final]
> > at
> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterC
> > hain.java:
> > 242) [:6.0.0.Final]
> > at
> > hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:
> > 81) [:]
> > at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applicatio
> > nFilterChain.java:
> > 274) [:6.0.0.Final]
> > at
> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterC
> > hain.java:
> > 242) [:6.0.0.Final]
> > at
> > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.j
> > ava:
> > 275) [:6.0.0.Final]
> > at
> > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.j
> > ava:
> > 191) [:6.0.0.Final]
> > at
> > org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssoc
> > iationValve.java:
> > 181) [:6.0.0.Final]
> > at
> > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBas
> > e.java:
> > 501) [:6.0.0.Final]
> > at org.jboss.modcluster.catalina.CatalinaContext
> > $RequestListenerValve.event(CatalinaContext.java:285) [:1.1.0.Final]
> > at org.jboss.modcluster.catalina.CatalinaContext
> > $RequestListenerValve.invoke(CatalinaContext.java:261) [:1.1.0.Final]
> > at
> > org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java
> > :
> > 88) [:6.0.0.Final]
> > at
> > org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(Secu
> > rityContextEstablishmentValve.java:
> > 100) [:6.0.0.Final]
> > at
> > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:
> > 127) [:6.0.0.Final]
> > at
> > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:
> > 102) [:6.0.0.Final]
> > at
> > org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnect
> > ionValve.java:
> > 158) [:6.0.0.Final]
> > at
> > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.jav
> > a:
> > 109) [:6.0.0.Final]
> > at
> > org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke
> > (ActiveRequestResponseCacheValve.java:
> > 53) [:6.0.0.Final]
> > at
> > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
> > 362) [:6.0.0.Final]
> > at
> > org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:504) [:
> > 6.0.0.Final]
> > at org.apache.coyote.ajp.AjpProtocol
> > $AjpConnectionHandler.process(AjpProtocol.java:437) [:6.0.0.Final]
> > at org.apache.tomcat.util.net.JIoEndpoint
> > $Worker.run(JIoEndpoint.java:951) [:6.0.0.Final]
> > at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]
> > Caused by: org.acegisecurity.ldap.LdapDataAccessException: Failed to
> > obtain InitialDirContext due to unexpected exception; nested exception
> > is javax.naming.InvalidNameException: [LDAP: error code 34 - invalid
> > DN]
> > at
> > org.acegisecurity.ldap.DefaultInitialDirContextFactory.connect(DefaultIniti
> > alDirContextFactory.java:
> > 193) [:]
> > at
> > org.acegisecurity.ldap.DefaultInitialDirContextFactory.newInitialDirContext
> > (DefaultInitialDirContextFactory.java:
> > 261) [:]
> > at
> > org.acegisecurity.ldap.LdapTemplate.execute(LdapTemplate.java:123) [:]
> > at
> > org.acegisecurity.ldap.LdapTemplate.retrieveEntry(LdapTemplate.java:
> > 165) [:]
> > at
> > org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.bindWithDn
> > (BindAuthenticator.java:
> > 87) [:]
> > at
> > org.acegisecurity.providers.ldap.authenticator.BindAuthenticator.authentica
> > te(BindAuthenticator.java:
> > 72) [:]
> > at
> > org.acegisecurity.providers.ldap.authenticator.BindAuthenticator2.authentic
> > ate(BindAuthenticator2.java:
> > 49) [:]
> > at
> > org.acegisecurity.providers.ldap.LdapAuthenticationProvider.retrieveUser(Ld
> > apAuthenticationProvider.java:
> > 233) [:]
> > ... 38
>
> ...
>
> read more »
