On Tue, Mar 29, 2011 at 7:43 PM, Dan White <[email protected]> wrote:

> On 29/03/11 14:47 -0700, sim123 wrote:
>
>> I have an OpenLDAP server up and running and am trying to integrate it with
>> Confluence. My LDAP structure looks like
>>
>> DN :: uid=123, ou=users, dc=example, dc=com
>> uid :: 123
>> mail :: [email protected]
>> cn :: barbara
>> sn :: jason
>> userPassword :: test (plain text for now)
>>
>> I have another similar entry in another branch (su) for "confluence admin".
>> I did the LDAP configuration in Confluence and tested the bind with the
>> Confluence user. Now for every user authentication I am assuming LDAP should
>> be able to bind on any attribute other than DN. However, I cannot do that.
>> When I try
>
> By that, I assume that you are referring to a two step process where a
> privileged user binds (or anonymously binds) to the server, searches for
> the DN of a user based on some search criteria, unbinds, and then rebinds
> using the returned DN, and the password submitted by the client.
>
> If that's a correct assumption, you might want to verify that:
>
> * The privileged user has appropriate permissions to search in your user
>   tree
> * The client (confluence) is submitting appropriate base, scope, and filter
>   in its search, and is retrieving the expected user DN
> * The client is then binding a second time with the DN and user password
>
>> to log in from Confluence using mail & password, this is what I see in my
>> slapd.d logs:
>>
>> connection_get(12): got connid=1000
>> connection_read(12): checking for input on id=1000
>> ber_get_next
>> ber_get_next: tag 0x30 len 48 contents:
>> op tag 0x60, time 1301434489
>> ber_get_next
>> conn=1000 op=0 do_bind
>> ber_scanf fmt ({imt) ber:
>> ber_scanf fmt (m}) ber:
>> >>> dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>
>> <<< dnPrettyNormal: <uid=234,ou=su,dc=example,dc=com>, <uid=234,ou=su,dc=example,dc=com>
>> do_bind: version=3 dn="uid=234,ou=su,dc=example,dc=com" method=128
>> bdb_dn2entry("uid=234,ou=su,dc=example,dc=com")
>> => bdb_dn2id("dc=example,dc=com")
>> <= bdb_dn2id: got id=0x1
>> => bdb_dn2id("ou=su,dc=example,dc=com")
>> <= bdb_dn2id: got id=0x4
>> => bdb_dn2id("uid=234,ou=su,dc=example,dc=com")
>> <= bdb_dn2id: got id=0x7
>> entry_decode: "uid=234,ou=su,dc=example,dc=com"
>> <= entry_decode(uid=234,ou=su,dc=example,dc=com)
>> do_bind: v3 bind: "uid=234,ou=su,dc=example,dc=com" to "uid=234,ou=su,dc=example,dc=com"
>> send_ldap_result: conn=1000 op=0 p=3
>> send_ldap_response: msgid=1 tag=97 err=0
>> ber_flush2: 14 bytes to sd 12
>> connection_get(12): got connid=1000
>> connection_read(12): checking for input on id=1000
>> ber_get_next
>> ber_get_next: tag 0x30 len 144 contents:
>> op tag 0x63, time 1301434489
>> ber_get_next
>> conn=1000 op=1 do_search
>> ber_scanf fmt ({miiiib) ber:
>> >>> dnPrettyNormal: <ou=user,dc=example,dc=com>
>> <<< dnPrettyNormal: <ou=user,dc=example,dc=com>, <ou=user,dc=example,dc=com>
>> ber_scanf fmt ({mm}) ber:
>> ber_scanf fmt ({mm}) ber:
>> ber_scanf fmt ({M}}) ber:
>> => get_ctrls
>> ber_scanf fmt ({m) ber:
>> => get_ctrls: oid="2.16.840.1.113730.3.4.2" (noncritical)
>> <= get_ctrls: n=1 rc=0 err=""
>> ==> limits_get: conn=1000 op=1 self="uid=234,ou=su,dc=example,dc=com" this="ou=user,dc=example,dc=com"
>> => bdb_search
>> bdb_dn2entry("ou=user,dc=example,dc=com")
>> => bdb_dn2id("ou=user,dc=example,dc=com")
>> <= bdb_dn2id: got id=0x3
>> entry_decode: "ou=user,dc=example,dc=com"
>> <= entry_decode(ou=user,dc=example,dc=com)
>> search_candidates: base="ou=user,dc=example,dc=com" (0x00000003) scope=2
>> => bdb_equality_candidates (objectClass)
>> => key_read
>> <= bdb_index_read: failed (-30988)
>> <= bdb_equality_candidates: id=0, first=0, last=0
>
> It looks like the search is not returning any entries. From your confluence
> server, can you perform an ldapsearch as your privileged user to see if you
> get any entries returned?
>
> --
> Dan White
Thanks for your reply. You got me right, and I am sure the first two things
are working, so my authentication user has privileges and Confluence is
submitting base, scope and filter. I am not sure about the third point; that
still needs to be validated. I tried doing ldapsearch from the LDAP server
machine (local) and from the Confluence server using a filter on uid/cn.
However, I don't know why a wildcard works and a specific search doesn't.

ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

whereas

ldapsearch -x -W -D 'cn=Manager,dc=example,dc=com' -b 'ou=users,dc=example,dc=com' '(uid=123*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=123*)
# requesting: ALL
#

# 123, users, example.com
dn: uid=123,ou=users,dc=example,dc=com
displayName: Barbara Jason
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
mail: [email protected]
uid: 123
userPassword:: bXJhanZhaWR5YQ==
sn: Jason
cn: Barbara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Again, I tried searching for it but couldn't find it. Sorry for being naive,
but I would appreciate any help.

Thanks
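The two-step "search then bind" flow Dan describes, written out as an added example (this is not code from the thread, from Confluence or from OpenLDAP). It implements his three checks in order and adds the two client-side guards a practitioner wants around that flow: the user-supplied login value must be escaped before it goes into the search filter (RFC 4515), and an empty password must be refused before the second bind, because a DN with an empty password is an unauthenticated bind that some servers accept as anonymous (RFC 4513 section 5.1.2). The FakeDirectory, its entries and the mail addresses are constructed stand-ins for the slapd in the thread so the code runs offline; it deliberately models a server that accepts unauthenticated binds so the guard is exercised.

```python
"""Search-then-bind LDAP authentication with RFC 4515 filter escaping.

Added example, not code from the thread.  FakeDirectory is a constructed
in-memory stand-in for slapd; against a real server authenticate() would be
handed a thin wrapper exposing search(base, filter) and bind(dn, password).
"""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# assertion value, otherwise a login such as "*" or "x)(uid=*" rewrites the
# query instead of being matched literally.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(attr: str, login: str) -> str:
    """Equality filter for the search step, e.g. (mail=<escaped login>).
    The attribute name comes from configuration, never from the user, so it
    is validated against the attribute-description syntax rather than escaped."""
    if not re.fullmatch(r'[A-Za-z][A-Za-z0-9-]*', attr):
        raise ValueError(f'bad attribute name: {attr!r}')
    return f'({attr}={escape_filter_value(login)})'


class FakeDirectory:
    """Constructed stand-in for slapd: subtree search with one (attr=value)
    filter (unescaped '*' is a wildcard, \\XX is a literal character) and
    simple binds against a plain-text userPassword, as in the thread."""

    def __init__(self, entries):
        self.entries = entries  # {dn: {lowercase attr: [values]}}

    @staticmethod
    def _assertion_to_regex(assertion: str) -> str:
        parts, i = [], 0
        while i < len(assertion):
            ch = assertion[i]
            if ch == '\\' and i + 3 <= len(assertion):        # \XX -> literal
                parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
                i += 3
            elif ch == '*':                                     # wildcard
                parts.append('.*')
                i += 1
            else:
                parts.append(re.escape(ch))
                i += 1
        return ''.join(parts)

    def search(self, base: str, filt: str) -> list:
        """Return the DNs under `base` whose attribute matches the filter."""
        m = re.fullmatch(r'\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)', filt)
        if not m:
            raise ValueError(f'unsupported filter: {filt!r}')
        attr = m.group(1).lower()
        pattern = re.compile(self._assertion_to_regex(m.group(2)), re.IGNORECASE)
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower())
                and any(pattern.fullmatch(v) for v in attrs.get(attr, []))]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind.  Models a server that accepts a DN with an empty
        password as an *unauthenticated* bind (RFC 4513 section 5.1.2): the
        bind "succeeds" but grants only anonymous access, which is why
        authenticate() refuses empty passwords itself."""
        if password == '':
            return True
        entry = self.entries.get(dn)
        return entry is not None and password in entry.get('userpassword', [])


def authenticate(directory, service_dn, service_pw, base, login_attr, login, password):
    """Bind as the service account, search for exactly one DN, rebind as that
    DN with the user's password.  Returns the user DN, or None on failure."""
    if password == '':
        return None                      # would be an unauthenticated bind
    if not directory.bind(service_dn, service_pw):
        raise RuntimeError('service account bind failed')   # Dan's first check
    matches = directory.search(base, build_user_filter(login_attr, login))
    if len(matches) != 1:
        return None                      # 0: unknown user; >1: ambiguous, refuse
    user_dn = matches[0]                 # Dan's second check: expected DN came back
    return user_dn if directory.bind(user_dn, password) else None   # third check


# Constructed data mirroring the thread's tree (mail values are invented).
DIRECTORY = FakeDirectory({
    'cn=Manager,dc=example,dc=com': {'userpassword': ['secret']},
    'uid=123,ou=users,dc=example,dc=com': {
        'uid': ['123'], 'cn': ['Barbara'], 'mail': ['barbara@example.com'],
        'userpassword': ['test']},
    'uid=234,ou=su,dc=example,dc=com': {
        'uid': ['234'], 'mail': ['confluence-admin@example.com'],
        'userpassword': ['adminpw']},
})
SERVICE_DN, SERVICE_PW = 'cn=Manager,dc=example,dc=com', 'secret'
USER_BASE = 'ou=users,dc=example,dc=com'


def login_by_mail(mail: str, password: str):
    """Confluence-style login: look the user up by mail, then bind as them."""
    return authenticate(DIRECTORY, SERVICE_DN, SERVICE_PW, USER_BASE, 'mail', mail, password)


if __name__ == '__main__':
    print(login_by_mail('barbara@example.com', 'test'))   # the user's DN
    print(login_by_mail('barbara@example.com', 'wrong'))  # None
    print(login_by_mail('*', 'test'))                     # None: '*' escaped, not a wildcard
    print(login_by_mail('barbara@example.com', ''))       # None: empty password refused
```

Against a real directory the wrapper would map search() to python-ldap's search_s() or ldap3's Connection.search(), and bind() to simple_bind_s() or a fresh Connection bind; that mapping is an assumption of this example, not something the thread shows. Two things in the posted output are worth checking against this flow: the Confluence search above runs with base ou=user,dc=example,dc=com while the manual ldapsearch uses ou=users,dc=example,dc=com, and the symptom that (uid=123) returns nothing while (uid=123*) finds the entry, together with "<= bdb_index_read: failed (-30988)" (Berkeley DB's DB_NOTFOUND), is the classic sign of an equality index that is declared in the slapd configuration but was never built for the existing entries; an equality search consults only that index, so it stays empty until slapindex is run with slapd stopped, whereas the substring filter is evaluated without it.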
