
Re: LDAP Authentication Problem


a...@novell.com

Jan 7, 2010, 12:11:02 PM

Post the full trace.... there are no usernames in this one. Also if you
can provide an LDAP export (LDIF) of the object you are testing that could
be helpful to verify everything. With your trace include +time +tags
+nmas +auth +ldap filters.

Good luck.

migsam wrote:
> LDAP Server: (2) Novell eDirectory 8.8.5 - SLES10SP1 (contain r/w
> replicas of all partitions)
>
> Hello! Hope you can help me with this problem.
>
> A little introduction:
> I've enabled LDAP authentication (non-SSL) on our mail servers...
> Novell GroupWise 7.0.3 HP4 - SLES10SP2 using an object user for
> searching the whole tree. The object user has all required rights. Some
> users can't log in to GroupWise using their NDS credentials even if they
> can log in ok to the network. If I put the full name of the user in the
> GroupWise account (LDAP format), they can log in ok to GroupWise.
>
> I thought it was a GroupWise problem.. but there is a web application
> that also uses LDAP authentication against NDS with the same results..
> some users can't log in... and again.. they can log in ok to the network.
>
> Using LDAPBrowser with those users I can log in ok and ndstrace shows
> the correct bind name.
>
> NDSTrace Groupwise using LDAP:
> Bind name:NULL, version:3, authentication:simple
> Failed to authenticate local on connection 0x162f6780, err = failed
> authentication (-669)
> Sending operation result 49:"":"NDS error: failed authentication
> (-669)" to connection 0x162f6780
>
> So now I think there is something wrong with LDAP authentication
> against those eDir servers, like for some reason it has problems
> locating certain users.. even if the testing users are in the same OU.
> I've tried deleting the object user and creating it again.. no luck.
>
> Any advice?
>
> Thanks in advance
> MigueL
>
>

David Gersic

Jan 7, 2010, 1:29:14 PM
On Thu, 07 Jan 2010 17:06:02 +0000, migsam wrote:

> NDSTrace Groupwise using LDAP:
> Bind name:NULL, version:3, authentication:simple Failed to authenticate
> local on connection 0x162f6780, err = failed authentication (-669)
> Sending operation result 49:"":"NDS error: failed authentication (-669)"
> to connection 0x162f6780

"Bind name: NULL"

That just doesn't look right to me.

--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.

a...@novell.com

Jan 7, 2010, 7:14:11 PM

David hit it originally... the bind name being sent to LDAP is null which
is not helping at all. Why is that? Not sure. Is that user coming from
a different GW Post Office which maybe is misconfigured?

Good luck.

migsam wrote:
> Thanks for your replies.
>
> User test01 LDAP Authentication ok:
> 3878259616 AUTH: [2010/01/07 15:06:56.218] Starting SEV calculation for
> conn 1059, entry .ldaputh.GW.XX.XX-TREE..
> 3878259616 AUTH: [2010/01/07 15:06:56.218] 1 GlobalGetSEV.
> 3878259616 AUTH: [2010/01/07 15:06:56.218] 4 GlobalGetSEV succeeded.
> 3904547744 AUTH: [2010/01/07 15:06:56.218] 4 GlobalGetSEV succeeded.
> 3904547744 AUTH: [2010/01/07 15:06:56.219] SEV calculation complete for
> conn 1059, (0:1 s:ms).
> 3878259616 AUTH: [2010/01/07 15:06:56.219] SEV calculation complete for
> conn 1059, (0:1 s:ms).
> 3904547744 LDAP: [2010/01/07 15:06:56.219] Sending operation result
> 0:"":"" to connection 0x162f6780
> 3880364960 LDAP: [2010/01/07 15:06:56.219] DoBind on connection
> 0x162f6780
> 3880364960 LDAP: [2010/01/07 15:06:56.220] Bind
> name:cn=test01,ou=SRV,ou=eDIR,o=XX, version:3, authentication:simple
> 3880364960 AUTH: [2010/01/07 15:06:56.220] [0000be18]
> <.test01.SRV.eDIR.XX.XX-TREE.> LocalLoginRequest. Error success, conn:
> 2554.
> 3880364960 LDAP: [2010/01/07 15:06:56.220] Sending operation result
> 0:"":"" to connection 0x162f6780
> 4032678816 LDAP: [2010/01/07 15:06:56.220] DoBind on connection
> 0x162f6780
> 4032678816 LDAP: [2010/01/07 15:06:56.220] Bind
> name:CN=ldaputh,OU=GW,O=XX, version:3, authentication:simple
> 4032678816 AUTH: [2010/01/07 15:06:56.221] [0000bcfd]
> <.ldaputh.GW.XX.XX-TREE.> LocalLoginRequest. Error success, conn: 1059.
> 4032678816 LDAP: [2010/01/07 15:06:56.221] Sending operation result
> 0:"":"" to connection 0x162f6780
> 3876154272 AUTH: [2010/01/07 15:06:56.306] 1 DSAFinishAuthentication.
> 3876154272 AUTH: [2010/01/07 15:06:56.306] 2 DSAFinishAuthentication.
> 3876154272 AUTH: [2010/01/07 15:06:56.307] 3 DSAFinishAuthentication.
>
> User test02 LDAP Authentication failed:
> 4134419360 AUTH: [2010/01/07 15:07:08.49] 1 GlobalGetSEV.
> 4134419360 AUTH: [2010/01/07 15:07:08.49] 4 GlobalGetSEV succeeded.
> 4134419360 AUTH: [2010/01/07 15:07:08.49] SEV calculation complete for
> conn 324, (0:0 s:ms).
> 3918584736 LDAP: [2010/01/07 15:07:08.157] DoBind on connection
> 0x15d33c80
> 3918584736 LDAP: [2010/01/07 15:07:08.157] Bind name:NULL, version:3,
> authentication:simple
> 3918584736 AUTH: [2010/01/07 15:07:08.157] [00008013] <.XX-TREE.>
> EmuVerifyPassword returned error request unknown or no such property
> (-251), conn: 1780
> 3918584736 NMAS: [2010/01/07 15:07:08.157] 6: Create NMAS Session
> 3918584736 NMAS: [2010/01/07 15:07:08.157] 6: Failed to find login
> sequence for proxy client can do: 0x9
> 3918584736 NMAS: [2010/01/07 15:07:08.157] 6: Client Session Destroy
> Request
> 3918584736 NMAS: [2010/01/07 15:07:08.157] 6: Destroy NMAS Session
> 3918584736 NMAS: [2010/01/07 15:07:08.157] 6: Aborted Session
> Destroyed (with MAF)
> 3918584736 AUTH: [2010/01/07 15:07:08.157] [00008013] <.XX-TREE.>
> DCSimplePasswordVerifyEx returned error -1660 (0xfffff984), conn: 1780
> 3918584736 AUTH: [2010/01/07 15:07:08.157] UpdateLoginAttributesThread
> page 1 processed 1 login in 0 milliseconds
> 3918584736 AUTH: [2010/01/07 15:07:08.157] UpdateLoginAttributesThread
> page 2 processed 0 login in 0 milliseconds
> 4136524704 AUTH: [2010/01/07 15:07:08.157] UpdateLoginAttributesThread
> page 1 processed 0 login in 0 milliseconds
> 3918584736 AUTH: [2010/01/07 15:07:08.157] [00008013] <.XX-TREE.>
> LocalLoginRequest. Error failed authentication (-669), conn: 1780.
> 4136524704 AUTH: [2010/01/07 15:07:08.157] UpdateLoginAttributesThread
> page 2 processed 0 login in 0 milliseconds
> 4141788064 AUTH: [2010/01/07 15:07:08.803] 1 DSAFinishAuthentication.
> 4141788064 AUTH: [2010/01/07 15:07:08.803] 2 DSAFinishAuthentication.
> 4141788064 AUTH: [2010/01/07 15:07:08.805] 3 DSAFinishAuthentication.
> 4141788064 AUTH: [2010/01/07 15:07:08.805] 4 DSAFinishAuthentication.
>
> LDIF:
> version: 1
> dn: cn=test02,ou=SRV,ou=eDIR,o=XX
> nGWMailboxExpirationTime: 19700101000000Z
> nGWVisibility: 2
> nGWObjectID: Test02
> nGWPostOffice: cn=OP-xxx,ou=GW,o=XX
> nGWFileID: f3e
> nGWGroupWiseID:
> DOM-xxx.OP-xxx.Test02{106}53EC6320-0A8C-0000-B14B-000072003100
> mail: Tes...@xx.xx
> uid: test02
> generationQualifier: 09079756
> givenName: AAA
> fullName: BBB CCC AAA
> title: xxx
> sn: BBB CCC
> passwordRequired: TRUE
> passwordMinimumLength: 4
> passwordExpirationTime: 20090702135033Z
> passwordExpirationInterval: 7776000
> ou: xxx
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: Person
> objectClass: ndsLoginProperties
> objectClass: Top
> eMailAddress: 7#Tes...@DOM-xxx.OP-xxx
> loginTime: 20090612134826Z
> loginMaximumSimultaneous: 4
> loginIntruderAddress:: OSMAAKwUyF8=
> loginGraceRemaining: 4
> loginGraceLimit: 4
> cn: test02
> ACL: 2#subtree#cn=test02,ou=SRV,ou=eDIR,o=XX#[All Attributes Rights]
> ACL: 6#entry#cn=test02,ou=SRV,ou=eDIR,o=XX#loginScript
> ACL: 2#entry#[Public]#messageServer
> ACL: 2#entry#[Root]#groupMembership
> ACL: 6#entry#cn=test02,ou=SRV,ou=eDIR,o=XX#printJobConfiguration
> ACL: 2#entry#[Root]#networkAddress
>
> test01 and test02 can login ok to the network.


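The two ndstrace excerpts quoted above share one line format (thread id, module tag, timestamp, message), and the defect both replies point at is visible only by reading the `DoBind` / `Bind name:` / `LocalLoginRequest` / `Sending operation result` lines of one thread together. The following is an added example, not code from the thread, from Novell or from GroupWise: it parses lines in that format, ties each bind to the connection handle from the `DoBind` line on the same thread, and flags binds whose name is `NULL` or whose result is non-zero. The sample lines are constructed to follow the quoted format (the `test01` and `test02` binds, with a result line added for the failing one); the regexes, the `BindEvent` class and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the ndstrace format quoted in the thread
# (+time +tags +ldap +auth); not a real capture.
SAMPLE_TRACE = """\
3880364960 LDAP: [2010/01/07 15:06:56.219] DoBind on connection 0x162f6780
3880364960 LDAP: [2010/01/07 15:06:56.220] Bind name:cn=test01,ou=SRV,ou=eDIR,o=XX, version:3, authentication:simple
3880364960 AUTH: [2010/01/07 15:06:56.220] [0000be18] <.test01.SRV.eDIR.XX.XX-TREE.> LocalLoginRequest. Error success, conn: 2554.
3880364960 LDAP: [2010/01/07 15:06:56.220] Sending operation result 0:"":"" to connection 0x162f6780
3918584736 LDAP: [2010/01/07 15:07:08.157] DoBind on connection 0x15d33c80
3918584736 LDAP: [2010/01/07 15:07:08.157] Bind name:NULL, version:3, authentication:simple
3918584736 AUTH: [2010/01/07 15:07:08.157] [00008013] <.XX-TREE.> LocalLoginRequest. Error failed authentication (-669), conn: 1780.
3918584736 LDAP: [2010/01/07 15:07:08.157] Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x15d33c80
"""

# <thread> <TAG>: [<timestamp>] <message>
LINE_RE = re.compile(r"^(?P<thread>\d+)\s+(?P<tag>[A-Z]+):\s+\[(?P<ts>[^\]]+)\]\s+(?P<msg>.*)$")
DOBIND_RE = re.compile(r"DoBind on connection (?P<conn>0x[0-9a-fA-F]+)")
BIND_RE = re.compile(r"Bind name:(?P<name>.*?), version:(?P<ver>\d+), authentication:(?P<auth>\w+)")
LOGIN_RE = re.compile(r"LocalLoginRequest\. Error (?P<err>.+?)(?: \((?P<code>-?\d+)\))?, conn: \d+\.")
RESULT_RE = re.compile(
    r'Sending operation result (?P<code>\d+):"(?P<matched>[^"]*)":"(?P<diag>[^"]*)" '
    r"to connection (?P<conn>0x[0-9a-fA-F]+)"
)


@dataclass
class BindEvent:
    thread: str
    conn: str
    ts: str
    bind_name: str
    auth: str
    nds_error: Optional[str] = None   # text after "Error" on the LocalLoginRequest line
    nds_code: int = 0                  # e.g. -669; 0 when the AUTH line says "success"
    result_code: Optional[int] = None  # LDAP resultCode sent back to the client
    diag: str = ""

    @property
    def empty_bind_dn(self) -> bool:
        # The client never presented a user DN; the server cannot authenticate anyone.
        return self.bind_name.strip() in ("", "NULL")

    @property
    def failed(self) -> bool:
        return self.result_code not in (None, 0) or self.nds_code != 0


def parse_trace(text: str) -> List[BindEvent]:
    """Group the bind-related lines of each trace thread into BindEvent records."""
    events: List[BindEvent] = []
    pending_conn: Dict[str, str] = {}     # thread -> connection handle from its last DoBind
    open_bind: Dict[str, BindEvent] = {}  # thread -> bind still waiting for its AUTH/result lines
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or a wrapped continuation line; not a tagged trace line
        thread, msg = m.group("thread"), m.group("msg")
        if (d := DOBIND_RE.search(msg)):
            pending_conn[thread] = d.group("conn")
        elif (b := BIND_RE.search(msg)):
            ev = BindEvent(thread=thread, conn=pending_conn.get(thread, "?"), ts=m.group("ts"),
                           bind_name=b.group("name"), auth=b.group("auth"))
            events.append(ev)
            open_bind[thread] = ev
        elif (l := LOGIN_RE.search(msg)) and thread in open_bind:
            ev = open_bind[thread]
            ev.nds_error = l.group("err")
            ev.nds_code = int(l.group("code")) if l.group("code") else 0
        elif (r := RESULT_RE.search(msg)) and thread in open_bind:
            ev = open_bind.pop(thread)
            ev.result_code = int(r.group("code"))
            ev.diag = r.group("diag")
    return events


def suspicious_binds(events: List[BindEvent]) -> List[BindEvent]:
    """Binds worth a look: no bind DN at all, or a non-zero LDAP/NDS result."""
    return [e for e in events if e.empty_bind_dn or e.failed]


def summarize(e: BindEvent) -> str:
    reasons = []
    if e.empty_bind_dn:
        reasons.append("bind name is NULL: the client sent no user DN")
    if e.failed:
        reasons.append(f"LDAP result {e.result_code}, NDS error {e.nds_error} ({e.nds_code})")
    return f"{e.ts} conn={e.conn} thread={e.thread} name={e.bind_name!r} auth={e.auth}: " + "; ".join(reasons)


if __name__ == "__main__":
    for ev in suspicious_binds(parse_trace(SAMPLE_TRACE)):
        print(summarize(ev))
```

Run it over a trace captured with the filters suggested earlier in the thread; the successful `test01` bind is filtered out and the `test02` bind is reported with its NULL name, result 49 and NDS error -669, which is exactly the line to take to the client side (here GroupWise or the web application) that built the bind request.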

David Gersic

Jan 9, 2010, 2:29:13 AM
On Fri, 08 Jan 2010 21:36:02 +0000, migsam wrote:

> Well, we have 2 domains connected for moving user mailboxes. In the old
> GroupWise server (NW 6.5), a user uses the GroupWise password to log
> in.. no NDS/LDAP authentication here. After this user's mailbox is moved
> to the new server (SLES10SP2), the account is associated with the object
> user of the new tree and uses LDAP authentication. The NDS servers are in
> another Linux box.

I don't see anything wrong with this plan.


> But as I wrote, it happens with a web application too with LDAP
> authentication.
>
> Last NDStrace shows this:


> DCSimplePasswordVerifyEx returned error -1660 (0xfffff984), conn: 1780

That's a different error. Let's see the whole trace of this connection so
we can see what led up to the error.


> I read that if you don't set simple password to a user then LDAP
> capabilities are maybe disabled. I set a simple password for this user
> just in case.. no luck... is this error related to simple passwords?

Read that where? Wherever it was, it's wrong. Simple password is not
needed for LDAP, nor does having (or not having) a Simple password
disable anything LDAP related.

The error you started with looks to me like GroupWise is doing something
stupid, but I can't tell you why. Maybe ask in the GW support forum for
that.

Peter Kuo

Jan 9, 2010, 3:28:11 AM
David Gersic wrote:

> Simple password is not
> needed for LDAP,

It's been a while, but I *think* if you do MD5-bind, you need Simple
Password ...


--


Peter
eDirectory Rules!
http://www.DreamLAN.com

David Gersic

Jan 9, 2010, 11:29:13 AM
On Sat, 09 Jan 2010 08:28:11 +0000, Peter Kuo wrote:

> David Gersic wrote:
>
>> Simple password is not
>> needed for LDAP,
>
> It's been a while, but I *think* if you do MD5-bind, you need Simple
> Password ...

Ah, ok, yeah, if you're doing something other than just DN and password,
you might need simple. But the OP is using GroupWise as the LDAP client,
and I'm sure that doesn't do MD5 or anything weird like that.

Peter Kuo

Jan 9, 2010, 10:56:54 PM
David Gersic wrote:

> But the OP is using GroupWise as the LDAP client,
> and I'm sure that doesn't do MD5 or anything weird like that.

GW may be smart, but not 'that smart' <g>
