[RCU] R: Re: Ldap Addressbook : problem for credentials in private addressbook

kaifamm at libero.it kaifamm at libero.it
Mon Mar 5 17:29:39 CET 2012


Hi All,

   thanks for the answers !!!

I made other tests:

If I try this:
  ldapsearch -xLLL -H ldap://localhost:389 -D cn=rcuser,ou=rcabook,dc=localhost -w rcpass -b ou=rcabook,dc=localhost
it works fine.

If I try this:
  ldapsearch -xLLL -H ldap://localhost:389 -D cn=mark,ou=private,ou=rcabook,dc=localhost -w xxxx
it answers: ldap_bind: Invalid credentials (49),
so I think that there is an ACL problem.

I think that there is an error in the script rcabook-setup.sh.

I ran the script rcabook-setup.sh again and again; it doesn't return
errors and it said:
The LDAP addressbook is ready now for using:
  base_dn: ou=rcabook,dc=localhost
  bind_dn: cn=rcuser,ou=rcabook,dc=localhost
  
Use the following command for reading and checking your setup:
  ldapsearch -xLLL -H ldap://localhost:389 -D cn=rcuser,ou=rcabook,dc=localhost -w rcpass -b ou=rcabook,dc=localhost

Here is my ldap.log with the debug output of the LDAP server:
daemon: activity on:
slap_listener_activate(7): 
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=zero
>>> slap_listener(ldap:///)
daemon: listen=7, new connection on 13
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: added 13r (active) listener=(nil)
daemon: activity on 1 descriptor
conn=21 fd=13 ACCEPT from IP=127.0.0.1:45320 (IP=0.0.0.0:389)
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(13): got connid=21
connection_read(13): checking for input on id=21
ber_get_next
ldap_read: want=8, got=8
  0000:  30 84 00 00 00 3e 02 01                            0....>..          
ldap_read: want=60, got=60
  0000:  01 60 84 00 00 00 35 02  01 03 04 2a 63 6e 3d 6d   .`....5....*cn=m  
  0010:  61 72 6b 2c 6f 75 3d 70  72 69 76 61 74 65 2c 6f   ark,ou=private,o  
  0020:  75 3d 72 63 61 62 6f 6f  6b 2c 64 63 3d 6c 6f 63   u=rcabook,dc=loc  
  0030:  61 6c 68 6f 73 74 80 04  78 78 78 78               alhost..xxxx      
ber_get_next: tag 0x30 len 62 contents:
ber_dump: buf=0xa0b040a8 ptr=0xa0b040a8 end=0xa0b040e6 len=62
  0000:  02 01 01 60 84 00 00 00  35 02 01 03 04 2a 63 6e   ...`....5....*cn  
  0010:  3d 6d 61 72 6b 2c 6f 75  3d 70 72 69 76 61 74 65   =mark,ou=private  
  0020:  2c 6f 75 3d 72 63 61 62  6f 6f 6b 2c 64 63 3d 6c   ,ou=rcabook,dc=l  
  0030:  6f 63 61 6c 68 6f 73 74  80 04 78 78 78 78         ocalhost..xxxx    
op tag 0x60, time 1330963449
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=21 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0xa0b040a8 ptr=0xa0b040ab end=0xa0b040e6 len=59
  0000:  60 84 00 00 00 35 02 01  03 04 2a 63 6e 3d 6d 61   `....5....*cn=ma  
  0010:  72 6b 2c 6f 75 3d 70 72  69 76 61 74 65 2c 6f 75   rk,ou=private,ou  
  0020:  3d 72 63 61 62 6f 6f 6b  2c 64 63 3d 6c 6f 63 61   =rcabook,dc=loca  
  0030:  6c 68 6f 73 74 80 04 78  78 78 78                  lhost..xxxx       
ber_scanf fmt (m}) ber:
ber_dump: buf=0xa0b040a8 ptr=0xa0b040e0 end=0xa0b040e6 len=6
  0000:  00 04 78 78 78 78                                  ..xxxx            
>>> dnPrettyNormal: <cn=mark,ou=private,ou=rcabook,dc=localhost>
=> ldap_bv2dn(cn=mark,ou=private,ou=rcabook,dc=localhost,0)
<= ldap_bv2dn(cn=mark,ou=private,ou=rcabook,dc=localhost)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=mark,ou=private,ou=rcabook,dc=localhost)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=mark,ou=private,ou=rcabook,dc=localhost)=0 
<<< dnPrettyNormal: <cn=mark,ou=private,ou=rcabook,dc=localhost>, <cn=mark,
ou=private,ou=rcabook,dc=localhost>
conn=21 op=0 BIND dn="cn=mark,ou=private,ou=rcabook,dc=localhost" method=128
do_bind: version=3 dn="cn=mark,ou=private,ou=rcabook,dc=localhost" method=128
==> bdb_bind: dn: cn=mark,ou=private,ou=rcabook,dc=localhost
bdb_dn2entry("cn=mark,ou=private,ou=rcabook,dc=localhost")
=> bdb_dn2id("cn=mark,ou=private,ou=rcabook,dc=localhost")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
send_ldap_result: conn=21 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 22 bytes to sd 13
  0000:  30 84 00 00 00 10 02 01  01 61 84 00 00 00 07 0a   0........a......  
  0010:  01 31 04 00 04 00                                  .1....            
ldap_write: want=22, written=22
  0000:  30 84 00 00 00 10 02 01  01 61 84 00 00 00 07 0a   0........a......  
  0010:  01 31 04 00 04 00                                  .1....            
conn=21 op=0 RESULT tag=97 err=49 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 13r
daemon: read active on 13
daemon: epoll: listen=7 active_threads=0 tvp=zero
connection_get(13)
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(13): got connid=21
connection_read(13): checking for input on id=21
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=21, closing.
connection_closing: readying conn=21 sd=13 for close
connection_close: conn=21 sd=13
daemon: activity on 1 descriptor
daemon: removing 13
daemon: activity on:
conn=21 fd=13 closed (connection lost)
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero

Thanks a lot 
Mark
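As an added example (not the thread's own code), this Python triage script pairs each BIND with its RESULT in a constructed excerpt of the slapd trace above and flags the backend's DB_NOTFOUND, which the trace shows for cn=mark right before err=49 is sent. The conn=22 lines are an invented successful bind for contrast, and diagnose_binds is my name for the function.

```python
import re

# Constructed excerpt modelled on the slapd debug output quoted above: conn=21
# reproduces the real failed bind; conn=22 is an invented successful bind for
# contrast (hypothetical, not from the thread).
SLAPD_LOG = """\
conn=21 fd=13 ACCEPT from IP=127.0.0.1:45320 (IP=0.0.0.0:389)
conn=21 op=0 BIND dn="cn=mark,ou=private,ou=rcabook,dc=localhost" method=128
==> bdb_bind: dn: cn=mark,ou=private,ou=rcabook,dc=localhost
=> bdb_dn2id("cn=mark,ou=private,ou=rcabook,dc=localhost")
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
conn=21 op=0 RESULT tag=97 err=49 text=
conn=22 fd=14 ACCEPT from IP=127.0.0.1:45321 (IP=0.0.0.0:389)
conn=22 op=0 BIND dn="cn=rcuser,ou=rcabook,dc=localhost" method=128
conn=22 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
NOTFOUND = "bdb_dn2id: get failed: DB_NOTFOUND"  # backend could not find the bind DN


def diagnose_binds(log_text):
    """Map (conn, op) -> (bind_dn, err, verdict) for each simple bind in the trace.

    slapd returns err=49 both for a nonexistent bind DN and for a rejected
    password, so the client cannot tell them apart (deliberately: the server must
    not reveal which DNs exist). The server-side trace can: a DB_NOTFOUND between
    the BIND and its RESULT means the entry was never created in the directory.
    """
    results, current, missing = {}, None, False
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            current, missing = ((m.group(1), m.group(2)), m.group(3)), False
            continue
        if current and NOTFOUND in line:
            missing = True
            continue
        m = RESULT_RE.match(line)
        if m and current and (m.group(1), m.group(2)) == current[0]:
            err = int(m.group(3))
            verdict = "err=%d" % err
            if err == 0:
                verdict = "bind ok"
            elif err == 49:
                verdict = ("no such entry: bind DN does not exist in the directory" if missing
                           else "entry exists: password rejected or ACL denies auth on userPassword")
            results[current[0]] = (current[1], err, verdict)
            current = None
    return results
```

Run it on a full `slapd -d -1` capture; with several concurrent connections the untagged backend lines interleave, so only trust the verdict when the trace is from a single test client as here.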



>----Original message----
>From: andudi at gmx.ch
>Date: 05/03/2012 14.09
>To: "kaifamm at libero.it"<kaifamm at libero.it>, <users at lists.roundcube.net>
>Subject: Re: [RCU] Ldap Addressbook : problem for credentials in private addressbook
>
>Hi
>I am on ski holidays and don't have my setup in front of me.
>
>Your setup seems OK, but can you try to connect with ldapsearch on the command line?
>Another try could be to switch on logging in slapd.conf.
>ldap.conf is not used by the server but by clients like ldapsearch...
>
>Andreas
>
>
>
>"kaifamm at libero.it" <kaifamm at libero.it> wrote:
>
>>Hi All,
>>
>>I configured the LDAP server and Roundcube to manage contacts. I used the
>>howto: http://trac.roundcube.net/wiki/Howto_Ldap. It works quite well; I only
>>have a problem with credentials in the private addressbook. The public
>>addressbook works fine, I can search and add contacts.
>>
>>I checked Mark's password and it is correct. I tried to use rootpw but it
>>doesn't work.
>>
>>My versions are :
>>openldap-servers-2.4.19-6
>>php-5.3.3-1
>>roundcube  0.7.1
>>
>>I report the error in the ldap log of Roundcube, my slapd.conf and my
>>main.inc.php.
>>
>>Thanks a lot 
>>
>>Mark
>>
>>--------------------------------
>>logs/ldap :
>>
>>[05-Mar-2012 10:09:01 +0100]: C: Connect [localhost:389]
>>[05-Mar-2012 10:09:01 +0100]: S: OK
>>[05-Mar-2012 10:09:01 +0100]: C: Bind [dn:
>>cn=mark,ou=private,ou=rcabook,
>>dc=localhost] [pass: xxxx]
>>[05-Mar-2012 10:09:01 +0100]: S: Invalid credentials
>>[05-Mar-2012 10:09:01 +0100]: C: Close
>>
>>
>>[05-Mar-2012 10:14:24 +0100]: C: Connect [localhost:389]
>>[05-Mar-2012 10:14:24 +0100]: S: OK
>>[05-Mar-2012 10:14:24 +0100]: C: Bind [dn:
>>cn=mark,ou=private,ou=rcabook,
>>dc=localhost] [pass: xxxx]
>>[05-Mar-2012 10:14:24 +0100]: S: Invalid credentials
>>[05-Mar-2012 10:14:24 +0100]: C: Close
>>[05-Mar-2012 10:27:42 +0100]: C: Connect [localhost:389]
>>[05-Mar-2012 10:27:42 +0100]: S: OK
>>[05-Mar-2012 10:27:42 +0100]: C: Bind [dn:
>>cn=mark,ou=private,ou=rcabook,
>>dc=localhost] [pass: xxxx]
>>[05-Mar-2012 10:27:42 +0100]: S: Invalid credentials
>>[05-Mar-2012 10:27:42 +0100]: C: Close
>>[05-Mar-2012 10:27:52 +0100]: C: Connect [localhost:389]
>>[05-Mar-2012 10:27:52 +0100]: S: OK
>>[05-Mar-2012 10:27:52 +0100]: C: Bind [dn:
>>cn=mark,ou=private,ou=rcabook,
>>dc=localhost] [pass: xxxx]
>>[05-Mar-2012 10:27:52 +0100]: S: Invalid credentials
>>[05-Mar-2012 10:27:52 +0100]: C: Add [dn: mail=ssssss at iiii.uu,cn=mark,
>>ou=private,ou=rcabook,dc=localhost]: Array
>>(
>>    [cn] => ssssssss sss
>>    [sn] => sss
>>    [givenname] => ssssssss
>>    [mail] => ssssss at iiii.uu
>>    [objectClass] => Array
>>        (
>>            [0] => top
>>            [1] => inetOrgPerson
>>        )
>>
>>)
>>
>>[05-Mar-2012 10:27:52 +0100]: S: Strong(er) authentication required
>>[05-Mar-2012 10:27:52 +0100]: C: Close
>>------------------------------------------------------------
>>config/main.inc.php
>>
>>$rcmail_config['ldap_public']['public'] = array(
>>    'name'              => 'Public LDAP Addressbook',
>>    'hosts'              => array('localhost'),
>>    'use_tls'         => false,
>>    'ldap_version'  => 3,       // using LDAPv3
>>    'port'                => 389,
>>    'auth_method'    => '',
>>    'user_specific' => false,
>>    'writable'     => true,
>>    'base_dn'         => 'ou=public,ou=rcabook,dc=localhost',
>>    'bind_dn'          => 'cn=rcuser,ou=rcabook,dc=localhost',
>>    'bind_pass'      => 'rcpass',
>>    'fieldmap' => array(
>>         'name'        => 'cn',
>>         'surname'     => 'sn',
>>         'firstname'   => 'givenName',
>>         'email'       => 'mail',
>>         'phone:home'  => 'homePhone',
>>         'phone:work'  => 'telephoneNumber',
>>         'phone:mobile' => 'mobile',
>>         'street'      => 'street',
>>         'zipcode'     => 'postalCode',
>>         'locality'    => 'l',
>>         'country'     => 'c',
>>         'organization' => 'o',
>>    ),
>>    'LDAP_Object_Classes' => array('top', 'inetOrgPerson'),
>>    'LDAP_rdn'       => 'mail',
>>    'required_fields' => array('cn', 'sn', 'mail'),
>>    'filter'              => '(objectClass=inetOrgPerson)',
>>    'groups'           => array(
>>        'base_dn'           => '',     // in this Howto, the same base_dn as for the contacts is used
>>        'filter'                 => '(objectClass=groupOfNames)',
>>        'object_classes' => array("top", "groupOfNames"),
>>  ),
>>);
>>
>>$rcmail_config['ldap_public']['private'] = array(
>>    'name'              => 'Private LDAP Addressbook',
>>    'hosts'              => array('localhost'),
>>    'use_tls'         => false,
>>    'ldap_version'  => 3,       // using LDAPv3
>>    'port'                => 389,
>>    'auth_method'    => '',
>>    'user_specific' => true,
>>    'writable'     => true,
>>    'base_dn'         => 'cn=%u,ou=private,ou=rcabook,dc=localhost',
>>    'bind_dn'          => 'cn=%u,ou=private,ou=rcabook,dc=localhost',
>>    'bind_pass'      => '',   // the user login password is used
>>    'fieldmap' => array(
>>         'name'        => 'cn',
>>         'surname'     => 'sn',
>>         'firstname'   => 'givenName',
>>         'email'       => 'mail',
>>         'phone:home'  => 'homePhone',
>>         'phone:work'  => 'telephoneNumber',
>>         'phone:mobile' => 'mobile',
>>         'street'      => 'street',
>>         'zipcode'     => 'postalCode',
>>         'locality'    => 'l',
>>         'country'     => 'c',
>>         'organization' => 'o',
>>    ),
>>    'LDAP_Object_Classes' => array('top', 'inetOrgPerson'),
>>    'LDAP_rdn'       => 'mail',
>>    'required_fields' => array('cn', 'sn', 'mail'),
>>    'filter'              => '(objectClass=inetOrgPerson)',
>>    'groups'           => array(
>>        'base_dn'           => '',     // in this Howto, the same base_dn as for the contacts is used
>>        'filter'                 => '(objectClass=groupOfNames)',
>>        'object_classes' => array("top", "groupOfNames"),
>>  ),
>>);
>>
>>-------------------------------------------
>>openldap/slapd.conf
>>
>>#
>># See slapd.conf(5) for details on configuration options.
>># This file should NOT be world readable.
>>#
>>
>>include		/etc/openldap/schema/corba.schema
>>include		/etc/openldap/schema/core.schema
>>include		/etc/openldap/schema/cosine.schema
>>include		/etc/openldap/schema/duaconf.schema
>>include		/etc/openldap/schema/dyngroup.schema
>>include		/etc/openldap/schema/inetorgperson.schema
>>include		/etc/openldap/schema/java.schema
>>include		/etc/openldap/schema/misc.schema
>>include		/etc/openldap/schema/nis.schema
>>include		/etc/openldap/schema/openldap.schema
>>include		/etc/openldap/schema/ppolicy.schema
>>include		/etc/openldap/schema/collective.schema
>>
>># Allow LDAPv2 client connections.  This is NOT the default.
>>allow bind_v2
>>
>># Do not enable referrals until AFTER you have a working directory
>># service AND an understanding of referrals.
>>#referral	ldap://root.openldap.org
>>
>>pidfile		/var/run/openldap/slapd.pid
>>argsfile	/var/run/openldap/slapd.args
>>
>>SIZELIMIT       100000
>>
>>
>>#
>># if no access controls are present, the default policy
>># allows anyone and everyone to read anything but restricts
>># updates to rootdn.  (e.g., "access to * by * read")
>>#
>># rootdn can always read and write EVERYTHING!
>>
>>#######################################################################
>># ldbm and/or bdb database definitions
>>#######################################################################
>>
>>database	bdb
>>suffix          "dc=localhost"
>>checkpoint	1024 15
>>rootdn          "cn=admin,dc=localhost"
>># Cleartext passwords, especially for the rootdn, should
>># be avoided.  See slappasswd(8) and slapd.conf(5) for details.
>># Use of strong authentication encouraged.
>>rootpw		{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>
>># The database directory MUST exist prior to running slapd AND 
>># should only be accessible by the slapd and slap tools.
>># Mode 700 recommended.
>>directory	/var/lib/ldap
>>
>># Indices to maintain for this database
>>index objectClass                       eq,pres
>>index ou,cn,mail,surname,givenname      eq,pres,sub
>>index uidNumber,gidNumber,loginShell    eq,pres
>>index uid,memberUid                     eq,pres,sub
>>index nisMapName,nisMapEntry            eq,pres,sub
>>
>># Replicas of this database
>>#replogfile /var/lib/ldap/openldap-master-replog
>>#replica host=ldap-1.example.com:389 starttls=critical
>>#     bindmethod=sasl saslmech=GSSAPI
>>#     authcId=host/ldap-master.example.com at EXAMPLE.COM
>>
>>
>># Grant the Roundcube user the right to create private users
>>access to dn.one="ou=private,ou=rcabook,dc=localhost"
>>attrs=userPassword
>>        by dn="cn=rcuser,ou=rcabook,dc=localhost" write
>>        by anonymous auth
>>        by self write
>>        by * none
>>
>># For user authentication and password change
>>access to attrs=userPassword
>>        by dn="cn=admin,dc=localhost" write
>>        by anonymous auth
>>        by self write
>>        by * none
>>
>># Grant the Roundcube users access to their private addressbooks
>>access to dn.regex="^.*cn=([^,]+),ou=private,ou=rcabook,dc=localhost$"
>>        by dn="cn=admin,dc=localhost" write
>>        by dn="cn=rcuser,ou=rcabook,dc=localhost" write
>>        by dn.exact,expand="cn=$1,ou=private,ou=rcabook,dc=localhost" write
>>
>># Grant the Roundcube user access to the whole addressbook
>>access to dn.subtree="ou=rcabook,dc=localhost"
>>        by dn="cn=admin,dc=localhost" write
>>        by dn="cn=rcuser,ou=rcabook,dc=localhost" write
>>
>># For directory access
>>access to *
>>        by dn="cn=admin,dc=localhost" write
>>
>># enable monitoring
>>database monitor
>>
>>-----------------------------------------
>
>-- 
>List info: http://lists.roundcube.net/users/
>