Old 03-23-2010, 02:05 AM   #1
g.navink
ldap server login error when logged in as admin


Hi,
I am facing login issues when I try to log in as admin to the LDAP server using phpldapadmin.
I installed phpldapadmin for administering the LDAP server from the repository:
1)http://download.fedora.redhat.com/pu...5.3.noarch.rpm
2)yum install phpldapadmin

Able to see the default phpldapadmin login page.

Login procedure
login: <rootdn>
password: <rootpw>

ldapadmin throws the error as "Bad username/password.Please try again"

But when I log in as anonymous I am able to log in, but the web page asks whether to create the root domain.

Kindly suggest whether anything needs to be done to make it log in as admin.

Thanks.
navin

The details of my setup are as follows:

Linux Distribution: RedHat 5.3 Enterprise Client.
Openldap version: $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $
brewbuilder@hs20-bc1-5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd


My slapd configuration:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/dnszone.schema
include /etc/openldap/schema/auth.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args


access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb

suffix "dc=intoto,dc=com"


rootdn "cn=Manager,dc=intoto,dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub


-----------------------------

Log of slapd when started in debug mode ([b22318@112mc77 openldap]$ sudo /usr/sbin/slapd -d 16783 -f slapd.conf)
slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=include{0}"
config_build_entry: "cn=include{1}"
config_build_entry: "cn=include{2}"
config_build_entry: "cn=include{3}"
config_build_entry: "cn=include{4}"
config_build_entry: "cn=include{5}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "cn={3}nis"
config_build_entry: "cn={4}dnszone"
config_build_entry: "cn={5}auth"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}bdb"
backend_startup_one: starting "dc=intoto,dc=com"
bdb_db_open: dc=intoto,dc=com
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2)
Expect poor performance for suffix dc=intoto,dc=com.
bdb_db_open: dbenv_open(/var/lib/ldap)
slapd starting
daemon: added 4r listener=(nil)
daemon: added 7r listener=0x2ada7bdbc6b0
daemon: epoll: listen=7 active_threads=0 tvp=NULL


....
....

<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=6 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=7 tag=101 err=0
ber_flush: 14 bytes to sd 11
0000: 30 0c 02 01 07 65 07 0a 01 00 04 00 04 00 0....e........
ldap_write: want=14, written=14
0000: 30 0c 02 01 07 65 07 0a 01 00 04 00 04 00 0....e........
conn=0 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 50 02 01 08 63 4b 04 0P...cK.
ldap_read: want=74, got=74
0000: 10 64 63 3d 69 6e 74 6f 74 6f 2c 64 63 3d 63 6f .dc=intoto,dc=co
0010: 6d 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 00 m...............
0020: a3 22 04 03 75 69 64 04 1b 63 6e 3d 4d 61 6e 61 ."..uid..cn=Mana
0030: 67 65 72 2c 64 63 3d 69 6e 74 6f 74 6f 2c 64 63 ger,dc=intoto,dc
0040: 3d 63 6f 6d 30 04 04 02 64 6e =com0...dn
ber_get_next: tag 0x30 len 80 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: epoll: listen=7 active_threads=0 tvp=NULL
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=intoto,dc=com>
=> ldap_bv2dn(dc=intoto,dc=com,0)
<= ldap_bv2dn(dc=intoto,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=intoto,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=intoto,dc=com)=0
<<< dnPrettyNormal: <dc=intoto,dc=com>, <dc=intoto,dc=com>
SRCH "dc=intoto,dc=com" 2 0 0 0 0
ber_scanf fmt ({mm}) ber:
filter: (uid=cn=manager,dc=intoto,dc=com)
ber_scanf fmt ({M}}) ber:
attrs: dn
conn=0 op=7 SRCH base="dc=intoto,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=intoto,dc=com)"
conn=0 op=7 SRCH attr=dn
==> limits_get: conn=0 op=7 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("dc=intoto,dc=com")
search_candidates: base="dc=intoto,dc=com" (0x00000001) scope=2
=> bdb_dn2idl("dc=intoto,dc=com")
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [40ee0fca]
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search_candidates: id=0 first=1 last=0
bdb_search: no candidates
send_ldap_result: conn=0 op=7 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=8 tag=101 err=0
ber_flush: 14 bytes to sd 11
0000: 30 0c 02 01 08 65 07 0a 01 00 04 00 04 00 0....e........
ldap_write: want=14, written=14
0000: 30 0c 02 01 08 65 07 0a 01 00 04 00 04 00 0....e........
conn=0 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 09 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: epoll: listen=7 active_threads=0 tvp=NULL
do_unbind
conn=0 op=8 UNBIND
connection_closing: readying conn=0 sd=11 for close
connection_resched: attempting closing conn=0 sd=11
connection_close: conn=0 sd=11
daemon: removing 11
conn=0 fd=11 closed
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
 
Old 03-23-2010, 02:19 AM   #2
g.navink
The slapd logs after I log in as admin using phpldapadmin are as follows:

>>> slap_listener(ldap:///)
daemon: listen=7, new connection on 11
daemon: added 11r (active) listener=(nil)
conn=0 fd=11 ACCEPT from IP=127.0.0.1:56928 (IP=0.0.0.0:389)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 60 07 02 0....`..
ldap_read: want=6, got=6
0000: 01 03 04 00 80 00 ......
ber_get_next: tag 0x30 len 12 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: epoll: listen=7 active_threads=0 tvp=NULL
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
conn=0 op=0 BIND dn="" method=128
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 11
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
conn=0 op=0 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 35 02 01 02 63 30 04 05...c0.
ldap_read: want=47, got=47
0000: 00 0a 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 ................
0010: 87 0b 6f 62 6a 65 63 74 43 6c 61 73 73 30 10 04 ..objectClass0..
0020: 0e 6e 61 6d 69 6e 67 43 6f 6e 74 65 78 74 73 .namingContexts
ber_get_next: tag 0x30 len 53 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: epoll: listen=7 active_threads=0 tvp=NULL
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
SRCH "" 0 0 0 0 0
ber_scanf fmt (m) ber:
filter: (objectClass=*)
ber_scanf fmt ({M}}) ber:
attrs: namingContexts
conn=0 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=0 op=1 SRCH attr=namingContexts
=> access_allowed: search access to "" "objectClass" requested
=> dn: [1]
=> acl_get: [1] matched
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> send_search_entry: conn 0 dn=""
=> access_allowed: read access to "" "entry" requested
=> dn: [1]
=> acl_get: [1] matched
=> acl_get: [1] attr entry
=> acl_mask: access to entry "", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [1]
=> acl_get: [1] matched
=> acl_get: [1] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
ber_flush: 49 bytes to sd 11
0000: 30 2f 02 01 02 64 2a 04 00 30 26 30 24 04 0e 6e 0/...d*..0&0$..n
0010: 61 6d 69 6e 67 43 6f 6e 74 65 78 74 73 31 12 04 amingContexts1..
0020: 10 64 63 3d 69 6e 74 6f 74 6f 2c 64 63 3d 63 6f .dc=intoto,dc=co
0030: 6d m
ldap_write: want=49, written=49
0000: 30 2f 02 01 02 64 2a 04 00 30 26 30 24 04 0e 6e 0/...d*..0&0$..n
0010: 61 6d 69 6e 67 43 6f 6e 74 65 78 74 73 31 12 04 amingContexts1..
0020: 10 64 63 3d 69 6e 74 6f 74 6f 2c 64 63 3d 63 6f .dc=intoto,dc=co
0030: 6d m
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 11
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
ber_get_next
ldap_read: want=8, got=8
0000: 30 50 02 01 03 63 4b 04 0P...cK.
ldap_read: want=74, got=74
0000: 10 64 63 3d 69 6e 74 6f 74 6f 2c 64 63 3d 63 6f .dc=intoto,dc=co
0010: 6d 0a 01 02 0a 01 00 02 01 00 02 01 00 01 01 00 m...............
0020: a3 22 04 03 75 69 64 04 1b 63 6e 3d 4d 61 6e 61 ."..uid..cn=Mana
0030: 67 65 72 2c 64 63 3d 69 6e 74 6f 74 6f 2c 64 63 ger,dc=intoto,dc
0040: 3d 63 6f 6d 30 04 04 02 64 6e =com0...dn
ber_get_next: tag 0x30 len 80 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: epoll: listen=7 active_threads=0 tvp=NULL
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=intoto,dc=com>
=> ldap_bv2dn(dc=intoto,dc=com,0)
<= ldap_bv2dn(dc=intoto,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=intoto,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=intoto,dc=com)=0
<<< dnPrettyNormal: <dc=intoto,dc=com>, <dc=intoto,dc=com>
SRCH "dc=intoto,dc=com" 2 0 0 0 0
ber_scanf fmt ({mm}) ber:
filter: (uid=cn=manager,dc=intoto,dc=com)
ber_scanf fmt ({M}}) ber:
attrs: dn
conn=0 op=2 SRCH base="dc=intoto,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=intoto,dc=com)"
conn=0 op=2 SRCH attr=dn
==> limits_get: conn=0 op=2 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("dc=intoto,dc=com")
=> bdb_dn2id("dc=intoto,dc=com")
<= bdb_dn2id: got id=0x1
entry_decode: "dc=intoto,dc=com"
<= entry_decode(dc=intoto,dc=com)
search_candidates: base="dc=intoto,dc=com" (0x00000001) scope=2
=> bdb_dn2idl("dc=intoto,dc=com")
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [40ee0fca]
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
bdb_search_candidates: id=0 first=1 last=0
bdb_search: no candidates
send_ldap_result: conn=0 op=2 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=3 tag=101 err=0
ber_flush: 14 bytes to sd 11
0000: 30 0c 02 01 03 65 07 0a 01 00 04 00 04 00 0....e........
ldap_write: want=14, written=14
0000: 30 0c 02 01 03 65 07 0a 01 00 04 00 04 00 0....e........
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
connection_get(11)
connection_get(11): got connid=0
connection_read(11): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 04 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=11 for close
connection_close: deferring conn=0 sd=11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
do_unbind
conn=0 op=3 UNBIND
connection_resched: attempting closing conn=0 sd=11
connection_close: conn=0 sd=11
daemon: removing 11
conn=0 fd=11 closed


I am unable to figure out why the login is failing. Kindly provide your suggestions for the problem.
Thanks.

navin
 
Old 03-23-2010, 03:57 AM   #3
g.navink
No database entries have been added to the LDAP database. I wanted to log in as admin using phpldapadmin for adding entries.

phpadmin login details:
login: cn=Manager,dc=intoto,dc=com
password: secret

Not using a hashed password; using a simple ASCII password as mentioned in slapd.conf.
 
Old 03-23-2010, 05:12 AM   #4
g.navink
solved the login problem

Hi,
Thanks. I am now able to log in to the LDAP server as admin (i.e. <rootdn>) with its password using phpldapadmin.

The setting for the attr attribute in the file config.php in the folder /etc/phpldapadmin has to be changed as below:
$ldapservers->SetValue($i,'login','dn','cn=Manager,dc=intoto,dc=com');
$ldapservers->SetValue($i,'login','attr','uid');

After this change I was able to log in with cn=Manager,dc=intoto,dc=com
and its password.

It seems it's a setting for phpldapadmin rather than the LDAP server (slapd).

thanks.
have a nice day,
navin
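
Added example (not part of the original posts, and not phpldapadmin or OpenLDAP code): a small Python check over slapd's conn=/op= statistics lines that flags the pattern visible in the logs above, where the only bind on the connection is anonymous and a search whose filter value is a full DN returns nentries=0. The conn=0 lines are copied from the thread's log; the conn=1 lines and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# conn=0: stats lines copied from the slapd debug log in this thread.
# conn=1: constructed lines showing a direct bind as the rootdn, for contrast.
SAMPLE_LOG = '''\
conn=0 fd=11 ACCEPT from IP=127.0.0.1:56928 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=128
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
conn=0 op=1 SRCH attr=namingContexts
conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=0 op=2 SRCH base="dc=intoto,dc=com" scope=2 deref=0 filter="(uid=cn=manager,dc=intoto,dc=com)"
conn=0 op=2 SRCH attr=dn
conn=0 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=0 op=3 UNBIND
conn=1 op=0 BIND dn="cn=Manager,dc=intoto,dc=com" method=128
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 UNBIND
'''

BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" scope=\d+ '
                  r'deref=\d+ filter="\((\w+)=(.*)\)"')
DONE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')
# A filter value shaped like "cn=manager,dc=intoto,dc=com" is a DN, not a uid.
DN_LIKE = re.compile(r'\w+=[^,]+(,\w+=[^,]+)+')


def diagnose(log_text):
    """Return {conn_id: [findings]} for login lookups that could not succeed."""
    binds = defaultdict(list)   # conn -> DNs presented in BIND requests
    searches = {}               # (conn, op) -> (attr, value) of a simple filter
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if m := BIND.search(line):
            binds[m[1]].append(m[2])
        elif m := SRCH.search(line):
            searches[(m[1], m[2])] = (m[3], m[4])
        elif m := DONE.search(line):
            attr, value = searches.get((m[1], m[2]), (None, None))
            if attr and m[3] == "0" and DN_LIKE.fullmatch(value):
                findings[m[1]].append(
                    f"op={m[2]}: search ({attr}=<DN>) returned nentries=0")
    for conn, dns in binds.items():
        # Every bind DN empty means the client only ever bound anonymously.
        if findings[conn] and not any(dns):
            findings[conn].append("only anonymous bind seen; "
                                  "no bind as the login DN was attempted")
    return {c: f for c, f in findings.items() if f}


if __name__ == "__main__":
    for conn, notes in diagnose(SAMPLE_LOG).items():
        print(f"conn={conn}:", *notes, sep="\n  ")
```
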
 
  

