Thread: LDAP on LISTSERV 15.5




LDAP on LISTSERV 15.5
2008-02-18 07:55:10
I am trying to set up LDAP for login on LISTSERV 15.5

I am not sure on the LDAP_ Configuration Variables to use

the LDAP server I am trying the authenticate against is
Sun ONE Directory Server 5.2

I have set the following:
LDAP_SERVER_nickname=ldaps://ubldap.buffalo.edu
LDAP_UID_nickname=LDAPBINDUSER
LDAP_AUTH_nickname=XXXXXXXX
LDAP_PW_BASE_nickname=ou=people,dc=buffalo,dc=edu
LDAP_PW_FILTER_nickname='%u'
LDAP_DEFAULT_EMAIL_nickname=eduPersonPrincipalName
LDAP_DEFAULT_NAME_nickname=cn


and when I try to Login

 Email Address: mtest03buffalo.edu
 Password:      XXXXXXXXXX


the listserv.log shows

15 Feb 2008 15:38:27 From [ANONYMOUS]LISTSERV2.ACSU.BUFFALO.EDU: X-LOGIN mtest03buffalo.edu 128.205.14.18 PW=[redacted]
15 Feb 2008 15:38:27 To   [ANONYMOUS]LISTSERV2.ACSU.BUFFALO.EDU: ***NOPW***


any help?

-jim

Senior Unix Engineer
Computing & Information Technology
University at Buffalo


Re: LDAP on LISTSERV 15.5
2008-02-18 10:33:20
> I have set the following:
> LDAP_SERVER_nickname=ldaps://ubldap.buffalo.edu
> LDAP_UID_nickname=LDAPBINDUSER
> LDAP_AUTH_nickname=XXXXXXXX
> LDAP_PW_BASE_nickname=ou=people,dc=buffalo,dc=edu
> LDAP_PW_FILTER_nickname='%u'
> LDAP_DEFAULT_EMAIL_nickname=eduPersonPrincipalName
> LDAP_DEFAULT_NAME_nickname=cn

You will need:

LDAP_PW_SERVERS=nickname (same nickname you used above)

I also think your filter is wrong. I don't know the layout
of your particular directory, but based on your sample, it
ought to be something like:

LDAP_PW_FILTER_nickname=(eduPersonPrincipalName=%s)

The DEFAULT_EMAIL and DEFAULT_NAME variables are used when
pulling subscriber data out of the directory. For password
validation, LISTSERV uses the exact filter you specify.

  Eric


Re: LDAP on LISTSERV 15.5
2008-04-10 14:38:06
We've started looking at this as well, and haven't had any luck yet.
LISTSERV seems to find the ldap entry for (say) "foovcu.edu" successfully,
but then tries to bind as "foovcu.edu" rather than as
"uid=foo,ou=People,dc=vcu,dc=edu".

I'm currently trying this:

    LDAP_SERVER_EDIR        ldaps://edir.vcu.edu
    LDAP_UID_EDIR           uid=foo,ou=apps,dc=vcu,dc=edu
    LDAP_AUTH_EDIR          XXXXXXXXXXXXXXXXXXXXXXX
    LDAP_PW_BASE_EDIR       ou=People,dc=VCU,dc=edu
    LDAP_PW_FILTER_EDIR     uid=%u
    LDAP_DEFAULT_EMAIL_EDIR mail
    LDAP_DEFAULT_NAME_EDIR  sn

When I try to log in via the web interface after that, I'm getting
something like this in the LISTSERV log (where I've slightly obscured the
data):

    10 Apr 2008 14:44:21 From [ANONYMOUS][10.99.999.999]: X-LOGIN bazvcu.edu 128.172.193.33 PW=[redacted]
    10 Apr 2008 14:45:06 >>> Error X'01200113' looking up LDAP account <<<
    10 Apr 2008 14:45:06  -> Severity: Error
    10 Apr 2008 14:45:06  -> Facility: LDAP interface
    10 Apr 2008 14:45:06  -> Abstract: Unspecified error (34) - Refer to LDAP library documentation
    10 Apr 2008 14:45:06  -> LDAP err: Invalid DN syntax
    10 Apr 2008 14:45:06 To   [ANONYMOUS][10.99.999.999]: ***BADPW***

I don't have access to our LDAP logs, but if I point it at an openldap
server, it has something like this in the log around this time:

    Apr 10 14:24:55 europa slapd[17173]: daemon: conn=3375 fd=26 connection from IP=10.99.999.999 (IP=0.0.0.0:389) accepted.
    Apr 10 14:24:55 europa slapd[17173]: bind: invalid dn (bazVCU.EDU)


On Mon, Feb 18, 2008 at 05:33:20PM +0100, Eric Thomas (ERICLSOFT.COM) said:
> > I have set the following:
> > LDAP_SERVER_nickname=ldaps://ubldap.buffalo.edu
> > LDAP_UID_nickname=LDAPBINDUSER
> > LDAP_AUTH_nickname=XXXXXXXX
> > LDAP_PW_BASE_nickname=ou=people,dc=buffalo,dc=edu
> > LDAP_PW_FILTER_nickname='%u'
> > LDAP_DEFAULT_EMAIL_nickname=eduPersonPrincipalName
> > LDAP_DEFAULT_NAME_nickname=cn
> 
> You will need:
> 
> LDAP_PW_SERVERS=nickname (same nickname you used above)
> 
> I also think your filter is wrong. I don't know the layout of your
> particular directory, but based on your sample, it ought to be something
> like:
> 
> LDAP_PW_FILTER_nickname=(eduPersonPrincipalName=%s)
> 
> The DEFAULT_EMAIL and DEFAULT_NAME variables are used when pulling
> subscriber data out of the directory. For password validation, LISTSERV
> uses the exact filter you specify.
> 
>   Eric
> 

-- 
Jim Toth
jjtothvcu.edu


Re: LDAP on LISTSERV 15.5
2008-04-10 14:47:48
Oops, I forgot to mention; for:

>     LDAP_PW_FILTER_EDIR     uid=%u

we've also tried:

    LDAP_PW_FILTER_EDIR     mail=%s

and in fact that particular openldap error might have been when we were
trying that.

-- 
Jim Toth
jjtothvcu.edu



[Nothing below this point not in my earlier email]



Re: LDAP on LISTSERV 15.5
2008-04-10 15:49:22
On Thu, Apr 10, 2008 at 04:08:11PM -0400, Liam Kelly (liamlsoft.com) said:
> It sounds like you just need to change:
> 
> LDAP_PW_FILTER_EDIR     uid=%u
> 
> to
> 
> LDAP_PW_FILTER_EDIR     uid=%u,ou=People,dc=VCU,dc=edu
> 
> As I understand it, LDAP_PW_BASE specifies the base for the directory
> search, but LDAP_PW_FILTER supplies the literal bind credentials.

Doesn't seem to work; LISTSERV says bad password. Neither of the user's
loginTime or loginIntruderAttempts attributes seems to have been
affected[1].

Switching to the not-expected-to-work-but-we-have-logs openldap server,
I get this line:

conn=5066 op=0 SRCH base="dc=vcu,dc=edu" scope=2 filter="(uid=joeuser,ou=People,dc=VCU,dc=edu)"

Which does not get an entry back, and isn't going to work: the ou=People
etc stuff *shouldn't* be in there. As I understand it (or rather, had an
LDAP guru explain to me), it should be in the base but not the filter for
the search for the user, but should be there for when we log the user in.




[1] The loginTime of the application's dn as specified in LDAP_UID is
changing, though (which is as it was, and obviously a good thing).

> 
> -- 
> Liam Kelly
> Senior Consulting Analyst
> L-Soft international
> liamlsoft.com
> 
> ------------------
> Have a question?  Check out the LISTSERV, and F-Secure FAQs at
>       <http://www.lsoft.com/resources/faq.asp>
> 

-- 
Jim Toth                                        jjtothvcu.edu
"We used to quip that "password" is the most common password.
Now it's 'password1.' Who said users haven't learned anything
about security?" -- Bruce Schneier
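The search-then-bind flow that Eric's reply (the PW_FILTER is a search filter, substituted verbatim) and Jim's last post (the ou=People part belongs in the base, not the filter; the bind uses the DN the search returned) describe, as an added Python example that is not from the thread or from L-Soft. The directory is a constructed in-memory stand-in, the DNs and attribute names are assumptions modelled on the thread's layout, and the %s/%u meanings are taken from how the thread uses them; the login value is escaped per RFC 4515 before substitution, a check the thread itself does not discuss.

```python
import re

# Constructed in-memory stand-in for the directory (assumption: DNs and
# attribute names modelled on the thread's ou=People,dc=vcu,dc=edu layout).
DIRECTORY = {
    "uid=foo,ou=People,dc=vcu,dc=edu": {
        "uid": "foo", "mail": "foo@vcu.edu", "userPassword": "correct horse"},
    "uid=baz,ou=People,dc=vcu,dc=edu": {
        "uid": "baz", "mail": "baz@vcu.edu", "userPassword": "battery staple"},
}

def escape_filter_value(value):
    """RFC 4515 escaping: a login name cannot add wildcards or parentheses."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template, login):
    """Fill a LISTSERV-style template: %s is the whole login, %u the part
    before '@' (the meaning the thread attributes to them; an assumption)."""
    uid = login.split("@", 1)[0]
    return (template.replace("%s", escape_filter_value(login))
                    .replace("%u", escape_filter_value(uid)))

def search(base, flt):
    """Subtree search for a single equality filter such as (uid=foo).
    A DN pasted into the filter, as in the thread, matches nothing."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=([^()]*)\)?", flt)
    if not m:
        return []
    attr, want = m.group(1).lower(), unescape_filter_value(m.group(2)).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and any(k.lower() == attr and v.lower() == want for k, v in attrs.items())]

def bind(dn, password):
    """Simple bind: succeeds only for an existing DN with the right password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password

def authenticate(base, template, login, password):
    """Search-then-bind: None when the search finds no single entry,
    otherwise the result of binding as the DN the search returned."""
    hits = search(base, build_filter(template, login))
    if len(hits) != 1:
        return None
    return bind(hits[0], password)
```

With the thread's `uid=%u,ou=People,dc=VCU,dc=edu` template the search returns no entry and authenticate() refuses before any bind, which is the slapd SRCH result Jim saw.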

