3 Replies Latest reply on May 20, 2009 6:29 AM by 807573

    LDAP Authentication fails

    807573
      We use LDAP authentication for the proxy. The users who are allowed to use the proxy are members of an LDAP group.

      There are some users who cannot authenticate. In the LDAP access log file I can see that there was a lookup for the user, but it is not followed by the bind to check the password.



      Are there any special attributes or object classes necessary for LDAP authentication?



      Version: Proxy 4.0.9 on Solaris 10 x64
        • 1. Re: LDAP Authentication fails
          807817
          You should be able to see the proxy's LDAP filter and the attributes it tries to get in your directory server access log.
          I believe it searches for an inetorgperson objectclass entry with a filter like (&(|(objectclass=orgperson)(objectclass=person))(|(uid=...)(cn=...)(sn=....))), where ...
          is what has been typed in by the user, and then uses the DN returned by the directory to BIND.
          • 2. Re: LDAP Authentication fails
            807573
            In the access log you can see the successful search; the user was found.
            It is also a member of the group that the proxy has to look for:
            [17/Apr/2009:18:45:02 +0200] conn=819 op=230 msgId=231 - SRCH base="o=mydomain.de,dc=hl,dc=lan" scope=2 filter="(uid=zapf)" attrs="c"
            [17/Apr/2009:18:45:02 +0200] conn=819 op=230 msgId=231 - RESULT err=0 tag=101 nentries=1 etime=0
            [17/Apr/2009:18:45:02 +0200] conn=853 op=149 msgId=150 - SRCH base="o=mydomain.de,dc=hl,dc=lan" scope=2 filter="(uid=zapf)" attrs="c"
            [17/Apr/2009:18:45:02 +0200] conn=853 op=149 msgId=150 - RESULT err=0 tag=101 nentries=1 etime=0
            [17/Apr/2009:18:45:03 +0200] conn=854 op=149 msgId=150 - SRCH base="o=mydomain.de,dc=hl,dc=lan" scope=2 filter="(uid=zapf)" attrs="c"
            [17/Apr/2009:18:45:03 +0200] conn=854 op=149 msgId=150 - RESULT err=0 tag=101 nentries=1 etime=0
            [17/Apr/2009:18:45:03 +0200] conn=820 op=195 msgId=196 - SRCH base="o=mydomain.de,dc=hl,dc=lan" scope=2 filter="(uid=zapf)" attrs="c"
            [17/Apr/2009:18:45:03 +0200] conn=820 op=195 msgId=196 - RESULT err=0 tag=101 nentries=1 etime=0
            But the users get the login window again, and no BIND follows, so the proxy does not check the password.
            That's why I guess that the DIT entry has to have some more attributes?
            Why does the proxy look for attrs="c" in the search?
            • 3. Re: LDAP Authentication fails
              807573
              I have found my problem: some accounts have a slightly malformed DN:
              uid= name,ou=people,....
              Pay attention to the space character in front of the uid name. I removed the space and everything works. However, the proxy was the only one that had a problem with a leading space; not Solaris, not Samba, not Comms Suite.
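An added illustration of the two checks discussed in this thread (this is not code from any of the posters or from Proxy Server; it was written for this page). The first function walks directory-server access-log lines in the format quoted in reply 2 and reports users who were searched for and found but for whom no BIND with a matching uid RDN ever follows. The second inspects a DN string for attribute values that RFC 4514 requires to be escaped, a leading space being exactly the case found in reply 3; a leading space in a DN value is legal only when written as `\ ` or `\20`, which is why lenient clients that trim it and strict clients that do not disagree about the same entry. The log lines and DNs inside the block are constructed samples, not taken from the poster's server, and the regular expressions are a simplification of the log format, not a complete parser for it.

```python
import re

# Constructed sample in the Directory Server access-log style quoted in the thread
# (not a real capture). uid=alice: searched, found, then a BIND with her DN appears
# on another connection -> normal. uid=zapf: searched and found, but no BIND with
# her DN ever follows -> the symptom described in reply 2. uid=nobody: not found.
SAMPLE_LOG = """\
[17/Apr/2009:18:45:02 +0200] conn=1 op=1 msgId=2 - SRCH base="o=example" scope=2 filter="(uid=alice)" attrs="c"
[17/Apr/2009:18:45:02 +0200] conn=1 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[17/Apr/2009:18:45:02 +0200] conn=3 op=0 msgId=1 - BIND dn="uid=alice,ou=people,o=example" method=128 version=3
[17/Apr/2009:18:45:02 +0200] conn=3 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[17/Apr/2009:18:45:03 +0200] conn=2 op=1 msgId=2 - SRCH base="o=example" scope=2 filter="(uid=zapf)" attrs="c"
[17/Apr/2009:18:45:03 +0200] conn=2 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[17/Apr/2009:18:45:03 +0200] conn=2 op=2 msgId=3 - SRCH base="o=example" scope=2 filter="(uid=nobody)" attrs="c"
[17/Apr/2009:18:45:03 +0200] conn=2 op=2 msgId=3 - RESULT err=0 tag=101 nentries=0 etime=0
"""

# Simplified patterns for the three record kinds this check needs.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - (?P<rest>.*)$')
SRCH_RE = re.compile(r'^SRCH .*filter="\(uid=(?P<uid>[^)]+)\)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')


def parse_log(text):
    """Return a list of ((conn, op), kind, fields) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an operation record
        key = (int(m.group('conn')), int(m.group('op')))
        rest = m.group('rest')
        if (s := SRCH_RE.match(rest)):
            events.append((key, 'SRCH', {'uid': s.group('uid')}))
        elif (r := RESULT_RE.match(rest)):
            events.append((key, 'RESULT', {'err': int(r.group('err')), 'nentries': int(r.group('n'))}))
        elif (b := BIND_RE.match(rest)):
            events.append((key, 'BIND', {'dn': b.group('dn')}))
    return events


def split_dn(dn):
    """Split a string DN into (type, raw_value) pairs. Splits on commas that are not
    backslash-escaped; enough for the DNs in this thread, not a full RFC 4514 parser.
    The value is kept verbatim so that an unescaped leading space stays visible."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        typ, _, val = rdn.partition('=')
        pairs.append((typ.strip().lower(), val))
    return pairs


def _trim_unescaped(val):
    """Drop unescaped leading/trailing spaces; an escaped trailing '\\ ' is kept."""
    val = val.lstrip(' ')
    return re.sub(r'(?<!\\) +$', '', val)


def dn_value_problems(dn):
    """Flag RDN values RFC 4514 says must be escaped but are not: a leading space or
    '#', or a trailing space. Lenient clients trim these silently; strict ones do not,
    so the same entry authenticates in one place and fails in another."""
    problems = []
    for typ, val in split_dn(dn):
        if val.startswith(' '):
            problems.append((typ, 'unescaped leading space'))
        elif val.startswith('#'):
            problems.append((typ, 'unescaped leading #'))
        if val.endswith(' ') and not val.endswith('\\ '):
            problems.append((typ, 'unescaped trailing space'))
    return problems


def normalize_dn(dn):
    """Rebuild the DN without the stray whitespace (the fix applied in reply 3)."""
    return ','.join(f'{typ}={_trim_unescaped(val)}' for typ, val in split_dn(dn))


def searches_without_bind(events):
    """uids that were looked up and found (nentries >= 1) but for which no later BIND
    carries a DN whose uid RDN matches. Search and bind may be on different
    connections, so the whole remaining log is scanned rather than one conn."""
    missing = []
    for i, (key, kind, fields) in enumerate(events):
        if kind != 'SRCH':
            continue
        later = events[i + 1:]
        found = any(k == key and kd == 'RESULT' and f['nentries'] >= 1 for k, kd, f in later)
        if not found:
            continue
        uid = fields['uid']
        bound = any(kd == 'BIND' and ('uid', _trim_unescaped(v)) in
                    [(t, _trim_unescaped(v2)) for t, v2 in split_dn(f['dn'])] and v is v
                    for k, kd, f in later for v in [uid])
        if not bound:
            missing.append(uid)
    return missing


if __name__ == '__main__':
    print('found but never bound:', searches_without_bind(parse_log(SAMPLE_LOG)))
    bad = 'uid= zapf,ou=people,o=example'
    print(bad, '->', dn_value_problems(bad), '->', normalize_dn(bad))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; a user listed by `searches_without_bind` is one the proxy located but never tried to authenticate, which is the moment to run `dn_value_problems` on that entry's DN as it is stored in the directory.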