Forum OpenACS Q&A: Help with auth-ldap ("no configured pools")

I've built nsldap 0.8 with aolserver 4.0.2 and am trying to connect to one of our Netware boxes running their nldap daemon. At server start up, I'm seeing the following:

[21/Jul/2004:13:15:59][1111.3073901216][-main-] Notice: modload: loading '/usr/local/aolserver/bin/nsldap.so'
[21/Jul/2004:13:15:59][1111.3073901216][-main-] Debug: nsldap: no configured pools

Not very informative. I started digging through nsldap.c to see where things were going wrong but haven't been able to follow up on that. My *guess* is that the ldap module isn't able to connect to the server as the user i'm specifying in config.tcl (I've got all the options from the nsldap README in my config.tcl). I've tried different combinations for the username, including leaving it blank for anonymous bind with no luck.

Has anyone dealt with the "no configured pools" message?

Thanks, Rocael. That's what I have - I copy and pasted right from the README so I've got all of those options set (with my own LDAP server's info, of course). Is there any way to get more debugging info from the LDAP module or is there another way to troubleshoot the connection?

Thanks for the push, Rocael. As I was pasting in the lines from my config file, I noticed a strange variable, ${serverNAME}, at the bottom which I hadn't noticed before ;)

Now that I've fixed that, I'm able to list all users in LDAP via nscp with something like:

ns_ldap search $ldaph -scope subtree -names true "o=myorg" "(uid=*)"

So, things are working, it would appear, at this level. However, it's unclear how one goes about enabling LDAP for login. I've created a new authority with LDAP selected for authentication, password management, account registration and on-demand sync. It's enabled but I can't see any change in the  login pages. Are there other parameters that need to be changed? Also, I'm unclear on how LDAP is supposed to work with LDAP names (versus email address). Do users log in using their CNs?

Thanks.

Thanks, Rocael (Just getting back to this)

That's the param I was looking for. So I've got UseEmailForLoginP set to 0, my LDAP authority set up and the following options set for the authority:

Authentication - LDAP
Password management - LDAP
Account registration - Local
User Info - LDAP

In the "configure drivers" section of my LDAP authority, I've got:

UsernameAttribute - uid (tried just about everything though)
BaseDN - 'o=myorg'
InfoAttributeMap - 'first_names=givenName;last_name=sn;email=mail'
PasswordHash - SHA (tried MD5 as well)

No matter what, I get an "invalid username/password" error when I try to log in using the LDAP authority. I'm positive both the username and password are correct.

In the log, I'm seeing this, so I'm assuming AOLServer's talking to the LDAP server OK (I was also able to create a little test page that could pull user names from the directory):

[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: getting a handle for thread -1241969744
[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: connecting handle from pool ldap
[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: entering handle nsldap0 to activeHandles
[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: releasehandle nsldap0
[09/Aug/2004:16:41:36][8733.3052997552][-conn:upgrade-test::3] Debug: nsldap: returning handle to pool ldap for thread -1241969744

Any suggestions as to where to look at this point?

Thanks.