Forum OpenACS Q&A: Re: External Authentication - LDAP question

Posted by Chris Grant on
Hi all,
I am having trouble getting auth-ldap working for OACS. I have installed OpenLDAP and run it on the host "ldap://127.0.0.1:389", and have configured everything for nsldap in the config.tcl file. I changed the login to username, but when I try to authenticate with LDAP (I created an authority called OpenLDAP) it says:
"could not allocate 1 handle from pool ldap". When I did tail -f error.log, it says:
"Error: nsldap: could not open connection to server ldap://127.0.0.1:389 on port 389: connection refused"

Does anyone know how to fix this?
Thanks,
Chris

Can you do ldapsearch from the same box that AOLserver is running on?
Posted by Chris Grant on
Yes, which is why I don't understand why it doesn't allow a connection... I installed OpenLDAP with SASL support, but couldn't get it working, so I run ldapsearch with simple binding. Would that be the problem?
Please post your LDAP config here...
Posted by Chris Grant on
Does ns_ldap require a cert for SSL when connecting?
Posted by Chris Grant on
In the config.tcl file, I put:

# NOTE: the modules section below uses ${servername} while the per-server
# ldap section further down uses ${server}; both must name the same
# defined variable or one of the two sections applies to no server.
ns_section "ns/server/${servername}/modules"
ns_param  nsldap          ${bindir}/nsldap.so

#
# ldap pool ldap
#

ns_section "ns/ldap/pool/ldap"
ns_param user "cn=admin,dc=example,dc=com"
ns_param password "secret"
ns_param host "ldap://localhost:389"
ns_param connections 1
ns_param verbose On

#
# ldap pools
#
ns_section "ns/ldap/pools"
ns_param ldap ldap

#
# ldap default pool
#
ns_section "ns/server/${server}/ldap"
ns_param Pools *
ns_param DefaultPool ldap

I ran slapd using:
./slapd -f /usr/local/slapd.conf -h "ldap://localhost:389" -d127

Posted by Chris Grant on
The slapd.conf file is:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include        /usr/local/etc/openldap/schema/core.schema
include        /usr/local/etc/openldap/schema/cosine.schema
include        /usr/local/etc/openldap/schema/inetorgperson.schema
include        /usr/local/etc/openldap/schema/misc.schema
include        /usr/local/etc/openldap/schema/nis.schema
include        /usr/local/etc/openldap/schema/openldap.schema
include        /usr/local/etc/openldap/schema/eduperson.schema
include        /usr/local/etc/openldap/schema/commURI.schema
include        /usr/local/etc/openldap/schema/groupAttr.schema
schemacheck    on

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

pidfile        /usr/local/var/run/slapd.pid
argsfile    /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database    ldbm
suffix        "dc=example,dc=com"
rootdn        "cn=admin,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw        secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory    /usr/local/var/openldap-data-example
# ldbm indexed attribute definitions
index    objectClass pres, eq

No SSL required.

> ns_param host "ldap://localhost:389"

Are you running on the same box?

Try this:
ns_param host "localhost:389"

But I'm not sure about ports; why don't you try the default port, and run it as:
ns_param host "localhost"

Posted by Chris Grant on
When I tried ns_param host "localhost:389" I got the error:
Error: nsldap: could not bind to server localhost:389: Protocol error

Trying just localhost gave the same error, except it did not say the port, just "could not bind to server localhost: Protocol error".

Yes, LDAP is running on the same box as OACS...

Posted by Chris Grant on
Does it have anything to do with the password for the rootdn being a plain-text password? I tried to put an empty password in, but came up with the same error...
Would I need to encrypt the password?
A plain-text password is OK. Why don't you try a standard port? Say, when you connect to your server using ldapsearch, just use "localhost"; try to configure LDAP that way and let us know.
Posted by Malte Sussdorff on
Can you connect via telnet to the port? Try "telnet 127.0.0.1 389" to see what comes up. If you see the LDAP server, then we have to look in AOLserver/OpenACS for the problem; otherwise it is something in your setup of LDAP.
Posted by Chris Grant on
Rocael, I tried just using localhost when setting up the LDAP server, but it gives me the error:
"could not bind to server localhost: Protocol error"

I also tried to telnet to localhost:389 and 127.0.0.1:389 (setting up the LDAP server for each case), but each time it says:
"Temporary failure in name resolution 127.0.0.1:389: Host name lookup failure"
I also tried telnet ldap://127.0.0.1:389 and telnet ldap://localhost:389 without success.
I guess it's the LDAP setup then?

Posted by Bruno Mattarollo on

Hey Chris

Try telnet localhost 389 (note the whitespace between localhost and 389) instead of putting the colon.

Posted by Chris Grant on
Thanks Bruno, it worked.
It says: "Connected to localhost"

So I guess the problem is not LDAP? Does anyone have an idea?

Posted by Chris Grant on
I changed the slapd.conf file (for OpenLDAP) so that it allows binding with LDAPv2. This seemed to do something, because now I get a strange error message:
"error: nsldap: could not open connection to server ldap://localhost" on port 389: Success"
Does anyone know what this means? It still says:
"could not allocate 1 handle from pool ldap" though...
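The "Protocol error" that nsldap reported earlier in the thread, and the fact that allowing LDAPv2 binds in slapd.conf changed the outcome, fit together: "Protocol error" is LDAP resultCode protocolError (2), which an OpenLDAP 2.1 or later slapd returns for an LDAPv2 BindRequest unless slapd.conf contains `allow bind_v2`, and a client built on libldap that never sets its protocol version to 3 sends exactly that. The block below is an added example, not code from this thread, OpenACS or nsldap. It hand-encodes a simple-bind request, parses the BindResponse, and includes a constructed stand-in for slapd's version check so it runs offline; `live_bind` sends the same bytes to a real server. The DN and password are the ones from the posted slapd.conf; the stand-in's diagnostic text and its result codes are my assumptions, not captured from a running slapd.

```python
"""
Minimal LDAP simple-bind client plus a stand-in for slapd's protocol-version
check.  Added illustration for this thread; not OpenACS, nsldap or OpenLDAP code.
"""
import socket

# LDAP resultCode values (RFC 4511)
SUCCESS, PROTOCOL_ERROR, INVALID_CREDENTIALS = 0, 2, 49

# BER tags used by BindRequest / BindResponse
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80   # [APPLICATION 0], [APPLICATION 1], [0]


def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_uint(tag, n):
    """Non-negative INTEGER/ENUMERATED; adds a leading 0x00 when the high bit is set."""
    return tlv(tag, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id, version, dn, password):
    """LDAPMessage { messageID, BindRequest { version, name, simple password } }."""
    op = (ber_uint(INTEGER, version)
          + tlv(OCTET_STRING, dn.encode())
          + tlv(SIMPLE_AUTH, password.encode()))
    return tlv(SEQUENCE, ber_uint(INTEGER, msg_id) + tlv(BIND_REQUEST, op))


def parse_bind_request(data):
    """Return (messageID, version, dn, password); password is None for non-simple auth."""
    tag, msg, _ = read_tlv(data)
    assert tag == SEQUENCE, "not an LDAPMessage"
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    assert tag == BIND_REQUEST, "not a BindRequest"
    _, ver, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    atag, cred, _ = read_tlv(op, pos)
    password = cred.decode() if atag == SIMPLE_AUTH else None   # SASL binds not handled here
    return int.from_bytes(mid, "big"), int.from_bytes(ver, "big"), dn.decode(), password


def build_bind_response(msg_id, result_code, diagnostic=""):
    op = (ber_uint(ENUMERATED, result_code)
          + tlv(OCTET_STRING, b"")                 # matchedDN
          + tlv(OCTET_STRING, diagnostic.encode()))
    return tlv(SEQUENCE, ber_uint(INTEGER, msg_id) + tlv(BIND_RESPONSE, op))


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage)."""
    _, msg, _ = read_tlv(data)
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    assert tag == BIND_RESPONSE, "not a BindResponse"
    _, code, pos = read_tlv(op)
    _, _matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def simulate_slapd(request, allow_bind_v2, rootdn, rootpw):
    """Constructed stand-in for slapd: reject LDAPv2 binds unless 'allow bind_v2' is set."""
    msg_id, version, dn, password = parse_bind_request(request)
    if version == 2 and not allow_bind_v2:
        # Assumed wording; the real server's diagnostic may differ.
        return build_bind_response(msg_id, PROTOCOL_ERROR, "LDAPv2 bind refused, use LDAPv3")
    if version not in (2, 3):
        return build_bind_response(msg_id, PROTOCOL_ERROR, "unsupported protocol version")
    if dn == rootdn and password == rootpw:
        return build_bind_response(msg_id, SUCCESS)
    return build_bind_response(msg_id, INVALID_CREDENTIALS)


def parse_host_param(value, default_port=389):
    """Turn 'ldap://localhost:389', 'localhost:389' or 'localhost' into (host, port)."""
    if "://" in value:
        value = value.split("://", 1)[1]
    host, _, port = value.partition(":")
    return host, int(port) if port else default_port


def live_bind(host_param, dn, password, version=3, timeout=5.0):
    """Bind against a real server; returns (resultCode, diagnosticMessage)."""
    host, port = parse_host_param(host_param)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, version, dn, password))
        _, code, diag = parse_bind_response(sock.recv(4096))
    return code, diag


if __name__ == "__main__":
    dn = "cn=admin,dc=example,dc=com"
    req_v2 = build_bind_request(1, 2, dn, "secret")
    for allow in (False, True):
        _, code, diag = parse_bind_response(simulate_slapd(req_v2, allow, dn, "secret"))
        print(f"LDAPv2 bind with allow bind_v2={allow}: resultCode={code} {diag!r}")
```

Running the script shows resultCode 2 for the LDAPv2 bind until `allow bind_v2` is on, and 0 afterwards, which is the transition the thread went through. Two caveats a practitioner would want: enabling bind_v2 is a downgrade, since LDAPv2 has no StartTLS or SASL, so the rootdn password from the posted slapd.conf crosses the socket in the clear, and the `security simple_bind=64` line shown commented out in that file would reject such a bind; the better fix is a client that binds as LDAPv3 (`live_bind` defaults to 3), with v2 re-enabled only on a loopback-only listener. Separately, the later "could not open connection ... on port 389: Success" message is what a C module prints when it reports strerror(errno) after a failure that never set errno, so the text after the colon carries no information there; the first error, by contrast, shows the whole URL being used as a hostname, which is what `parse_host_param` strips.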
Posted by Chris Grant on
Hi guys, thanks for all your help! I've managed to get it working now =)