Forum OpenACS Q&A: Re: External Authentication - LDAP question

Collapse
4: Re: External Authentication - LDAP question (response to 3)
Posted by Chris Grant on 10/12/04 10:08 AM
Hi all,
i am having trouble getting auth-ldap working for oacs. i have installed OpenLDAP and run it on the host "ldap://127.0.0.1:389", and have configured everything for nsldap in the config.tcl file. i changed the login to username, but when i try to authenticate with ldap (created an authority called OpenLDAP) it says:
"could not allocate 1 handle from pool ldap". when i did tail -f error.log, it says:
"Error: nsldap: could not open connection to server ldap://127.0.0.1:389 on port 389: connection refused"

does anyone know how to fix this?
thanks,
Chris

Collapse
5: Re: External Authentication - LDAP question (response to 4)
Posted by Rocael Hernández Rizzardini on 10/12/04 05:41 PM
can you do ldapsearch from the same box that aolserver is running on?
Collapse
6: Re: External Authentication - LDAP question (response to 5)
Posted by Chris Grant on 10/13/04 02:00 AM
yes, which is why i don't understand why it doesn't allow a connection... but i installed openldap with sasl support, but couldn't get it working, so i run ldapsearch with simple binding... would that be the problem?
Collapse
7: Re: External Authentication - LDAP question (response to 6)
Posted by Rocael Hernández Rizzardini on 10/13/04 02:21 AM
pls post your config of ldap here...
Collapse
8: Re: External Authentication - LDAP question (response to 6)
Posted by Chris Grant on 10/13/04 02:45 AM
Does ns_ldap require a cert for SSL when connecting?
Collapse
9: Re: External Authentication - LDAP question (response to 8)
Posted by Chris Grant on 10/13/04 03:31 AM
in the config.tcl file, i put:

ns_section "ns/server/${servername}/modules"
ns_param  nsldap          ${bindir}/nsldap.so

#
# ldap pool ldap
#

ns_section "ns/ldap/pool/ldap"
ns_param user "cn=admin,dc=example,dc=com"
ns_param password "secret"
ns_param host "ldap://localhost:389"
ns_param connections 1
ns_param verbose On

#
# ldap pools
#
ns_section "ns/ldap/pools"
ns_param ldap ldap

#
# ldap default pool
#
ns_section "ns/server/${server}/ldap"
ns_param Pools *
ns_param DefaultPool ldap

i ran slapd using:
./slapd -f /usr/local/slapd.conf -h "ldap://localhost:389" -d127

Collapse
10: Re: External Authentication - LDAP question (response to 9)
Posted by Chris Grant on 10/13/04 03:46 AM
the slapd file is:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include        /usr/local/etc/openldap/schema/core.schema
include        /usr/local/etc/openldap/schema/cosine.schema
include        /usr/local/etc/openldap/schema/inetorgperson.schema
include        /usr/local/etc/openldap/schema/misc.schema
include        /usr/local/etc/openldap/schema/nis.schema
include        /usr/local/etc/openldap/schema/openldap.schema
include        /usr/local/etc/openldap/schema/eduperson.schema
include        /usr/local/etc/openldap/schema/commURI.schema
include        /usr/local/etc/openldap/schema/groupAttr.schema
schemacheck    on

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

pidfile        /usr/local/var/run/slapd.pid
argsfile    /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database    ldbm
suffix        "dc=example,dc=com"
rootdn        "cn=admin,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw        secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory    /usr/local/var/openldap-data-example
# ldbm indexed attribute definitions
index    objectClass pres, eq

Collapse
11: Re: External Authentication - LDAP question (response to 9)
Posted by Rocael Hernández Rizzardini on 10/13/04 04:06 AM
No SSL required.

<blockquote> ns_param host "ldap://localhost:389"
</blockquote>

are you running on the same box?

try this:
ns_param host "localhost:389"

but not sure about ports, why you dont try the default port, and run it as:
ns_param host "localhost"

Collapse
12: Re: External Authentication - LDAP question (response to 11)
Posted by Chris Grant on 10/13/04 04:55 AM
when i tried ns_param host "localhost:389" i got the error:
Error: nsldap: could not bind to server localhost:389: Protocol error

trying just localhost gave the same error except it did not say the port, just "could not bind to server localhost: Protocol error"

yes, ldap is running on the same box as oacs...

Collapse
13: Re: External Authentication - LDAP question (response to 12)
Posted by Chris Grant on 10/13/04 05:26 AM
does it have anything to do with the password for the rootdn being a plain text password? i tried to put an empty password in, but came up with the same error...
would i need to encrypt the password?
Collapse
14: Re: External Authentication - LDAP question (response to 13)
Posted by Rocael Hernández Rizzardini on 10/13/04 06:20 AM
plain-text password is ok, why you dont try a standard port?, lets say, when you connect to your server using ldapsearch just use "localhost", try to configure ldap and let us know.
Collapse
15: Re: External Authentication - LDAP question (response to 13)
Posted by Malte Sussdorff on 10/13/04 06:22 AM
can you connect via telnet to the port? Try "telnet 127.0.0.1 389" to see what comes up. If you see the LDAP server then we have to look in AOLserver/OpenACS for the problem, otherwise it is something in your setup of LDAP.
Collapse
16: Re: External Authentication - LDAP question (response to 15)
Posted by Chris Grant on 10/13/04 06:38 AM
Rocael, i tried just using localhost when setting up the ldap server, but it gives me the error:
"could not bind to server localhost: Protocol error"

i also tried to telnet to localhost:389 and 127.0.0.1:389 (setting up the ldap server for each case, but each time, it says:
"Temporary failure in name resolution 127.0.0.1:389: Host name lookup failure"
i also tried telnet ldap://127.0.0.1:389 and telnet ldap://localhost:389 without success.
i guess it's the LDAP setup then?

Collapse
17: Re: External Authentication - LDAP question (response to 16)
Posted by Bruno Mattarollo on 10/13/04 07:05 AM

Hey Chris

Try telnet localhost 389 (note the whitespace between localhost and 389) instead of putting the :.

Collapse
18: Re: External Authentication - LDAP question (response to 17)
Posted by Chris Grant on 10/13/04 07:19 AM
thanks Bruno, it worked.
says: "Connected to localhost"

so i guess the problem is not ldap? does anyone have an idea?

Collapse
19: Re: External Authentication - LDAP question (response to 18)
Posted by Chris Grant on 10/13/04 07:54 AM
i changed the slapd.conf file (for openldap) so that it allows binding with LDAPv2. this seemed to do something, because now i get a strange error message:
"error: nsldap: could not open connection to server ldap://localhost" on port 389: Success"
i does anyone know what this means? it still says:
"could not allocate 1 handle from pool ldap" though...
Collapse
20: Re: External Authentication - LDAP question (response to 19)
Posted by Chris Grant on 10/13/04 02:17 PM
hi guys, thanks for all your help! i've managed to get it working now =)