samba4 alpha5 with openldap

Oliver Liebel o.liebel at itc.li
Wed Jul 23 13:00:10 GMT 2008


hi andrew,

i had just set up samba4 alpha5 with openldap 2.4.10, using the following 
configuration:

backend-provision:
setup/provision-backend --realm=ldap.local.site --domain=LDAP \
  --ldap-manager-pass=linux --ldap-backend-type=openldap \
  --server-role='domain controller'

then started slapd using another port, not ldapi:
/usr/lib/openldap/slapd -f /usr/local/samba/private/ldap/slapd.conf \
  -h "ldap://192.168.198.11:9000/" -d 1

the final provision runs ok, using these settings:
setup/provision --realm=ldap.local.site --domain=LDAP \
  --server-role='domain controller' \
  --ldap-backend="ldap://192.168.198.11:9000/" \
  --simple-bind-dn="CN=Manager,dc=ldap,dc=local,dc=site" --password=linux \
  --adminpass=linux --ldap-backend-type=openldap

when i start smbd (smbd -i -d 4) i get the following errors:
- from smbd:
-------------------------------------
Starting GENSEC mechanism sasl-DIGEST-MD5
added interface ip=192.168.198.11 nmask=255.255.255.0
gensec_sasl: DIGEST-MD5 client step 2
ldb: Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  
<SASL(-13): user not found: no secret in database> <>
ldb: Failed to connect to 'ldap://192.168.198.11:9000/'

(after that, all other actions are failing due to the failed bind)
-------------------------------------

-from slapd :
------------------------------------
SASL [conn=8] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to 
uid=LDAPMASTER$,cn=ldap.local.site,cn=DIGEST-MD5,cn=auth
 >>> dnNormalize: <uid=LDAPMASTER$,cn=ldap.local.site,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=ldapmaster$,cn=ldap.local.site,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name 
uid=ldapmaster$,cn=ldap.local.site,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] 
string='uid=ldapmaster$,cn=ldap.local.site,cn=digest-md5,cn=auth'
==> rewrite_rule_apply 
rule='uid=([^,]*),cn=ldap.local.site,cn=digest-md5,cn=auth' 
string='uid=ldapmaster$,cn=ldap.local.site,cn=digest-md5,cn=auth' [1 
pass(es)]
==> rewrite_context_apply [depth=1] 
res={0,'ldap:///DC=ldap,DC=local,DC=site??sub?(samAccountName=ldapmaster$)'}
slap_parseURI: parsing 
ldap:///DC=ldap,DC=local,DC=site??sub?(samAccountName=ldapmaster$)
ldap_url_parse_ext(ldap:///DC=ldap,DC=local,DC=site??sub?(samAccountName=ldapmaster$))
put_filter: "(samAccountName=ldapmaster$)"
put_filter: simple
put_simple_filter: "samAccountName=ldapmaster$"
ber_scanf fmt ({mm}) ber:
 >>> dnNormalize: <DC=ldap,DC=local,DC=site>
<<< dnNormalize: <dc=ldap,dc=local,dc=site>
slap_sasl2dn: performing internal search (base=dc=ldap,dc=local,dc=site, 
scope=2)
=> hdb_search
bdb_dn2entry("dc=ldap,dc=local,dc=site")
search_candidates: base="dc=ldap,dc=local,dc=site" (0x00000001) scope=2
=> hdb_dn2idl("dc=ldap,dc=local,dc=site")
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (sAMAccountName)
=> key_read
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=44, last=44
bdb_search_candidates: id=1 first=44 last=44
send_ldap_result: conn=8 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=ldapmaster,ou=domain 
controllers,dc=ldap,dc=local,dc=site
slap_sasl_getdn: dn:id converted to cn=ldapmaster,ou=domain 
controllers,dc=ldap,dc=local,dc=site
=> hdb_search
bdb_dn2entry("cn=ldapmaster,ou=domain controllers,dc=ldap,dc=local,dc=site")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=8 op=2 p=3
SASL [conn=8] Failure: no secret in database
---------------------------------

the sasl2dn conversion looks all right to me;
maybe this is the most interesting part:
--->  bdb_dn2entry("cn=ldapmaster,ou=domain controllers,dc=ldap,dc=local,dc=site") <---
---> slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined  <----

any ideas?

greetings,
oliver
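
Added example, not part of the original post and not Samba or OpenLDAP code: a small Python triage script that walks the slapd trace quoted above and reports which stage of the SASL DIGEST-MD5 bind the log shows failing. The function names are hypothetical; the sample lines are taken from the post, with the e-mail line wraps rejoined.

```python
import re

# Excerpt of the slapd "-d 1" trace from the post (e-mail line wraps rejoined).
SLAPD_TRACE = """\
SASL [conn=8] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=LDAPMASTER$,cn=ldap.local.site,cn=DIGEST-MD5,cn=auth
==> rewrite_context_apply [depth=1] res={0,'ldap:///DC=ldap,DC=local,DC=site??sub?(samAccountName=ldapmaster$)'}
<= bdb_index_read 1 candidates
<==slap_sasl2dn: Converted SASL name to cn=ldapmaster,ou=domain controllers,dc=ldap,dc=local,dc=site
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
SASL [conn=8] Failure: no secret in database
"""

# One pattern per stage of the bind as it appears in the trace.
PATTERNS = {
    "sasl_name": re.compile(r"slap_sasl_getdn: u:id converted to (\S+)"),
    "search_url": re.compile(r"res=\{0,'(ldap:///[^']*)'\}"),
    "mapped_dn": re.compile(r"slap_sasl2dn: Converted SASL name to (.+)$"),
    "undefined_attr": re.compile(
        r"slap_ap_lookup: str2ad\(([^)]+)\): attribute type undefined"),
    "failure": re.compile(r"SASL \[conn=(\d+)\] Failure: (.+)$"),
}


def summarize_sasl_bind(trace):
    """Collect the first occurrence of each stage marker in the trace."""
    found = {}
    for line in trace.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key not in found:
                # "failure" keeps (connection id, reason); others keep one value.
                found[key] = m.groups() if key == "failure" else m.group(1)
    return found


def failing_stage(found):
    """Name the first stage that the trace does not show succeeding."""
    if "sasl_name" not in found:
        return "no SASL identity seen"
    if "mapped_dn" not in found:
        return "SASL name was not mapped to a directory entry"
    if "failure" in found:
        return "secret lookup on mapped entry: " + found["failure"][1]
    return "no failure recorded"


if __name__ == "__main__":
    summary = summarize_sasl_bind(SLAPD_TRACE)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("failing stage:", failing_stage(summary))
```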





