[Fedora-directory-users] DSGW user authorization problem

Rich Megginson rmeggins at redhat.com
Mon Nov 17 23:04:06 UTC 2008 

Lev Dudko wrote:
>     Hello Rich,
> The answers are below. 
>
>   
>> Do you have some sort of proxy running?
>> netstat -an | grep 9830
>> and
>> netstat -an | grep 443
>>     
>>   
>>     
>
>     No, I have a direct link:
>  netstat -an | grep 9830
> tcp        0      0 0.0.0.0:9830                0.0.0.0:*
> LISTEN      
>
> netstat -an | grep 443
> unix  2      [ ACC ]     STREAM     LISTENING
> 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
> unix  3      [ ]         STREAM     CONNECTED     1724431 
> when the apache is down (to avoid possible interferences) 
>
> netstat -an | grep 443
> tcp        0      0 :::443                      :::*
> LISTEN      
> tcp        0      0 :::8443                     :::*
> LISTEN      
> unix  2      [ ACC ]     STREAM     LISTENING
> 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
> unix  3      [ ]         STREAM     CONNECTED     1724431 
> (apache is up)
>
>   
>> What access log level are you using?  I suggest using the default.
>>
>>     
>
> I will check, but I do not remember that I could change the level of
> access log, only the error log.
>   
The reason I said is that the access log does not usually log internal 
operations.
>   
>> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
>> nentries=0 etime=0
>>
>> This usually means "incorrect password".  You can verify yourself by 
>> using ldapsearch:
>> ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w 
>> yourpassword -s base -b ""
>>
>>     
> I use the same login and password for logging to the system, so I am
> sure that it is correct, but in any case the output of the command above
> is:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
>
>    By the way, the browser which I use to communicate with DSGW is
> firefox-3.0.4-1.fc9.x86_64
> and I did not have any problem with translation of my passwords to some
> site authorization systems.
>   
Do you have any 8-bit characters in any of your passwords?  I wonder if 
the gateway is corrupting them somehow.
>   
>> If you get err=49 here, this means your password is not correct. 
>> Agh - my eyes - I think you need to change the errorlog level back to 0 
>> - I don't think the problem is ACI related - err=49 means incorrect 
>> password.
>>     
>
>    Sorry, I tried to provide all of the information which I have.
>
>
>   
>> It is a feature.  You cannot edit local.conf directly.  You have to 
>> update that information in LDAP.  local.conf is a read-only cache of the 
>> LDAP information.  See - 
>> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
>>     
>
>
>    Thank you for the explanation, first of all I did it from console,
> but with the same result (need to put something in this field to keep
> it). In any way I will check again that HOWTO.
>          Lev
>
>
>   
>>> On Пнд, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
>>>   
>>>       
>>>> Lev Dudko wrote:
>>>>     
>>>>         
>>>>>       Dear Directory server experts,
>>>>>  could you help me, please, to solve the problem with DSGW
>>>>> authorization.
>>>>> I have successfully setup FDS on Fedora 9 with 
>>>>> setup-ds-admin.pl
>>>>> setup ssl with the help of script from this page:
>>>>> http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
>>>>> and run setup-ds-dsgw
>>>>> Now, the directory server works, administration server works and
>>>>> I can configure everything in DS and Admin server with console
>>>>>  fedora-idm-console -a https://localhost:9830
>>>>> ldap and ldaps ports are open and accept requests.
>>>>>
>>>>>   I can point my browser to https://localhost:9830 and use DSGW to
>>>>> search successfully,
>>>>> but I can not do authorization, when I try to authorize as some user
>>>>> (normal user, Directory Manager or admin) I got the error:
>>>>>  Authentication Failed
>>>>> Authentication failed because the password you supplied is incorrect.
>>>>> Please click the Retry button and try again. If you have forgotten the
>>>>> password for this entry, a directory administrator must reset the
>>>>> password for you. 
>>>>>
>>>>> Of course, I am sure that the password is correct. There are no so much
>>>>> useful information in the log files. The
>>>>> executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
>>>>>
>>>>> I have read available documentation rather careful, but did not find the
>>>>> answer. Looks like one of the solution is to use binddnfile directive
>>>>> with special text file, but it looks strange for me that it is
>>>>> impossible to use normal authorization in LDAP with DSGW.
>>>>>
>>>>>     Have I missed something during the configuration or forgot to add some
>>>>> special ACL?
>>>>>   
>>>>>       
>>>>>           
>>>> What platform?
>>>> Any information in your admin server logs at /var/log/dirsrv/admin-serv?
>>>>     
>>>>         
>>>>>        Lev
>>>>>   
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> --
>>>>> Fedora-directory-users mailing list
>>>>> Fedora-directory-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>   
>>>>>       
>>>>>           
>
>   


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20081117/49e3a95b/attachment.bin>

More information about the Fedora-directory-users mailing list