IRC Logs Database



<satsonic> i have that on in slapd.conf so will check log directly, ok
<satsonic> _ranger_: hi
<duncanmv> thanks
<_ranger_> hi satsonic
<satsonic> Oct 26 06:11:45 mail1 slapd[22922]: SASL [conn=948] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
<satsonic> i did touch /etc/sasldb2, thrown error cannot open, no secret in db etc...
<satsonic> when tried to bind to ldap
<_ranger_> satsonic, are you intentionally using sasl?
<satsonic> _ranger_: i dont want it
<satsonic> _ranger_: my problem is different, in php code i have something like, $r=ldap_bind($ds,"cn=postmaster,jvd=$jvd,o=hosting,dc=myhosting,dc=example","12345"); where $ds=localhost and $jvd=domain list
<satsonic> so just want to check whether i can run the same command format above in the command line. if it works in the command line then the above should work in php code, but in the command line also it's not working, but ldap is running fine
<_ranger_> satsonic, ldap_bind in php-ldap doesn't do sasl AFAIK
<_ranger_> satsonic, so, use -x flag to ldap* command-line tools
<satsonic> _ranger_: ok you mean ldap_bind in php doesnt work right?
<satsonic> _ranger_: strange thing is it was working from 1 year till now, some went wrong suddenly
<_ranger_> satsonic, no
<satsonic> _ranger_: ldapsearch -h localhost -x -b "o=hosting,dc=myhosting,dc=example", this works for me
<_ranger_> satsonic, if you have openldap2.2 or later, test the dn you use from php with ldapwhoami
<satsonic> i have ldap 2.1.30
<satsonic> ldapwhoami -x -D "cn=Manager,dc=myhosting,dc=example" -W
<satsonic> above returned dn:cn=Manager,dc=myhosting,dc=example
<satsonic> _ranger_: 6
<satsonic> oopps...
<satsonic> _ranger_: ^
<_ranger_> satsonic, so it works with that dn
<satsonic> yes
<satsonic> Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /usr/local/apache2/htdocs/mail/src/register/register_complete.php on line 30
<satsonic> i get above error even though from php code
<Gagatan> satsonic: invalid credentials can mean wrong combination of user(dn) and password, or that you don't have permission to do a certain task (i.e. protected by some ACL)
<satsonic> Gagatan: ok
<satsonic> Gagatan: how do i find correct one?
<satsonic> any format for user name?
<rob^^^> heya all. bdb_equality_candidates <-- anyone seen that before filling up your log?
<rob^^^> seems to happen over and over with memberUid and apple-* entries
<Gagatan> rob^^^: yes.. it means slapd is giving you a free tip.. it suggests you put an equality index on those attributes... e.g. "index uidNumber eq"
<Gagatan> rob^^^: indexes will speed up search/query
<REdOG> for sudoers in ldap is the default cn=default or cn=defaults ?
<rob^^^> I'm beginning to wonder why memberUid wasn't indexed in the default schema
<rob^^^> slapd's 10.3 default directory config btw
<rob^^^> err OS X 10.3's default slap config rather
<Gagatan> rob^^^: you shouldn't index attributes if you don't use them :P its up to you which indexes to use
<rob^^^> ok nevermind
<rob^^^> I checked my timestamps...Jan 20th
<REdOG> anyone know why ldap_start_tls_s() would fail for one user but not for another?
<REdOG> both use the same settings
<REdOG> just one is an /etc/passwd user and the other is in ldap...
<asyd> check permission in cacert / clientcert
<REdOG> both crt's are world readable
<REdOG> well starttls works for both users when they use ldapsearch... its just that sudo fails for the users who aren't local
<strerror_work> anyone know offhand if syncrepl works in 2.2.x?
<REdOG> if I swap nsswitch.conf passwd, group, and shadow from files ldap to ldap files then it happens for both users
<_ranger_> strerror_work, client side yes, servers side there are some issues
<_ranger_> which can only be solved by 2.3
<_ranger_> REdOG, TLS_CACERT specified in OL's ldap.conf?
<REdOG> _ranger_: yes
<REdOG> actually just the shadow line changed into ldap files breaks it for both users
<_ranger_> REdOG, hmm, I'm not forcing TLS for sudo rules ..
<_ranger_> and I can't really test it myself today
<strerror_work> _ranger_: thanks for the info
<Antel_afc> Hiya, anyone in here that is using OpenLDAP for user authentication through Apache 2.0 with modules mod_ldap and mod_auth_ldap? :)
<strerror_work> Antel_afc: yeah
<Antel_afc> And you have gotten it to work?
<Antel_afc> Which type of certificate do you use for OpenLDAP and mod_ldap?
<Antel_afc> Never mind... i think ill be switching to 2.1 anyway.
<SteveB0> Hello everybody!
<SteveB0> Got a little newbie question regarding OpenLDAP. I created a directory with an OU "users" and an OU "groups". One group is called "Administratoren".
<SteveB0> The ACLs are defined as follows:
<SteveB0> access to *
<SteveB0> by group.exact="cn=Administratoren,ou=groups, dc=mydomain,dc=de" write
<SteveB0> by * read
<SteveB0> With a user which is a member of the "Administratoren" group, I can add and modify attributes, but cannot create entries (e.g. new users). Any idea what could be wrong?
<SimonRaven> you need attrs=children,entry or such
<_ranger_> actually, access to * by dn write should do it I think
<_ranger_> the thing is the userPassword attribute needs the by admingroup write clause
<_ranger_> I think
<_ranger_> of course, logs at 384 would tell you exactly
<SimonRaven> yeh, that's true. looks like it could stop on the first acl
<matt_> hey, i have openldap with mysql backend running (finally) :) er.. all seems ok but all the passwords that i have are MD5 hashed and when i request a password value it's automatically hashed
<matt_> was wondering if i could make the userPassword: value act like givenName:
<matt_> so i can put the MD5 value in userPassword and that will be returned
<REdOG> anyone here running with sudoers in ldap and uses tls?
<kickrocks> id: cannot find name for user ID 200
<kickrocks> [I have no name!@testbox
<kickrocks> what in /etc/ldap.conf would cause this
<kickrocks> i can authenticate the user
<kickrocks> getent passwd and group output the information
<kickrocks> oid is garbage.
<_ranger_> kickrocks, session section of pam config I think ...
<_ranger_> or, is it account ...
<_ranger_> hmm
<_ranger_> kickrocks, maybe you should post your pam config file on pastebin.com or similar
<kickrocks> i think it is the stupid way oracle oid works
<kickrocks> openldap is so much nicer
<REdOG> does pam cache creds?
<REdOG> I cannot figure out what is going on... I erased both users completely from /etc/passwd & /home ; ssh in and the homes are created; sudoers is identical; one gets the starttls error the other doesn't
<REdOG> tls is working with ldapsearch, from other hosts, from webscripts talking to openldap but sudo isn't ...
<REdOG> ah ha... shadow
<REdOG> wtf though why would there need to be a local shadow entry to start_tls?
<_ranger_> REdOG, there shouldn't be ...
<_ranger_> REdOG, is sudo's pam config ok?
<_ranger_> ie, /etc/pam.d/sudo
<REdOG> looks ok
<REdOG> auth account password session_include all have include system-auth next to them
<REdOG> nothing seems consistent... I change 1 thing then see 2 different behaviors if I just wait long enough
<REdOG> now all sudo attempts get tls error
<REdOG> ok its definitely shadow
<REdOG> if shadow entry has :x: it fails
<REdOG> if its a hash it doesn't
<_ranger_> REdOG, but, it works fine without TLS?
<REdOG> yea
<REdOG> works fine with tls too it just spews the error
<REdOG> works just not as I desire
<REdOG> heh
<New0rder> WTF, does Redhat look at the hosts entries for DNS in LDAP *** backwards like the automount stuff too?
<Gagatan> New0rder: if its configured in nsswitch.conf, yes
<New0rder> that's what jacked up my Redhat VMware box. I moved DNS stuff for the NFS server within LDAP and automount fails, hell booting failed.
<New0rder> so, the setup I have for host based loops via LDAP will not work for redhat, but Sun?
<New0rder> but will for Solaris
<kickrocks> id: nss_ldap: could not search LDAP server - DSA is unwilling to perform
<kickrocks> any ideas ?
<freebox> Hello! Somebody knows a commercial product like a "Microsoft PDC Killer"?


Return to #ldap
Copyright © 2005 www.irclogs.ws. All rights reserved.