Lev Dudko wrote:
> Hello Rich,
> the OS is Fedora 9 (64) with all of the recent updates
> rpm -qa | grep fedora-ds
> fedora-ds-1.1.2-1.fc9.x86_64
> fedora-ds-dsgw-1.1.1-1.fc9.x86_64
> fedora-ds-admin-1.1.6-1.fc9.x86_64
> fedora-ds-admin-console-1.1.2-1.fc9.noarch
> fedora-ds-console-1.1.2-2.fc9.noarch
> fedora-ds-base-1.1.3-2.fc9.x86_64
>
> Parts of the log files for DSGW authorisation
>
> /var/log/dirsrv/admin-serv/access
>
> - [17/Nov/2008:23:43:45 +0300] "POST /dsgwcmd/dosearch HTTP/1.1" 200 4088
> - [17/Nov/2008:23:43:46 +0300] "GET /dsgwcmd/lang?context=dsgw&file=style.css HTTP/1.1" 302 231
> - [17/Nov/2008:23:43:55 +0300] "POST /dsgwcmd/doauth HTTP/1.1" 200 1402
>
> /var/log/dirsrv/admin-serv/error
>
> (here is the strange point: the marked port in this log is 443, but in
> reality it is 9830. I have stopped apache and closed port 443 entirely, but in
> the log file it is still 443; the address and IP here are the same computer,
> which is localhost for all of the operations)
>
> [Mon Nov 17 23:43:45 2008] [info] Connection to child 12 established (server www...:443, client 213.131....)
> [Mon Nov 17 23:43:45 2008] [info] Initial (No.1) HTTPS request received for child 12 (server www...:443)
> [Mon Nov 17 23:43:46 2008] [info] Connection to child 12 closed (server www-hep.sinp.msu.ru:443, client 213.131...)
> [Mon Nov 17 23:43:46 2008] [info] Connection to child 11 established (server www...:443, client 213.131....)
> [Mon Nov 17 23:43:46 2008] [info] Initial (No.1) HTTPS request received for child 11 (server www...:443)
> [Mon Nov 17 23:43:46 2008] [info] Connection to child 11 closed (server www-hep.sinp.msu.ru:443, client 213.131....)
>
Do you have some sort of proxy running?
netstat -an | grep 9830 and netstat -an | grep 443
>
> /var/log/dirsrv/slapd-hep/access
>
> [17/Nov/2008:23:43:45 +0300] conn=140 SSL 128-bit RC4
> [17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128 version=3
> [17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [17/Nov/2008:23:43:45 +0300] conn=140 op=1 SRCH base="dc=sinp, dc=msu, dc=ru" scope=2 filter="(&(objectClass=person)(|(cn=dudko)(sn=dudko)(uid=dudko)))" attrs="objectClass title"
> [17/Nov/2008:23:43:46 +0300] conn=140 op=1 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
> [17/Nov/2008:23:43:46 +0300] conn=140 op=1 RESULT err=0 tag=101 nentries=1 etime=1
> [17/Nov/2008:23:43:46 +0300] conn=140 op=2 UNBIND
> [17/Nov/2008:23:43:46 +0300] conn=140 op=2 fd=70 closed - U1
> [17/Nov/2008:23:43:55 +0300] conn=141 fd=70 slot=70 SSL connection from 127.0.0.1 to 127.0.0.1
> [17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
> [17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128 version=3
> [17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" method=128 version=3
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 SRCH base="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru" scope=0 filter="(|(objectclass=*)(objectclass=ldapsubentry))" attrs=ALL
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=1 etime=0
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru"
> [17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0
> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
> [17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
> [17/Nov/2008:23:45:16 +0300] conn=124 op=7 SRCH base="dc=sinp,dc=msu,dc=ru" scope=2 filter="(&(objectClass=posixAccount)(uid=dudko))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
> [17/Nov/2008:23:45:18 +0300] conn=124 op=7 ENTRY dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru"
> [17/Nov/2008:23:45:18 +0300] conn=124 op=7 RESULT err=0 tag=101 nentries=1 etime=2
>
What access log level are you using? I suggest using the default.

[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0

This usually means "incorrect password". You can verify yourself by using ldapsearch:

ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w yourpassword -s base -b ""

If you get err=49 here, this means your password is not correct.
> /var/log/dirsrv/slapd-hep/error
>
Agh - my eyes - I think you need to change the errorlog level back to 0 - I don't think the problem is ACI related - err=49 means incorrect password.
> Just in case, the list of the configuration directories:
> /etc/dirsrv/admin-serv/
> -rw-r--r-- 1 root root 3984 19:02 admserv.conf
> -rw------- 1 nobody root 16384 23:22 secmod.db
> -r-------- 1 nobody nobody 50 23:27 password.conf
> -r-------- 1 nobody nobody 4581 23:27 nss.conf
> -rw-r--r-- 1 root root 27061 03:39 httpd.conf
> -rw------- 1 root root 394016 04:52 console.conf
> -rw------- 1 nobody root 40 04:56 admpw
> -rw------- 1 nobody root 532 05:32 adm.conf
> -rw------- 1 nobody root 16384 23:39 key3.db
> -rw------- 1 nobody root 65536 23:39 cert8.db
> -rw------- 1 nobody root 10259 00:04 local.conf
>
> /etc/dirsrv/dsgw/
> -r-------- 1 nobody root 7939 Nov 16 22:16 pb.conf
> -r-------- 1 nobody root 9734 Nov 16 22:16 orgchart.conf
> -r-------- 1 nobody root 8875 Nov 16 22:16 default.conf
> -rw------- 1 nobody root 8867 Nov 16 23:41 dsgw.conf
> -rw-r--r-- 1 root root 3192 Nov 16 23:42 dsgw-httpd.conf
>
> One more strange point which is not connected with the main problem. In
> the /etc/dirsrv/admin-serv/local.conf
> I use only the addresses access filter, not hosts. The last one is blank
> (looks like * does not work)
> configuration.nsAdminAccessAddresses: (127.0.0.1|.....)
> configuration.nsAdminAccessHosts:
>
> But on restart of the admin server the directive configuration.nsAdminAccessHosts: is removed from local.conf
> and the server does not start; this directive needs to be added manually to start the server. Looks like this is a bug.
>
It is a feature. You cannot edit local.conf directly. You have to update that information in LDAP. local.conf is a read-only cache of the LDAP information. See - http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
> Lev
>
>
> On ???, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
>
>> Lev Dudko wrote:
>>
>>> Dear Directory server experts,
>>> could you help me, please, to solve the problem with DSGW
>>> authorization.
>>> I have successfully set up FDS on Fedora 9 with
>>> setup-ds-admin.pl
>>> set up ssl with the help of the script from this page:
>>> http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
>>> and run setup-ds-dsgw
>>> Now, the directory server works, administration server works and
>>> I can configure everything in DS and Admin server with console
>>> fedora-idm-console -a https://localhost:9830
>>> ldap and ldaps ports are open and accept requests.
>>>
>>> I can point my browser to https://localhost:9830 and use DSGW to
>>> search successfully,
>>> but I can not do authorization; when I try to authorize as some user
>>> (normal user, Directory Manager or admin) I get the error:
>>> Authentication Failed
>>> Authentication failed because the password you supplied is incorrect.
>>> Please click the Retry button and try again. If you have forgotten the
>>> password for this entry, a directory administrator must reset the
>>> password for you.
>>>
>>> Of course, I am sure that the password is correct. There is not much
>>> useful information in the log files. The
>>> executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth does this authorization.
>>>
>>> I have read the available documentation rather carefully, but did not find the
>>> answer. Looks like one of the solutions is to use the binddnfile directive
>>> with a special text file, but it looks strange to me that it is
>>> impossible to use normal authorization in LDAP with DSGW.
>>>
>>> Have I missed something during the configuration or forgot to add some
>>> special ACL?
>>>
>>>
>> What platform?
>> Any information in your admin server logs at /var/log/dirsrv/admin-serv?
>>
>>> Lev
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
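
Added example, not part of the original thread and not code from the directory server project: a Python script that pairs each BIND in the slapd access log with its RESULT by conn/op, which is how the err=49 line discussed above ties back to the bind DN even though conn=Internal lines sit between the two. The function names and the result-code table are this example's own; the sample lines are copied from the access log quoted in the thread.

```python
import re

# RFC 4511 result codes that matter for a bind; others are shown by number.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 53: "unwillingToPerform"}
BIND_RESPONSE_TAG = 97  # BER tag 0x61 = LDAP BindResponse, logged as "tag=97"

# Lines copied from the slapd-hep access log quoted in the thread.
SAMPLE_LOG = '''
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:45 +0300] conn=140 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:46 +0300] conn=140 op=1 RESULT err=0 tag=101 nentries=1 etime=1
[17/Nov/2008:23:43:55 +0300] conn=141 SSL 128-bit RC4
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 BIND dn="" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=141 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 BIND dn="uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" method=128 version=3
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 MOD dn="uid=dudko,ou=people,dc=sinp,dc=msu,dc=ru"
[17/Nov/2008:23:43:55 +0300] conn=Internal op=-1 RESULT err=0 tag=48 nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[17/Nov/2008:23:43:55 +0300] conn=141 op=-1 fd=70 closed - B1
'''

# Only client BIND/RESULT lines match: numeric conn and op exclude
# conn=Internal, op=-1 closes and connection-setup lines.
OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                   r'(?P<verb>BIND|RESULT) (?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
FIELD_RE = re.compile(r'\b(err|tag)=(-?\d+)')


def bind_results(log_text):
    """Return one record per completed bind, in the order results were logged."""
    pending = {}   # (conn, op) -> bind record still waiting for its RESULT
    results = []
    for line in log_text.splitlines():
        m = OP_RE.match(line.strip())
        if not m:
            continue
        key = (m["conn"], m["op"])
        if m["verb"] == "BIND":
            dn = DN_RE.search(m["rest"])
            pending[key] = {"time": m["ts"], "conn": int(m["conn"]),
                            "op": int(m["op"]), "dn": dn["dn"] if dn else None}
            continue
        fields = {name: int(value) for name, value in FIELD_RE.findall(m["rest"])}
        # A RESULT counts only if it is a BindResponse for a bind we saw.
        if fields.get("tag") != BIND_RESPONSE_TAG or key not in pending:
            continue
        bind = pending.pop(key)
        bind["err"] = fields["err"]
        bind["meaning"] = RESULT_NAMES.get(fields["err"], "err=%d" % fields["err"])
        bind["anonymous"] = bind["dn"] == ""
        results.append(bind)
    return results


def failed_binds(log_text):
    """Binds whose result code was anything other than success."""
    return [b for b in bind_results(log_text) if b["err"] != 0]


if __name__ == "__main__":
    for b in failed_binds(SAMPLE_LOG):
        print("%(time)s conn=%(conn)d op=%(op)d dn=%(dn)r -> %(meaning)s" % b)
```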