Many DSGW authentication problems

On Sat, 2008-11-29 at 19:14 -0500, John A. Sullivan III wrote:
> I'm finding several weird issues with DSGW authentication which make it
> very difficult for our users to use.  Not to complain - great DS - but
> we're experiencing some problems.
> 
> We do not allow anonymous browsing of the tree.  Each client has a user
> who has rights to search only their portion of the tree for possible
> DSGW logins.  The ACI, placed on the root, is thus:
> 
> (target =
> "ldap:///ou=Users,($dn),o=Internal,dc=ssiservices,dc=biz")(targetattr =
> "uid || st || sn || ou || name || entrydn || dn || dc || objectClass ||
> cn || o || l || c || givenName") (version 3.0;acl "Client DSGW
> Lister";allow (search,read)(userdn =
> "ldap:///uid=*dsgwlister,[$dn],o=sysaccounts,dc=ssiservices,dc=biz";);)
> 
> We have an example test user named sue.sutter.  The full dn is
> uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz
> 
> The first step is to go to the authentication page where we read:
> "The first step in authenticating to the directory is identifying
> yourself."
> This is why we created a user with rights to browse for other users and
> defined it with a binddnfile entry.  That part is working fine.
> 
> If I enter sue.sutter, it does not find her directly but rather offers a
> list with a single hyperlinked choice.  That's the first problem (a
> problem for anyone with a "." in their uid).  The query has replaced the
> "." with a space:
> filter="(&(objectClass=person)(|(sn=sue sutter)(cn=sue sutter)))
> I tried surrounding it with quotes and escaping it with a back slash but
> the quote was interpreted literally and the back slash gave the same
> results as the period alone.
> 
> Is this a bug, a configuration error, or just the way it's supposed to
> be? If the latter, this is very user unfriendly.  A techie might
> understand escape characters or special encoding but not an everyday
> user.
> 
> It wouldn't be so bad if they could simply click on the hyperlink and be
> allowed to login.  However, the hyperlink does not work.  Mousing over
> gives:
> javascript:authSubmit('uid%3Dsue.sutter%2Cou%3DUsers%2Co%3Da0000-0006%
> 2Co%3DInternal%2Cdc%3Dssiservices%2Cdc%3Dbiz');%20onMouseOver=
> 
> but it goes nowhere.  A packet trace shows no packets coming from the
> browser to the DS.  What might we have configured incorrectly to cause
> this? We see the same thing in Konqueror as we see in Firefox3 all
> running on fully patched Ubuntu 8.0.4.
> 
> Hmmm . . . this is getting long.  I'll put the other problem into
> another email.  Thanks - John
I should mention I also tried this after giving full rights to all
attributes to all portions of the tree to the browsing user but had
exactly the same results.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
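
An added illustration of the filter issue described in this message (not DSGW's code and not from the poster): the sketch below escapes a typed login name per RFC 4515, where "." is not a special character, and lists the assertions in the filter quoted above. The function names and the choice to include uid in the lookup filter are assumptions.

```python
import re

# RFC 4515 requires these characters to be escaped as \XX inside a filter value.
# "." is not among them, so a uid such as sue.sutter is legal exactly as typed.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Filter string copied from the message, used here as sample input.
LOGGED_FILTER = "(&(objectClass=person)(|(sn=sue sutter)(cn=sue sutter)))"


def escape_filter_value(value: str) -> str:
    """Escape user input for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(typed: str) -> str:
    """Hypothetical lookup filter: match the typed name on uid, sn or cn."""
    v = escape_filter_value(typed.strip())
    return f"(&(objectClass=person)(|(uid={v})(sn={v})(cn={v})))"


def assertions(ldap_filter: str) -> list:
    """Return the (attribute, value) equality assertions in a filter string."""
    return re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", ldap_filter)


def matches_typed_name(ldap_filter: str, typed: str) -> bool:
    """True if some assertion carries the typed name unchanged."""
    wanted = escape_filter_value(typed)
    return any(value == wanted for _, value in assertions(ldap_filter))


if __name__ == "__main__":
    # The logged filter tests only sn and cn, with the "." turned into a space.
    print(assertions(LOGGED_FILTER))
    print(matches_typed_name(LOGGED_FILTER, "sue.sutter"))
    # A filter that keeps the name literal and also tests uid.
    print(build_lookup_filter("sue.sutter"))
```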