Re: DSGW user authorization problem

[Rich Megginson <rmeggins@xxxxxxxxxx>]

Lev Dudko wrote:
>     Hello Rich,
> The answers are below. 
>
>   
> > Do you have some sort of proxy running?
> > netstat -an | grep 9830
> > and
> > netstat -an | grep 443
> >     
> >   
> >     
>
>     No, I have a direct link:
>  netstat -an | grep 9830
> tcp        0      0 0.0.0.0:9830                0.0.0.0:*
> LISTEN      
>
> netstat -an | grep 443
> unix  2      [ ACC ]     STREAM     LISTENING
> 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
> unix  3      [ ]         STREAM     CONNECTED     1724431 
> when the apache is down (to avoid possible interferences) 
>
> netstat -an | grep 443
> tcp        0      0 :::443                      :::*
> LISTEN      
> tcp        0      0 :::8443                     :::*
> LISTEN      
> unix  2      [ ACC ]     STREAM     LISTENING
> 4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
> unix  3      [ ]         STREAM     CONNECTED     1724431 
> (apache is up)
>
>   
> > What access log level are you using?  I suggest using the default.
> >
> >     
>
> I will check, but I do not remember that I could change the level of
> access log, only the error log.
>   
The reason I said is that the access log does not usually log internal 
operations.
>   
> > [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
> > nentries=0 etime=0
> >
> > This usually means "incorrect password".  You can verify yourself by 
> > using ldapsearch:
> > ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w 
> > yourpassword -s base -b ""
> >
> >     
> I use the same login and password for logging to the system, so I am
> sure that it is correct, but in any case the output of the command above
> is:
>
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
>
>    By the way, the browser which I use to communicate with DSGW is
> firefox-3.0.4-1.fc9.x86_64
> and I did not have any problem with translation of my passwords to some
> site authorization systems.
>   
Do you have any 8-bit characters in any of your passwords?  I wonder if 
the gateway is corrupting them somehow.
>   
> > If you get err=49 here, this means your password is not correct. 
> > Agh - my eyes - I think you need to change the errorlog level back to 0 
> > - I don't think the problem is ACI related - err=49 means incorrect 
> > password.
> >     
>
>    Sorry, I tried to provide all of the information which I have.
>
>
>   
> > It is a feature.  You cannot edit local.conf directly.  You have to 
> > update that information in LDAP.  local.conf is a read-only cache of the 
> > LDAP information.  See - 
> > http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt
> >     
>
>
>    Thank you for the explanation, first of all I did it from console,
> but with the same result (need to put something in this field to keep
> it). In any way I will check again that HOWTO.
>          Lev
>
>
>   
> > > On Пнд, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
> > >   
> > >       
> > > > Lev Dudko wrote:
> > > >     
> > > >         
> > > > >       Dear Directory server experts,
> > > > >  could you help me, please, to solve the problem with DSGW
> > > > > authorization.
> > > > > I have successfully setup FDS on Fedora 9 with 
> > > > > setup-ds-admin.pl
> > > > > setup ssl with the help of script from this page:
> > > > > http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
> > > > > and run setup-ds-dsgw
> > > > > Now, the directory server works, administration server works and
> > > > > I can configure everything in DS and Admin server with console
> > > > >  fedora-idm-console -a https://localhost:9830
> > > > > ldap and ldaps ports are open and accept requests.
> > > > >
> > > > >   I can point my browser to https://localhost:9830 and use DSGW to
> > > > > search successfully,
> > > > > but I can not do authorization, when I try to authorize as some user
> > > > > (normal user, Directory Manager or admin) I got the error:
> > > > >  Authentication Failed
> > > > > Authentication failed because the password you supplied is incorrect.
> > > > > Please click the Retry button and try again. If you have forgotten the
> > > > > password for this entry, a directory administrator must reset the
> > > > > password for you. 
> > > > >
> > > > > Of course, I am sure that the password is correct. There are no so much
> > > > > useful information in the log files. The
> > > > > executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
> > > > >
> > > > > I have read available documentation rather careful, but did not find the
> > > > > answer. Looks like one of the solution is to use binddnfile directive
> > > > > with special text file, but it looks strange for me that it is
> > > > > impossible to use normal authorization in LDAP with DSGW.
> > > > >
> > > > >     Have I missed something during the configuration or forgot to add some
> > > > > special ACL?
> > > > >   
> > > > >       
> > > > >           
> > > > What platform?
> > > > Any information in your admin server logs at /var/log/dirsrv/admin-serv?
> > > >     
> > > >         
> > > > >        Lev
> > > > >   
> > > > > ------------------------------------------------------------------------
> > > > >
> > > > > --
> > > > > Fedora-directory-users mailing list
> > > > > Fedora-directory-users@xxxxxxxxxx
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > >   
> > > > >       
> > > > >           
>
>

<<attachment: smime.p7s>>

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users