Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: larieu on September 14, 2010, 08:17:27 PM
-
I am trying to authenticate users from a wireless AP against LDAP on SME 8.
In the config menu of the wireless device I have an option to test the configuration.
If I put the "testuser" account there and hit the "test" button,
I receive back all the data sent by LDAP and everything seems OK,
but when I try to use these settings directly for authentication, I see one error on the server in /var/log/messages
and the authentication fails:
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
On the OpenLDAP site this is associated with a "not loaded module" or not compiled for password:
http://www.openldap.org/lists/openldap-software/200606/msg00021.html
I think I did something wrong and I am asking for a second opinion.
The full output in messages is as follows:
Sep 14 21:01:27 mail slapd[3665]: conn=17402 fd=18 ACCEPT from IP=192.168.71.254:43695 (IP=0.0.0.0:389)
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=0 BIND dn="" method=128
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=0 RESULT tag=97 err=0 text=
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=1 SRCH base="ou=Users,dc=domain,dc=org" scope=2 deref=0 filter="(uid=tesuser)"
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=2 BIND dn="uid=testuser,ou=Users,dc=domain,dc=org" method=128
Sep 14 21:01:27 mail slapd[3665]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=2 RESULT tag=97 err=49 text=
Sep 14 21:01:27 mail slapd[3665]: conn=17403 fd=20 ACCEPT from IP=192.168.71.254:43696 (IP=0.0.0.0:389)
Sep 14 21:01:27 mail slapd[3665]: conn=17403 op=0 BIND dn="" method=128
Sep 14 21:01:27 mail slapd[3665]: conn=17403 op=0 RESULT tag=97 err=0 text=
Sep 14 21:01:29 mail slapd[3665]: conn=17403 op=1 UNBIND
Sep 14 21:01:29 mail slapd[3665]: conn=17403 fd=20 closed
Sep 14 21:01:29 mail slapd[3665]: conn=17402 fd=18 closed (connection lost)
and the output of my test from the device is:
dn: uid=test,ou=Users,dc=domain,dc=org
ou: test
uid: test
street: Balarii 13 Sect 4
cn: test Domains
telephoneNumber: +40 21 xxxxxxx
objectClass: inetOrgPerson
l: City
sn: Domains
mail: test@domain.ro
givenName: test
o: domain
-
Looks like you're not using TLS or SSL for the LDAP connection. The LDAP ACL allows clear-text consultation of non-sensitive information (that's why the test displays some data), but in order to authenticate against LDAP from a host other than localhost, you need to enable SSL or TLS.
Regards, Daniel
-
That means I need to import the server certificate into the device, most probably,
and use port 636?
-
Depends on your device. Port 636 is usually for LDAP over SSL. But you can also use the standard port 389 with TLS. In any case, yes, you'll probably need to import your server certificate into the device.
Regards, Daniel
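A small log-triage script, added here as an example and not code from the thread or the SME Server project, that reads slapd lines like those in the first post, groups them by connection, and reports user binds answered with err=49 (invalidCredentials) on a connection that never established TLS, which is the situation Daniel describes. The sample input is the first post's log (abridged) plus a constructed conn=99 that negotiated TLS first, for contrast; the TLS check relies on slapd's standard "TLS established" connection log line.

```python
import re
from collections import defaultdict
# Constructed sample: slapd lines from the first post (conn=17402, abridged) plus a made-up conn=99 that ran TLS first.
SAMPLE_LOG = """\
Sep 14 21:01:27 mail slapd[3665]: conn=17402 fd=18 ACCEPT from IP=192.168.71.254:43695 (IP=0.0.0.0:389)
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=0 BIND dn="" method=128
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=0 RESULT tag=97 err=0 text=
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=2 BIND dn="uid=testuser,ou=Users,dc=domain,dc=org" method=128
Sep 14 21:01:27 mail slapd[3665]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Sep 14 21:01:27 mail slapd[3665]: conn=17402 op=2 RESULT tag=97 err=49 text=
Sep 14 21:05:00 mail slapd[3665]: conn=99 fd=21 ACCEPT from IP=192.168.71.254:43700 (IP=0.0.0.0:389)
Sep 14 21:05:00 mail slapd[3665]: conn=99 fd=21 TLS established tls_ssf=256 ssf=256
Sep 14 21:05:00 mail slapd[3665]: conn=99 op=1 BIND dn="uid=testuser,ou=Users,dc=domain,dc=org" method=128
Sep 14 21:05:00 mail slapd[3665]: conn=99 op=1 RESULT tag=97 err=49 text=
"""
LINE_RE = re.compile(r'slapd\[\d+\]: (?:conn=(\d+) )?(.*)$')

def parse_connections(log_text):
    """Group events by conn=; a slap_global_control line has no conn= and is attached to the connection logged just before it."""
    conns = defaultdict(lambda: {"listener": None, "tls": False, "events": []})
    last = None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or (m.group(1) is None and last is None):
            continue
        last = conn = m.group(1) or last
        rest = m.group(2)
        if " ACCEPT " in rest:                # the listener address appears as (IP=addr:port)
            lm = re.search(r'\(IP=([^)]+)\)', rest)
            conns[conn]["listener"] = lm.group(1) if lm else None
        if "TLS established" in rest:         # logged after STARTTLS or on an ldaps:// listener
            conns[conn]["tls"] = True
        conns[conn]["events"].append(rest)
    return conns

def cleartext_bind_failures(log_text):
    """Non-anonymous simple binds answered err=49 on a connection with no TLS layer, noting any preceding unrecognized control."""
    findings = []
    for conn, info in parse_connections(log_text).items():
        if info["tls"]:
            continue
        ev = info["events"]
        for i, e in enumerate(ev):
            b = re.match(r'op=(\d+) BIND dn="([^"]+)"', e)   # dn="" (anonymous bind) is skipped
            if not b:
                continue
            j = next((k for k in range(i + 1, len(ev)) if ev[k].startswith("op=%s RESULT" % b.group(1))), None)
            if j is not None and re.search(r'\berr=49\b', ev[j]):
                findings.append({"conn": conn, "dn": b.group(2), "listener": info["listener"],
                                 "unrecognized_control": any("unrecognized control" in x for x in ev[i + 1:j])})
    return findings
```

Run against a full /var/log/messages, a non-empty result on the :389 listener with no TLS is exactly the pattern in the first post; the same bind failing after "TLS established" points at credentials or ACLs instead.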