[Fedora-directory-users] DSGW user authorization problem

Lev Dudko dudko at fnal.gov
Mon Nov 17 22:15:26 UTC 2008 

    Hello Rich,
The answers are below. 

> Do you have some sort of proxy running?
> netstat -an | grep 9830
> and
> netstat -an | grep 443
> >
>   

    No, I have a direct link:
 netstat -an | grep 9830
tcp        0      0 0.0.0.0:9830                0.0.0.0:*
LISTEN      

netstat -an | grep 443
unix  2      [ ACC ]     STREAM     LISTENING
4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix  3      [ ]         STREAM     CONNECTED     1724431 
when the apache is down (to avoid possible interferences) 

netstat -an | grep 443
tcp        0      0 :::443                      :::*
LISTEN      
tcp        0      0 :::8443                     :::*
LISTEN      
unix  2      [ ACC ]     STREAM     LISTENING
4857378 /tmp/orbit-sherstnv/linc-1d58-0-25f8c4437879e
unix  3      [ ]         STREAM     CONNECTED     1724431 
(apache is up)

> What access log level are you using?  I suggest using the default.
> 

I will check, but I do not remember that I could change the level of
access log, only the error log.

> [17/Nov/2008:23:43:55 +0300] conn=141 op=1 RESULT err=49 tag=97
> nentries=0 etime=0
> 
> This usually means "incorrect password".  You can verify yourself by 
> using ldapsearch:
> ldapsearch -x -D "uid=dudko,ou=People, dc=sinp, dc=msu, dc=ru" -w 
> yourpassword -s base -b ""
> 
I use the same login and password for logging to the system, so I am
sure that it is correct, but in any case the output of the command above
is:

# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


   By the way, the browser which I use to communicate with DSGW is
firefox-3.0.4-1.fc9.x86_64
and I did not have any problem with translation of my passwords to some
site authorization systems.

> If you get err=49 here, this means your password is not correct. 
> Agh - my eyes - I think you need to change the errorlog level back to 0 
> - I don't think the problem is ACI related - err=49 means incorrect 
> password.

   Sorry, I tried to provide all of the information which I have.


> It is a feature.  You cannot edit local.conf directly.  You have to 
> update that information in LDAP.  local.conf is a read-only cache of the 
> LDAP information.  See - 
> http://directory.fedoraproject.org/wiki/Howto:AdminServerLDAPMgmt


   Thank you for the explanation, first of all I did it from console,
but with the same result (need to put something in this field to keep
it). In any way I will check again that HOWTO.
         Lev


> >
> > On Пнд, 2008-11-17 at 13:21 -0700, Rich Megginson wrote:
> >   
> >> Lev Dudko wrote:
> >>     
> >>>       Dear Directory server experts,
> >>>  could you help me, please, to solve the problem with DSGW
> >>> authorization.
> >>> I have successfully setup FDS on Fedora 9 with 
> >>> setup-ds-admin.pl
> >>> setup ssl with the help of script from this page:
> >>> http://www.linuxmail.info/fedora-directory-server-setup-howto-centos-5/
> >>> and run setup-ds-dsgw
> >>> Now, the directory server works, administration server works and
> >>> I can configure everything in DS and Admin server with console
> >>>  fedora-idm-console -a https://localhost:9830
> >>> ldap and ldaps ports are open and accept requests.
> >>>
> >>>   I can point my browser to https://localhost:9830 and use DSGW to
> >>> search successfully,
> >>> but I can not do authorization, when I try to authorize as some user
> >>> (normal user, Directory Manager or admin) I got the error:
> >>>  Authentication Failed
> >>> Authentication failed because the password you supplied is incorrect.
> >>> Please click the Retry button and try again. If you have forgotten the
> >>> password for this entry, a directory administrator must reset the
> >>> password for you. 
> >>>
> >>> Of course, I am sure that the password is correct. There are no so much
> >>> useful information in the log files. The
> >>> executable /usr/lib64/dirsrv/dsgw-cgi-bin/doauth do this authorization.
> >>>
> >>> I have read available documentation rather careful, but did not find the
> >>> answer. Looks like one of the solution is to use binddnfile directive
> >>> with special text file, but it looks strange for me that it is
> >>> impossible to use normal authorization in LDAP with DSGW.
> >>>
> >>>     Have I missed something during the configuration or forgot to add some
> >>> special ACL?
> >>>   
> >>>       
> >> What platform?
> >> Any information in your admin server logs at /var/log/dirsrv/admin-serv?
> >>     
> >>>        Lev
> >>>   
> >>> ------------------------------------------------------------------------
> >>>
> >>> --
> >>> Fedora-directory-users mailing list
> >>> Fedora-directory-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >>>   
> >>>       
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: ??? ????? ????????? ????????? ???????? ????????
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20081117/c451387d/attachment.sig>

More information about the Fedora-directory-users mailing list