[racktables-users] RackTables, OpenLDAP, and LDAPv3

  • From: Craig Hoffman <craig.hoffman@xxxxxxxxx>
  • To: racktables-users@xxxxxxxxxxxxx
  • Date: Mon, 24 Aug 2009 12:02:53 -0400

When attempting to utilize ldap as my auth method, I was unable to
successfully authenticate.

I ran OpenLDAP in debug mode, "slapd -d 16380", and noticed the
following message in the logs:
...
send_ldap_result: err=2 matched="" text="historical protocol version
requested, use LDAPv3 instead"
conn=2 op=1 RESULT tag=97 err=2 text=historical protocol version
requested, use LDAPv3 instead

So, as a test, I forced OpenLDAP to accept the legacy v2 protocol
(which is considered deprecated) via:

# Global Directives:
allow bind_v2

in slapd.conf (You have to place it before the database is
instantiated.  I stuck it at the very top)

And authentication worked!

I'm not sure if this is considered a bug, a fix, or a workaround, but
I thought it might be helpful to others.
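As an added example (not from the original post and not RackTables code): the client-side alternative to `allow bind_v2` is to request LDAPv3 before binding. PHP's LDAP extension asks for LDAPv2 unless `LDAP_OPT_PROTOCOL_VERSION` is set to 3, which is exactly the "historical protocol version requested" error above, so fixing the client avoids re-enabling a deprecated protocol on the server. The host name, bind DN and password below are placeholders.

```php
<?php
// Added example, not RackTables code. ldap.example.com, the bind DN and the
// password are placeholders.
// PHP's ldap extension sends an LDAPv2 BindRequest by default; OpenLDAP answers
// err=2 "historical protocol version requested, use LDAPv3 instead" unless
// "allow bind_v2" is set. Asking for v3 on the client fixes this without
// weakening slapd.conf.

function ldap_bind_v3(string $uri, string $bindDn, string $password): bool
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("ldap_connect failed for $uri");
    }
    // Must be set before ldap_bind(): this is what changes the version the
    // client advertises in its BindRequest.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Do not chase referrals transparently; keep the bind on the chosen server.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // An empty password turns a simple bind into an anonymous (unauthenticated)
    // bind, which "succeeds" without proving the user's identity. Refuse it.
    if ($password === '') {
        ldap_unbind($conn);
        return false;
    }

    $ok = @ldap_bind($conn, $bindDn, $password);
    if (!$ok) {
        // ldap_errno() of 2 (protocolError) means the server still saw a
        // legacy protocol version; 49 (invalidCredentials) is a real failure.
        error_log(sprintf('LDAP bind failed (%d): %s',
                          ldap_errno($conn), ldap_error($conn)));
    }
    ldap_unbind($conn);
    return $ok;
}

// Placeholder values; replace with the real directory and the user's DN.
var_dump(ldap_bind_v3('ldap://ldap.example.com:389',
                      'uid=choffman,ou=People,dc=example,dc=com',
                      'placeholder-password'));
```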
---

Also, if you're going the LDAP route, keep in mind that RackTables
*authorization* is still needed.  If you want to do something along
the lines of "These people are admins, everyone else is read-only",
you'll need permissions like:

allow {$userid_1}
allow {$username_choffman}
allow {everyone} and {$tab_default}

In that example, choffman and ID#1 get admin, everyone else is read-only.

There may be a better way, but that's what I did.
