[racktables-users] Re: RackTables, OpenLDAP, and LDAPv3

  • From: Jason Hamilton <jason@xxxxxxxxxxxxxxxxxx>
  • To: racktables-users@xxxxxxxxxxxxx
  • Date: Thu, 01 Oct 2009 10:57:11 -0400

Craig,

Thanks for the info (better late than never). The bind_v2 hint is good to know. On a similar note - might I suggest that support for ldap_bind would be useful for directories which don't allow anonymous binding.

Something like:
// Build the user's DN from the search attribute and base DN, then bind as that user
$ldaprn = $LDAP_options['search_attr'] . "=" . $username . "," . $LDAP_options['search_dn'];
$ldapbind = ldap_bind($connect, $ldaprn, $password);

My PHP is somewhat rusty and that may not be the best approach since the search_attr might not always be part of the dn.

-Jason

Craig Hoffman wrote:
When attempting to utilize ldap as my auth method, I was unable to
successfully authenticate.

I ran OpenLDAP in debug mode, "slapd -d 16380", and noticed the
following message in the logs:
...
send_ldap_result: err=2 matched="" text="historical protocol version
requested, use LDAPv3 instead"
conn=2 op=1 RESULT tag=97 err=2 text=historical protocol version
requested, use LDAPv3 instead

So, as a test, I forced OpenLDAP to accept the legacy v2 protocol
(which is considered deprecated) via:

# Global Directives:
allow bind_v2

in slapd.conf (You have to place it before the database is
instantiated.  I stuck it at the very top)

And authentication worked!

I'm not sure if this is considered a bug, a fix, or a workaround, but
I thought it might be helpful to others.
---

Also, if you're going the LDAP route, keep in mind that RackTables
*authorization* is still needed.  If you want to do something along
the lines of "These people are admins, everyone else is read-only",
you'll need permissions like:

allow {$userid_1}
allow {$username_choffman}
allow {everyone} and {$tab_default}

In that example, choffman and ID#1 get admin, everyone else is read-only.

There may be a better way, but that's what I did.


--

-Jason
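An added example (not code from the original post or from RackTables) of the "search, then bind as the user" pattern that Jason's ldap_bind suggestion points at; it also covers his caveat that search_attr need not be part of the DN, and it requests LDAPv3 up front rather than relying on the bind_v2 workaround. The option keys other than search_attr and search_dn (server, bind_dn, bind_password) are assumptions, and ldap_escape() needs PHP 5.6 or newer.

```php
<?php
// Added example, not RackTables code: authenticate a user against a directory
// that forbids anonymous binds. Option keys other than search_attr/search_dn
// are assumed for this illustration.
function ldap_search_then_bind(array $LDAP_options, $username, $password)
{
    // An empty password turns ldap_bind() into an unauthenticated bind, which
    // most servers accept, so it must be refused before touching the directory.
    if ($username === '' || $password === '') {
        return false;
    }
    $connect = ldap_connect($LDAP_options['server']);
    if ($connect === false) {
        return false;
    }
    // Ask for LDAPv3 instead of enabling the deprecated "allow bind_v2" on slapd.
    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind with a read-only service account (assumed option names) so
    // the lookup works where anonymous binds are disallowed.
    if (!@ldap_bind($connect, $LDAP_options['bind_dn'], $LDAP_options['bind_password'])) {
        ldap_unbind($connect);
        return false;
    }
    // Step 2: find the user's real DN by search_attr. The username is escaped
    // so it cannot alter the filter, and search_attr need not appear in the DN.
    $filter = '(' . $LDAP_options['search_attr'] . '='
            . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($connect, $LDAP_options['search_dn'], $filter, array('dn'));
    $entries = $result ? ldap_get_entries($connect, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($connect); // zero or ambiguous matches: refuse
        return false;
    }
    $user_dn = $entries[0]['dn'];
    // Step 3: bind as that DN with the supplied password; success means the
    // directory itself verified the credential.
    $ok = @ldap_bind($connect, $user_dn, $password);
    ldap_unbind($connect);
    return $ok;
}
```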
