[5.816] User authentication with LDAP/ActiveDir

Hi there.

I got 2 ASL Setups, one machine running 5.202 and one 5.816.
Both have the same setup for User Authentication (Joined NT Domain, same settings in the LDAP-Part).

If i try to use "User auth" HTTP-Proxy mode it works fine on 5.202 and i get "Permission denied" (the Astaro errorpage) on 5.816.

DNS-Proxy is enabled and configured.
The DomainController eventlog tells me that the login for the LDAP query user works.

ASL User authentication daemon log says:
2005:05:30-11:37:24 (none) aua[8169]: auth_methods: ldap
2005:05:30-11:37:24 (none) aua[8169]: Protocol: http is not accepted for goth
where 'goth' is the SAM Account name given in the browser.
HTTP is in the "Allowed Target Services" list in proxyconfig and there is no local user 'goth'
(it doesn't work with other domain users anyway)

Any ideas or is this a known problem?
Greetings,
Sebastian

Parents

0 Gert Hansen over 20 years ago

Hi there seezer,

please wait for the next beta version in order to retry this setup.

We have fixed bugs that occured in the LDAP and NTLM authentication part as well as the profile assignment of the HTTP proxy.

Thanks for the feedback,
Regards Gert
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 seezer over 20 years ago in reply to Gert Hansen

Alright.

I'm gonna update this thread when the next version is available.

Greetings,
Sebastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 seezer over 20 years ago in reply to seezer

same thing with 5.838.

Same setup works fine on 5.202:
2005:06:06-10:15:00 (none) aua[1610]: Protocol: http ---> ok
2005:06:06-10:15:00 (none) aua[1610]: U:goth F:http R[:$]K C:

but fails on 5.838:
2005:06:06-08:31:19 (none) aua[24946]: ldapsearch failed - app exited with exitcode 256
2005:06:06-08:31:19 (none) aua[24946]: Protocol: http is not accepted for goth

only the errormessage changed from 5.816 to 5.838 but the ldapsearch seems working since it's really exactly the same setup in 5.202
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 seezer over 20 years ago in reply to seezer

same thing with 5.838.

Same setup works fine on 5.202:
2005:06:06-10:15:00 (none) aua[1610]: Protocol: http ---> ok
2005:06:06-10:15:00 (none) aua[1610]: U:goth F:http R[:$]K C:

but fails on 5.838:
2005:06:06-08:31:19 (none) aua[24946]: ldapsearch failed - app exited with exitcode 256
2005:06:06-08:31:19 (none) aua[24946]: Protocol: http is not accepted for goth

only the errormessage changed from 5.816 to 5.838 but the ldapsearch seems working since it's really exactly the same setup in 5.202
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 seezer over 20 years ago in reply to seezer

Ok, i did some research and i think it's a parsing problem in AUA.
i attached a file with AUA log in debug mode.
i stripped out domainname. ldapqueryusername, ldapquerypassword,userpassword.
domainname is a valid domainname!
username is uncensored and also contains no special chars.

also i cleared out some information about domaingroup memberships, exchange, passwords etc.
but as you can see the ldap-samaccount is found.

i marked a few lines with '#!#' where i think the parsing borked something.

for more information, just tell me.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Xeno over 20 years ago in reply to seezer

Do you have a testsetup which can be changed for testing?
If yes, could you please try a shorter LDAP string? The LDAP string is the string which your marked in your logfile. So to get a shorter one, you could use a shorter username or domain name for example.
Also could you please remove the dot in "OU=domainname.de"? Maybe this leads to problems.

As soon as we know the source of the error, we can report the issue to Astaro.

Xeno
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 seezer over 20 years ago in reply to Xeno

Let's see what i can do there..

[ QUOTE ]
As soon as we know the source of the error, we can report the issue to Astaro.

[/ QUOTE ]

Doesn't UBB count? Where to submit such problems then?

Greetings,
Sebastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Gert Hansen over 20 years ago in reply to seezer

Hi seezer,

i hereby confirm this bug,
you were correct, the LDIF parser in the AUA didn't handle multiline responses properly.
This has been fixed.

Thanks for you help

Gert
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 seezer over 20 years ago in reply to Gert Hansen

Hi Gert,

nice to see the error outside of my responsibility [;)]

Greetings,
Sebastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 seezer over 20 years ago in reply to seezer

just for keeping the log:
problem still existing in 5.841
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 seezer over 20 years ago in reply to seezer

Hi Xeno,

here is your requested logfile. looks unchanged until now.

Sebastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Xeno over 20 years ago in reply to seezer

OK, it's indeed the same issue. An issue which was not covered by the fix in 5.841. I can reproduce the issue with very long LDAP strings. As far as I know Astaro knows of the problem and is working on a fix.

cheers
Xeno
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 seezer over 20 years ago in reply to Xeno

as far as i can read, yes [:)]

Sebastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 seezer over 20 years ago in reply to seezer

Bug still exists in RC1 (5.900)
Thought it should be fixed?

Greets,
Sebastian
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel