this was already discussed on this thread:
http://lists.fedoraproject.org/pipermail/389-users/2009-April/009362.html
but there was clue to solve the issue.
this server is a CentOS 6 with following packages:
389-admin-1.1.25-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-devel-1.1.14-2.el6.x86_64
389-ds-base-1.2.9.14-1.el6_2.2.x86_64
389-admin-console-1.1.8-1.el6.noarch
389-dsgw-1.1.7-2.el6.x86_64
389-ds-base-devel-1.2.9.14-1.el6_2.2.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-console-1.1.7-1.el6.noarch
389-ds-base-libs-1.2.9.14-1.el6_2.2.x86_64
389-adminutil-1.1.14-2.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
I have configured dsgw using: http://directory.fedoraproject.org/wiki/DSGW
when i try to authenticate a test user, using /var/log/dirsrv/slapd-ds/access i see authentication is ok:
[30/Mar/2012:22:30:23 +0200] conn=103 op=1 BIND dn="uid=xxx,ou=People,dc=xxx,dc=it" method=128 version=3
[30/Mar/2012:22:30:23+0200] conn=103 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=xxx,ou=people,dc=xxx,dc=it"
i use xxx to obfuscate real names to protect my customer privacy.
but something goes wrong after it, into dsgw
Is there any dsgw log to diagnose better the issue?
regards
On 03/30/2012 02:40 PM, Maurizio Marini wrote:
i use xxx to obfuscate real names to protect my customer privacy.
but something goes wrong after it, into dsgw
Is there any dsgw log to diagnose better the issue?
ls -al /var/run/dirsrv/dsgw
ls -al /var/run/dirsrv/dsgw/cookies
the admin server logs are in /var/log/dirsrv/admin-serv
regards
389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
On Fri, 30 Mar 2012 14:45:28 -0600 Rich Megginson rmeggins@redhat.com wrote:
Hello Richard
Is there any dsgw log to diagnose better the issue?
ls -al /var/run/dirsrv/dsgw
empty
ls -al /var/run/dirsrv/dsgw/cookies
empty
the admin server logs are in /var/log/dirsrv/admin-serv
there is nothing newer than 1 day ago
if i enter a wrong password, i get an error on /var/log/dirsrv/slapd-ds/access and using credentials i am able to exec ldap search
[code]
ldapsearch -x -b "ou=People,dc=xx,dc=it" -D "uid=xxx,ou=People,dc=xxx,dc=it" -w xxx "(objectClass=person)" uid
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=xxx,dc=it> with scope subtree
# filter: (objectClass=person)
# requesting: uid
#

# udiprova, People, xxx.it
dn: uid=udiprova,ou=People,dc=xxx,dc=it
uid: udiprova

# bpb001, People, xxx.it
dn: uid=bpb001,ou=People,dc=xxx,dc=it
uid: bpb001

# xxx, People, xxx.it
dn: uid=xxx,ou=People,dc=xxx,dc=it
uid: xxx

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
[/code]
the issue is *after* authentication, the authentication with ldap is ok, but after that, something into dsgw goes wrong
maybe there is something wrong in dsgw.conf:
[code]
baseurl ldap://localhost:389/ou%3DPeople,dc%3Dxxx,dc%3Dit
dirmgr "cn=Directory Manager"
location-suffix dc=xxx, dc=it
securitypath /etc/dirsrv/dsgw
htmldir /usr/share/dirsrv/dsgw/html/
configdir /usr/share/dirsrv/dsgw/config/
gwnametrans /dsgw/
authlifetime 7200
template group groupOfNames
template ntgroup groupOfUniqueNames ntGroup
template groupun groupOfUniqueNames
template org organization
template dc domain
template orgunit organizationalUnit
template ntperson person inetOrgPerson nTUser
template orgperson person inetOrgPerson
template person person
template country country
location country "Italy" "c=IT#"
location org "This Organization" ""
location dc "This Domaincomponent" ""
location groups "Groups" "ou=Groups"
location people "People" "ou=People"
location special "Special Users" "ou=Special Users"
charset UTF-8
include "/usr/share/dirsrv/dsgw/config/dsgw-l10n.confMaurizio Marini maumar@cost.it"
[/code]
sadly, without a specific dsgw log, i cannot diagnose anything
there is no trace in any log of what is doing dsgw ;(
at this point, a dsgw specific log can be an RFE and as such it should be filed on bugzilla, isn't it?
thnx for your attention
regards
-m
On 03/31/2012 02:20 AM, Maurizio Marini wrote:
On Fri, 30 Mar 2012 14:45:28 -0600 Rich Megginson rmeggins@redhat.com wrote:
Hello Richard
Is there any dsgw log to diagnose better the issue?
ls -al /var/run/dirsrv/dsgw
empty
ls -al /var/run/dirsrv/dsgw/cookies
empty
This is the problem. How did you install dsgw? From yum? Did you run setup-ds-dsgw after installing the packages?
On 03/31/2012 02:20 AM, Maurizio Marini wrote:
On Fri, 30 Mar 2012 14:45:28 -0600 Rich Megginson rmeggins@redhat.com wrote:
Hello Richard
Is there any dsgw log to diagnose better the issue?
ls -al /var/run/dirsrv/dsgw
empty
ls -al /var/run/dirsrv/dsgw/cookies
empty
But they exist? I wanted to see the ownership and permissions on these directories. If you ran setup-ds-admin.pl and chose the defaults, these directories should be owned by nobody:nobody and should be mode 0700 (-rwx------)
maybe there is something wrong in dsgw.conf:
[code]
baseurl ldap://localhost:389/ou%3DPeople,dc%3Dxxx,dc%3Dit
dirmgr "cn=Directory Manager"
location-suffix dc=xxx, dc=it
This should not have a space in it - it should be dc=xxx,dc=it - if there are spaces in the values, then quote it like this:
location-suffix "dc=xxx, dc=it"
securitypath /etc/dirsrv/dsgw
htmldir /usr/share/dirsrv/dsgw/html/
configdir /usr/share/dirsrv/dsgw/config/
gwnametrans /dsgw/
authlifetime 7200
template group groupOfNames
template ntgroup groupOfUniqueNames ntGroup
template groupun groupOfUniqueNames
template org organization
template dc domain
template orgunit organizationalUnit
template ntperson person inetOrgPerson nTUser
template orgperson person inetOrgPerson
template person person
template country country
location country "Italy" "c=IT#"
Does this really have a "#" in it?
location org "This Organization" ""
location dc "This Domaincomponent" ""
location groups "Groups" "ou=Groups"
location people "People" "ou=People"
location special "Special Users" "ou=Special Users"
charset UTF-8
include "/usr/share/dirsrv/dsgw/config/dsgw-l10n.confMaurizio Marini maumar@cost.it"
Does this really have the string "Maurizio Marini maumar@cost.it" in it?
[/code]
sadly, without a specific dsgw log, i cannot diagnose anything
there is no trace in any log of what is doing dsgw ;(
at this point, a dsgw specific log can be an RFE and as such it should be filed on bugzilla, isn't it?
Trac - https://fedorahosted.org/389
thnx for your attention
regards
-m
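Added example, not part of the original thread and not 389 project code: a shell check for the two things the replies above ask about, the ownership and mode of the dsgw run directories and an unquoted location-suffix value that contains a space. The function names and the config path argument are assumptions; the directory paths, nobody:nobody and mode 0700 are the values quoted in the thread.

```shell
#!/bin/sh
# Added example: audit the dsgw run directories and config quoting
# discussed in this thread. Function names are hypothetical.

# check_dir DIR OWNER:GROUP MODE -> 0 if DIR exists with that owner and mode
check_dir() {
    dir=$1; want_owner=$2; want_mode=$3; rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    got_owner=$(stat -c '%U:%G' "$dir")   # GNU stat, as shipped on CentOS
    got_mode=$(stat -c '%a' "$dir")
    if [ "$got_owner" != "$want_owner" ]; then
        echo "OWNER   $dir is $got_owner, expected $want_owner"; rc=1
    fi
    if [ "$got_mode" != "$want_mode" ]; then
        echo "MODE    $dir is $got_mode, expected $want_mode"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK      $dir $got_owner $got_mode"
    return "$rc"
}

# check_suffix CONF -> non-zero if a location-suffix value has spaces
# but is not wrapped in double quotes
check_suffix() {
    awk '$1 == "location-suffix" && NF > 2 && $2 !~ /^"/ {
             print "UNQUOTED " FILENAME ":" NR ": " $0; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# audit_dsgw CONF: run every check, return non-zero if any of them fails
audit_dsgw() {
    status=0
    check_dir /var/run/dirsrv/dsgw nobody:nobody 700 || status=1
    check_dir /var/run/dirsrv/dsgw/cookies nobody:nobody 700 || status=1
    check_suffix "$1" || status=1
    return "$status"
}

# Runs only when a config path is given: sh audit.sh /path/to/dsgw.conf
if [ -n "${1:-}" ]; then
    audit_dsgw "$1"
fi
```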
On Sat, 31 Mar 2012 09:12:43 -0600 Rich Megginson rmeggins@redhat.com wrote:
This is the problem. How did you install dsgw? From yum? Did you run
setup-ds-dsgw after installing the packages?
no, i didn't, my fault
Now i did, and all went well, all is working smoothly :)
this is the wiki to be used first of all:
http://directory.fedoraproject.org/wiki/WebApps_Install
as pointed out at the bottom of the wiki i started with:
http://directory.fedoraproject.org/wiki/DSGW
best regards :)
-m