[Cdash] [Fwd: Re: CDash LDAP problem]
Marcel Loose
loose at astron.nl
Wed Feb 17 16:17:45 UTC 2010
Hi Julien,

Well, LDAP configurations can be different in a zillion ways, so I don't
know if anyone else will ever run into this specific problem. Anyway,
the thing that bit me was in /etc/openldap/slapd.conf. Here's the
important snippet:

    access to attrs=userPassword,userPKCS12,cn
            by self write
            by * auth

For some reason, access to 'cn' was disabled for anyone except 'self'.
Removing 'cn' from the 'attrs' solved the issue.

Regards,
Marcel.

On Wed, 2010-02-17 at 11:00 -0500, Julien Jomier wrote:
> Hi Marcel,
>
> Thanks for looking into this. Could you describe the configuration issue
> so we can put it in the FAQ in case someone has the same issue.
>
> Thanks,
> Julien
>
> On 2/17/2010 10:57 AM, Marcel Loose wrote:
> > Hi Julien,
> >
> > I think I finally found the culprit. It was an LDAP configuration
> > problem after all. For some reason, retrieval of the 'cn' was disallowed
> > for the mere mortals. After changing that setting I could successfully
> > login as first-timer to CDash.
> >
> > Thanks for your time and effort.
> > Marcel.
> >
> > On Wed, 2010-02-17 at 10:26 -0500, Julien Jomier wrote:
> >> Hi Marcel,
> >>
> >> Could you try to change the
> >>
> >> $CDASH_LDAP_BASEDN='ou=people,dc=astron,dc=nl';
> >>
> >> to
> >>
> >> $CDASH_LDAP_BASEDN='cn=Manager,dc=astron,dc=nl';
> >>
> >> and see if that helps?
> >>
> >> Julien
> >>
> >> On 2/17/2010 10:24 AM, Marcel Loose wrote:
> >>> Hi Julien,
> >>>
> >>> I guess you mean $CDASH_LDAP_BASEDN, instead of $CDASH_LDAP_BIND_DN? I
> >>> couldn't find any occurrence of the latter.
> >>>
> >>> From the configuration file /etc/openldap/slapd.conf:
> >>>   suffix "dc=astron,dc=nl"
> >>>   rootdn "cn=Manager,dc=astron,dc=nl"
> >>>
> >>> From the CDash configuration file /srv/CDash/cdash/config.local.php:
> >>>   $CDASH_LDAP_BASEDN='ou=people,dc=astron,dc=nl';
> >>>
> >>> Looks to me they're the same.
> >>>
> >>> Changing 'cn' to 'gecos' in login.php indeed solves the problem. I don't
> >>> know, though, if 'gecos' is just as "standard" as 'cn' is.
> >>>
> >>> Best regards,
> >>> Marcel Loose.
> >>>
> >>> On Wed, 2010-02-17 at 07:44 -0500, Julien Jomier wrote:
> >>>> Hi Marcel,
> >>>>
> >>>> This is strange. Could you check the value of the $CDASH_LDAP_BIND_DN in
> >>>> your config.local.php and see if it's the same as the one you are
> >>>> passing to slapcat?
> >>>>
> >>>> One thing you can do is replace 'cn' by 'gecos' in the login.php file
> >>>> and it should work (since it looks like the same value).
> >>>>
> >>>> Let me know,
> >>>> Julien
> >>>>
> >>>> On 2/17/2010 3:59 AM, Marcel Loose wrote:
> >>>>> Hi Julien,
> >>>>>
> >>>>> So, it should be possible to authenticate users against an existing LDAP
> >>>>> database. However, when I try to login to CDash as loose at astron.nl, I
> >>>>> get the error:
> >>>>>
> >>>>>   No givenname (cn) set in LDAP, cannot register user into MIDAS
> >>>>>
> >>>>> That user is present in the LDAP database, though. Here's the record
> >>>>> from the LDAP database, retrieved with 'slapcat'. As you can see, the
> >>>>> 'cn' field is also present.
> >>>>>
> >>>>> dn: uid=loose,ou=people,dc=astron,dc=nl
> >>>>> objectClass: shadowAccount
> >>>>> objectClass: posixAccount
> >>>>> objectClass: inetOrgPerson
> >>>>> gecos: Marcel Loose
> >>>>> uid: loose
> >>>>> sn: Loose
> >>>>> givenName: Marcel
> >>>>> structuralObjectClass: inetOrgPerson
> >>>>> entryUUID: 2375bf08-e435-102b-8b97-3952138d3cf7
> >>>>> creatorsName: cn=Manager,dc=astron,dc=nl
> >>>>> createTimestamp: 20070821132115Z
> >>>>> uidNumber: 511
> >>>>> mail: loose at astron.nl
> >>>>> gidNumber: 1000
> >>>>> shadowLastChange: 14127
> >>>>> cn: Marcel Loose
> >>>>> userPassword:: ########
> >>>>> homeDirectory: /home/loose
> >>>>> loginShell: /bin/bash
> >>>>> entryCSN: 20100104140045Z#000000#00#000000
> >>>>> modifiersName: cn=Manager,dc=astron,dc=nl
> >>>>> modifyTimestamp: 20100104140045Z
> >>>>>
> >>>>> I'm baffled. Any ideas?
> >>>>>
> >>>>> Best regards,
> >>>>> Marcel Loose.
> >>>>>
> >>>>> On Tue, 2010-02-16 at 07:31 -0500, Julien Jomier wrote:
> >>>>>> Hi Marcel,
> >>>>>>
> >>>>>> You can use a LDAP database to authenticate users in CDash, others have
> >>>>>> done it. The only thing is that you need to configure either CDash or
> >>>>>> your LDAP to fill the 'cn' field, this is how CDash gets the information
> >>>>>> to create the authenticated user automatically.
> >>>>>>
> >>>>>> Julien
> >>>>>>
> >>>>>> On 2/15/2010 3:30 AM, Marcel Loose wrote:
> >>>>>>> Hi Julien,
> >>>>>>>
> >>>>>>> Sorry for the late reply, I had a long weekend off.
> >>>>>>> Do I understand correctly, from your answer, that it is not possible to
> >>>>>>> use an existing LDAP database to authenticate users? Is it really
> >>>>>>> necessary to register them from within CDash? If so, is there a way to
> >>>>>>> import users from an LDAP database into CDash?
> >>>>>>>
> >>>>>>> Best regards,
> >>>>>>> Marcel Loose.
> >>>>>>>
> >>>>>>>
> >>>>>>> On Thu, 2010-02-11 at 10:40 -0500, Julien Jomier wrote:
> >>>>>>>> Marcel,
> >>>>>>>>
> >>>>>>>> I'm wondering if the CDASH_LDAP options are defined correctly and that
> >>>>>>>> might be the reason why 'cn' doesn't show up.
> >>>>>>>>
> >>>>>>>> CDash requires the user to be registered in CDash when using LDAP. The
> >>>>>>>> authentication is done by LDAP. One option is to login as administrator
> >>>>>>>> into CDash and register the user before trying to login into LDAP.
> >>>>>>>>
> >>>>>>>> Let us know,
> >>>>>>>> Julien
> >>>>>>>>
> >>>>>>>> Marcel Loose wrote:
> >>>>>>>> > Hi all,
> >>>>>>>> >
> >>>>>>>> > I'm experiencing an LDAP problem with CDash. When I try to log into
> >>>>>>>> > CDash for the first time as a valid LDAP user, I get the message:
> >>>>>>>> >
> >>>>>>>> >   No givenname (cn) set in LDAP, cannot register user into MIDAS
> >>>>>>>> >
> >>>>>>>> > Now I've been digging in the PHP-code a bit, but I know little PHP.
> >>>>>>>> > The problem seems to be in the function ldapAuthenticate() in login.php.
> >>>>>>>> > For reasons I don't understand, the return value of
> >>>>>>>> >   ldap_search($ldap,$CDASH_LDAP_BASEDN, 'mail='.$email, array('dn','cn'))
> >>>>>>>> > contains an empty 'cn' field, though it does contain a valid 'dn' field.
> >>>>>>>> >
> >>>>>>>> > For debugging purposes, I've removed the attributes specification in the
> >>>>>>>> > ldap_search() call, thus returning all attributes. This gives me:
> >>>>>>>> >
> >>>>>>>> > var_dump($entries);
> >>>>>>>> > array(2) { ["count"]=> int(1) [0]=> array(24) {
> >>>>>>>> >   ["objectclass"]=> array(4) { ["count"]=> int(3) [0]=> string(13) "shadowAccount" [1]=> string(12) "posixAccount" [2]=> string(13) "inetOrgPerson" }
> >>>>>>>> >   [0]=> string(11) "objectclass"
> >>>>>>>> >   ["gecos"]=> array(2) { ["count"]=> int(1) [0]=> string(12) "Marcel Loose" }
> >>>>>>>> >   [1]=> string(5) "gecos"
> >>>>>>>> >   ["uid"]=> array(2) { ["count"]=> int(1) [0]=> string(5) "loose" }
> >>>>>>>> >   [2]=> string(3) "uid"
> >>>>>>>> >   ["sn"]=> array(2) { ["count"]=> int(1) [0]=> string(5) "Loose" }
> >>>>>>>> >   [3]=> string(2) "sn"
> >>>>>>>> >   ["givenname"]=> array(2) { ["count"]=> int(1) [0]=> string(6) "Marcel" }
> >>>>>>>> >   [4]=> string(9) "givenname"
> >>>>>>>> >   ["uidnumber"]=> array(2) { ["count"]=> int(1) [0]=> string(3) "511" }
> >>>>>>>> >   [5]=> string(9) "uidnumber"
> >>>>>>>> >   ["mail"]=> array(2) { ["count"]=> int(1) [0]=> string(15) "loose at astron.nl" }
> >>>>>>>> >   [6]=> string(4) "mail"
> >>>>>>>> >   ["gidnumber"]=> array(2) { ["count"]=> int(1) [0]=> string(4) "1000" }
> >>>>>>>> >   [7]=> string(9) "gidnumber"
> >>>>>>>> >   ["shadowlastchange"]=> array(2) { ["count"]=> int(1) [0]=> string(5) "14127" }
> >>>>>>>> >   [8]=> string(16) "shadowlastchange"
> >>>>>>>> >   ["homedirectory"]=> array(2) { ["count"]=> int(1) [0]=> string(11) "/home/loose" }
> >>>>>>>> >   [9]=> string(13) "homedirectory"
> >>>>>>>> >   ["loginshell"]=> array(2) { ["count"]=> int(1) [0]=> string(9) "/bin/bash" }
> >>>>>>>> >   [10]=> string(10) "loginshell"
> >>>>>>>> >   ["count"]=> int(11)
> >>>>>>>> >   ["dn"]=> string(35) "uid=loose,ou=people,dc=astron,dc=nl" } }
> >>>>>>>> >
> >>>>>>>> > Indeed, 'cn' is missing here. It is, however, present in the LDAP
> >>>>>>>> > database. Here's a snippet of the output of 'slapcat', for the given
> >>>>>>>> > user:
> >>>>>>>> >
> >>>>>>>> > dn: uid=loose,ou=people,dc=astron,dc=nl
> >>>>>>>> > objectClass: shadowAccount
> >>>>>>>> > objectClass: posixAccount
> >>>>>>>> > objectClass: inetOrgPerson
> >>>>>>>> > gecos: Marcel Loose
> >>>>>>>> > uid: loose
> >>>>>>>> > sn: Loose
> >>>>>>>> > givenName: Marcel
> >>>>>>>> > structuralObjectClass: inetOrgPerson
> >>>>>>>> > entryUUID: 2375bf08-e435-102b-8b97-3952138d3cf7
> >>>>>>>> > creatorsName: cn=Manager,dc=astron,dc=nl
> >>>>>>>> > createTimestamp: 20070821132115Z
> >>>>>>>> > uidNumber: 511
> >>>>>>>> > mail: loose at astron.nl
> >>>>>>>> > gidNumber: 1000
> >>>>>>>> > shadowLastChange: 14127
> >>>>>>>> > cn: Marcel Loose
> >>>>>>>> > userPassword::<########>
> >>>>>>>> > homeDirectory: /home/loose
> >>>>>>>> > loginShell: /bin/bash
> >>>>>>>> > entryCSN: 20100104140045Z#000000#00#000000
> >>>>>>>> > modifiersName: cn=Manager,dc=astron,dc=nl
> >>>>>>>> > modifyTimestamp: 20100104140045Z
> >>>>>>>> >
> >>>>>>>> > I don't know if this is a CDash problem -- e.g. it should use a
> >>>>>>>> > different ldap-function; or if it's a problem with the PHP-LDAP module;
> >>>>>>>> > or if it's an LDAP database/configuration problem. Could someone please
> >>>>>>>> > shed a light on this?
> >>>>>>>> >
> >>>>>>>> > Best regards,
> >>>>>>>> > Marcel Loose.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>>
> >>>
> >
> >
> >
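
Added example (not part of the original thread, and not CDash or OpenLDAP code): a small Python model of how slapd chooses an access level, applied to the slapd.conf snippet from the top message, showing why a search returned 'gecos' but not 'cn' and what removing 'cn' from the attrs list changes. The catch-all "access to * by * read" directive, the anonymous searcher and all function names are assumptions; only the first directive appears in the thread.

```python
# Added example: minimal model of slapd ACL evaluation; handles only attrs=/"*" targets and who = self, anonymous, users, *.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(text):
    """Parse 'access to <what> by <who> <level>' directives into [(attrs, clauses)]."""
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:2] == ["access", "to"]:
            what = words[2]
            attrs = None if what == "*" else set(what.lower().split("=", 1)[1].split(","))
            rules.append((attrs, []))
            words = words[3:]
        for i in range(0, len(words), 3):   # remaining words: "by <who> <level>"
            rules[-1][1].append((words[i + 1], words[i + 2]))
    return rules

def access(rules, attr, requester, entry_dn):
    """Level granted to requester (a DN, or None for anonymous) on attr of entry_dn."""
    for attrs, clauses in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue                        # this <what> does not cover the attribute
        for who, level in clauses:          # first matching <who> decides
            if (who == "*" or (who == "anonymous" and requester is None)
                    or (who == "users" and requester is not None)
                    or (who == "self" and requester == entry_dn)):
                return level
        return "none"                       # implicit "by * none" ends each directive
    return "none"                           # no directive covers the attribute

def readable(rules, attr, requester, entry_dn):
    """True when the granted level is at least 'read', i.e. a search returns the value."""
    return LEVELS.index(access(rules, attr, requester, entry_dn)) >= LEVELS.index("read")

# Constructed input: the first directive is the one quoted in the thread; the
# trailing "access to * by * read" is an assumed catch-all, not shown on the page.
BEFORE = """
access to attrs=userPassword,userPKCS12,cn
    by self write
    by * auth
access to *
    by * read
"""
AFTER = BEFORE.replace(",cn", "")           # the fix: drop 'cn' from the attrs list
ENTRY = "uid=loose,ou=people,dc=astron,dc=nl"

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        print(name, {a: access(parse_acl(acl), a, None, ENTRY) for a in ("cn", "gecos", "userPassword")})
```

In both variants 'userPassword' stays at "auth" for everyone but the entry itself, so the fix exposes 'cn' without exposing the password attribute. OpenLDAP's slapacl tool answers the same question against a real configuration.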