Description of problem:
When anonymous binding is disabled (nsslapd-allow-anonymous-access: off), you are not able to log in to the console when running 389-console as cn=Directory Manager. The logs show that two anonymous bind attempts are made during the login process.

Version-Release number of selected component (if applicable):
1.2.6rc7

Steps to Reproduce:
Disable anonymous access
Restart both admin and dirsrv
Try to login to console as cn=Directory Manager

Actual results:
Error Message

Expected results:
Ability to login

Additional info:
Original mailing list thread: http://lists.fedoraproject.org/pipermail/389-users/2010-August/011918.html
The workaround is to use the full DN of the admin user instead of just the uid e.g. instead of "admin" use "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
I am confused here. The workaround states uid=admin... did you mean uid=Directory Manager? The bug was related to logging in as Directory Manager with the privileges that come with that user. To be fair, I don't know if you are afforded fewer privileges as the admin user, so if you are not then the workaround is clear to me.
(In reply to comment #3)
> I am confused here. The workaround states uid=admin... did you mean
> uid=Directory Manager? The bug was related to login it as Directory Manager
> with the privileges that comes with that user. To be fair I don't know if you
> are afforded less privileges as admin user so if you are not then the work
> around is clear to me.

Actually, I misspoke - there is no workaround.
https://bugzilla.redhat.com/show_bug.cgi?id=661116 is likely the same as this report.

Similar finding in 389-users:
Date: Tue, 21 Dec 2010 16:50:31 -0500
Subject: [389-users] issues with 1.2.7.5
*** Bug 638765 has been marked as a duplicate of this bug. ***
This is working fine with recent builds. I am running tests with the following packages:

389-adminutil-devel-1.1.13-1.fc14.x86_64
389-admin-1.1.14-1.fc14.x86_64
389-console-1.1.4-1.fc14.noarch
389-ds-console-1.2.3-1.fc14.noarch
389-admin-console-1.1.5-1.fc14.noarch
389-ds-base-1.2.8-0.1.a1.fc14.x86_64
389-adminutil-1.1.13-1.fc14.x86_64

I am able to disable anonymous access and log in using the console as "cn=directory manager", "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot", and as a newly created user beneath "ou=TopologyManagement,o=NetscapeRoot".

The directory server access log shows that the console falls back to using the DN after the anonymous bind fails:

[04/Feb/2011:13:56:57 -0800] conn=15 fd=64 slot=64 connection from 127.0.0.1 to 127.0.0.1
[04/Feb/2011:13:56:57 -0800] conn=15 op=0 BIND dn="" method=128 version=3
[04/Feb/2011:13:56:57 -0800] conn=15 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[04/Feb/2011:13:56:57 -0800] conn=15 op=1 BIND dn="uid=nkinder,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[04/Feb/2011:13:56:57 -0800] conn=15 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nkinder,ou=administrators,ou=topologymanagement,o=netscaperoot

I believe this was likely fixed when Console was modified to work with the DN validation code. I'm going to mark this as MODIFIED.
Disable anonymous access
nsslapd-allow-anonymous-access: off in dse.ldif

Restart both admin and dirsrv
/etc/init.d/dirsrv-admin restart
service dirsrv restart

Try to login to console as cn=Directory Manager

check the access logs
[24/May/2011:13:09:46 +051800] conn=10 fd=64 slot=64 SSL connection from 10.65.201.218 to 10.65.201.218
[24/May/2011:13:09:46 +051800] conn=10 SSL 128-bit RC4
[24/May/2011:13:09:46 +051800] conn=10 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/May/2011:13:09:46 +051800] conn=10 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/May/2011:13:09:46 +051800] conn=10 op=1 SRCH base="ou=Accounting,dc=example,dc=com" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nsRole nsRoleDN objectClass nsAccountLock"
[24/May/2011:13:09:46 +051800] conn=10 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/May/2011:13:09:46 +051800] conn=10 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
[24/May/2011:13:09:46 +051800] conn=10 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[24/May/2011:13:09:46 +051800] conn=8 op=38 SRCH base="cn=ldbm database,cn=plugins,cn=config" scope=2 filter="(objectClass=nsBackendInstance)" attrs="nsslapd-suffix nsBackendSuffix"
Unfortunately, I have this issue using:
nsslapd-allow-anonymous-access: rootdse

with the following packages installed:
389-admin-1.1.23-1.fc15.i686
389-admin-console-1.1.8-1.fc15.noarch
389-admin-console-doc-1.1.8-1.fc15.noarch
389-adminutil-1.1.14-1.fc15.i686
389-console-1.1.7-1.fc15.noarch
389-ds-base-1.2.9.6-1.fc15.i686
389-ds-base-libs-1.2.9.6-1.fc15.i686
389-ds-console-1.2.6-1.fc15.noarch
389-ds-console-doc-1.2.6-1.fc15.noarch

admin-serv errors:
[Sun Aug 14 13:57:16 2011] [notice] caught SIGTERM, shutting down
[Sun Aug 14 13:57:18 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Sun Aug 14 13:57:19 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-elburn,cn=389 Administration Server,cn=Server Group,cn=elburn.messinet.com,ou=messinet.com,o=NetscapeRoot] for LDAPConnection [elburn.messinet.com:636]
[Sun Aug 14 13:57:19 2011] [notice] Access Host filter is: *.messinet.com
[Sun Aug 14 13:57:19 2011] [notice] Access Address filter is: *
[Sun Aug 14 13:57:20 2011] [notice] Apache/2.2.17 (Unix) mod_nss/2.2.17 NSS/3.12.9.0 configured -- resuming normal operations
[Sun Aug 14 13:57:20 2011] [crit] populate_tasks_from_server(): Unable to search [cn=admin-serv-elburn,cn=389 Administration Server,cn=Server Group,cn=elburn.messinet.com,ou=messinet.com,o=NetscapeRoot] for LDAPConnection [elburn.messinet.com:636]
[Sun Aug 14 13:57:20 2011] [notice] Access Host filter is: *.messinet.com
[Sun Aug 14 13:57:20 2011] [notice] Access Address filter is: *
This was fixed in DS 9.0 but not in DS 8.2 yet. Not sure why the bug was set to VERIFIED.
Disable anonymous access
nsslapd-allow-anonymous-access: off in dse.ldif

Restart both admin and dirsrv
/etc/init.d/dirsrv-admin restart
service dirsrv restart

Try to login to console as cn=Directory Manager and "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"

It was successful.

But if I just give admin as login user, it fails, PFA for screen shot
Also logs ::

[root@ipaqavmh ~]# tail -f /var/log/dirsrv/admin-serv/access
127.0.0.1 - admin [11/Jul/2012:06:45:40 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/jars/redhat-ds-8.2.jar HTTP/1.0" 404 312
10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2.jar HTTP/1.0" 200 1465828
10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2_en.jar HTTP/1.0" 200 55190
127.0.0.1 - cn=Directory Manager [11/Jul/2012:10:16:57 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 373
127.0.0.1 - admin [11/Jul/2012:10:17:37 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
127.0.0.1 - admin [11/Jul/2012:10:18:03 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
127.0.0.1 - uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot [11/Jul/2012:10:22:20 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
127.0.0.1 - admin [11/Jul/2012:10:22:50 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359

tail -f /var/log/dirsrv/slapd-ipaqavmh/access
[11/Jul/2012:10:33:37 -0400] conn=3 op=0 BIND dn="cn=admin-serv-ipaqavmh,cn=Red Hat Administration Server,cn=Server Group,cn=ipaqavmh.idm.lab.bos.redhat.com,ou=idm.lab.bos.redhat.com,o=NetscapeRoot" method=128 version=3
[11/Jul/2012:10:33:37 -0400] conn=3 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[11/Jul/2012:10:33:37 -0400] conn=3 op=1 UNBIND
[11/Jul/2012:10:33:37 -0400] conn=3 op=1 fd=64 closed - U1
[11/Jul/2012:10:33:37 -0400] conn=4 fd=65 slot=65 connection from 10.16.98.193 to 10.16.98.193
[11/Jul/2012:10:33:37 -0400] conn=4 op=0 BIND dn="(null)" method=128 version=3
[11/Jul/2012:10:33:37 -0400] conn=4 op=0 RESULT err=32 tag=97 nentries=0 etime=0

ALSO -- There is BIND dn="(null)" <--- null here.
Created attachment 597598: Screenshot-Untitled Window.png
[root@ipaqavmh ~]# rpm -qa | grep redhat-ds
redhat-ds-base-8.2.9-2.el5dsrv
redhat-ds-base-devel-8.2.9-2.el5dsrv
redhat-ds-console-8.2.0-4.el5dsrv
redhat-ds-admin-8.2.2-1.el5dsrv
redhat-ds-base-debuginfo-8.2.9-2.el5dsrv
redhat-ds-8.2.0-2.el5dsrv
redhat-ds-admin-debuginfo-8.2.2-1.el5dsrv
(In reply to comment #16)
> Disable anonymous access
> nsslapd-allow-anonymous-access: off in dse.ldif
>
> Restart both admin and dirsrv
> /etc/init.d/dirsrv-admin restart
> service dirsrv restart
>
> Try to login to console as cn=Directory Manager and
> "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
>
> It was successful.
>
> But if I just give admin as login user, it fails, PFA for screen shot
> Also logs ::
>
> [root@ipaqavmh ~]# tail -f /var/log/dirsrv/admin-serv/access
> 127.0.0.1 - admin [11/Jul/2012:06:45:40 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
> 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/jars/redhat-ds-8.2.jar HTTP/1.0" 404 312
> 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2.jar HTTP/1.0" 200 1465828
> 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2_en.jar HTTP/1.0" 200 55190
> 127.0.0.1 - cn=Directory Manager [11/Jul/2012:10:16:57 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 373
> 127.0.0.1 - admin [11/Jul/2012:10:17:37 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
> 127.0.0.1 - admin [11/Jul/2012:10:18:03 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
> 127.0.0.1 - uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot [11/Jul/2012:10:22:20 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
> 127.0.0.1 - admin [11/Jul/2012:10:22:50 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
>
> tail -f /var/log/dirsrv/slapd-ipaqavmh/access
> [11/Jul/2012:10:33:37 -0400] conn=3 op=0 BIND dn="cn=admin-serv-ipaqavmh,cn=Red Hat Administration Server,cn=Server Group,cn=ipaqavmh.idm.lab.bos.redhat.com,ou=idm.lab.bos.redhat.com,o=NetscapeRoot" method=128 version=3
> [11/Jul/2012:10:33:37 -0400] conn=3 op=0 RESULT err=48 tag=97 nentries=0 etime=0
> [11/Jul/2012:10:33:37 -0400] conn=3 op=1 UNBIND
> [11/Jul/2012:10:33:37 -0400] conn=3 op=1 fd=64 closed - U1
> [11/Jul/2012:10:33:37 -0400] conn=4 fd=65 slot=65 connection from 10.16.98.193 to 10.16.98.193
> [11/Jul/2012:10:33:37 -0400] conn=4 op=0 BIND dn="(null)" method=128 version=3
> [11/Jul/2012:10:33:37 -0400] conn=4 op=0 RESULT err=32 tag=97 nentries=0 etime=0
>
> ALSO -- There is BIND dn="(null)" <--- null here.

I think this is correct - if anonymous access is turned off, you have to login with a full DN - Mark?
(In reply to comment #19)
> (In reply to comment #16)
> > Disable anonymous access
> > nsslapd-allow-anonymous-access: off in dse.ldif
> >
> > Restart both admin and dirsrv
> > /etc/init.d/dirsrv-admin restart
> > service dirsrv restart
> >
> > Try to login to console as cn=Directory Manager and
> > "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
> >
> > It was successful.
> >
> > But if I just give admin as login user, it fails, PFA for screen shot
> > Also logs ::
> >
> > [root@ipaqavmh ~]# tail -f /var/log/dirsrv/admin-serv/access
> > 127.0.0.1 - admin [11/Jul/2012:06:45:40 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
> > 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/jars/redhat-ds-8.2.jar HTTP/1.0" 404 312
> > 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2.jar HTTP/1.0" 200 1465828
> > 10.16.98.193 - - [11/Jul/2012:06:45:47 -0400] "GET /java/redhat-ds-8.2_en.jar HTTP/1.0" 200 55190
> > 127.0.0.1 - cn=Directory Manager [11/Jul/2012:10:16:57 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 373
> > 127.0.0.1 - admin [11/Jul/2012:10:17:37 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
> > 127.0.0.1 - admin [11/Jul/2012:10:18:03 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
> > 127.0.0.1 - uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot [11/Jul/2012:10:22:20 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 417
> > 127.0.0.1 - admin [11/Jul/2012:10:22:50 -0400] "GET /admin-serv/authenticate HTTP/1.0" 200 359
> >
> > tail -f /var/log/dirsrv/slapd-ipaqavmh/access
> > [11/Jul/2012:10:33:37 -0400] conn=3 op=0 BIND dn="cn=admin-serv-ipaqavmh,cn=Red Hat Administration Server,cn=Server Group,cn=ipaqavmh.idm.lab.bos.redhat.com,ou=idm.lab.bos.redhat.com,o=NetscapeRoot" method=128 version=3
> > [11/Jul/2012:10:33:37 -0400] conn=3 op=0 RESULT err=48 tag=97 nentries=0 etime=0
> > [11/Jul/2012:10:33:37 -0400] conn=3 op=1 UNBIND
> > [11/Jul/2012:10:33:37 -0400] conn=3 op=1 fd=64 closed - U1
> > [11/Jul/2012:10:33:37 -0400] conn=4 fd=65 slot=65 connection from 10.16.98.193 to 10.16.98.193
> > [11/Jul/2012:10:33:37 -0400] conn=4 op=0 BIND dn="(null)" method=128 version=3
> > [11/Jul/2012:10:33:37 -0400] conn=4 op=0 RESULT err=32 tag=97 nentries=0 etime=0
> >
> > ALSO -- There is BIND dn="(null)" <--- null here.
>
> I think this is correct - if anonymous access is turned off, you have to
> login with a full DN - Mark?

Correct, the admin server will need to search DS for the "id". It does this using an anonymous bind to search the db.
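The behaviour described in comment 7 (anonymous bind refused with err=48, then a fall back to a named DN on the same connection) and in the comment above (the admin server's anonymous search for a bare "id") can be confirmed from the directory server access log. The following is an added example, not code from the bug thread or from the 389 project: it pairs BIND and RESULT lines by conn/op and classifies each connection so an administrator can check, after setting nsslapd-allow-anonymous-access: off, that anonymous binds are in fact refused and which logins still succeed. The sample log lines are constructed, modelled on the excerpts quoted in this bug.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the 389 DS access-log excerpts quoted in this bug.
SAMPLE_LOG = """\
[04/Feb/2011:13:56:57 -0800] conn=15 op=0 BIND dn="" method=128 version=3
[04/Feb/2011:13:56:57 -0800] conn=15 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[04/Feb/2011:13:56:57 -0800] conn=15 op=1 BIND dn="uid=nkinder,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" method=128 version=3
[04/Feb/2011:13:56:57 -0800] conn=15 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=nkinder,ou=administrators,ou=topologymanagement,o=netscaperoot"
[11/Jul/2012:10:33:37 -0400] conn=4 fd=65 slot=65 connection from 10.16.98.193 to 10.16.98.193
[11/Jul/2012:10:33:37 -0400] conn=4 op=0 BIND dn="(null)" method=128 version=3
[11/Jul/2012:10:33:37 -0400] conn=4 op=0 RESULT err=32 tag=97 nentries=0 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')
ANON_DNS = ("", "(null)")  # both spellings of an anonymous bind seen in this bug

def parse_binds(log_text):
    """Map (conn, op) -> (dn, err), pairing each BIND with its RESULT line (err=None if missing)."""
    dns, errs = {}, {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            dns[(int(m.group(1)), int(m.group(2)))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            errs[(int(m.group(1)), int(m.group(2)))] = int(m.group(3))
    return {k: (dn, errs.get(k)) for k, dn in dns.items()}

def classify_connections(log_text):
    """Per connection: 'anon_allowed' if an anonymous bind succeeded (the setting is not in
    effect), 'fallback' if it failed and a later named bind succeeded (comment 7's behaviour),
    'anon_refused' if it failed and nothing else succeeded, 'authenticated' if only named binds."""
    per_conn = defaultdict(list)
    for (conn, op), (dn, err) in sorted(parse_binds(log_text).items()):
        per_conn[conn].append((dn, err))
    verdicts = {}
    for conn, binds in per_conn.items():
        anon_errs = [err for dn, err in binds if dn in ANON_DNS]
        named_ok = any(dn not in ANON_DNS and err == 0 for dn, err in binds)
        if not anon_errs:
            verdicts[conn] = "authenticated"
        elif 0 in anon_errs:
            verdicts[conn] = "anon_allowed"
        else:
            verdicts[conn] = "fallback" if named_ok else "anon_refused"
    return verdicts
```

err=48 is the LDAP inappropriateAuthentication result code, which is what the log excerpts above show for a refused anonymous bind; a connection classified as anon_refused with no later named bind is the failing console or admin-server login this bug is about.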
Ok, we can mark the bug as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-1079.html
*** Bug 832618 has been marked as a duplicate of this bug. ***
*** Bug 832619 has been marked as a duplicate of this bug. ***