LDAP login fails - BOE XI 3.1 + Novell eDirectory

For ONE user (in the admin group) we get the error :

Account Information Not Recognized: Invalid username or password. If your account is under any root other than o=favv, you must enter your DN. (FWB 00007) (FWM 00007)

when he logs in using LDAP authentication (and the associated password).
This user is in the same (LDAP) groups as my own account, which IS working for both LDAP- and Enterprise login.
When the other user logs in using Enterprise, everything works.
For LDAP, it works only when logging in using the full cn (cn=username,ou=users,o=organisation)

What can be wrong here, as the “properties” pages are seemingly the same for both users? The Enterprise username is equal to the name in cn=

All Ldap groups (other than “users”) are mapped onto “imported” groups placed inside BOE security groups by their “cn”.

BOEXI 3.1, ldap=edirectory.


RensH :belgium: (BOB member since 2007-06-18)

Hi,

I’m trying to set up a BOE XI 3.1 with Novell LDAP eDirectory.
I have already read many, many docs on this topic but I have not succeeded in finding answers.
Do you have a few minutes to explain to me where my mistakes are, based on your experience on this subject?

My problem is the following :
I configured the connection to the LDAP server successfully.
I have entered the following information:
annuaire-int.domain.com:389
type of ldap server Novell eDirectory with default mappings
ou=domain,o=com
cn=BOXI-User-Auth,ou=services,ou=domain,o=com with good pwd
no SSL, no SSO
common configuration for alias and others

When I click on finish, all is well, as I can see in the log file that the connection attempt is successful.

But when I try to get the group containing all the members I need, it is without success. I tried with these settings for member group mapping:
cn=BOXI,ou=applications or cn=BOXI,ou=applications,ou=domain,o=com

I get the following error in the CMC :
The secLdap plugin failed to get the dn for the group cn=BOXI,ou=applications

When I have a look at the log file I see there is a problem with the function “LDAP: SecLdap Error: an unknown error occurred in GetFirstAttributeAndBaseFromDN()”

Could you give some explanation of how you set up your configuration, or even some screenshots to compare the BO LDAP configuration and the structure of the objects on the LDAP server?

Thanks in advance for any piece of advice.

Laurent.


Laurent RIVIERE (BOB member since 2010-06-21)

Hi Laurent,

Welcome to B :mrgreen: B!!!

First, try using any LDAP browser (such as Softerra) and connect to the LDAP server; from there you can copy the exact DN and paste it in the mapping groups area in CMC.

Second, can you please share the LDAP attribute mapping you are using. Or share the screenshot of the same.
:+1:


nicholas (BOB member since 2008-07-31)

Hi,

Ok. I already use softerra ldap browser to get some information.
So I can confirm that :

ldap server address : annuaire-int.domain.com:389
ou=domain,o=com
dn of the user used to navigate within softerra ldap browser : cn=BOXI-User-Auth,ou=services,ou=domain,o=com
So I use this dn user for authentication in the ldap module of the cmc.

The connection seems to be good.
I think my problem comes from a mismatch between the mapping of objects from the LDAP server and the CMC.
I use the default mapping for Novell eDirectory, like this:

LDAP Server Attribute Mappings

Object Class : objectclass
Static Group : groupofnames
Static Group Member : member
Dynamic Group :
Dynamic Group Filter :
Group Description : description
User Object Class : inetorgperson
User Name : uid
User Full Name : cn
User Email : mail
User Description : fullname

LDAP Default Search Attributes

Default Group Search Attribute : cn
Default User Search Attribute : uid

What I get with Softerra ldap browser (ldif export) :

LDIF export of group BOXI

#-------------------------------------------------------------------------------
# par Softerra LDAP Browser 2.6 (http://www.ldapbrowser.com)
#-------------------------------------------------------------------------------
version: 1
dn: cn=BOXI,ou=applications,ou=domain,o=com
domainADgrpSync: 0
domainLibelleComplet: BOXI
domainSigle: BOXI
objectClass: groupOfNames
objectClass: Top
objectClass: domainGroupe
objectClass: domainApplication
member: cn=NOM-prenom,ou=prestataires,ou=personnes,ou=domain,o=com
description: BOXI

LDIF export of member NOM Prenom

#-------------------------------------------------------------------------------
# par Softerra LDAP Browser 2.6 (http://www.ldapbrowser.com)
#-------------------------------------------------------------------------------
version: 1
dn: cn=NOM-Prenom,ou=prestataires,ou=personnes,ou=domain,o=com
domainDir: DIRECTION SYSTEMES OPERATIONNELS
domainDomPers: MON SITE
domainNomPrenom: NOM Prenom
roomNumber: D.0.28
mail: prenom.nom@domain.com
uid: NOM_P
initials: NP
givenName: Prenom
fullName: M. Prenom NOM
sn: NOM
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
objectClass: domainPersonne
groupMembership: cn=BOXI,ou=applications,ou=domain,o=com
cn: NOM-Prenom

What I can see in the logs :

(ldap_wrapper.cpp:890) LdapCreateNewSession() successful.
(ldap_wrapper.cpp:925) LdapBindToServer() successful.
LDAP: LdapQueryForAttribute: QUERY base: ou=domain, o=com, scope: 0, filter: (objectclass=), attribute: dn
LDAP: LdapQueryForAttribute: QUERY result: 0 took 10 ms

LDAP: LdapQueryForEntries: QUERY result: 0 took 10 ms
LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
CLdapWrapper::LdapQueryMVRanging() – Assuming that his server does not support ranged queries for multivalued attributes.
LDAP: LdapQueryForEntries: QUERY base: ou=applications, scope: 0, filter: (objectclass=), attribute: dn
LDAP: LdapQueryForEntries: QUERY result: 32 took 0 ms
SecLdap Error: an error occurred in LdapQueryForAttribute().

SResourceSource::LoadString 49408
SResourceSource::LoadString LDAP Error: %1. %2
LDAP: SecLdap Error: an unknown error occurred in GetFirstAttributeAndBaseFromDN().
LDAP Error: No such object. NDS error: no such entry (-601)
InfoStore.cpp:8046: TraceLog message 52993
InfoStoreSubsystem::CommitSingleObjectWithRetry: 0.011
SResourceSource::LoadString 49402
SResourceSource::LoadString The secLdap plugin failed to get the dn for the group %1. %2
(InfoStore.cpp:8003) CInfoStoreSubsystem::Commit: Error encountered on Object (4553): The secLdap plugin failed to get the dn for the group cn=BOXI,ou=applications,ou=domain,o=com.

Thanks in advance for any piece of advice.

Laurent.


Laurent RIVIERE (BOB member since 2010-06-21)

Hi,

For anyone else who may run into the same problem.
My configuration is quite good and well done.
My problem came from a missing read ACL needed on the group in the LDAP tree.

Have fun.


Laurent RIVIERE (BOB member since 2010-06-21)
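The two symptoms in this thread (a group mapping string that is not fully qualified under the base DN, and a group entry the bind account cannot read because of a missing read ACL) can both be checked offline against an LDIF export taken with the same bind account. The script below is an added example, not code from the thread or from BusinessObjects; it assumes a simplified LDIF (no continuation lines or base64 values) and uses constructed sample records modelled on the exports posted above.

```python
"""Offline sanity check of a BOE LDAP group mapping against an LDIF export."""
import re

BASE_DN = "ou=domain,o=com"

# Constructed sample LDIF, modelled on the thread's exports (placeholder names).
SAMPLE_LDIF = """\
dn: cn=BOXI,ou=applications,ou=domain,o=com
objectClass: groupOfNames
member: cn=NOM-prenom,ou=prestataires,ou=personnes,ou=domain,o=com
description: BOXI

dn: cn=NOM-Prenom,ou=prestataires,ou=personnes,ou=domain,o=com
objectClass: inetOrgPerson
uid: NOM_P
groupMembership: cn=BOXI,ou=applications,ou=domain,o=com
cn: NOM-Prenom
"""

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no spaces around ',' or '='."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(re.sub(r"\s*=\s*", "=", p).lower() for p in parts)

def parse_ldif(text):
    """Parse simple LDIF records into {normalised dn: {attr: [values]}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        val = val.strip()
        if attr.lower() == "dn":
            cur = {}
            entries[norm_dn(val)] = cur
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(val)
    return entries

def check_group_mapping(mapping_dn, ldif_text, base_dn=BASE_DN):
    """Return a list of problems; an empty list means the mapping looks sane."""
    problems, entries, dn = [], parse_ldif(ldif_text), norm_dn(mapping_dn)
    if not dn.endswith("," + norm_dn(base_dn)):
        problems.append("mapping DN is not fully qualified under base DN")
        dn = dn + "," + norm_dn(base_dn)  # what the CMC needs to receive
    group = entries.get(dn)
    if group is None:  # export with the bind account saw no such entry
        problems.append("group entry not readable with the bind account (ACL?)")
        return problems
    for m in group.get("member", []):  # membership must hold in both directions
        user = entries.get(norm_dn(m))
        if user is None:
            problems.append("member not readable: " + m)
        elif dn not in map(norm_dn, user.get("groupmembership", [])):
            problems.append("groupMembership missing on: " + m)
    return problems
```

Run the LDIF export with the same DN that BOE binds with (here cn=BOXI-User-Auth,...), otherwise the read-ACL check proves nothing about what the plugin can see.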

When configuring LDAP + SSL, make sure the group that you are adding in BO has a UniqueID (this is done by your LDAP Admin).


saidulud (BOB member since 2010-09-17)