collective / pas.plugins.ldap

Zope (and Plone) PAS Plugin providing users and groups from LDAP directory
http://pypi.python.org/pypi/pas.plugins.ldap

Manager authentication problem with eDirectory #3

Closed ju55i closed 12 years ago

ju55i commented 12 years ago

After saving the LDAP Manager User and Password in control panel I get an error: `ERROR: LDAP users; {'info': 'NDS error: failed authentication (-669)', 'desc': 'Invalid credentials'}`

Manager DN and password are correct and they work from the ldapsearch command.

Is there any way to debug what LDAP queries pas.plugins.ldap is actually making?

rnixx commented 12 years ago

Authentication happens here. https://github.com/bluedynamics/node.ext.ldap/blob/master/src/node/ext/ldap/session.py#L91. You can step in with pdb.

ju55i commented 12 years ago

Strange... The debugger doesn't start when put in before that line (or after). I'm also getting `{'info': 'NDS error: no such entry (-601)', 'desc': 'No such object'}` error when accessing any page. It would be great if the product would log all the queries in debug log level.

malthe commented 12 years ago

You can have the SQL statements be written to stdout. I think it's debug="True" in the ZCML statements that configure the engine.

jensens commented 12 years ago

SQL ... well, don't we talk about LDAP? Anyway strange. You may want to try this: http://lpetr.org/blog/archives/how-to-enable-logging-in-python-ldap by editing the node.ext.ldap egg temporarily.

malthe commented 12 years ago

Oh, sorry. I saw LDAP as SQL.

Jensens has the right advice here then :-)

ju55i commented 12 years ago

The problem seems to be the cn=subschema query that is being made. Here's the dump from the debugging session: https://gist.github.com/0c698e78a118ffd43a68. If I understood correctly, the correct way to access the schema is to query the subschemaSubentry attribute from the object, and that should tell the location of the schema object (cn=schema). Is this a concern of python-ldap?
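The lookup described in the comment above, as an added example that is not part of the thread and is not node.ext.ldap's code: read `subschemaSubentry` from the entry, fall back to the root DSE, and never assume `cn=subschema`. The names `find_subschema_dn`, `FakeDirectory`, `NoSuchObject` and the sample entries are hypothetical; the `search_s` call shape follows python-ldap, and the fake directory stands in for a real connection so the code runs offline.

```python
SCOPE_BASE = 0  # same value as ldap.SCOPE_BASE in python-ldap


class NoSuchObject(Exception):
    """Stand-in for ldap.NO_SUCH_OBJECT so the example runs without python-ldap."""


def find_subschema_dn(conn, entry_dn=""):
    """Return the DN of the subschema entry governing entry_dn, or None.

    Reads the operational attribute subschemaSubentry from the entry itself
    and falls back to the root DSE (empty DN) when the entry does not carry it.
    """
    for base in dict.fromkeys([entry_dn, ""]):  # de-duplicate, keep order
        try:
            result = conn.search_s(base, SCOPE_BASE, "(objectClass=*)",
                                   ["subschemaSubentry"])
        except NoSuchObject:
            continue
        for _dn, attrs in result:
            # Attribute names are case-insensitive in LDAP.
            for name, values in attrs.items():
                if name.lower() == "subschemasubentry" and values:
                    value = values[0]
                    # python-ldap 3.x returns bytes, 2.x returned str.
                    return value.decode("utf-8") if isinstance(value, bytes) else value
    return None


class FakeDirectory:
    """Constructed stand-in for a server that publishes its schema at cn=schema."""

    def __init__(self, entries):
        self.entries = entries
        self.queries = []  # every base DN asked for, useful when debugging

    def search_s(self, base, scope, filterstr, attrlist):
        self.queries.append(base)
        if base not in self.entries:
            raise NoSuchObject(base)
        attrs = {k: v for k, v in self.entries[base].items() if k in attrlist}
        return [(base, attrs)]


# Constructed sample data: root DSE points to cn=schema; cn=subschema does not exist.
EDIR_LIKE = FakeDirectory({"": {"subschemaSubentry": [b"cn=schema"]},
                           "cn=schema": {"objectClass": [b"subschema"]},
                           "o=example": {"o": [b"example"]}})

if __name__ == "__main__":
    print(find_subschema_dn(EDIR_LIKE, "o=example"))  # cn=schema
```

With a real python-ldap connection, catch `ldap.NO_SUCH_OBJECT` in place of the stand-in exception.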

rnixx commented 12 years ago

This is an issue of node.ext.ldap. -> https://github.com/bluedynamics/node.ext.ldap/blob/c2e1bb73d2c84f560d41021b0dbfa3d649ee21d8/src/node/ext/ldap/schema.py#L18.

rnixx commented 12 years ago

Can you try with the latest node.ext.ldap changes again please?

ju55i commented 12 years ago

That resolved the schema issue. Now I'm getting an error: https://gist.github.com/7f9ebdda384d557bf62a.

rnixx commented 12 years ago

What version of python-ldap are you using?

jensens commented 12 years ago

What version of python-ldap do you use?

ju55i commented 12 years ago

We're running python_ldap-2.3.12 with our own UTF-8 default encoding patch. System is RHEL5 which has OpenLDAP 2.3.

jensens commented 12 years ago

As far as I know we need at least a python-ldap 2.4 release. Correct me if I'm wrong. I think OpenLDAP 2.3 should be fine, even if our tests are running against 2.4.26.

You can integrate a python-ldap build into buildout.

To be sure, I would clone node.ext.ldap, edit its ldap.cfg to use the OpenLDAP version you use and let all tests run.

ju55i commented 12 years ago

Python-ldap 2.4 versions require OpenLDAP 2.4. That's the main reason we're still using 2.3.12. I guess we need to install a separate OpenLDAP 2.4 and build the newer python-ldap against it.

jensens commented 12 years ago

OK, I was not aware of this. So we need to document this in the installation/requirements section of both node.ext.ldap and pas.plugins.ldap!

rnixx commented 12 years ago

How to integrate your own OpenLDAP build via buildout can be found here -> https://github.com/collective/pas.plugins.ldap/blob/master/ldap.cfg

ju55i commented 12 years ago

I got this working now. I configured OpenLDAP with --disable-slapd because RHEL5 has too old BerkeleyDB and I don't really need the server part. Thanks everybody for the help!