Ldap authentication failed

>
> If your system allows anonymous binds, don't put anything at all in
> the 'account' field. Otherwise you will need to enter an account &
> password that can bind to LDAP. This seemed to be dead simple to me.
>
If it's not anonymous, you can use $login, which would be substituted with
the user trying to authenticate.

Ohad
> Craig

Nope - I removed $login and still not working. Run tcpdump I saw ldap traffic
so seems it tries to do something but always get Incorrect username or
password

I can do a (which return the search result)

ldapsearch -x -b ou=People,dc=m5networks,dc=com,dc=au

from the server that run foreman - is it anonymous bind allowed?

More, I can bind using the account I am trying to tell foreman to auth, like
this

ldapsearch -x -b ou=People,dc=m5networks,dc=com,dc=au -W -D uid=stevek,ou=People,dc=m5networks,dc=com,dc=au

Type password and enter it gets the result.

I also tried to su foreman (foreman run as user foreman after giving it a
shell) - and then run the ldapsearch above, which is OK.

Now I am still not seeing the lights :(

Thanks a help. Is there any way to see the actual error code that foreman
does with the auth? Or it does not work with 389 directory at all?

cheers

On Sat, Aug 27, 2011 at 11:05 PM, Ohad Levy wrote:

On 2011 8 27 14:50, "Craig White" craig.white@ttiltd.com wrote:

> If your system allows anonymous binds, don't put anything at all in
> the 'account' field. Otherwise you will need to enter an account &
> password that can bind to LDAP. This seemed to be dead simple to me.

If it's not anonymous, you can use $login, which would be substituted with
the user trying to authenticate.

Ohad

> Craig

On Aug 25, 4:35 pm, Steve Kieu msh.comput...@gmail.com wrote:

OK enable on the fly user creation does not help

Processing UsersController#login (for 10.200.0.236 at 2011-08-26 03:28:14) [POST]
Parameters: {"action"=>"login", "authenticity_token"=>"FywP1h2gViADEaMPSG/aZ68tTO/AGoxgG+Z62GFwzCQ=", "controller"=>"users", "login"=>{"password"=>"[FILTERED]", "login"=>"stevek"}}
Setting current user thread-local variable to nil
User Load (0.1ms) SELECT * FROM users WHERE (users.login = 'stevek') LIMIT 1
AuthSource Load (0.1ms) SELECT * FROM auth_sources
AuthSourceInternal Columns (0.5ms) SHOW FIELDS FROM auth_sources
Authenticating 'stevek' against 'Internal'
User Load (0.2ms) SELECT * FROM users WHERE (login='stevek') LIMIT 1
Authenticating 'stevek' against 'ldap'
LDAP-Auth with User login
Role Load (0.2ms) SELECT * FROM roles WHERE (roles.name = 'Anonymous') LIMIT 1
Redirected to http://puppet:3000/users/login
Completed in 9ms (DB: 38) | 302 Found [http://puppet/users/login]

Processing UsersController#login (for 10.200.0.236 at 2011-08-26 03:28:14) [GET]
Parameters: {"action"=>"login", "controller"=>"users"}
Setting current user thread-local variable to nil
Rendering template within layouts/application
Rendering users/login
Rendered home/_topbar (0.5ms)
Rendered common/_searchbar (1.1ms)
Completed in 7ms (View: 6, DB: 2) | 200 OK [http://puppet/users/login

I will attached the ldap setting window here to see if I miss something
obvious. Tried with the Attr firstname and mail leave empty as well as I
could not see these attributes in the ldap server - and could not add it (do
not know why PosixAccount prevent adding it even it is Org Person already).

but I guess foreman does not need this, probably the only thing it needs is
uid to be matched.

Thanks,

On Fri, Aug 26, 2011 at 9:10 AM, Steve Kieu msh.comput...@gmail.com wrote:

Sorry I do not understand. I mean in ldap server, my account exists there
(I used it to login to many other system using ldap)

So create account on the fly with foreman means to create on the foreman
system user account? I will try and see how it goes but I interpreted that
it try to create account in the ldap server if it does not exists - some
wording might need to reconsider as it is confusing.

thanks

On Fri, Aug 26, 2011 at 12:03 AM, Ohad Levy ohadl...@gmail.com wrote:

On 2011 8 25 15:22, "Steve Kieu" msh.comput...@gmail.com wrote:

> Hi
>
> Just check the ldap again and enable ldap, restart it, and capture these log

Either you set on the fly creation, or you need to create the accounts first.

Ohad

> Processing UsersController#logout (for 10.200.9.194 at 2011-08-25 16:20:27) [GET]
> Parameters: {"action"=>"logout", "controller"=>"users"}
> Setting current user thread-local variable to nil
> Redirected to http://10.200.10.63:3000/users/login
> Completed in 5ms (DB: 3) | 302 Found [http://10.200.10.63/users/logout]
>
> Processing UsersController#login (for 10.200.9.194 at 2011-08-25 16:20:27) [GET]
> Parameters: {"action"=>"login", "controller"=>"users"}
> Setting current user thread-local variable to nil
> Rendering template within layouts/application
> Rendering users/login
> Rendered home/_topbar (0.5ms)
> Completed in 10ms (View: 8, DB: 22) | 200 OK [http://10.200.10.63/users/login]
>
> Processing UsersController#login (for 10.200.9.194 at 2011-08-25 16:20:44) [POST]
> Parameters: {"action"=>"login", "authenticity_token"=>"yOPPl+NeyQ9bNAV00oqm5wws+SFVg9ZK2huI+SSqe4s=", "controller"=>"users", "login"=>{"password"=>"[FILTERED]", "login"=>"stevek"}}
> Setting current user thread-local variable to nil
> User Load (0.1ms) SELECT * FROM users WHERE (users.login = 'stevek') LIMIT 1
> Setting current user thread-local variable to nil
> Role Load (0.1ms) SELECT * FROM roles WHERE (roles.name = 'Anonymous') LIMIT 1
> Redirected to http://10.200.10.63:3000/users/login
> Completed in 3ms (DB: 1) | 302 Found [http://10.200.10.63/users/login]
>
> Processing UsersController#login (for 10.200.9.194 at 2011-08-25 16:20:44) [GET]
> Parameters: {"action"=>"login", "controller"=>"users"}
> Setting current user thread-local variable to nil
> Rendering template within layouts/application
> Rendering users/login
> Rendered home/_topbar (0.5ms)
> Completed in 6ms (View: 4, DB: 1) | 200 OK [http://10.200.10.63/users/login]
>
> cheers

On Thu, Aug 25, 2011 at 10:11 PM, Ohad Levy ohadl...@gmail.com wrote:

On 2011 8 25 13:43, "Steve Kieu" msh.comput...@gmail.com wrote:

> Have actually turned debug on but found nothing useful in the log though
> it print out several select statement and I saw it select from users
> table. Use mysql and found no user is set at all. I guess why it still try
> to access that table when auth coming from ldap? Anyway try to insert a user
> uid as the same as ldap login to that table, which does not help as well.

Please paste the log output.

Thanks
Ohad

On Thu, Aug 25, 2011 at 5:49 PM, Ohad Levy <ohadl...@gmail.com> wrote:

On Thu, Aug 25, 2011 at 9:07 AM, peace <msh.comput...@gmail.com> wrote:

> Hello everyone,
>
> I am struggling to make ldap auth works without success. Even I tried
> both on debian6 and centos 6 setup. The strange thing is that seems no
> body reported this problem so I am not sure what I did wrong.
>
> What I did is click Setting / LDAP Authentication and setup one ldap
> server
>
> Account: I fill it with $login, I also tried using cn=$login,base_dn
>
> Password leave empty
>
> Attr : uid
> firstname: givenName
> lastname: sn
> attr mail: mail
>
> I did not check the On-the-fly user creation but if I do not supply
> uid it complain. So did not check but still need to fill it in.
>
> Then enable ldap in the settings.yaml file. Login always say Incorrect
> username or password
>
> I manually bind from the host I ran using that ldap credential and
> success. This is the 389 directory server if it matters.
>
> Please help as I could not think of anything else I might be wrong
> here,

My guess is you are missing something simple, try turning on debug
messages[1], probably this should reveal a little bit more:

Ohad

[1] - Troubleshooting - Foreman

> Thanks

You received this message because you are subscribed to the Google Groups "Foreman users" group.
To post to this group, send email to foreman-users@googlegroups.com.
To unsubscribe from this group, send email to foreman-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/foreman-users?hl=en.



On Sun, Aug 28, 2011 at 2:00 AM, Steve Kieu wrote:

> Nope - I removed $login and still not working. Run tcpdump I saw ldap
> traffic so seems it tries to do something but always get Incorrect username
> or password
>
> I can do a (which return the search result)
>
> ldapsearch -x -b ou=People,dc=m5networks,dc=com,dc=au
>
> from the server that run foreman - is it anonymous bind allowed?
>
> More, I can bind using the account I am trying to tell foreman to auth,
> like this
>
> ldapsearch -x -b ou=People,dc=m5networks,dc=com,dc=au -W -D uid=stevek,ou=People,dc=m5networks,dc=com,dc=au
>
> Type password and enter it gets the result.
>
> I also tried to su foreman (foreman run as user foreman after giving it a
> shell) - and then run the ldapsearch above, which is OK.
>
> Now I am still not seeing the lights :(
>
> Thanks a help. Is there any way to see the actual error code that foreman
> does with the auth? Or it does not work with 389 directory at all?

----
Now that I'm thinking about it, perhaps it was a little less than simple
because Foreman is either ldaps (port 636) or ldap (389) and TLS is not an
option. Thus with Ubuntu LDAP (10.04 LTS), I had to enable ldaps in
/etc/default/slapd by adding ldaps:/// as a listening option. Obviously I
wasn't going to have the system administrators send authentication
credentials unencrypted. LDAPS is deprecated and not enabled by default on
most newer distribution default configurations.

As for whether you are doing anonymous binds, that of course would depend
upon your /etc/ldap.conf (padl), perhaps an .ldaprc in your $HOME or even
ldap.conf wherever the base OpenLDAP directory is located… all of those
could have influence. Of course you can log connections/connection attempts
to see the bind process and outcomes - ie debug your problems.

Craig
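
An added example (not from any post in this thread, and not Foreman's own code) of the Account-field behaviour described above: a blank account means an anonymous bind, and $login is replaced by the login name. It assumes plain string substitution with RFC 4514 escaping, compares each template with the DN that bound successfully via ldapsearch, and can optionally do a live ldaps bind with the net-ldap gem to show the server's result code. The helper names, the uid=$login template and the LDAP_* environment variables are assumptions.

```ruby
# Added example, not Foreman's code. Assumption: the auth source replaces the
# literal "$login" in the Account field with the login name and binds as the
# result; a blank Account means an anonymous bind.

BASE_DN       = "ou=People,dc=m5networks,dc=com,dc=au" # search base used in the thread
KNOWN_GOOD_DN = "uid=stevek,#{BASE_DN}"                 # DN that bound by hand (ldapsearch -D)

# The first three templates are the Account values tried in the thread; the
# last is a constructed candidate modelled on the DN that worked by hand.
TEMPLATES = ["", "$login", "cn=$login,#{BASE_DN}", "uid=$login,#{BASE_DN}"].freeze

DN_SPECIAL = "\\,+\"<>;=".freeze

# Escape a user-supplied value before placing it inside a DN (RFC 4514), so a
# login such as "a,ou=Admins" cannot change which entry the bind targets.
def escape_dn_value(value)
  last = value.length - 1
  value.each_char.with_index.map do |ch, i|
    edge = (i.zero? && [" ", "#"].include?(ch)) || (i == last && ch == " ")
    if ch == "\0" then "\\00"
    elsif edge || DN_SPECIAL.include?(ch) then "\\#{ch}"
    else ch
    end
  end.join
end

# Returns the identity the bind would use, or nil for an anonymous bind.
def expand_account(template, login)
  return nil if template.nil? || template.strip.empty?
  template.gsub("$login") { escape_dn_value(login) }
end

# Simplified DN comparison: case-insensitive, ignores spaces around RDNs.
def same_dn?(a, b)
  norm = ->(dn) { dn.split(/(?<!\\),/).map { |rdn| rdn.strip.downcase } }
  norm.call(a) == norm.call(b)
end

# For each template, show what it expands to and whether that equals the DN
# already proven to bind from the command line.
def check_templates(templates, login, known_good_dn)
  templates.map do |t|
    bind_as = expand_account(t, login)
    { template: t, bind_as: bind_as,
      matches: !bind_as.nil? && same_dn?(bind_as, known_good_dn) }
  end
end

# Optional live check over ldaps (port 636). Needs the net-ldap gem, which is
# loaded only here. Returns the LDAP result code and message, for example
# 0 "Success" or 49 "Invalid Credentials".
def live_bind(host, bind_dn, password, port: 636)
  require "openssl"
  require "net/ldap"
  auth = bind_dn ? { method: :simple, username: bind_dn, password: password } : { method: :anonymous }
  ldap = Net::LDAP.new(
    host: host, port: port, auth: auth,
    # Request certificate verification explicitly for the ldaps connection.
    encryption: { method: :simple_tls, tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS }
  )
  ldap.bind
  result = ldap.get_operation_result
  [result.code, result.message]
end

if __FILE__ == $PROGRAM_NAME
  check_templates(TEMPLATES, "stevek", KNOWN_GOOD_DN).each do |r|
    puts format("%-50s -> %-50s %s", r[:template].inspect,
                r[:bind_as] || "(anonymous bind)",
                r[:matches] ? "matches known-good DN" : "differs")
  end

  if ENV["LDAP_HOST"] # live check runs only when a host is given
    require "io/console"
    template = ENV.fetch("LDAP_ACCOUNT", TEMPLATES.last)
    bind_as  = expand_account(template, ENV.fetch("LDAP_LOGIN", "stevek"))
    password = bind_as ? IO.console.getpass("Password for #{bind_as}: ") : nil
    code, message = live_bind(ENV["LDAP_HOST"], bind_as, password)
    puts "LDAP result #{code}: #{message}"
  end
end
```
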

>
> Nope - I removed $login and still not working. Run tcpdump I saw ldap
> traffic so seems it tries to do something but always get Incorrect username
> or password

Can you send a screenshot of your ldap config?

Ohad
>
> I can do a (whihc return the search result)
>
> ldapsearch -x -b ou=People,dc=m5networks,dc=com,dc=au
>
> from the server that run foreman - is it anonymous bind allowed?
>
> More, I can bind using the account I am trying to tell foreman to auth,
like this
>
> ldapsearch -x -b ou=People,dc=m5networks,dc=com,dc=au -W -D
uid=stevek,ou=People,dc=m5networks,dc=com,dc=au
>
> Type password and enter it gets the result.
>
> I also tried to su foreman (foreman run as user forman after giving it a
shell - and then run the ldapsearch above, which is OK.
>
> Now I am still not seeing the lights :frowning:
>
> Thanks a help. Is there any way tosee the actual error code that foreman
does with the auth? Or it does not work with 389 directory at all?
>
> cheers
>
>
>>
>>
>> >
>> > If your system allows anonymous binds, don't put anything at all in
>> > the 'account' field. Otherwise you will need to enter an account &
>> > password that can bind to LDAP. This seemed to be dead simple to me.
>> >
>> If its not anonymous, you can use $login, which would be substituted with
user trying to authenticate.
>>
>> Ohad
>>
>> > Craig
>> >
>> > > OK enable on the fly user creation does not help
>> > >
>> > > Processing UsersController#login (for 10.200.0.236 at 2011-08-26
03:28:14)
>> > > [POST]
>> > > Parameters: {"action"=>"login",
>> > > "authenticity_token"=>"FywP1h2gViADEaMPSG/aZ68tTO/AGoxgG+Z62GFwzCQ=",
>> > > "controller"=>"users", "login"=>{"password"=>"[FILTERED]",
>> > > "login"=>"stevek"}}
>> > > Setting current user thread-local variable to nil
>> > > User Load (0.1ms) SELECT * FROM users WHERE (users.login =
>> > > 'stevek') LIMIT 1
>> > > AuthSource Load (0.1ms) SELECT * FROM auth_sources
>> > > AuthSourceInternal Columns (0.5ms) SHOW FIELDS FROM
auth_sources
>> > > Authenticating 'stevek' against 'Internal'
>> > > User Load (0.2ms) SELECT * FROM users WHERE (login='stevek')
LIMIT 1
>> > > Authenticating 'stevek' against 'ldap'
>> > > LDAP-Auth with User login
>> > > Role Load (0.2ms) SELECT * FROM roles WHERE (roles.name =
>> > > 'Anonymous') LIMIT 1
>> > > Redirected tohttp://puppet:3000/users/login
>> > > Completed in 9ms (DB: 38) | 302 Found [http://puppet/users/login]
>> > >
>> > > Processing UsersController#login (for 10.200.0.236 at 2011-08-26
03:28:14)
>> > > [GET]
>> > > Parameters: {"action"=>"login", "controller"=>"users"}
>> > > Setting current user thread-local variable to nil
>> > > Rendering template within layouts/application
>> > > Rendering users/login
>> > > Rendered home/_topbar (0.5ms)
>> > > Rendered common/_searchbar (1.1ms)
>> > > Completed in 7ms (View: 6, DB: 2) | 200 OK [http://puppet/users/login
>> > >
>> > > I will attached the ldap setting window here to see if I miss
something
>> > > obvious. Tried with the Attr firstname and mail leave empty as well
as I
>> > > could not see these attributes in the ldap server - and could not add
it (do
>> > > not know why PosixAccount prevent adding it even it is Org Person
already.
>> > >
>> > > but I guess foreman does nto need this, probabaly the only thing it
needs is
>> > > uid to be matched.
>> > >
>> > > Thanks,
>> > >
>> > >
>> > >
>> > > > Sorry I do not understand. I mean in ldap server, my account exists
there
>> > > > (I used it to login tomany other system using ldap)
>> > >
>> > > > So create account on the fly with foreman means to create on the
foreman
>> > > > system user account? I will try and see how it goes but I
interpreted that
>> > > > it try to create account in the ldap server if it does not exists -
some
>> > > > wording might need to reconsider as it is confusing.
>> > >
>> > > > thanks
>> > >
>> > >
>> > >
>> > > >> > Hi
>> > >
>> > > >> > Just check the ldap again and enable ldap, restart it, and
capture these
>> > > >> log
>> > >
>> > > >> Either you set on the fly creation, or you need to create the
accounts
>> > > >> first.
>> > >
>> > > >> Ohad
>> > >
>> > > >> > Processing UsersController#logout (for 10.200.9.194 at
2011-08-25
>> > > >> 16:20:27) [GET]
>> > > >> > Parameters: {"action"=>"logout", "controller"=>"users"}
>> > > >> > Setting current user thread-local variable to nil
>> > > >> > Redirected tohttp://10.200.10.63:3000/users/login
>> > > >> > Completed in 5ms (DB: 3) | 302 Found [
http://10.200.10.63/users/logout]
>> > >
>> > > >> > Processing UsersController#login (for 10.200.9.194 at 2011-08-25
>> > > >> 16:20:27) [GET]
>> > > >> > Parameters: {"action"=>"login", "controller"=>"users"}
>> > > >> > Setting current user thread-local variable to nil
>> > > >> > Rendering template within layouts/application
>> > > >> > Rendering users/login
>> > > >> > Rendered home/_topbar (0.5ms)
>> > > >> > Completed in 10ms (View: 8, DB: 22) | 200 OK [
>> > > >>http://10.200.10.63/users/login]
>> > >
>> > > >> > Processing UsersController#login (for 10.200.9.194 at 2011-08-25
>> > > >> 16:20:44) [POST]
>> > > >> > Parameters: {"action"=>"login",
>> > > >>
"authenticity_token"=>"yOPPl+NeyQ9bNAV00oqm5wws+SFVg9ZK2huI+SSqe4s=",
>> > > >> "controller"=>"users", "login"=>{"password"=>"[FILTERED]",
>> > > >> "login"=>"stevek"}}
>> > > >> > Setting current user thread-local variable to nil
>> > > >> > User Load (0.1ms) SELECT * FROM users WHERE
(users.login =
>> > > >> 'stevek') LIMIT 1
>> > > >> > Setting current user thread-local variable to nil
>> > > >> > Role Load (0.1ms) SELECT * FROM roles WHERE
(roles.name =
>> > > >> 'Anonymous') LIMIT 1
>> > > >> > Redirected tohttp://10.200.10.63:3000/users/login
>> > > >> > Completed in 3ms (DB: 1) | 302 Found [
http://10.200.10.63/users/login]
>> > >
>> > > >> > Processing UsersController#login (for 10.200.9.194 at 2011-08-25
>> > > >> 16:20:44) [GET]
>> > > >> > Parameters: {"action"=>"login", "controller"=>"users"}
>> > > >> > Setting current user thread-local variable to nil
>> > > >> > Rendering template within layouts/application
>> > > >> > Rendering users/login
>> > > >> > Rendered home/_topbar (0.5ms)
>> > > >> > Completed in 6ms (View: 4, DB: 1) | 200 OK [
>> > > >>http://10.200.10.63/users/login]
>> > >
>> > > >> > cheers
>> > >
>> > >
>> > >
>> > > >> >> > Have actually turned debug on but found nothing useful in the
log
>> > > >> though
>> > >
>> > > >> >> > it print out several select statement and I saw it select
from users
>> > > >> table. Use mysql and found no user is set at all. I guess why it
still try
>> > > >> to access that table when auth coming from ldap? Anyway try to
insert a user
>> > > >> uid as the same as ldap login to that table, which does not help
as well.
>> > >
>> > > >> >> Please paste the log output.
>> > >
>> > > >> >> Thanks
>> > > >> >> Ohad
>> > >
>> > >
>> > > >> >> >> > Hello everyone,
>> > >
>> > > >> >> >> > I am struggling to make ldap auth works without sucess.
Even I
>> > > >> tried
>> > > >> >> >> > both on debian6 and centos 6 setup. The strange thing is
that
>> > > >> seems no
>> > > >> >> >> > body reported this problem so I am not sure what I did
wrong.
>> > >
>> > > >> >> >> > What I did is click Setting / LDAP Authentication and
setup one
>> > > >> ldap
>> > > >> >> >> > server
>> > >
>> > > >> >> >> > Account: I fill it with $login, I also tried using
>> > > >> cn=$login,base_dn
>> > >
>> > > >> >> >> > Password leave empty
>> > >
>> > > >> >> >> > Attr : uid
>> > > >> >> >> > firstname: givenName
>> > > >> >> >> > lasname: sn
>> > > >> >> >> > attr mail: mail
>> > >
>> > > >> >> >> > I did not check the On-the-fly user creation but if I do
not
>> > > >> supplie
>> > > >> >> >> > uid it complain. So did not check but still need to fill
it in.
>> > >
>> > > >> >> >> > Then enable ldap in the settings.yaml file. Login always
say
>> > > >> Incorrect
>> > > >> >> >> > username or password
>> > >
>> > > >> >> >> > I manually bind from the host I ran using that ldap
credential and
>> > > >> >> >> > success. This is the 389 directory server if it matters.
>> > >
>> > > >> >> >> > Please help as I could not think of anything else I might
be wrong
>> > > >> >> >> > here,
>> > >
>> > > >> >> >> My guess is you are missing something simple, try turning on
debug
>> > > >> >> >> messages[1], probably this should reveal a little bit more:
>> > >
>> > > >> >> >> Ohad
>> > >
>> > > >> >> >> [1] -
>> > > >>
Troubleshooting - Foreman
>> > >
>> > > >> >> >> > Thanks
>> > >
>> > > >> >> >> > –
>> > > >> >> >> > You received this message because you are subscribed to
the Google
>> > > >> Groups "Foreman users" group.
>> > > >> >> >> > To post to this group, send email to
>> > > >> foreman-users@googlegroups.com.
>> > > >> >> >> > To unsubscribe from this group, send email to
>> > > >> foreman-users+unsubscribe@googlegroups.com.
>> > > >> >> >> > For more options, visit this group at
>> > > >>http://groups.google.com/group/foreman-users?hl=en.

>
> As for whether you are doing anonymous binds, that of course would depend
> upon your /etc/ldap.conf (padl), perhaps an .ldaprc in your $HOME or even
> ldap.conf wherever the base OpenLDAP directory is located… all of those
> could have influence. Of course you can log connections/connection attempts
> to see the bind process and outcomes - ie debug your problems.
>
>
There is no /etc/ldap.conf and no $HOME/.ldaprc in my case. Our 389 server
enables ldap (389) and ldaps (636) - I re-ran the ldapsearch command and added
option -H ldap://ldap - ldap is also the hostname of the 389 ds server - to
make it explicitly use the ldap scheme, which returns the same result. The
linux host itself is using ldap to authenticate user's account on 389 so
I am sure that there is no problem at all with ldap server or client
config.

And I already tried with $login and without $login with same result. Probably
I have tried many things as well in the ldap config screen without success.
Here attached is the last one I tried. I believe that there is some
fundamental problem with ruby-ldap somehow - is there a ruby test script
for ldap that I can test, sorry I am not familiar with ruby so can not craft one
myself.

Many thanks,

Steve Kieu

if you want on the fly, you need to complete all attributes (including
firstname).
imho, when running in debug mode with on the fly enabled, you would
get the exact error message…
Also, all fields in your ldap should be valid (e.g. mail address etc).

Ohad
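
The bind, search, bind sequence and the on-the-fly attribute requirement discussed above, as an added example that is not part of the thread and is not Foreman's or ruby-ldap's code. It runs against a constructed in-memory directory; `FakeDirectory`, `authenticate`, the hash keys and the example.com entries are assumptions made for illustration.

```ruby
# Added example: models a search-then-bind login against a constructed
# in-memory directory. Nothing here is Foreman's or ruby-ldap's API.

class FakeDirectory
  def initialize(entries, allow_anonymous: true)
    @entries = entries
    @allow_anonymous = allow_anonymous
  end

  # Simple bind. Empty DN plus empty password is an anonymous bind.
  # The plaintext comparison exists only because this is a stand-in.
  def bind(dn, password)
    return @allow_anonymous && password.to_s.empty? if dn.to_s.empty?
    entry = @entries[dn]
    !entry.nil? && !password.to_s.empty? && entry["userPassword"] == password
  end

  # Equality search below base_dn, e.g. (uid=jdoe).
  def search(base_dn, attr, value)
    @entries.select { |dn, e| dn.end_with?(base_dn) && e[attr] == value }
  end
end

BASE = "ou=People,dc=example,dc=com" # constructed sample data
DIRECTORY = {
  # objectClasses without givenName/sn/mail, like the entry in the thread
  "uid=jdoe,#{BASE}" => {
    "objectClass" => %w[account posixAccount], "uid" => "jdoe",
    "cn" => "John Doe", "userPassword" => "s3cret-jdoe"
  },
  "uid=asmith,#{BASE}" => {
    "objectClass" => %w[inetOrgPerson posixAccount], "uid" => "asmith",
    "cn" => "Ann Smith", "givenName" => "Ann", "sn" => "Smith",
    "mail" => "asmith@example.com", "userPassword" => "s3cret-asmith"
  }
}.freeze

# Mirrors the fields of the auth source form described in the thread.
DEFAULT_SOURCE = {
  account: "", account_password: "", base_dn: BASE, attr_login: "uid",
  attr_firstname: "givenName", attr_lastname: "sn", attr_mail: "mail",
  onthefly: false
}.freeze

def authenticate(dir, source, login, password)
  # Refuse an empty password up front: on servers that permit it, a bind
  # with a DN and no password is not a real credential check.
  return { status: :rejected, reason: "empty password" } if password.to_s.empty?
  # The login is spliced into a DN template, so restrict its characters.
  unless login.to_s =~ /\A[A-Za-z0-9._-]+\z/
    return { status: :rejected, reason: "unsafe login" }
  end

  account = source[:account].to_s
  per_user = account.include?("$login")
  bind_dn = account.gsub("$login") { login } # block form: no backslash expansion
  bind_pw = per_user ? password : source[:account_password].to_s
  unless dir.bind(bind_dn, bind_pw)
    return { status: :failed, reason: "initial bind failed for #{bind_dn.inspect}" }
  end

  matches = dir.search(source[:base_dn], source[:attr_login], login)
  unless matches.size == 1
    return { status: :failed, reason: "expected one entry, found #{matches.size}" }
  end

  dn, entry = matches.first
  unless dir.bind(dn, password)
    return { status: :failed, reason: "user bind failed for #{dn}" }
  end

  if source[:onthefly]
    wanted = { firstname: source[:attr_firstname],
               lastname: source[:attr_lastname], mail: source[:attr_mail] }
    missing = wanted.select { |_, a| a.to_s.empty? || entry[a].to_s.empty? }.keys
    unless missing.empty?
      return { status: :failed, reason: "on-the-fly creation lacks attributes",
               missing: missing }
    end
  end
  { status: :ok, dn: dn }
end

if __FILE__ == $PROGRAM_NAME
  dir = FakeDirectory.new(DIRECTORY)
  ["", "$login", "cn=$login,#{BASE}", "uid=$login,#{BASE}"].each do |acct|
    src = DEFAULT_SOURCE.merge(account: acct)
    puts "#{acct.inspect}: #{authenticate(dir, src, 'jdoe', 's3cret-jdoe')}"
  end
  otf = DEFAULT_SOURCE.merge(onthefly: true)
  puts "on-the-fly jdoe: #{authenticate(dir, otf, 'jdoe', 's3cret-jdoe')}"
end
```
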


How can I disable on the fly user creation and still make it work? I mean is
there a way to create manually the user for foreman?

I already did before by inserting into users(uid) value('stevek') ; and it
still does not work (mysql)

In 389 ldap browser I could not add attr mail and givenName - the schema
does not allow me to do it. Have a look at the screenshot attached to see the
objectClass -

cheers

Steve Kieu

Settings --> users --> new?


> How can I disable on the fly user creation and still make it work? I mean
> is there a way to create manually the user for foreman?
>
> I already did before by inserting into users(uid) value('stevek') ; and it
> still does not work (mysql)
>
> In 389 ldap browser I could not add attr mail and givenName - the schema
> does not allow me to do it. Have a look at the screenshot attached to see the
> objectClass -

The idea of why these fields are customizable is that you could fill in your
own field names; check the wiki, there are examples for both AD and
OpenLDAP.

Ohad

Nope my foreman does not have it, click Settings does not see any item
Users!

[root@puppet ~]# rpm -qa|grep foreman
foreman-0.3-1.noarch

this is centos 6 system by the way and the foreman repo is

[foreman]
name=Foreman Repo
baseurl=http://yum.theforeman.org/stable
gpgcheck=0
enabled=1

cheers

Steve Kieu

Don't you have

:ldap: true in your settings file?
(:login: true) also works as they are aliases.

Ohad


OK it is a bit tricky as when I enable it I need to login and I could not
login. However I disabled first, running and enable it restart the admin
session is still there and I can see the User menu item. So reset admin
password set as internal - and signout and signin it is OK

However ldap does not work - but at least we have some sort of
authentication for now. Creating an account and mapped it to ldap, and try
to login, same old story - oh I disable Create user on the fly as well
without success

Thanks for the tip to enable internal authentication.

cheers

Steve Kieu