I am setting up Asustor 5304T with OpenLDAP authentication.
I have OpenLDAP running on a Linux box. Both the LDAP server and Asustor are on the same local network.
Asustor can see LDAP users and groups - I can view them in the admin console (AD/LDAP Users and AD/LDAP Groups in Access Control).
However, when I try to log in using any LDAP user, the login is rejected and all I get is a "Sign in failed" warning in the Connection Log in Asustor's admin console.
I don't have any whitelists or blacklists set up. Local users can log in just fine.
When I try to log into LDAP via other means (like LDAP Browser or ldapsearch) the user login works fine.
LDAP is set up with a self-signed CA certificate and TLS.
I can see in LDAP's log that Asustor tries to bind the user and succeeds:
601bc71d <<< dnPrettyNormal: <uid=another,ou=users,dc=houshin,dc=net>,<uid=another,ou=users,dc=houshin,dc=net>
601bc71d conn=1005 op=0 BIND dn="uid=another,ou=users,dc=houshin,dc=net" method=128
601bc71d do_bind: version=3 dn="uid=another,ou=users,dc=houshin,dc=net" method=128
601bc71d ==> mdb_bind: dn: uid=another,ou=users,dc=houshin,dc=net
601bc71d mdb_dn2entry("uid=another,ou=users,dc=houshin,dc=net")
601bc71d => mdb_dn2id("uid=another,ou=users,dc=houshin,dc=net")
601bc71d <= mdb_dn2id: got id=0x6
601bc71d => mdb_entry_decode:
601bc71d <= mdb_entry_decode
601bc71d => access_allowed: result not in cache (userPassword)
601bc71d => access_allowed: auth access to "uid=another,ou=users,dc=houshin,dc=net" "userPassword" requested
601bc71d => slap_access_allowed: backend default auth access granted to "(anonymous)"
601bc71d => access_allowed: auth access granted by read(=rscxd)
601bc71d conn=1005 op=0 BIND dn="uid=another,ou=users,dc=houshin,dc=net" mech=SIMPLE ssf=0
601bc71d do_bind: v3 bind: "uid=another,ou=users,dc=houshin,dc=net" to "uid=another,ou=users,dc=houshin,dc=net"
601bc71d send_ldap_result: conn=1005 op=0 p=3
601bc71d send_ldap_result: err=0 matched="" text=""
601bc71d send_ldap_response: msgid=1 tag=97 err=0
When I purposefully use a wrong password, LDAP's BIND results in a 49 (Invalid Credentials) error, as one would expect.
LDAP definitions:
# houshin.net
dn: dc=houshin,dc=net
objectClass: dcObject
objectClass: organization
o: Houshin
dc: houshin
# users, houshin.net
dn: ou=users,dc=houshin,dc=net
objectClass: organizationalUnit
ou: users
# groups, houshin.net
dn: ou=groups,dc=houshin,dc=net
objectClass: organizationalUnit
ou: groups
# another, users, houshin.net
dn: uid=another,ou=users,dc=houshin,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Another
sn: Another
uid: another
uidNumber: 1002
homeDirectory: /home/another
loginShell: /bin/bash
gecos: Another
userPassword:: cGFzc3dk
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
gidNumber: 48907
# people, groups, houshin.net
dn: cn=people,ou=groups,dc=houshin,dc=net
objectClass: posixGroup
objectClass: top
description: users
memberUid: another
gidNumber: 48907
cn: people
I can't find any information on Asustor's side that would indicate why the login request is being denied.
Any help and pointers are greatly appreciated.
question from:
https://stackoverflow.com/questions/66047542/using-asustor-5304t-with-openldap
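Because the bind itself succeeds and the NAS logs nothing beyond "Sign in failed", a useful next step when triaging this kind of failure is to evaluate the user entry the way a Linux-style account check would, independently of the NAS. The script below is an added example and is not code from the post or from Asustor: it parses the LDIF posted above (copied inline as constructed sample input, base64 `::` values included) and applies the shadow(5) password-aging rules as PAM modules such as pam_unix and pam_ldap commonly interpret them. That the Asustor login path performs an equivalent shadowAccount check is an assumption, not something the post establishes; the function names `parse_ldif` and `check_shadow` are mine.

```python
"""Evaluate shadowAccount password-aging fields in an LDIF export.

Added example (not from the post or from Asustor). Parses minimal LDIF,
decodes base64 ('::') values, and classifies each shadowAccount entry the
way Linux PAM account checks (pam_unix / pam_ldap style) commonly do.
Assumption: the NAS applies comparable shadow(5) rules after the bind.
"""
import base64
from datetime import date

# Constructed sample: the user entry copied from the post's LDIF.
LDIF = """\
dn: uid=another,ou=users,dc=houshin,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
uid: another
uidNumber: 1002
gidNumber: 48907
userPassword:: cGFzc3dk
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space folds onto the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF record."""
    records, current = [], {}
    for line in _unfold(text):
        if not line.strip():              # blank line terminates a record
            if current:
                records.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(key, []).append(value)
    if current:
        records.append(current)
    return records


def _int_attr(entry, name, default=-1):
    """Integer shadow attribute; -1 means 'not set', as shadow(5) treats it."""
    vals = entry.get(name)
    if not vals or vals[0] == "":
        return default
    return int(vals[0])


def check_shadow(entry, today=None):
    """Classify an entry as a PAM account check would.

    today: days since 1970-01-01 (defaults to the current date).
    Returns 'ok', 'no-shadow', 'account-expired',
    'password-change-required' or 'password-expired'.
    """
    if "shadowAccount" not in entry.get("objectClass", []):
        return "no-shadow"
    if today is None:
        today = (date.today() - date(1970, 1, 1)).days
    expire = _int_attr(entry, "shadowExpire")
    lastchg = _int_attr(entry, "shadowLastChange")
    maxage = _int_attr(entry, "shadowMax")
    inact = _int_attr(entry, "shadowInactive")
    if expire > 0 and today >= expire:
        return "account-expired"
    if lastchg == 0:                      # shadow(5): must change at next login
        return "password-change-required"
    if lastchg > 0 and maxage != -1:
        age = today - lastchg
        if inact != -1 and age > maxage + inact:
            return "password-expired"     # past the grace period too
        if age > maxage:
            return "password-change-required"
    return "ok"


def report(text, today=None):
    """Map each dn in the LDIF to its shadow classification."""
    return {e["dn"][0]: check_shadow(e, today) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, status in report(LDIF).items():
        print(f"{dn}: {status}")
```

Run against the posted entry, the classifier reports `password-change-required` for `uid=another`, because `shadowLastChange: 0` is the shadow(5) sentinel for "change password at next login"; a login path that enforces aging would refuse or divert such an account even though the simple bind returns err=0. Comparing the NAS behaviour against an entry with a non-zero `shadowLastChange` and a sensible `shadowMax` isolates whether aging fields are involved, without touching the NAS configuration.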