Export LDAP plugin issue

Hello,
I am trying to use the Export LDAP plugin. After I install it and restart, I get the error message “error tagging as directory/bm-master” when trying to enable it from the server roles. Is there a step I am missing to use the LDAP server?

Thank you

Did you install the bm-ldap-role package on the target LDAP host?

Otherwise, what’s the message in the bm-core log /var/log/bm/core.log?

I installed the bm-ldap-role on the host, here is the error from core.log:

net.bluemind.core.api.fault.ServerFault: net.bluemind.core.api.fault.ServerFault: Fail to authenticate to LDAP server: 192.168.4.10
at net.bluemind.system.ldap.LdapHelper.connectLdap(LdapHelper.java:103) ~[na:na]
at net.bluemind.system.ldap.LdapHelper.connectConfigDirectory(LdapHelper.java:69) ~[na:na]
at net.bluemind.system.ldap.LdapHook.initLdapTree(LdapHook.java:165) ~[na:na]
at net.bluemind.system.ldap.LdapHook.onHostTagged(LdapHook.java:141) ~[na:na]
at net.bluemind.core.handler.host.impl.TagTask.runUnsafe(TagTask.java:65) ~[na:na]
at net.bluemind.core.handler.host.impl.SilentTask.run(SilentTask.java:56) ~[na:na]
at net.bluemind.core.taskref.TaskBindingImpl$1.run(TaskBindingImpl.java:93) [net.bluemind.core_1.0.0.b13625.jar:na]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
Caused by: net.bluemind.core.api.fault.ServerFault: Fail to authenticate to LDAP server: 192.168.4.10
at net.bluemind.system.ldap.LdapHelper.connectLdap(LdapHelper.java:99) ~[na:na]
… 7 common frames omitted

In /var/log/syslog, there is the error:

slapd[10144]: SASL [conn=1000] Failure: cannot connect to saslauthd server: Permission denied

Running on Ubuntu 14.04 LTS, if that makes any difference.

Strange… I need to test, but it seems that your LDAP server can’t contact ysnp, which is installed by bm-ldap-role.

Is there anything in the ysnp log on the LDAP host?
Can you run on the LDAP host:

# ls -ld /var/run/saslauthd
# ls -al /var/run/saslauthd

The output of those commands is:

ls -ld /var/run/saslauthd

lrwxrwxrwx 1 root root 36 Dec 9 14:26 /var/run/saslauthd -> /var/spool/postfix/var/run/saslauthd

ls -al /var/run/saslauthd

lrwxrwxrwx 1 root root 36 Dec 9 14:26 /var/run/saslauthd -> /var/spool/postfix/var/run/saslauthd

The ysnp log shows normal user logins, but there is nothing about the LDAP login. Is there any configuration that I should have done in addition to installing bm-ldap-role and bm-core-ldap-export on my BlueMind host?

No, all the needed configuration must be done by BlueMind itself.

Is your LDAP installed on your BlueMind host or is it on a separate host?

Sorry, I made a mistake in the second command. Can you run:

# ls -ltr /var/run/saslauthd/

When I run # ls -ltr /var/run/saslauthd/ it returns permission denied.
With sudo this is the output:
total 0
srwxrwxrwx 1 root root 0 Dec 10 19:17 mux

I am running everything on one host right now, so BlueMind and LDAP are on the same host.

It seems that AppArmor denied access to the saslauthd socket.

Is it better after running:

# sudo service apparmor teardown

I open a ticket in BlueMind forge.

You can create the file /etc/apparmor.d/disable/usr.sbin.slapd to disable AppArmor only for the slapd service.

Hello everyone, is there a solution to that problem? I tried to deactivate the AppArmor service, but it’s unrecognized.

Thanks for the reply!
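To confirm the AppArmor diagnosis above before disabling the slapd profile, the denial can be read from the kernel audit lines in syslog. This is an added example, not part of the thread or of BlueMind; the log lines are constructed (the denied path is assumed from the symlink target shown earlier), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LOG is constructed: three lines in
# the audit format AppArmor writes to syslog. The denied path is an assumption
# based on the /var/run/saslauthd symlink target shown in the thread.
SAMPLE_LOG='Dec 10 19:20:01 bm kernel: [ 812.101] audit: type=1400 audit(1418239201.123:45): apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/var/spool/postfix/var/run/saslauthd/mux" pid=10144 comm="slapd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Dec 10 19:20:02 bm kernel: [ 813.440] audit: type=1400 audit(1418239202.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ldap/ldap.conf" pid=901 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 10 19:20:03 bm kernel: [ 814.002] audit: type=1400 audit(1418239203.789:47): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/slapd" pid=10200 comm="apparmor_parser"'

# Read log lines on stdin and print "operation path denied_mask" for every
# AppArmor denial recorded against the given profile name.
apparmor_denials() {
    awk -v want="$1" '
        # Return the value of a key="value" pair on the current line.
        function field(key,   re, s) {
            re = key "=\"[^\"]*\""
            if (!match($0, re)) return ""
            s = substr($0, RSTART, RLENGTH)
            sub("^" key "=\"", "", s)
            sub("\"$", "", s)
            return s
        }
        /apparmor="DENIED"/ && field("profile") == want {
            print field("operation"), field("name"), field("denied_mask")
        }'
}

# Succeed when one of those denials is for the saslauthd socket (mux).
saslauthd_socket_denied() {
    apparmor_denials "$1" | grep -q '/saslauthd/mux '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials /usr/sbin/slapd
```

On the affected host, feed it the real log instead, for example `apparmor_denials /usr/sbin/slapd < /var/log/syslog`. A reported path under /var/spool/postfix rather than /var/run shows that the denial applies to the symlink's target.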

The problem was fixed on BlueMind 3.0.28 and greater.

Are you sure that it’s the same problem?
Do you use Ubuntu 14.04? Does /etc/apparmor.d/disable/usr.sbin.slapd exist?

I’m on version 3.0.30, I installed the server on Debian 8u3, and /etc/apparmor.d/disable/usr.sbin.slapd does not exist.

I have the exact same message: “error tagging as directory/bm-master” while I’m trying to activate the LDAP role.

Is there only one plugin to install for export, or two? I just found a topic that speaks about the “bm-ldap-role”
and the “bm-plugin-core-ldap-export” plugin.

I only have the export one. Is that the possible solution?

Thanks for the reply.

AppArmor is supported only on Ubuntu 14.04 for now, so if you use it on Debian, you must create /etc/apparmor.d/disable/usr.sbin.slapd manually and restart AppArmor as explained there, or remove AppArmor.

You can create a bug in our jira too.

There is only one plugin to export BlueMind accounts into LDAP; it’s bm-plugin-core-ldap-export.

The bm-ldap-role package may be used to install all needed dependencies on the server you plan to use to run the LDAP service.
The LDAP service can run on a separate server or directly on the BlueMind server.

Okay, thanks for your answer.

Is it necessary to disable AppArmor?

In fact, I don’t know what AppArmor is for, so if I don’t have to use it, it’s better.

AppArmor is a kernel security feature like SELinux.

BlueMind doesn’t need it to run.
If you don’t know what it is and haven’t mastered its management, it’s better to remove/disable it for now.

Okay, thanks a lot.

I installed the role bm-ldap-role, and managed to activate the export role.

Thanks for your help and information.