RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd, run
/usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com.
I get the response below:

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: SASL(0): successful result

That's because the slapd program is stopped for some reason. Here is the log of slapd:

slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281422959
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({mb) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281422959
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=195
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 248 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 326 contents:
op tag 0x60, time 1281422960
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: (cn=admin)
put_filter: simple
put_simple_filter: cn=admin
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry(ou=people,dc=example,dc=com)
=> bdb_dn2id(ou=people,dc=example,dc=com)
<= bdb_dn2id: got id=0x1
entry_decode: ou=people,dc=example,dc=com
<= entry_decode(ou=people,dc=example,dc=com)
search_candidates: base=ou=people,dc=example,dc=com (0x0001) scope=1
=> bdb_dn2idl(ou=people,dc=example,dc=com)
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
entry_decode: cn=admin,ou=people,dc=example,dc=com
<= entry_decode(cn=admin,ou=people,dc=example,dc=com)
=> bdb_dn2id(cn=admin,ou=people,dc=example,dc=com)
<= bdb_dn2id: got id=0x2
send_ldap_result: conn=0 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault

-----Original Message-----
From: Howard Chu [mailto:h...@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Dan White wrote:
> On 09/08/10 14:52 -0700, Howard Chu wrote:
>> Dan White wrote:
>>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>>> Hi,
>>>> My problem is that I expect slapd to authenticate with the password
>>>> stored in sasldb. But it's not, it uses the password stored in the
>>>> userpassword attribute of this user, which is an item of openldap.
>>>> So I want to know, how can slapd use the password stored in sasldb
>>>> to do the sasl authentication.
>>>
>>> I attempted to do this as well and failed. Setting auxprop_plugin to
>>> sasldb did not provide the expected response. Regardless of whether I
>>> set it to slapd or sasldb, the server authenticates my digest-md5 sasl
>>> bind using the internal slapd plugin. I recommend you file a bug report.
>>
>> File the bug with the correct people. OpenLDAP doesn't do anything in
>> particular with SASL configuration. If you can't get the desired
>> behavior by setting the SASL config file, then file a bug
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

I can understand the disadvantage of using sasldb, I just want to test SASL
with sasldb. Is there any way I can solve this issue? I can't find out which
version of db that sasldb is using.

Thanks for your response, it helps me a lot.

-----Original Message-----
From: Howard Chu [mailto:h...@symas.com]
Sent: Tuesday, August 10, 2010 2:26 PM
To: LI Ji D
Cc: Dan White; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D wrote:
> Hi,
> I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd, run
> /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com.
> I get the response below:
>
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>         additional info: SASL(0): successful result
>
> That's because the slapd program is stopped for some reason. Here is the log of slapd:

> <==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
> slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
> Segmentation fault

Most likely your sasldb was compiled against a different version of
BerkeleyDB than slapd.

In general, using sasldb is a mistake. You cannot administer it remotely, and
it has no provisions for re-entrancy / thread-safety.

> -----Original Message-----
> From: Howard Chu [mailto:h...@symas.com]
> Sent: Tuesday, August 10, 2010 1:53 PM
> To: Dan White
> Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
> Subject: Re: PROBLEM: can't use SASL to authentication openldap client
>
> Dan White wrote:
>> On 09/08/10 14:52 -0700, Howard Chu wrote:
>>> Dan White wrote:
>>>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>>>> Hi,
>>>>> My problem is that I expect slapd to authenticate with the password
>>>>> stored in sasldb. But it's not, it uses the password stored in the
>>>>> userpassword attribute of this user, which is an item of openldap.
>>>>> So I want to know, how can slapd use the password stored in sasldb
>>>>> to do the sasl authentication.
>>>>
>>>> I attempted to do this as well and failed. Setting auxprop_plugin to
>>>> sasldb did not provide the expected response. Regardless of whether I
>>>> set it to slapd or sasldb, the server authenticates my digest-md5 sasl
>>>> bind using the internal slapd plugin. I recommend you file a bug report.
>>>
>>> File the bug with the correct people. OpenLDAP doesn't do anything in
>>> particular with SASL configuration. If you can't get the desired
>>> behavior by setting the SASL config file, then file a bug against
>>> Cyrus SASL.
>>
>> It does! for auxprop_plugin, and auxprop_plugin only.
>>
>> After some digging I found the insertion of a SASL_CB_GETOPT function
>> which replaces whatever auxprop_plugin value is found in the sasl config
>> file with the sasl-auxprops openldap config option, or defaults to
>> 'slapd' if no sasl-auxprops is defined.
>>
>> It's perfectly documented in the slapd.conf man page... just never
>> occurred to me to look.
>>
>> LI, setting:
>>
>> sasl-auxprops sasldb
>>
>> within the openldap slapd.conf works for me.
>
> My mistake. This was added last year.
>
> http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

1. I add an:
   auth.debug ...
   to my syslog configuration, and add this to my /usr/lib/sasl2/slapd.conf:
   log_level: 7

So slapd.conf is:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
log_level: 7

and syslog.conf is:

*.debug;mail.none;;cron.none    /var/log/messages
auth.debug                      /var/log/secure

2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com

Log in /var/log/secure is:

Aug  9 14:53:54 bjims31 last message repeated 2 times
Aug  9 14:54:04 bjims31 last message repeated 3 times
Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3

And log in /var/log/messages is:

Aug  9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base= scope=0 deref=0 filter=(objectClass=*)
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn= method=163
Aug  9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn= method=163
Aug  9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not indexed
Aug  9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid=admin authzid=admin
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn=cn=admin,ou=people,dc=example,dc=com mech=DIGEST-MD5 sasl_ssf=128 ssf=128
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SRCH base=ou=people,dc=example,dc=com scope=2 deref=0 filter=(objectClass=*)
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=2 text=
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=4 UNBIND
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 fd=12 closed

-----Original Message-----
From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 6:37 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi, Klünter
> Now I can use sasl to authenticate, but openldap seems to be using the
> password attribute stored in the user in openldap to do the sasl. I expect
> openldap to use sasldb as an external source to do the authentication.

enable debugging of the sasl library. Set debug 7 in sasl2/slapd.conf and
enable syslog to log auth.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: PROBLEM: can't use SASL to authentication openldap client
Hi,

LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi,
>
> 1. I add an:
>    auth.debug ...
>    to my syslog configuration, and add this to my /usr/lib/sasl2/slapd.conf:
>    log_level: 7
>
> So slapd.conf is:
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: digest-md5
> log_level: 7
>
> and syslog.conf is:
>
> *.debug;mail.none;;cron.none    /var/log/messages
> auth.debug                      /var/log/secure
>
> 2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
>
> Log in /var/log/secure is:
>
> Aug  9 14:53:54 bjims31 last message repeated 2 times
> Aug  9 14:54:04 bjims31 last message repeated 3 times
> Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
>
> And log in /var/log/messages is:
>
> Aug  9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base= scope=0 deref=0 filter=(objectClass=*)
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn= method=163
> Aug  9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
> Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
> Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn= method=163
> Aug  9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not indexed
> Aug  9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
> Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid=admin authzid=admin
> Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn=cn=admin,ou=people,dc=example,dc=com mech=DIGEST-MD5 sasl_ssf=128 ssf=128

This is a successful bind, what is your problem here?

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
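Dieter reads the stats-level lines above as a successful bind: the first BIND gets RESULT err=14 (saslBindInProgress, a challenge), the second carries the authenticated DN, mechanism and SSF, and gets err=0. The following added example (not code from the thread or from OpenLDAP) parses such slapd log lines and summarises each connection's bind outcome; the conn=2 lines are copied from the excerpt with the double quotes the archive stripped restored, and conn=3 is a constructed connection whose exchange is dropped mid-bind.

```python
import re
from collections import OrderedDict

# Sample input: conn=2 is the /var/log/messages excerpt posted in the thread
# (quotes restored); conn=3 is constructed to show a bind that never completes.
SAMPLE_LOG = """\
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn="" method=163
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="" method=163
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid="admin" authzid="admin"
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="cn=admin,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=2 text=
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=4 UNBIND
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 fd=12 closed
Aug  9 15:01:10 bjims31 slapd[28549]: conn=3 fd=13 ACCEPT from IP=127.0.0.1:46801 (IP=0.0.0.0:389)
Aug  9 15:01:10 bjims31 slapd[28549]: conn=3 op=0 BIND dn="" method=163
Aug  9 15:01:10 bjims31 slapd[28549]: conn=3 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Aug  9 15:01:12 bjims31 slapd[28549]: conn=3 op=1 BIND dn="" method=163
Aug  9 15:01:12 bjims31 slapd[28549]: conn=3 fd=13 closed (connection lost)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: "
    r"conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<msg>.*)$")

SASL_BIND_IN_PROGRESS = 14   # LDAP result code saslBindInProgress (RFC 4511)
METHOD_SASL = "163"          # slapd logs method=163 for a SASL bind request


def field(msg, name):
    """Value of name=... in a slapd stats message, unquoting "...", or None if absent."""
    m = re.search(r'(?:^|\s)' + re.escape(name) + r'=(?:"([^"]*)"|(\S*))', msg)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def new_conn():
    return {"peer": None, "challenges": 0, "bind_dn": None, "mech": None,
            "sasl_ssf": None, "authenticated": False, "outcome": "no bind seen"}


def summarize_binds(log_text):
    """Per connection: did a SASL bind complete, as which DN, mechanism and SSF."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue                          # not a slapd stats line (e.g. ldapsearch)
        c = conns.setdefault(m["conn"], new_conn())
        msg = m["msg"]
        if "ACCEPT" in msg:
            c["peer"] = field(msg, "IP")
        elif msg.startswith("BIND"):
            if field(msg, "method") == METHOD_SASL:
                c["outcome"] = "SASL bind in progress"
            if field(msg, "mech") is not None:
                # slapd prints this line once the SASL exchange has succeeded,
                # so the DN on it is the authenticated identity
                c["bind_dn"] = field(msg, "dn")
                c["mech"] = field(msg, "mech")
                c["sasl_ssf"] = int(field(msg, "sasl_ssf") or 0)
        elif msg.startswith("RESULT tag=97"):
            err = int(field(msg, "err"))
            if err == SASL_BIND_IN_PROGRESS:
                c["challenges"] += 1          # server challenge; client must answer
            elif err == 0 and c["mech"] is not None:
                c["authenticated"] = True
                c["outcome"] = "SASL bind succeeded"
            else:
                c["outcome"] = f"bind failed err={err}"
        elif "closed" in msg and c["outcome"] == "SASL bind in progress":
            c["outcome"] = "connection lost mid-bind"
    return conns


if __name__ == "__main__":
    for conn, info in summarize_binds(SAMPLE_LOG).items():
        print(f"conn={conn} {info['peer']}: {info['outcome']} "
              f"dn={info['bind_dn']!r} mech={info['mech']} sasl_ssf={info['sasl_ssf']}")
```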
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

My problem is that I expect slapd to authenticate with the password stored in
sasldb. But it's not, it uses the password stored in the userpassword attribute
of this user, which is an item of openldap. So I want to know, how can slapd
use the password stored in sasldb to do the sasl authentication.

Thanks

-----Original Message-----
From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Monday, August 09, 2010 4:48 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi,
>
> 1. I add an:
>    auth.debug ...
>    to my syslog configuration, and add this to my /usr/lib/sasl2/slapd.conf:
>    log_level: 7
>
> So slapd.conf is:
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: digest-md5
> log_level: 7
>
> and syslog.conf is:
>
> *.debug;mail.none;;cron.none    /var/log/messages
> auth.debug                      /var/log/secure
>
> 2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
>
> Log in /var/log/secure is:
>
> Aug  9 14:53:54 bjims31 last message repeated 2 times
> Aug  9 14:54:04 bjims31 last message repeated 3 times
> Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
>
> And log in /var/log/messages is:
>
> Aug  9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base= scope=0 deref=0 filter=(objectClass=*)
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn= method=163
> Aug  9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
> Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
> Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
> Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn= method=163
> Aug  9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not indexed
> Aug  9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
> Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid=admin authzid=admin
> Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn=cn=admin,ou=people,dc=example,dc=com mech=DIGEST-MD5 sasl_ssf=128 ssf=128

This is a successful bind, what is your problem here?

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: PROBLEM: can't use SASL to authentication openldap client
LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi,
>
> My problem is that I expect slapd to authenticate with the password stored in
> sasldb. But it's not, it uses the password stored in the userpassword attribute
> of this user, which is an item of openldap. So I want to know, how can slapd
> use the password stored in sasldb to do the sasl authentication.

Why do you store a password in the directory if you don't make use of it?
To delegate authentication to an external framework, you should tell slapd to
do so. Please read the admin guide, in particular section 14.5 Pass-Through
authentication.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: PROBLEM: can't use SASL to authentication openldap client
On 09/08/10 16:56 +0800, LI Ji D wrote:
> Hi,
>
> My problem is that I expect slapd to authenticate with the password stored in
> sasldb. But it's not, it uses the password stored in the userpassword attribute
> of this user, which is an item of openldap. So I want to know, how can slapd
> use the password stored in sasldb to do the sasl authentication.

I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
did not provide the expected response. Regardless of whether I set it to
slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
internal slapd plugin. I recommend you file a bug report.

-- 
Dan White
Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
> On 09/08/10 16:56 +0800, LI Ji D wrote:
>> Hi,
>>
>> My problem is that I expect slapd to authenticate with the password stored in
>> sasldb. But it's not, it uses the password stored in the userpassword attribute
>> of this user, which is an item of openldap. So I want to know, how can slapd
>> use the password stored in sasldb to do the sasl authentication.
>
> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
> did not provide the expected response. Regardless of whether I set it to
> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
> internal slapd plugin. I recommend you file a bug report.

File the bug with the correct people. OpenLDAP doesn't do anything in
particular with SASL configuration. If you can't get the desired behavior by
setting the SASL config file, then file a bug against Cyrus SASL.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: PROBLEM: can't use SASL to authentication openldap client
On 09/08/10 14:52 -0700, Howard Chu wrote:
> Dan White wrote:
>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>> Hi,
>>>
>>> My problem is that I expect slapd to authenticate with the password stored in
>>> sasldb. But it's not, it uses the password stored in the userpassword attribute
>>> of this user, which is an item of openldap. So I want to know, how can slapd
>>> use the password stored in sasldb to do the sasl authentication.
>>
>> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
>> did not provide the expected response. Regardless of whether I set it to
>> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
>> internal slapd plugin. I recommend you file a bug report.
>
> File the bug with the correct people. OpenLDAP doesn't do anything in
> particular with SASL configuration. If you can't get the desired behavior by
> setting the SASL config file, then file a bug against Cyrus SASL.

It does! for auxprop_plugin, and auxprop_plugin only.

After some digging I found the insertion of a SASL_CB_GETOPT function which
replaces whatever auxprop_plugin value is found in the sasl config file with
the sasl-auxprops openldap config option, or defaults to 'slapd' if no
sasl-auxprops is defined.

It's perfectly documented in the slapd.conf man page... just never occurred
to me to look.

LI, setting:

sasl-auxprops sasldb

within the openldap slapd.conf works for me.

-- 
Dan White
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

Could you tell me how to read man slapd.conf(5)? I tried man slapd.conf(5),
man slapd.conf in the command line, but no entry found.

-----Original Message-----
From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi,
>
> I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
> to test SASL authentication, slapd's log is below:
>
> [...]
> bdb_dn2entry(cn=admin,ou=people,dc=example,dc=com)
> slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
> send_ldap_result: conn=2 op=2 p=3
> SASL Authorize [conn=2]: proxy authorization allowed authzDN=
> send_ldap_sasl: err=0 len=40
> do_bind: SASL/DIGEST-MD5 bind: dn=cn=admin,ou=people,dc=example,dc=com sasl_ssf=128
> send_ldap_response: msgid=3 tag=97 err=0
> [...]
>
> include /usr/local/openldap/schema/core.schema
> include /usr/local/openldap/schema/cosine.schema
> include /usr/local/openldap/schema/inetorgperson.schema
> include /usr/local/openldap/schema/openldap.schema
> include /usr/local/openldap/schema/nis.schema
> pidfile /usr/local/openldap/slapd.1.pid
> argsfile /usr/local/openldap/slapd.1.args
> password-hash {CLEARTEXT}
> authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
> binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
> [...]

According to the logs and slapd.conf you are initiating a proxy
authorization, but you have not defined such in slapd.conf. Read man
slapd.conf(5) on authz-policy and the authzFrom and authzTo attribute types.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

I have read slapd.conf(5) on authz-policy, and I'm confused now. And I find
that I gave you the incorrect slapd.conf; now the correct one is below:

include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
#binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
database bdb
suffix ou=people,dc=example,dc=com
rootdn cn=admin,ou=people,dc=example,dc=com

there is no proxy.

-----Original Message-----
From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi,
>
> I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
> to test SASL authentication, slapd's log is below:
>
> [...]
> bdb_dn2entry(cn=admin,ou=people,dc=example,dc=com)
> slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
> send_ldap_result: conn=2 op=2 p=3
> SASL Authorize [conn=2]: proxy authorization allowed authzDN=
> send_ldap_sasl: err=0 len=40
> do_bind: SASL/DIGEST-MD5 bind: dn=cn=admin,ou=people,dc=example,dc=com sasl_ssf=128
> send_ldap_response: msgid=3 tag=97 err=0
> [...]
>
> include /usr/local/openldap/schema/core.schema
> include /usr/local/openldap/schema/cosine.schema
> include /usr/local/openldap/schema/inetorgperson.schema
> include /usr/local/openldap/schema/openldap.schema
> include /usr/local/openldap/schema/nis.schema
> pidfile /usr/local/openldap/slapd.1.pid
> argsfile /usr/local/openldap/slapd.1.args
> password-hash {CLEARTEXT}
> authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
> binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
> [...]

According to the logs and slapd.conf you are initiating a proxy
authorization, but you have not defined such in slapd.conf. Read man
slapd.conf(5) on authz-policy and the authzFrom and authzTo attribute types.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
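The authz-regexp line in the slapd.conf above is what turns the SASL authentication identity into a bind DN; the slapd debug log at the top of the thread shows the same rewrite (uid=admin,cn=digest-md5,cn=auth becomes ldap:///ou=people,dc=example,dc=com??one?(cn=admin), whose one-level search yields cn=admin,ou=people,dc=example,dc=com). The following added example, not code from the thread or from OpenLDAP, reproduces that mapping against a constructed in-memory directory; DIRECTORY, the case-insensitive match and the exactly-one-entry rule are this example's own assumptions, modelled on the rewrite and internal search visible in that log.

```python
import re
from urllib.parse import unquote

# Constructed in-memory directory with the DNs used in the thread.  No passwords:
# the mapping never reads userPassword, it only locates the entry to bind as.
DIRECTORY = {
    "ou=people,dc=example,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["people"]},
    "cn=admin,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["admin"], "sn": ["admin"]},
    "cn=proxy,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["proxy"], "sn": ["proxy"]},
}

# The authz-regexp directive from the posted slapd.conf: (pattern, replacement).
AUTHZ_REGEXP = [
    (r"uid=(.*),cn=DIGEST-MD5,cn=auth",
     "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"),
]


def sasl_auth_name(authcid, mech):
    """Form uid=<authcid>,cn=<mech>,cn=auth as slap_sasl_getdn does, then
    normalize it; the thread's log shows the normalized form is lower-case."""
    return f"uid={authcid},cn={mech},cn=auth".lower()


def rewrite(name, rules):
    """Apply the first matching rule, expanding $1..$9.  The match is
    case-insensitive: the log shows rule cn=DIGEST-MD5 matching cn=digest-md5."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, name, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return None


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter into its parts (RFC 4516 layout)."""
    if not url.startswith("ldap://"):
        raise ValueError(f"not an LDAP URL: {url}")
    host, _, path = url[len("ldap://"):].partition("/")
    parts = path.split("?") + ["", "", ""]       # pad missing components
    return {
        "host": host,
        "base": unquote(parts[0]),
        "attrs": parts[1],
        "scope": parts[2] or "base",
        "filter": unquote(parts[3]) or "(objectClass=*)",
    }


def candidates(base, scope):
    """Yield DNs of DIRECTORY that lie in scope relative to base (case-insensitive)."""
    base = base.lower()
    for dn in DIRECTORY:
        d = dn.lower()
        if scope == "base":
            if d == base:
                yield dn
        elif d.endswith("," + base):
            rdn = d[: -len(base) - 1]
            if scope == "sub" or (scope == "one" and "," not in rdn):
                yield dn


def match_filter(entry, filt):
    """Evaluate a single equality filter such as (cn=admin); that is all the
    thread's mapping needs, so no more of the filter grammar is implemented."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.groups()
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def sasl2dn(authcid, mech="DIGEST-MD5", rules=AUTHZ_REGEXP):
    """Map a SASL authcid to a bind DN.  Returns None when no rule matches or
    the search does not return exactly one entry (an ambiguous match maps nothing)."""
    target = rewrite(sasl_auth_name(authcid, mech), rules)
    if target is None:
        return None
    if not target.startswith("ldap://"):
        return target                            # rule produced a literal DN
    url = parse_ldap_url(target)
    hits = [dn for dn in candidates(url["base"], url["scope"])
            if match_filter(DIRECTORY[dn], url["filter"])]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for who, mech in [("admin", "DIGEST-MD5"), ("nobody", "DIGEST-MD5"), ("admin", "PLAIN")]:
        print(f"{who} via {mech} -> {sasl2dn(who, mech)}")
```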
Re: PROBLEM: can't use SASL to authentication openldap client
LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi, Klünter
> Now I can use sasl to authenticate, but openldap seems to be using the
> password attribute stored in the user in openldap to do the sasl. I expect
> openldap to use sasldb as an external source to do the authentication.

enable debugging of the sasl library. Set debug 7 in sasl2/slapd.conf and
enable syslog to log auth.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
RE: PROBLEM: can't use SASL to authentication openldap client
Hi, Klünter

Now I can use sasl to authenticate, but openldap seems to be using the
password attribute stored in the user in openldap to do the sasl. I expect
openldap to use sasldb as an external source to do the authentication.

1. My slapd.conf is below:

include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
database bdb
suffix ou=people,dc=example,dc=com
rootdn cn=admin,ou=people,dc=example,dc=com

2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf, content is:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5

3. I use saslpasswd2 to create user and password.

Can you help to check this?

-----Original Message-----
From: openldap-technical-bounces+ji.d.li=alcatel-lucent@openldap.org [mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, June 24, 2010 1:07 AM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi,
>
> This is my comprehension:
>
> 1. The client is connecting to SLAPD requesting an SASL bind.
> 2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf
>    file for settings) to tell the client how to authenticate. In this case,
>    it tells the client to use DIGEST-MD5.
> 3. The client sends the authentication information to SLAPD.
> 4. SLAPD performs the translation specified in authz-regexp.
> 5. SLAPD then checks the client's response (using the SASL subsystem)
>    against the information in /etc/sasldb2.
> 6. When the client authentication succeeds, OpenLDAP runs the search and
>    returns the results to the client.
>
> So SLAPD just compares the password received from the client and the one
> stored in sasldb2, how could it relate to the one stored in ldap like
> userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= ?

Sorry, my bad. I forgot that you use sasldb as an external authentication
source. My remarks were based on an internal sasl authentication. Try to
raise the debug level in sasl/slapd.conf, something like 'loglevel: 7'. If
you use syslog, allow sasl to log to auth.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: PROBLEM: can't use SASL to authentication openldap client
LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi, Klünter
>
> Now I can use sasl to authenticate, but openldap seems to be using the
> password attribute stored in the user in openldap to do the sasl. I expect
> openldap to use sasldb as an external source to do the authentication.
>
> 1. My slapd.conf is below:
>
> include /usr/local/openldap/schema/core.schema
> include /usr/local/openldap/schema/cosine.schema
> include /usr/local/openldap/schema/inetorgperson.schema
> include /usr/local/openldap/schema/openldap.schema
> include /usr/local/openldap/schema/nis.schema
> pidfile /usr/local/openldap/slapd.1.pid
> argsfile /usr/local/openldap/slapd.1.args
> password-hash {CLEARTEXT}
> authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
> binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
> database bdb
> suffix ou=people,dc=example,dc=com
> rootdn cn=admin,ou=people,dc=example,dc=com
>
> 2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf, content is:
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: digest-md5
>
> 3. I use saslpasswd2 to create user and password.
>
> Can you help to check this?

Two questions:

1. has slapd been compiled with spasswd? The default setting is no.
2. has the identity that runs slapd read access to sasldb? On most systems
   slapd runs as user ldap and sasldb is owned by root.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

1. How to compile slapd with spasswd? I think I haven't done that.
2. I run slapd as root. So it should not be a problem.

-----Original Message-----
From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, August 05, 2010 5:12 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi, Klünter
>
> Now I can use sasl to authenticate, but openldap seems to be using the
> password attribute stored in the user in openldap to do the sasl. I expect
> openldap to use sasldb as an external source to do the authentication.
>
> 1. My slapd.conf is below:
>
> include /usr/local/openldap/schema/core.schema
> include /usr/local/openldap/schema/cosine.schema
> include /usr/local/openldap/schema/inetorgperson.schema
> include /usr/local/openldap/schema/openldap.schema
> include /usr/local/openldap/schema/nis.schema
> pidfile /usr/local/openldap/slapd.1.pid
> argsfile /usr/local/openldap/slapd.1.args
> password-hash {CLEARTEXT}
> authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
> binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
> database bdb
> suffix ou=people,dc=example,dc=com
> rootdn cn=admin,ou=people,dc=example,dc=com
>
> 2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf, content is:
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: digest-md5
>
> 3. I use saslpasswd2 to create user and password.
>
> Can you help to check this?

Two questions:

1. has slapd been compiled with spasswd? The default setting is no.
2. has the identity that runs slapd read access to sasldb? On most systems
   slapd runs as user ldap and sasldb is owned by root.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: PROBLEM: can't use SASL to authentication openldap client
LI Ji D <ji.d...@alcatel-lucent.com> writes:

> Hi,
>
> 1. How to compile slapd with spasswd? I think I haven't done that.
> 2. I run slapd as root. So it should not be a problem.

Get the sources, run ./configure --help | less

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

I checked my install steps and found that I'm using:

  ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes

So slapd should have been compiled with spasswd, but it's still not working.

-----Original Message-----
From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, August 05, 2010 6:50 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D ji.d...@alcatel-lucent.com writes:

> Hi,
>
> 1. How do I compile slapd with spasswd? I think I haven't done that.
> 2. I run slapd as root, so it should not be a problem.

Get the sources, run ./configure --help | less

-Dieter

--
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: PROBLEM: can't use SASL to authentication openldap client
On 05/08/10 16:35 +0800, LI Ji D wrote:

> Hi, Klünter
>
> Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user entry in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
>
> 1. My slapd.conf is below:
>
>   include /usr/local/openldap/schema/core.schema
>   include /usr/local/openldap/schema/cosine.schema
>   include /usr/local/openldap/schema/inetorgperson.schema
>   include /usr/local/openldap/schema/openldap.schema
>   include /usr/local/openldap/schema/nis.schema
>   pidfile /usr/local/openldap/slapd.1.pid
>   argsfile /usr/local/openldap/slapd.1.args
>   password-hash {CLEARTEXT}
>   authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
>   binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
>   database bdb
>   suffix ou=people,dc=example,dc=com
>   rootdn cn=admin,ou=people,dc=example,dc=com
>
> 2. I also created slapd.conf at /usr/local/sasl2/lib/sasl2/slapd.conf; its content is:
>
>   pwcheck_method: auxprop
>   auxprop_plugin: sasldb
>   mech_list: digest-md5

You may have hit the same issue that Brent did. Most likely you will need to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.

Alternatively, you can set the environment variable SASL_CONF_PATH to instruct the sasl glue library where to search for config files. See the man page for sasl_getconfpath_t for details.

--
Dan White
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

I have linked /usr/lib/sasl2 to /usr/local/sasl2/lib/sasl2/, so I think it will not be a problem.

-----Original Message-----
From: Dan White [mailto:dwh...@olp.net]
Sent: Friday, August 06, 2010 10:35 AM
To: LI Ji D
Cc: Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

On 05/08/10 16:35 +0800, LI Ji D wrote:

> Hi, Klünter
>
> Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user entry in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
>
> 1. My slapd.conf is below:
>
>   include /usr/local/openldap/schema/core.schema
>   include /usr/local/openldap/schema/cosine.schema
>   include /usr/local/openldap/schema/inetorgperson.schema
>   include /usr/local/openldap/schema/openldap.schema
>   include /usr/local/openldap/schema/nis.schema
>   pidfile /usr/local/openldap/slapd.1.pid
>   argsfile /usr/local/openldap/slapd.1.args
>   password-hash {CLEARTEXT}
>   authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
>   binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
>   database bdb
>   suffix ou=people,dc=example,dc=com
>   rootdn cn=admin,ou=people,dc=example,dc=com
>
> 2. I also created slapd.conf at /usr/local/sasl2/lib/sasl2/slapd.conf; its content is:
>
>   pwcheck_method: auxprop
>   auxprop_plugin: sasldb
>   mech_list: digest-md5

You may have hit the same issue that Brent did. Most likely you will need to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.

Alternatively, you can set the environment variable SASL_CONF_PATH to instruct the sasl glue library where to search for config files. See the man page for sasl_getconfpath_t for details.

--
Dan White
RE: PROBLEM: can't use SASL to authentication openldap client
Hi,

This is my comprehension:

1. The client is connecting to SLAPD requesting a SASL bind.
2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for settings) to tell the client how to authenticate. In this case, it tells the client to use DIGEST-MD5.
3. The client sends the authentication information to SLAPD.
4. SLAPD performs the translation specified in authz-regexp.
5. SLAPD then checks the client's response (using the SASL subsystem) against the information in /etc/sasldb2.
6. When the client authentication succeeds, OpenLDAP runs the search and returns the results to the client.

So SLAPD just compares the password received from the client and the one stored in sasldb2; how could it relate to the one stored in ldap like userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= ?

-----Original Message-----
From: openldap-technical-bounces+ji.d.li=alcatel-lucent@openldap.org [mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent@openldap.org] On Behalf Of Dieter Kluenter
Sent: Wednesday, June 23, 2010 3:33 AM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:

> Hi,
>
> I tried again with the following steps:
>
>   dn: uid=admin,ou=People,o=Ever
>   objectClass: top
>   objectClass: person
>   objectClass: organizationalPerson
>   objectClass: inetOrgPerson
>   userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
> [...]
> 4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
> 5. ./ldapsearch -U admin -Y DIGEST-MD5
> [...]

You have the attribute value for userPassword hashed with SHA, that is the password hash has a length of 32bit. SASL requires a plain text password in order to create a challenge; a challenge based on a 32bit string is different from a challenge based on a plain text password string.

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: PROBLEM: can't use SASL to authentication openldap client
LI Ji D ji.d...@alcatel-lucent.com writes:

> Hi,
>
> This is my comprehension:
>
> 1. The client is connecting to SLAPD requesting a SASL bind.
> 2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for settings) to tell the client how to authenticate. In this case, it tells the client to use DIGEST-MD5.
> 3. The client sends the authentication information to SLAPD.
> 4. SLAPD performs the translation specified in authz-regexp.
> 5. SLAPD then checks the client's response (using the SASL subsystem) against the information in /etc/sasldb2.
> 6. When the client authentication succeeds, OpenLDAP runs the search and returns the results to the client.
>
> So SLAPD just compares the password received from the client and the one stored in sasldb2; how could it relate to the one stored in ldap like userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= ?

Sorry, my bad. I forgot that you use sasldb as an external authentication source. My remarks were based on an internal sasl authentication.

Try to raise the debug level in sasl/slapd.conf, something like 'loglevel: 7'. If you use syslog, allow sasl to log to auth.

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
Re: PROBLEM: can't use SASL to authentication openldap client
On 21/06/10 09:52 +0800, LI Ji D wrote:

> 3. Then I configured slapd.conf to be like this:
>
>   authz-policy to
>   sasl-regexp ^uid=([^,]+),.* uid=$1,cn=bjims31,cn=digest-md5,cn=auth
>   database bdb
>   suffix dc=example,dc=com
>   rootdn uid=111,cn=digest-md5,cn=auth
>
> 4. Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:
>
>   pwcheck_method: auxprop
>   auxprop_plugin: sasldb
>   mech_list: plain login ntlm cram-md5 digest-md5
>
> 5. Then I start slapd with the command 'slapd -d 1', and run ldapwhoami with the command 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389', but it fails with reason: user not found: no secret in database.
>
> The log of slapd is:
>
>   slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>   dnNormalize: uid=liji1,cn=DIGEST-MD5,cn=auth
>   dnNormalize: uid=liji1,cn=digest-md5,cn=auth
>   ==slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
>   slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
>   SASL [conn=1] Failure: no secret in database

It's not clear which user credentials are being retrieved from sasldb. Is it uid=liji1,cn=digest-md5,cn=auth or liji1?

You could increase your cyrus debugging to get more information out of syslog. Add an:

  auth.debug...

to your syslog configuration, and add this to your /usr/lib/sasl2/slapd.conf:

  log_level: 7

--
Dan White
Re: PROBLEM: can't use SASL to authentication openldap client
Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:

> Hi,
>
> I tried again with the following steps:
>
>   dn: uid=admin,ou=People,o=Ever
>   objectClass: top
>   objectClass: person
>   objectClass: organizationalPerson
>   objectClass: inetOrgPerson
>   userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
> [...]
> 4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
> 5. ./ldapsearch -U admin -Y DIGEST-MD5
> [...]

You have the attribute value for userPassword hashed with SHA, that is the password hash has a length of 32bit. SASL requires a plain text password in order to create a challenge; a challenge based on a 32bit string is different from a challenge based on a plain text password string.

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
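The point made in the message above, worked through in code. This is an added example written for this page, not code from OpenLDAP or Cyrus SASL. It implements the RFC 2831 DIGEST-MD5 response computation for qop=auth on both sides of the exchange, so one can see what the server must hold to verify a bind: a simple bind can check a {SHA} userPassword by hashing the candidate, but DIGEST-MD5 needs H(username:realm:password) (HA1), which can be derived from a cleartext password but not from a one-way hash. The user name, realm, sample password and nonces are constructed for the example.

```python
"""Why a DIGEST-MD5 server cannot verify a bind against a {SHA} userPassword.

Added example, not OpenLDAP or Cyrus SASL code. RFC 2831 response
computation for qop=auth, both client and server side, in plain Python.
User name, realm, password and nonces below are constructed sample values.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def sha_userpassword(password: str) -> str:
    """Encode a password the way slapd does with 'password-hash {SHA}'."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def check_sha_userpassword(stored: str, candidate: str) -> bool:
    """Simple-bind style check of an RFC 2307 '{SHA}<base64>' value."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only the {SHA} scheme is handled here")
    digest = base64.b64decode(stored[len("{SHA}"):])
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode()).digest())


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the raw 16-byte secret a DIGEST-MD5
    server needs. It is derived from the cleartext password, never from a hash."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def ha1_from_userpassword(value: str, username: str, realm: str) -> Optional[bytes]:
    """Derive HA1 from a userPassword value where that is possible.
    A bare value or a {CLEARTEXT} prefix works; any other {SCHEME} is a
    one-way hash that cannot be turned back into username:realm:password."""
    if value.startswith("{CLEARTEXT}"):
        return digest_md5_ha1(username, realm, value[len("{CLEARTEXT}"):])
    if value.startswith("{"):
        return None  # {SHA}, {SSHA}, {CRYPT}, ... cannot be used
    return digest_md5_ha1(username, realm, value)


def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, authzid: Optional[str] = None) -> str:
    """RFC 2831 response-value for qop=auth:
    A1 = H(user:realm:pass) ":" nonce ":" cnonce [":" authzid]
    A2 = "AUTHENTICATE:" digest-uri
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))"""
    a1 = ha1 + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = ":".join([hashlib.md5(a1).hexdigest(), nonce, nc, cnonce, "auth",
                   hashlib.md5(a2).hexdigest()])
    return hashlib.md5(kd.encode()).hexdigest()


def server_verify(secret_store: Dict[str, bytes], username: str, nonce: str,
                  cnonce: str, nc: str, digest_uri: str, client_response: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare."""
    ha1 = secret_store.get(username)
    if ha1 is None:
        return False  # the 'no secret in database' case
    expected = digest_md5_response(ha1, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, client_response)


def run_exchange(stored_value: str, client_password: str,
                 username: str = "admin", realm: str = "example.com") -> bool:
    """Full qop=auth exchange: the server loads what it can from the stored
    value, the client answers with its password, the server checks it."""
    nonce = base64.b64encode(os.urandom(16)).decode()   # server challenge
    cnonce = base64.b64encode(os.urandom(16)).decode()  # client nonce
    nc, uri = "00000001", f"ldap/{realm}"
    store: Dict[str, bytes] = {}
    ha1 = ha1_from_userpassword(stored_value, username, realm)
    if ha1 is not None:
        store[username] = ha1
    response = digest_md5_response(digest_md5_ha1(username, realm, client_password),
                                   nonce, cnonce, nc, uri)
    return server_verify(store, username, nonce, cnonce, nc, uri, response)


if __name__ == "__main__":
    hashed = sha_userpassword("s3cret")
    print(check_sha_userpassword(hashed, "s3cret"))      # simple bind: works
    print(run_exchange(hashed, "s3cret"))                # DIGEST-MD5: no usable secret
    print(run_exchange("{CLEARTEXT}s3cret", "s3cret"))   # DIGEST-MD5: works
    print(run_exchange("{CLEARTEXT}s3cret", "wrong"))    # wrong password rejected
```

When sasldb is the auxprop source, as in the later configuration in this thread, the server reads its secret from sasldb instead of the entry's userPassword; the response check itself is the same. Storing only HA1 rather than the cleartext password is enough for the server side, but HA1 is itself a password-equivalent secret, so sasldb needs the same file permissions one would give a cleartext store.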
PROBLEM: can't use SASL to authentication openldap client
Hi,

I'm using openldap 2.4.19 to set up an ldap server with sasl, but I get some problems. I followed the instructions in http://www.openldap.org/doc/admin24/sasl.html to do the installation.

1. I installed cyrus-sasl-2.1.22 successfully, and used the Cyrus SASL sample_client and sample_server to test my SASL installation before attempting to make use of it with OpenLDAP Software.

2. Then I installed openldap with these commands:

  # export CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include -I/usr/local/sasl2/include"
  # export LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib -L/usr/local/sasl2/lib -L/usr/local/sasl2/lib/sasl2"
  # export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.4.8/lib
  # ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes
  # make depend
  # make
  # make test
  # make install
  # cp /usr/local/openldap/var/openldap-data/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG

There is no error while installing.

3. Then I configured slapd.conf to be like this:

  include /usr/local/openldap/schema/core.schema
  include /usr/local/openldap/schema/cosine.schema
  include /usr/local/openldap/schema/inetorgperson.schema
  include /usr/local/openldap/schema/openldap.schema
  include /usr/local/openldap/schema/nis.schema
  pidfile /usr/local/openldap/slapd.1.pid
  argsfile /usr/local/openldap/slapd.1.args
  authz-policy to
  sasl-regexp ^uid=([^,]+),.* uid=$1,cn=bjims31,cn=digest-md5,cn=auth
  database bdb
  suffix dc=example,dc=com
  rootdn uid=111,cn=digest-md5,cn=auth

4. Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:

  pwcheck_method: auxprop
  auxprop_plugin: sasldb
  mech_list: plain login ntlm cram-md5 digest-md5

5. Then I start slapd with the command 'slapd -d 1', and run ldapwhoami with the command 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389', but it fails with reason: user not found: no secret in database.

The log of slapd is:

  slap_listener_activate(7):
  slap_listener(ldap:///)
  connection_get(12): got connid=1
  connection_read(12): checking for input on id=1
  ber_get_next
  ber_get_next: tag 0x30 len 32 contents:
  op tag 0x60, time 1276849696
  ber_get_next
  conn=1 op=0 do_bind
  ber_scanf fmt ({imt) ber:
  ber_scanf fmt ({m) ber:
  ber_scanf fmt (}}) ber:
  dnPrettyNormal:
  dnPrettyNormal: ,
  do_bind: dn () SASL mech DIGEST-MD5
  SASL [conn=1] Debug: DIGEST-MD5 server step 1
  send_ldap_sasl: err=14 len=180
  send_ldap_response: msgid=1 tag=97 err=14
  ber_flush2: 233 bytes to sd 12
  == slap_sasl_bind: rc=14
  connection_get(12): got connid=1
  connection_read(12): checking for input on id=1
  ber_get_next
  ber_get_next: tag 0x30 len 296 contents:
  op tag 0x60, time 1276849697
  ber_get_next
  conn=1 op=1 do_bind
  ber_scanf fmt ({imt) ber:
  ber_scanf fmt ({m) ber:
  ber_scanf fmt (m) ber:
  ber_scanf fmt (}}) ber:
  dnPrettyNormal:
  dnPrettyNormal: ,
  do_bind: dn () SASL mech DIGEST-MD5
  SASL [conn=1] Debug: DIGEST-MD5 server step 2
  slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
  dnNormalize: uid=liji1,cn=DIGEST-MD5,cn=auth
  dnNormalize: uid=liji1,cn=digest-md5,cn=auth
  ==slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
  == rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
  == rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
  == rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
  slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
  ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
  dnNormalize: uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
  dnNormalize: uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
  ==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
  slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
  SASL [conn=1] Failure: no secret in database
  send_ldap_result: conn=1 op=1 p=3
  send_ldap_response: msgid=2 tag=97 err=49
  ber_flush2: 70 bytes to sd 12
  ==
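The rewrite_rule_apply lines in the log above are the authz-regexp (here written as sasl-regexp) step. What follows is an added example, not OpenLDAP code, that replays that step offline in Python with the two rule sets posted in this thread, so a rule can be checked before it goes into slapd.conf. It assumes a simplified DN normalisation (lowercasing and trimming, where slapd's is schema-aware) and matches patterns case-insensitively, which is how slapd compiles these regular expressions; the small LDAP URL parser handles only the ldap:///base?attrs?scope?filter form that authz-regexp uses.

```python
"""Offline replay of slapd's authz-regexp / sasl-regexp mapping.

Added example, not OpenLDAP code. Mimics the slap_sasl_getdn ->
dnNormalize -> rewrite_rule_apply sequence seen in slapd's debug log.
Rule sets below are the ones posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass
class Rule:
    pattern: str      # regex as written in slapd.conf
    replacement: str  # DN or ldap:/// URL; $1..$9 refer to capture groups


def normalize_dn(dn: str) -> str:
    """Crude stand-in for dnNormalize: lowercase, trim whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def sasl_authcid_to_dn(mech: str, authcid: str) -> str:
    """slap_sasl_getdn: a bare SASL identity 'u:<id>' becomes
    uid=<id>,cn=<MECH>,cn=auth before any rewriting is applied."""
    return f"uid={authcid},cn={mech},cn=auth"


def apply_regexp(rules: Sequence[Rule], dn: str) -> Optional[str]:
    """First matching rule wins. Patterns are matched case-insensitively,
    as slapd compiles them; groups are substituted for $N placeholders."""
    for rule in rules:
        m = re.match(rule.pattern, dn, re.IGNORECASE)
        if m is None:
            continue
        out = rule.replacement
        for i, grp in enumerate(m.groups(), start=1):
            out = out.replace(f"${i}", grp or "")
        return out
    return None


def parse_ldap_url(url: str) -> Dict[str, str]:
    """Parse the ldap:///base?attrs?scope?filter form used by authz-regexp."""
    body = url[len("ldap:///"):]
    base, _attrs, scope, filt = (body.split("?") + ["", "", ""])[:4]
    return {"base": base, "scope": scope or "base", "filter": filt or "(objectClass=*)"}


def resolve(rules: Sequence[Rule], authc_dn: str, suffixes: Sequence[str]) -> Dict[str, object]:
    """What slapd does with the rewritten value: for an LDAP URL it runs the
    search and the single entry found becomes the bind DN; otherwise the
    rewritten DN is used as-is, whether or not a database serves it."""
    dn = normalize_dn(authc_dn)
    mapped = apply_regexp(rules, dn)
    if mapped is None:
        return {"kind": "unmapped", "dn": dn}
    if mapped.lower().startswith("ldap:///"):
        return {"kind": "search", **parse_ldap_url(mapped)}
    mapped = normalize_dn(mapped)
    served = False
    for s in suffixes:
        ns = normalize_dn(s)
        if mapped == ns or mapped.endswith("," + ns):
            served = True
    return {"kind": "dn", "dn": mapped, "in_database": served}


if __name__ == "__main__":
    # Rule from the later slapd.conf in this thread: find the entry by cn.
    lookup = [Rule(r"uid=(.*),cn=DIGEST-MD5,cn=auth",
                   "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)")]
    # Rule from the original post: rewrite to a DN under cn=auth, any mechanism.
    rewrite = [Rule(r"^uid=([^,]+),.*", "uid=$1,cn=bjims31,cn=digest-md5,cn=auth")]
    print(resolve(lookup, sasl_authcid_to_dn("DIGEST-MD5", "admin"),
                  ["ou=people,dc=example,dc=com"]))
    print(resolve(rewrite, sasl_authcid_to_dn("DIGEST-MD5", "liji1"),
                  ["dc=example,dc=com"]))
```

The second rule set shows something worth noticing when reviewing such a config: ^uid=([^,]+),.* discards everything after the first RDN, so identities from every SASL mechanism are rewritten alike, and the result lands outside the database suffix. Anchoring the mechanism in the pattern, as the first rule set does with cn=DIGEST-MD5, keeps the mapping specific to one mechanism and to entries the directory actually holds.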