RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-10 Thread LI Ji D
Hi,
I added sasl-auxprops sasldb to the openldap slapd.conf, started slapd and ran
/usr/local/openldap/bin/ldapsearch -U admin -b
ou=people,dc=example,dc=com. I get the response below:
SASL/DIGEST-MD5 authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result

That's because the slapd program stopped for some reason; here is the log
of slapd:
slap_listener_activate(7): 
 slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281422959
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({mb) ber:
 dnPrettyNormal: 
 dnPrettyNormal: , 
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
= send_search_entry: conn 0 dn=
ber_flush2: 72 bytes to sd 12
= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281422959
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
 dnPrettyNormal: 
 dnPrettyNormal: , 
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=195
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 248 bytes to sd 12
== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 326 contents:
op tag 0x60, time 1281422960
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
 dnPrettyNormal: 
 dnPrettyNormal: , 
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
 dnNormalize: uid=admin,cn=DIGEST-MD5,cn=auth
 dnNormalize: uid=admin,cn=digest-md5,cn=auth
==slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to
a DN
== rewrite_context_apply [depth=1]
string='uid=admin,cn=digest-md5,cn=auth'
== rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
== rewrite_context_apply [depth=1]
res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing
ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: (cn=admin)
put_filter: simple
put_simple_filter: cn=admin
ber_scanf fmt ({mm}) ber:
 dnNormalize: ou=people,dc=example,dc=com
 dnNormalize: ou=people,dc=example,dc=com
slap_sasl2dn: performing internal search
(base=ou=people,dc=example,dc=com, scope=1)
= bdb_search
bdb_dn2entry(ou=people,dc=example,dc=com)
= bdb_dn2id(ou=people,dc=example,dc=com)
= bdb_dn2id: got id=0x1
entry_decode: ou=people,dc=example,dc=com
= entry_decode(ou=people,dc=example,dc=com)
search_candidates: base=ou=people,dc=example,dc=com (0x0001)
scope=1
= bdb_dn2idl(ou=people,dc=example,dc=com)
= bdb_dn2idl: id=1 first=2 last=2
= bdb_equality_candidates (objectClass)
= bdb_equality_candidates: (objectClass) not indexed
= bdb_equality_candidates (cn)
= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
entry_decode: cn=admin,ou=people,dc=example,dc=com
= entry_decode(cn=admin,ou=people,dc=example,dc=com)
= bdb_dn2id(cn=admin,ou=people,dc=example,dc=com)
= bdb_dn2id: got id=0x2
send_ldap_result: conn=0 op=2 p=3
==slap_sasl2dn: Converted SASL name to
cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault

-Original Message-
From: Howard Chu [mailto:h...@symas.com] 
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Dan White wrote:
 On 09/08/10 14:52 -0700, Howard Chu wrote:
 Dan White wrote:
 On 09/08/10 16:56 +0800, LI Ji D wrote:
 Hi,
My problem is that I expect slapd to authenticate with the
password stored in sasldb. But it's not, it uses the password stored in the
userpassword attribute of this user, which is an item of openldap.
So I want to know, how can slapd use password stored in sasldb
to do the sasl authentication.

 I attempted to do this as well and failed. Setting auxprop_plugin to
sasldb
 did not provide the expected response. Regardless of whether I set
it to
 slapd or sasldb, the server authenticates my digest-md5 sasl bind
using the
 internal slapd plugin.

 I recommend you file a bug report.

 File the bug with the correct people. OpenLDAP doesn't do anything in
 particular with SASL configuration. If you can't get the desired
behavior
 by setting the SASL config file, then file a bug

RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-10 Thread LI Ji D
Hi,
I can understand the disadvantage of using sasldb; I just want to test
SASL with sasldb.
Is there any way I can solve this issue? I can't find out which version
of DB sasldb is using.
Thanks for your response; it helps me a lot.

-Original Message-
From: Howard Chu [mailto:h...@symas.com] 
Sent: Tuesday, August 10, 2010 2:26 PM
To: LI Ji D
Cc: Dan White; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D wrote:
 Hi,

 I added sasl-auxprops sasldb to the openldap slapd.conf, started slapd and
ran
 /usr/local/openldap/bin/ldapsearch -U admin -b
ou=people,dc=example,dc=com.
 I get the response below:

 SASL/DIGEST-MD5 authentication started

 Please enter your password:

 ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

 additional info: SASL(0): successful result

 That's because the slapd program stopped for some reason; here is the
log of slapd:

 ==slap_sasl2dn: Converted SASL name to
cn=admin,ou=people,dc=example,dc=com

 slap_sasl_getdn: dn:id converted to
cn=admin,ou=people,dc=example,dc=com

 Segmentation fault

Most likely your sasldb was compiled against a different version of
BerkeleyDB 
than slapd.

In general, using sasldb is a mistake. You cannot administer it
remotely, and 
it has no provisions for re-entrancy / thread-safety.

 -Original Message-
 From: Howard Chu [mailto:h...@symas.com]
 Sent: Tuesday, August 10, 2010 1:53 PM
 To: Dan White
 Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
 Subject: Re: PROBLEM: can't use SASL to authentication openldap client

 Dan White wrote:

  On 09/08/10 14:52 -0700, Howard Chu wrote:

  Dan White wrote:

  On 09/08/10 16:56 +0800, LI Ji D wrote:

  Hi,

  My problem is that I expect slapd to authenticate with the
password
 stored in sasldb. But it's not, it uses the password stored in
userpassword
 attribute of this user, which is an item of openldap.

  So I want to know, how can slapd use password stored in sasldb to
do the
 sasl authentication.

 

  I attempted to do this as well and failed. Setting auxprop_plugin
to sasldb

  did not provide the expected response. Regardless of whether I set
it to

  slapd or sasldb, the server authenticates my digest-md5 sasl bind
using the

  internal slapd plugin.

 

  I recommend you file a bug report.

 

  File the bug with the correct people. OpenLDAP doesn't do anything
in

  particular with SASL configuration. If you can't get the desired
behavior

  by setting the SASL config file, then file a bug against Cyrus
SASL.



  It does! for auxprop_plugin, and auxprop_plugin only. After some
digging I

  found the insertion of a SASL_CB_GETOPT function which replaces
whatever

  auxprop_plugin value is found in the sasl config file with the

  sasl-auxprops openldap config option, or defaults to 'slapd' if no

  sasl-auxprops is defined.



  It's perfectly documented in the slapd.conf man page... just never
occurred

  to me to look.



  LI,



  setting:



  sasl-auxprops sasldb



  within the openldap slapd.conf works for me.

 My mistake. This was added last year.

 http://www.openldap.org/its/index.cgi/Software Bugs?id=6147

 --

 -- Howard Chu

 CTO, Symas Corp. http://www.symas.com

 Director, Highland Sun http://highlandsun.com/hyc/

 Chief Architect, OpenLDAP http://www.openldap.org/project/



-- 
   -- Howard Chu
   CTO, Symas Corp.   http://www.symas.com
   Director, Highland Sun http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-09 Thread LI Ji D
Hi,
1. I add an: auth.debug... to my syslog configuration, and add this to 
my /usr/lib/sasl2/slapd.conf: log_level: 7
So slapd.conf is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
log_level: 7
and syslog.conf is :
*.debug;mail.none;;cron.none/var/log/messages
auth.debug  /var/log/secure

2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b 
ou=people,dc=example,dc=com
Log in /var/log/secure is:
Aug  9 14:53:54 bjims31 last message repeated 2 times
Aug  9 14:54:04 bjims31 last message repeated 3 times
Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3

And log in /var/log/messages is:
 Aug  9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base= scope=0 deref=0 
filter=(objectClass=*)
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH 
attr=supportedSASLMechanisms
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from 
IP=127.0.0.1:46747 (IP=0.0.0.0:389)
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 
nentries=1 text=
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn= method=163
Aug  9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 
text=SASL(0): successful result:
Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn= method=163
Aug  9 14:54:04 bjims31 slapd[28549]: = bdb_equality_candidates: (objectClass) 
not indexed
Aug  9 14:54:04 bjims31 slapd[28549]: = bdb_equality_candidates: (cn) not 
indexed
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid=admin 
authzid=admin
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND 
dn=cn=admin,ou=people,dc=example,dc=com mech=DIGEST-MD5 sasl_ssf=128 ssf=128
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SRCH 
base=ou=people,dc=example,dc=com scope=2 deref=0 filter=(objectClass=*)
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SEARCH RESULT tag=101 err=0 
nentries=2 text=
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=4 UNBIND
Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 fd=12 closed



-Original Message-
From: openldap-technical-boun...@openldap.org 
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 6:37 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi, Klünter
   Now I can use sasl to authenticate, but openldap seems to be using the 
 password attribute stored in user in openldap to do the sasl. I expect 
 openldap to use sasldb as an external source to do the authentication.

enable debugging of the sasl library. Set debug 7 in sasl2/slapd.conf
and enable syslog to log auth.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
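
The reading Dieter gives of these lines (two BIND rounds, the first answered with err=14, then a final RESULT err=0 carrying the mapped DN, mechanism and SSF) can be automated. The parser below is an added example written for this thread, not code from OpenLDAP or from any poster. It folds the intermediate saslBindInProgress rounds of a DIGEST-MD5 bind into one record per connection, so that the "SASL(0): successful result" text on the err=14 line is not mistaken for a failure and the final outcome (authcid, DN, mechanism, sasl_ssf) is reported once. The conn=2 lines are copied from the syslog output above, re-joined where the mail wrapped them; the conn=3 lines are constructed to show a rejected bind.

```python
"""Pair slapd BIND and RESULT stats-log lines into one outcome per SASL bind.

Added example for this thread; not OpenLDAP code. Real slapd output wraps
dn= values in double quotes (the mail archive stripped them), so quotes are
removed; DN values containing spaces are not handled by this simple parser.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SASL_BIND_IN_PROGRESS = 14   # LDAP resultCode saslBindInProgress
LDAP_AUTH_SASL = 163         # 0xa3, the 'method=' slapd logs for SASL binds

_BIND_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) BIND (?P<rest>.*)$")
_RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")
_KV_RE = re.compile(r"(\w+)=(\S*)")   # key=value tokens; DNs here contain no spaces


@dataclass
class BindOutcome:
    conn: int
    authcid: Optional[str] = None
    authzid: Optional[str] = None
    dn: Optional[str] = None
    mech: Optional[str] = None
    sasl_ssf: Optional[int] = None
    err: Optional[int] = None
    rounds: int = 0              # BIND operations exchanged, including err=14 rounds

    @property
    def succeeded(self) -> bool:
        return self.err == 0 and bool(self.dn)


def parse_bind_outcomes(lines: Iterable[str]) -> List[BindOutcome]:
    """Return one BindOutcome per completed bind, in completion order."""
    pending: Dict[int, BindOutcome] = {}
    done: List[BindOutcome] = []
    for line in lines:
        m = _BIND_RE.search(line)
        if m:
            conn = int(m.group("conn"))
            out = pending.setdefault(conn, BindOutcome(conn=conn))
            kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
            if kv.get("method") == str(LDAP_AUTH_SASL):
                out.rounds += 1                  # first BIND line of a new SASL round
            out.authcid = kv.get("authcid") or out.authcid
            out.authzid = kv.get("authzid") or out.authzid
            out.dn = kv.get("dn") or out.dn      # 'dn=' stays empty until the identity is mapped
            out.mech = kv.get("mech") or out.mech
            if kv.get("sasl_ssf"):
                out.sasl_ssf = int(kv["sasl_ssf"])
            continue
        m = _RESULT_RE.search(line)
        if m and int(m.group("conn")) in pending:
            err = int(m.group("err"))
            if err == SASL_BIND_IN_PROGRESS:
                continue                         # another round follows on this connection
            out = pending.pop(int(m.group("conn")))
            out.err = err
            done.append(out)
    return done


def summarize(out: BindOutcome) -> str:
    if out.succeeded:
        return (f"conn={out.conn} {out.mech} bind OK: authcid={out.authcid} -> {out.dn} "
                f"sasl_ssf={out.sasl_ssf} after {out.rounds} round(s)")
    return f"conn={out.conn} bind FAILED err={out.err} after {out.rounds} round(s)"


# conn=2: copied from the thread's /var/log/messages excerpt (wrapped lines re-joined).
# conn=3: constructed to show a rejected DIGEST-MD5 response.
SAMPLE_LINES = [
    "Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)",
    "Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base= scope=0 deref=0 filter=(objectClass=*)",
    "Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=",
    "Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn= method=163",
    "Aug  9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2",
    "Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:",
    "Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn= method=163",
    "Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid=admin authzid=admin",
    "Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn=cn=admin,ou=people,dc=example,dc=com mech=DIGEST-MD5 sasl_ssf=128 ssf=128",
    "Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 RESULT tag=97 err=0 text=",
    "Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=4 UNBIND",
    "Aug  9 14:55:10 bjims31 slapd[28549]: conn=3 op=1 BIND dn= method=163",
    "Aug  9 14:55:10 bjims31 slapd[28549]: conn=3 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:",
    "Aug  9 14:55:11 bjims31 slapd[28549]: conn=3 op=2 BIND dn= method=163",
    "Aug  9 14:55:11 bjims31 slapd[28549]: conn=3 op=2 RESULT tag=97 err=49 text=SASL(-13): authentication failure",
]

if __name__ == "__main__":
    for outcome in parse_bind_outcomes(SAMPLE_LINES):
        print(summarize(outcome))
```

Run against a real log, the useful fields to alert on are a succeeded bind with a low or missing sasl_ssf, or a bind whose mapped dn differs from what the authcid should map to; the client-side "Can't contact LDAP server" reported later in the thread is invisible in these lines, which only show the server's view.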


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-09 Thread Dieter Kluenter
Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
   1. I add an: auth.debug... to my syslog configuration, and add this to 
 my /usr/lib/sasl2/slapd.conf: log_level: 7
   So slapd.conf is :
   pwcheck_method: auxprop
   auxprop_plugin: sasldb
   mech_list: digest-md5
   log_level: 7
   and syslog.conf is :
   *.debug;mail.none;;cron.none/var/log/messages
   auth.debug  /var/log/secure

   2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b 
 ou=people,dc=example,dc=com
   Log in /var/log/secure is:
   Aug  9 14:53:54 bjims31 last message repeated 2 times
   Aug  9 14:54:04 bjims31 last message repeated 3 times
   Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3

   And log in /var/log/messages is:
  Aug  9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection 
 lost)
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base= scope=0 
 deref=0 filter=(objectClass=*)
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH 
 attr=supportedSASLMechanisms
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from 
 IP=127.0.0.1:46747 (IP=0.0.0.0:389)
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 
 nentries=1 text=
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn= method=163
 Aug  9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 
 text=SASL(0): successful result:
 Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
 Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn= method=163
 Aug  9 14:54:04 bjims31 slapd[28549]: = bdb_equality_candidates: 
 (objectClass) not indexed
 Aug  9 14:54:04 bjims31 slapd[28549]: = bdb_equality_candidates: (cn) not 
 indexed
 Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid=admin 
 authzid=admin
 Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND
 dn=cn=admin,ou=people,dc=example,dc=com mech=DIGEST-MD5
 sasl_ssf=128 ssf=128

This is a successful bind, what is your problem here? 

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-09 Thread LI Ji D
Hi,
My problem is that I expect slapd to authenticate with the password 
stored in sasldb. But it's not, it uses the password stored in the userpassword 
attribute of this user, which is an item of openldap.
So I want to know how slapd can use the password stored in sasldb to do 
the sasl authentication.

Thanks

-Original Message-
From: openldap-technical-boun...@openldap.org 
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Monday, August 09, 2010 4:48 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
   1. I add an: auth.debug... to my syslog configuration, and add this to 
 my /usr/lib/sasl2/slapd.conf: log_level: 7
   So slapd.conf is :
   pwcheck_method: auxprop
   auxprop_plugin: sasldb
   mech_list: digest-md5
   log_level: 7
   and syslog.conf is :
   *.debug;mail.none;;cron.none/var/log/messages
   auth.debug  /var/log/secure

   2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b 
 ou=people,dc=example,dc=com
   Log in /var/log/secure is:
   Aug  9 14:53:54 bjims31 last message repeated 2 times
   Aug  9 14:54:04 bjims31 last message repeated 3 times
   Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3

   And log in /var/log/messages is:
  Aug  9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection 
 lost)
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base= scope=0 
 deref=0 filter=(objectClass=*)
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH 
 attr=supportedSASLMechanisms
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from 
 IP=127.0.0.1:46747 (IP=0.0.0.0:389)
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 
 nentries=1 text=
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn= method=163
 Aug  9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
 Aug  9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 
 text=SASL(0): successful result:
 Aug  9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
 Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn= method=163
 Aug  9 14:54:04 bjims31 slapd[28549]: = bdb_equality_candidates: 
 (objectClass) not indexed
 Aug  9 14:54:04 bjims31 slapd[28549]: = bdb_equality_candidates: (cn) not 
 indexed
 Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid=admin 
 authzid=admin
 Aug  9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND
 dn=cn=admin,ou=people,dc=example,dc=com mech=DIGEST-MD5
 sasl_ssf=128 ssf=128

This is a successful bind, what is your problem here? 

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-09 Thread Dieter Kluenter
LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
   My problem is that I expect slapd to authenticate with the
 password stored in sasldb. But it's not, it uses the password stored
 in the userpassword attribute of this user, which is an item of openldap.
   So I want to know, how can slapd use password stored in sasldb
 to do the sasl authentication.

Why do you store a password in the directory if you don't make use of
it? To delegate authentication to an external frame work, you should
tell slapd to do so. Please read the admin guide, in particular
section 14.5 Pass-Through authentication.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-09 Thread Dan White

On 09/08/10 16:56 +0800, LI Ji D wrote:

Hi,
My problem is that I expect slapd to authenticate with the password 
stored in sasldb. But it's not, it uses  the password stored in userpassword 
attribute of this user, which is an item of openldap.
So I want to know, how can slapd use password stored in sasldb to do 
the sasl authentication.


I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
did not provide the expected response. Regardless of whether I set it to
slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
internal slapd plugin.

I recommend you file a bug report.

--
Dan White


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-09 Thread Howard Chu

Dan White wrote:

On 09/08/10 16:56 +0800, LI Ji D wrote:

Hi,
My problem is that I expect slapd to authenticate with the password 
stored in sasldb. But it's not, it uses  the password stored in userpassword 
attribute of this user, which is an item of openldap.
So I want to know, how can slapd use password stored in sasldb to do 
the sasl authentication.


I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
did not provide the expected response. Regardless of whether I set it to
slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
internal slapd plugin.

I recommend you file a bug report.


File the bug with the correct people. OpenLDAP doesn't do anything in 
particular with SASL configuration. If you can't get the desired behavior by 
setting the SASL config file, then file a bug against Cyrus SASL.


--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-09 Thread Dan White

On 09/08/10 14:52 -0700, Howard Chu wrote:

Dan White wrote:

On 09/08/10 16:56 +0800, LI Ji D wrote:

Hi,
My problem is that I expect slapd to authenticate with the password 
stored in sasldb. But it's not, it uses  the password stored in userpassword 
attribute of this user, which is an item of openldap.
So I want to know, how can slapd use password stored in sasldb to do 
the sasl authentication.


I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
did not provide the expected response. Regardless of whether I set it to
slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
internal slapd plugin.

I recommend you file a bug report.


File the bug with the correct people. OpenLDAP doesn't do anything in  
particular with SASL configuration. If you can't get the desired behavior 
by setting the SASL config file, then file a bug against Cyrus SASL.


It does! for auxprop_plugin, and auxprop_plugin only. After some digging I
found the insertion of a SASL_CB_GETOPT function which replaces whatever
auxprop_plugin value is found in the sasl config file with the
sasl-auxprops openldap config option, or defaults to 'slapd' if no
sasl-auxprops is defined.

It's perfectly documented in the slapd.conf man page... just never occurred
to me to look.

LI,

setting:

sasl-auxprops sasldb

within the openldap slapd.conf works for me.

--
Dan White


RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-06 Thread LI Ji D


Hi,
  Could you tell me how to read man slapd.conf(5)?
  I tried man slapd.conf(5) and man slapd.conf on the command line, but no entry was found.

-Original Message-
From: openldap-technical-boun...@openldap.org 
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
   I'm using /usr/local/openldap/bin/ldapsearch -U admin -b 
 ou=people,dc=example,dc=com to test SASL authentication, slapd's log is below:
[...]
 bdb_dn2entry(cn=admin,ou=people,dc=example,dc=com)
 slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
 send_ldap_result: conn=2 op=2 p=3
 SASL Authorize [conn=2]:  proxy authorization allowed authzDN=
 send_ldap_sasl: err=0 len=40
 do_bind: SASL/DIGEST-MD5 bind: dn=cn=admin,ou=people,dc=example,dc=com 
 sasl_ssf=128
 send_ldap_response: msgid=3 tag=97 err=0
[...]
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile/usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth 
ldap:///ou=people,dc=example,dc=com??one?(cn=$1) 
binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
[...]

According to the logs and slapd.conf you are initiating a proxy
authorization, but you have not defined such in slapd.conf.
Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo
attribute types.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-06 Thread LI Ji D
Hi,
I have read slapd.conf(5) on authz-policy, and I'm confused now.
And I find that I gave you the incorrect slapd.conf; the correct 
one is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile/usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth 
ldap:///ou=people,dc=example,dc=com??one?(cn=$1) 
#binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self

database bdb
suffix   ou=people,dc=example,dc=com
rootdn   cn=admin,ou=people,dc=example,dc=com

there is no proxy.

-Original Message-
From: openldap-technical-boun...@openldap.org 
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
   I'm using /usr/local/openldap/bin/ldapsearch -U admin -b 
 ou=people,dc=example,dc=com to test SASL authentication, slapd's log is below:
[...]
 bdb_dn2entry(cn=admin,ou=people,dc=example,dc=com)
 slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
 send_ldap_result: conn=2 op=2 p=3
 SASL Authorize [conn=2]:  proxy authorization allowed authzDN=
 send_ldap_sasl: err=0 len=40
 do_bind: SASL/DIGEST-MD5 bind: dn=cn=admin,ou=people,dc=example,dc=com 
 sasl_ssf=128
 send_ldap_response: msgid=3 tag=97 err=0
[...]
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile/usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth 
ldap:///ou=people,dc=example,dc=com??one?(cn=$1) 
binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self
[...]

According to the logs and slapd.conf you are initiating a proxy
authorization, but you have not defined such in slapd.conf.
Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo
attribute types.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-06 Thread Dieter Kluenter
LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi, Klünter
   Now I can use sasl to authenticate, but openldap seems to be using the 
 password attribute stored in user in openldap to do the sasl. I expect 
 openldap to use sasldb as an external source to do the authentication.

enable debugging of the sasl library. Set debug 7 in sasl2/slapd.conf
and enable syslog to log auth.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-05 Thread LI Ji D
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems to be using the 
password attribute stored in user in openldap to do the sasl. I expect openldap 
to use sasldb as an external source to do the authentication.
1. My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile/usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth 
ldap:///ou=people,dc=example,dc=com??one?(cn=$1) 
binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self

database bdb
suffix   ou=people,dc=example,dc=com
rootdn   cn=admin,ou=people,dc=example,dc=com

2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5

3. I use saslpasswd2 to create a user and password.

Can you help to check this?

-Original Message-
From: openldap-technical-bounces+ji.d.li=alcatel-lucent@openldap.org 
[mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent@openldap.org] On 
Behalf Of Dieter Kluenter
Sent: Thursday, June 24, 2010 1:07 AM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
   This is my comprehension:
 1. The client is connecting to SLAPD requesting an SASL bind.
 2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf 
 file for settings) to tell the client how to authenticate. In this case, it 
 tells the client to use DIGEST-MD5.
 3. The client sends the authentication information to SLAPD.
 4. SLAPD performs the translation specified in authz-regexp.
 5. SLAPD then checks the client's response (using the SASL subsystem) against 
 the information in /etc/sasldb2.
 6. When the client authentication succeeds, OpenLDAP runs the search and 
 returns the results to the client. 

 So SLAPD just compares the password received from the client and the one stored 
 in sasldb2, how could it relate to the one stored in ldap like userPassword: 
 {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=  ?

Sorry, my bad. I forgot that you use sasldb as an external
authentication source. My remarks were based on an internal sasl
authentication. Try to raise the debug level in sasl/slapd.conf,
something like 'loglevel: 7'. If you use syslog, allow sasl to log to
auth. 

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
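
Step 4 of the comprehension above, the authz-regexp translation, is the step the slapd debug log at the top of the thread traces in detail (slap_sasl_getdn, rewrite_rule_apply, slap_parseURI, the internal one-level search). The script below is an added example written for this thread, not OpenLDAP's code, that reproduces that step in Python for the rule used in the posted slapd.conf: the authcid is rendered as uid=<authcid>,cn=<mech>,cn=auth and normalised (the log shows cn=DIGEST-MD5 being matched as cn=digest-md5), $1 is substituted into the LDAP URL, the URL is split into base, scope and filter, and the search must return exactly one entry. Two choices are this example's own and are not claimed to be slapd's documented behaviour: the regex is anchored at both ends, and $1 is escaped per RFC 4515 before it goes into the filter (pass escape=False to see what an unescaped authcid such as `*` does). The in-memory directory stands in for the bdb database; its entries are constructed and contain no escaped commas in DNs.

```python
"""Simulate slapd's authz-regexp mapping of a SASL identity to an entry DN (added example)."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# The rule from the thread's slapd.conf.
AUTHZ_REGEXP: Sequence[Tuple[str, str]] = [
    (r"uid=(.*),cn=DIGEST-MD5,cn=auth", "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"),
]

# Constructed stand-in for the bdb database (attribute names lower-cased).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "ou=people,dc=example,dc=com": {"objectclass": ["organizationalUnit"], "ou": ["people"]},
    "cn=admin,ou=people,dc=example,dc=com": {"objectclass": ["person"], "cn": ["admin"], "sn": ["Admin"]},
    "cn=alice,ou=people,dc=example,dc=com": {"objectclass": ["person"], "cn": ["alice"], "sn": ["Liddell"]},
    "cn=admin,ou=old,ou=people,dc=example,dc=com": {"objectclass": ["person"], "cn": ["admin"], "sn": ["Retired"]},
}


class MappingError(Exception):
    """The SASL identity could not be mapped to exactly one entry."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a captured authcid is a literal value, not filter syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)


def parse_ldap_url(url: str) -> Tuple[str, str, str]:
    """Split a host-less ldap:/// URL into (base DN, scope, filter) with RFC 4516 defaults."""
    if not url.startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are handled here")
    parts = url[len("ldap:///"):].split("?") + ["", "", ""]
    base, _attrs, scope, filt = parts[:4]
    return base, scope or "base", filt or "(objectClass=*)"


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Case-insensitive DN scope test; assumes no escaped commas in DNs."""
    dn, base = dn.lower(), base.lower()
    parent = dn.split(",", 1)[1] if "," in dn else ""
    return {"base": dn == base,
            "one": parent == base,
            "sub": dn == base or dn.endswith("," + base)}[scope]


def filter_matches(entry: Dict[str, List[str]], filt: str) -> bool:
    """Evaluate one equality/substring/presence filter such as (cn=admin) or (cn=*)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter {filt!r}")
    attr, value = m.group(1).lower(), m.group(2)
    # Unescape \XX sequences inside each literal segment; bare '*' is a wildcard.
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), s)
    pattern = ".*".join(re.escape(unescape(seg)) for seg in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))


def map_sasl_identity(authcid: str, mech: str = "DIGEST-MD5", escape: bool = True,
                      rules=AUTHZ_REGEXP, directory=DIRECTORY) -> str:
    identity = f"uid={authcid},cn={mech},cn=auth".lower()   # normalised form seen in the log
    for pattern, template in rules:
        m = re.fullmatch(pattern, identity, re.IGNORECASE)
        if not m:
            continue
        groups = [escape_filter_value(g) if escape else g for g in m.groups()]
        url = re.sub(r"\$(\d)", lambda s: groups[int(s.group(1)) - 1], template)
        base, scope, filt = parse_ldap_url(url)
        hits = [dn for dn, attrs in directory.items()
                if in_scope(dn, base, scope) and filter_matches(attrs, filt)]
        if len(hits) != 1:
            raise MappingError(f"{url} matched {len(hits)} entries, need exactly 1")
        return hits[0]
    raise MappingError(f"no authz-regexp rule matches {identity}")


def try_map(authcid: str, **kwargs) -> Optional[str]:
    """map_sasl_identity, returning None instead of raising (handy at the REPL)."""
    try:
        return map_sasl_identity(authcid, **kwargs)
    except MappingError:
        return None


if __name__ == "__main__":
    for name in ("admin", "ADMIN", "nobody", "*"):
        print(f"{name!r:10} -> {try_map(name)}  (unescaped: {try_map(name, escape=False)})")
```

Two things worth noticing when running it: the second cn=admin entry under ou=old is ignored only because the URL asks for scope one, so widening the scope to sub would make the mapping ambiguous and fail; and with escape=False an authcid of `*` becomes the filter (cn=*), which in this directory also fails only because two entries match. The OpenLDAP admin guide's examples capture with [^,]* rather than .*, which is a sensible tightening of the posted rule.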


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-05 Thread Dieter Kluenter
LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi, Klünter
   Now I can use sasl to authenticate, but openldap seems to be using
 the password attribute stored in user in openldap to do the sasl. I
 expect openldap to use sasldb as an external source to do the
 authentication.
   1. My slapd.conf is below: include
 /usr/local/openldap/schema/core.schema include
 /usr/local/openldap/schema/cosine.schema include
 /usr/local/openldap/schema/inetorgperson.schema include
 /usr/local/openldap/schema/openldap.schema include
 /usr/local/openldap/schema/nis.schema pidfile
 /usr/local/openldap/slapd.1.pid argsfile
 /usr/local/openldap/slapd.1.args password-hash {CLEARTEXT}
 authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
 ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
 binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy
 mode=self

 database bdb suffix ou=people,dc=example,dc=com rootdn
 cn=admin,ou=people,dc=example,dc=com
   
   2. and also I create slapd.conf in
 /usr/local/sasl2/lib/sasl2/slapd.conf content is : pwcheck_method:
 auxprop auxprop_plugin: sasldb mech_list: digest-md5

   3. I use saslpasswd2 to create a user and password.

 Can you help to check this?

Two questions:
1. has slapd been compiled with spasswd? The default setting is no. 
2. has the identity that runs slapd read access to sasldb? On most
   systems  slapd runs as user ldap and sasldb is owned by root.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
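
Dieter's second question (can the account slapd runs as read sasldb?) and, further up the thread, Howard Chu's diagnosis of the segfault (sasldb plugin and slapd linked against different Berkeley DB versions) are both checkable before slapd is started. The script below is an added example written for this thread, not OpenLDAP or Cyrus SASL code. The path constants are assumptions: the slapd prefix and the sasl2 plugin directory are the ones used in the thread, /etc/sasldb2 is the Cyrus SASL default, and the "ldap" account is a common default for a non-root slapd; the two ldd transcripts are constructed samples showing the mismatch Howard describes.

```python
"""Pre-flight checks for slapd + Cyrus SASL sasldb (added example, not project code)."""
import grp
import os
import pwd
import re
import stat
import subprocess
from typing import List, Optional, Set, Tuple

SLAPD = "/usr/local/openldap/libexec/slapd"      # assumed: --prefix=/usr/local/openldap
SASLDB_PLUGIN = "/usr/lib/sasl2/libsasldb.so"    # assumed: plugin dir named in the thread
SASLDB_FILE = "/etc/sasldb2"                     # assumed: Cyrus SASL default

# Matches e.g. libdb-4.7.so; a statically linked BDB produces no match at all.
_LIBDB_RE = re.compile(r"\blibdb-(\d+\.\d+)\.so")


def ldd_output(path: str) -> str:
    """Run ldd on a binary or shared object and return its stdout."""
    return subprocess.run(["ldd", path], capture_output=True, text=True, check=False).stdout


def libdb_versions(ldd_text: str) -> List[str]:
    """Berkeley DB versions named in an ldd transcript, e.g. ['4.7']."""
    return sorted(set(_LIBDB_RE.findall(ldd_text)))


def bdb_mismatch(slapd_ldd: str, plugin_ldd: str) -> Optional[str]:
    """None when both link the same libdb; otherwise a description of the problem."""
    a, b = libdb_versions(slapd_ldd), libdb_versions(plugin_ldd)
    if not a or not b:
        return f"no libdb dependency found (slapd={a}, sasldb plugin={b}); check for static linking"
    if a != b:
        return f"Berkeley DB mismatch: slapd links libdb {a}, sasldb plugin links libdb {b}"
    return None


def sasldb_access_problems(mode: int, owner_uid: int, owner_gid: int,
                           run_uid: int, run_gids: Set[int]) -> List[str]:
    """Problems with sasldb's mode/ownership for a slapd running as run_uid with run_gids."""
    problems: List[str] = []
    if run_uid == 0:                       # root reads regardless of mode bits (LI Ji's setup)
        readable = True
    elif owner_uid == run_uid:
        readable = bool(mode & stat.S_IRUSR)
    elif owner_gid in run_gids:
        readable = bool(mode & stat.S_IRGRP)
    else:
        readable = bool(mode & stat.S_IROTH)
    if not readable:
        problems.append(f"uid {run_uid} cannot read sasldb (owner {owner_uid}:{owner_gid}, "
                        f"mode {stat.S_IMODE(mode):04o}), so the auxprop lookup cannot succeed")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("sasldb is world-accessible; it holds secrets in a form DIGEST-MD5 "
                        "uses directly, so restrict it to the SASL server accounts")
    return problems


def runtime_identity(user: str) -> Tuple[int, Set[int]]:
    """uid and all gids of the account slapd runs as (slapd -u/-g or the init script)."""
    pw = pwd.getpwnam(user)
    gids = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem} | {pw.pw_gid}
    return pw.pw_uid, gids


# Constructed ldd transcripts: slapd against BDB 4.7, the sasldb plugin against BDB 4.2.
SAMPLE_LDD_SLAPD = ("\tlibdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007f3a1c000000)\n"
                    "\tlibsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f3a1bc00000)\n")
SAMPLE_LDD_PLUGIN = "\tlibdb-4.2.so => /usr/lib/libdb-4.2.so (0x00007f9b32000000)\n"


def main() -> None:
    print(bdb_mismatch(ldd_output(SLAPD), ldd_output(SASLDB_PLUGIN))
          or "Berkeley DB: slapd and the sasldb plugin agree")
    st = os.stat(SASLDB_FILE)
    uid, gids = runtime_identity(os.environ.get("SLAPD_USER", "ldap"))  # assumed default account
    for problem in sasldb_access_problems(st.st_mode, st.st_uid, st.st_gid, uid, gids) or ["sasldb: ok"]:
        print(problem)


if __name__ == "__main__":
    main()
```

Set SLAPD_USER to whatever -u slapd is started with; the world-readable warning matters even when the permission question is moot because slapd runs as root, as in this thread, since anything that can read sasldb can replay the DIGEST-MD5 users it contains.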


RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-05 Thread LI Ji D
Hi,
1. How do I compile slapd with spasswd? I think I haven't done that.
2. I run slapd as root, so it should not be a problem.

-Original Message-
From: openldap-technical-boun...@openldap.org 
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, August 05, 2010 5:12 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi, Klünter
   Now I can use sasl to authenticate, but openldap seems to be using
 the password attribute stored in user in openldap to do the sasl. I
 expect openldap to use sasldb as an external source to do the
 authentication.
   1. My slapd.conf is below: include
 /usr/local/openldap/schema/core.schema include
 /usr/local/openldap/schema/cosine.schema include
 /usr/local/openldap/schema/inetorgperson.schema include
 /usr/local/openldap/schema/openldap.schema include
 /usr/local/openldap/schema/nis.schema pidfile
 /usr/local/openldap/slapd.1.pid argsfile
 /usr/local/openldap/slapd.1.args password-hash {CLEARTEXT}
 authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
 ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
 binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy
 mode=self

 database bdb suffix ou=people,dc=example,dc=com rootdn
 cn=admin,ou=people,dc=example,dc=com
   
   2. and also I create slapd.conf in
 /usr/local/sasl2/lib/sasl2/slapd.conf content is : pwcheck_method:
 auxprop auxprop_plugin: sasldb mech_list: digest-md5

   3. I use saslpasswd2 to create use and password.

 Can you help to check this?

Two questions:
1. Has slapd been compiled with spasswd? The default setting is no.
2. Does the identity that runs slapd have read access to sasldb? On most
   systems slapd runs as user ldap and sasldb is owned by root.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-05 Thread Dieter Kluenter
LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
 1. How do I compile slapd with spasswd? I think I haven't done that.
 2. I run slapd as root. So it should not be a problem.

Get the sources, run ./configure --help | less

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-05 Thread LI Ji D
Hi,
I checked my install steps and found that I'm using ./configure 
--prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd 
--enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt 
--enable-modules --enable-accesslog=yes.
So slapd should have been compiled with spasswd, but it's still not 
working.

-Original Message-
From: openldap-technical-boun...@openldap.org 
[mailto:openldap-technical-boun...@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, August 05, 2010 6:50 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
 1. How do I compile slapd with spasswd? I think I haven't done that.
 2. I run slapd as root. So it should not be a problem.

Get the sources, run ./configure --help | less

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


Re: PROBLEM: can't use SASL to authentication openldap client

2010-08-05 Thread Dan White

On 05/08/10 16:35 +0800, LI Ji D wrote:

Hi, Klünter
Now I can use sasl to authenticate, but openldap seems to be using the 
password attribute stored in user in openldap to do the sasl. I expect openldap 
to use sasldb as an external source to do the authentication.
1. My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile/usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth 
ldap:///ou=people,dc=example,dc=com??one?(cn=$1) 
binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self

database bdb
suffix   ou=people,dc=example,dc=com
rootdn   cn=admin,ou=people,dc=example,dc=com

2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5


You may have hit the same issue that Brent did. Most likely you will need
to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.

Alternatively, you can set the environment variable SASL_CONF_PATH to
instruct the sasl glue library where to search for config files. See the
man page for sasl_getconfpath_t for details.

--
Dan White


RE: PROBLEM: can't use SASL to authentication openldap client

2010-08-05 Thread LI Ji D
Hi,
I have linked /usr/lib/sasl2 to /usr/local/sasl2/lib/sasl2/, so I think 
it will not be a problem.

-Original Message-
From: Dan White [mailto:dwh...@olp.net] 
Sent: Friday, August 06, 2010 10:35 AM
To: LI Ji D
Cc: Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

On 05/08/10 16:35 +0800, LI Ji D wrote:
Hi, Klünter
   Now I can use sasl to authenticate, but openldap seems to be using the 
 password attribute stored in user in openldap to do the sasl. I expect 
 openldap to use sasldb as an external source to do the authentication.
   1. My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile/usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth 
ldap:///ou=people,dc=example,dc=com??one?(cn=$1) 
binddn=uid=proxy,ou=People,dc=example,dc=com credentials=proxy mode=self

database bdb
suffix   ou=people,dc=example,dc=com
rootdn   cn=admin,ou=people,dc=example,dc=com
   
   2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5

You may have hit the same issue that Brent did. Most likely you will need
to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.

Alternatively, you can set the environment variable SASL_CONF_PATH to
instruct the sasl glue library where to search for config files. See the
man page for sasl_getconfpath_t for details.

-- 
Dan White



RE: PROBLEM: can't use SASL to authentication openldap client

2010-06-23 Thread LI Ji D
Hi,
This is my comprehension:
1. The client is connecting to SLAPD requesting a SASL bind.
2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf 
file for settings) to tell the client how to authenticate. In this case, it 
tells the client to use DIGEST-MD5.
3. The client sends the authentication information to SLAPD.
4. SLAPD performs the translation specified in authz-regexp.
5. SLAPD then checks the client's response (using the SASL subsystem) against 
the information in /etc/sasldb2.
6. When the client authentication succeeds, OpenLDAP runs the search and 
returns the results to the client. 

So SLAPD just compares the password received from the client and the one stored in 
sasldb2, how could it relate to the one stored in ldap like userPassword: 
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=  ?

-Original Message-
From: openldap-technical-bounces+ji.d.li=alcatel-lucent@openldap.org 
[mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent@openldap.org] On 
Behalf Of Dieter Kluenter
Sent: Wednesday, June 23, 2010 3:33 AM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,

 I tried again with following steps:


 dn: uid=admin,ou=People,o=Ever

 objectClass: top

 objectClass: person

 objectClass: organizationalPerson

 objectClass: inetOrgPerson

 userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
[...]

 4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256

 5. ./ldapsearch -U admin -Y DIGEST-MD5

[...]

You have the attribute value for userPassword hashed with SHA, that is
the password hash has a length of 32bit,
SASL requires a plain text password in order to create a challenge, a
challenge based on a 32bit string is different from a challenge based
on a plain text password string.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
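
The six steps above are the SASL bind as the client sees it. Step 4, the authz-regexp (or sasl-regexp) translation, is where the two configurations in this thread differ, and the following added example walks that step for both. It is my own Python written against the behaviour described in slapd.conf(5) and the Admin Guide, not slapd's code: the original post's rule rewrites the SASL name into another name under cn=auth (the exact string the slapd log shows in rewrite_context_apply), while the later authz-regexp resolves the user through an ldap:/// URL, which slapd accepts only when the internal search returns exactly one entry. The in-memory directory, its entries and the helper names are constructed for the illustration, and the dnNormalize stand-in is deliberately crude.

```python
"""Walk through slapd's SASL identity mapping for the two rules in this thread.

Added illustration, not slapd's own code. TinyDIT and its entries are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple


def normalize_dn(dn: str) -> str:
    """Crude stand-in for slapd's dnNormalize: lower-case, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def sasl_authc_dn(authcid: str, mech: str, realm: Optional[str] = None) -> str:
    """The name slapd builds before any regexp runs; the log shows it as
    'slap_sasl_getdn: u:id converted to uid=...,cn=DIGEST-MD5,cn=auth'."""
    realm_part = f"cn={realm}," if realm else ""
    return f"uid={authcid},{realm_part}cn={mech},cn=auth"


class TinyDIT:
    """Just enough of a directory to resolve an ldap:/// replacement
    with a single (attr=value) equality filter."""

    def __init__(self, entries: List[Tuple[str, Dict[str, List[str]]]]):
        self.entries = [
            (normalize_dn(dn), {a.lower(): [v.lower() for v in vals] for a, vals in attrs.items()})
            for dn, attrs in entries
        ]

    def search(self, base: str, scope: str, filt: str) -> List[str]:
        base = normalize_dn(base)
        m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
        if not m:
            raise ValueError(f"only (attr=value) filters are modelled here: {filt}")
        attr, value = m.group(1).lower(), m.group(2).lower()
        hits = []
        for dn, attrs in self.entries:
            parent = dn.split(",", 1)[1] if "," in dn else ""
            in_scope = {"base": dn == base,
                        "one": parent == base,
                        "sub": dn == base or dn.endswith("," + base)}[scope]
            if in_scope and value in attrs.get(attr, []):
                hits.append(dn)
        return hits


def apply_authz_regexp(rules, authc_dn: str, dit: Optional[TinyDIT] = None) -> Optional[str]:
    """Return the DN slapd would bind as, or None when no rule maps the name.
    The first matching rule wins. The match is case-insensitive: the August rule
    spells DIGEST-MD5 in upper case and still matches the normalized name."""
    subject = normalize_dn(authc_dn)
    for pattern, replacement in rules:
        m = re.match(pattern, subject, re.IGNORECASE)
        if not m:
            continue
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
        if not target.lower().startswith("ldap:///"):
            return normalize_dn(target)            # plain DN replacement
        # ldap:///base?attrs?scope?filter: slapd runs an internal search and
        # accepts the mapping only if exactly one entry comes back.
        parts = target[len("ldap:///"):].split("?")
        base, _attrs, scope, filt = (parts + ["", "", "", ""])[:4]
        hits = dit.search(base, scope or "base", filt) if dit else []
        return hits[0] if len(hits) == 1 else None
    return None


# The two rules from the thread, as (match, replace) pairs.
ORIGINAL_POST_RULES = [(r"^uid=([^,]+),.*", "uid=$1,cn=bjims31,cn=digest-md5,cn=auth")]
AUGUST_RULES = [(r"uid=(.*),cn=DIGEST-MD5,cn=auth",
                 "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)")]

# Constructed entries; only the attributes the URL filter needs.
DIT = TinyDIT([
    ("uid=admin,ou=People,dc=example,dc=com", {"uid": ["admin"], "cn": ["admin"]}),
    ("uid=liji1,ou=People,dc=example,dc=com", {"uid": ["liji1"], "cn": ["Li Ji"]}),
])


def map_original_post(authcid: str = "liji1") -> Optional[str]:
    return apply_authz_regexp(ORIGINAL_POST_RULES, sasl_authc_dn(authcid, "DIGEST-MD5"))


def map_august_config(authcid: str) -> Optional[str]:
    return apply_authz_regexp(AUGUST_RULES, sasl_authc_dn(authcid, "DIGEST-MD5"), DIT)


if __name__ == "__main__":
    print(map_original_post())         # the string in the slapd log, still under cn=auth
    print(map_august_config("admin"))  # resolves to the entry under ou=people
    print(map_august_config("liji1"))  # None: the filter keys on cn, and cn here is "Li Ji"
```

Two things the walk-through makes visible. With the original post's rule the mapped identity never leaves the cn=auth namespace, so it names no entry in the dc=example,dc=com database. With the August rule the lookup keys on cn, not uid, so it only resolves users whose cn equals the SASL username, and any other user maps to nothing.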


Re: PROBLEM: can't use SASL to authentication openldap client

2010-06-23 Thread Dieter Kluenter
LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,
   This is my comprehension:
 1. The client is connecting to SLAPD requesting a SASL bind.
 2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf 
 file for settings) to tell the client how to authenticate. In this case, it 
 tells the client to use DIGEST-MD5.
 3. The client sends the authentication information to SLAPD.
 4. SLAPD performs the translation specified in authz-regexp.
 5. SLAPD then checks the client's response (using the SASL subsystem) against 
 the information in /etc/sasldb2.
 6. When the client authentication succeeds, OpenLDAP runs the search and 
 returns the results to the client. 

 So SLAPD just compares the password received from the client and the one stored 
 in sasldb2, how could it relate to the one stored in ldap like userPassword: 
 {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=  ?

Sorry, my bad. I forgot that you use sasldb as an external
authentication source. My remarks were based on an internal sasl
authentication. Try to raise the debug level in sasl/slapd.conf,
something like 'loglevel: 7'. If you use syslog, allow sasl to log to
auth. 

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


Re: PROBLEM: can't use SASL to authentication openldap client

2010-06-22 Thread Dan White

On 21/06/10 09:52 +0800, LI Ji D wrote:

3. Then I configure the slapd.conf to be like this:
  

   authz-policy to
   sasl-regexp ^uid=([^,]+),.* uid=$1,cn=bjims31,cn=digest-md5,cn=auth
   database  bdb
   suffix  dc=example,dc=com
   rootdn uid=111,cn=digest-md5,cn=auth

4. Then I use 'saslpasswd2 -c liji1' to add a user and create 
/usr/lib/sasl2/slapd.conf with content:

   pwcheck_method: auxprop
   auxprop_plugin: sasldb
   mech_list: plain login ntlm cram-md5 digest-md5

5. Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p
389', but fails with reason: user not found: no secret in database.
The log of slapd is:

slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: uid=liji1,cn=digest-md5,cn=auth
==slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database


It's not clear which user credentials are being retrieved from sasldb. Is
it uid=liji1,cn=digest-md5,cn=auth or liji1?

You could increase your cyrus debugging to get more information out of
syslog: Add an:

auth.debug...

to your syslog configuration, and add this to your
/usr/lib/sasl2/slapd.conf:

log_level: 7

--
Dan White


Re: PROBLEM: can't use SASL to authentication openldap client

2010-06-22 Thread Dieter Kluenter
Hi,

LI Ji D ji.d...@alcatel-lucent.com writes:

 Hi,

 I tried again with following steps:


 dn: uid=admin,ou=People,o=Ever

 objectClass: top

 objectClass: person

 objectClass: organizationalPerson

 objectClass: inetOrgPerson

 userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
[...]

 4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256

 5. ./ldapsearch -U admin -Y DIGEST-MD5

[...]

You have the attribute value for userPassword hashed with SHA, that is
the password hash has a length of 32bit,
SASL requires a plain text password in order to create a challenge, a
challenge based on a 32bit string is different from a challenge based
on a plain text password string.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
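
Dieter's point is about the mechanism itself. In DIGEST-MD5 (RFC 2831) both the client's response and the server's rspauth are derived from MD5(username:realm:password), so the server needs either the cleartext password or that MD5 value; nothing usable can be recovered for it from a {SHA} userPassword, which only supports a simple-bind comparison (the value in the thread is, incidentally, the SHA-1 of the string "secret"). The following is an added example, my own Python and not OpenLDAP or Cyrus SASL code, that runs the exchange with both sides, plays the sasldb lookup with a constructed dictionary, and reproduces the failure string from the thread when the user is absent. The realm, the digest-uri and the user names are assumptions; the RFC 2831 section 4 vector is used as a self-check.

```python
"""DIGEST-MD5 (RFC 2831) walk-through with both sides of the exchange.

Added example for this thread; not OpenLDAP or Cyrus SASL code. SASLDB is
a constructed stand-in for sasldb2, and the realm/digest-uri are assumed.
"""
import base64
import hashlib
import hmac
import secrets


def md5_raw(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ha1_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only password-derived value the mechanism
    uses. A server may store this instead of the cleartext, but it cannot be
    derived from a SHA-1 (or any other) hash of the bare password."""
    return md5_raw(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_response(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                    digest_uri: str, authzid: str = None, rspauth: bool = False) -> str:
    """response-value, or rspauth when rspauth=True (RFC 2831, section 2.1.2.1)."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    kd = f"{md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2.encode('utf-8'))}"
    return md5_hex(kd.encode("utf-8"))


def server_challenge(realm: str, nonce: str = None) -> dict:
    """Server step 1: the challenge the client gets back with err=14 (SASL bind in progress)."""
    return {"realm": realm, "nonce": nonce or secrets.token_hex(16), "qop": "auth",
            "algorithm": "md5-sess", "charset": "utf-8"}


def client_response(challenge: dict, username: str, password: str, digest_uri: str,
                    cnonce: str = None) -> dict:
    """Client side: needs the cleartext password, hence ldapsearch's password prompt."""
    resp = {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "cnonce": cnonce or secrets.token_hex(16), "nc": "00000001", "qop": "auth",
            "digest-uri": digest_uri}
    resp["response"] = digest_response(ha1_secret(username, resp["realm"], password),
                                       resp["nonce"], resp["cnonce"], resp["nc"],
                                       resp["qop"], digest_uri)
    return resp


def server_verify(resp: dict, lookup_ha1) -> tuple:
    """Server step 2. lookup_ha1 plays the auxprop plugin and must return
    H(user:realm:password) or None. Returns (ok, rspauth or failure reason)."""
    ha1 = lookup_ha1(resp["username"], resp["realm"])
    if ha1 is None:
        return False, "no secret in database"          # the failure quoted in the thread
    args = (resp["nonce"], resp["cnonce"], resp["nc"], resp["qop"], resp["digest-uri"])
    if not hmac.compare_digest(digest_response(ha1, *args), resp["response"]):
        return False, "authentication failure"
    return True, digest_response(ha1, *args, rspauth=True)


# Constructed stand-in for sasldb2 (saslpasswd2 keeps the cleartext secret there).
SASLDB = {("admin", "example.com"): "secret"}


def sasldb_lookup(username: str, realm: str):
    password = SASLDB.get((username, realm))
    return None if password is None else ha1_secret(username, realm, password)


def sha_userpassword_matches(stored: str, candidate: str) -> bool:
    """All a {SHA} userPassword can answer is a simple-bind comparison."""
    if not stored.startswith("{SHA}"):
        raise ValueError("not a {SHA} value")
    digest = base64.b64decode(stored[len("{SHA}"):])
    return hmac.compare_digest(hashlib.sha1(candidate.encode("utf-8")).digest(), digest)


def run_bind(username: str, password: str, realm: str = "example.com", lookup=sasldb_lookup):
    """Whole exchange: challenge, response, verification."""
    challenge = server_challenge(realm)
    return server_verify(client_response(challenge, username, password, f"ldap/{realm}"), lookup)


if __name__ == "__main__":
    print(run_bind("admin", "secret"))   # (True, '<rspauth>')
    print(run_bind("nobody", "secret"))  # (False, 'no secret in database')
    print(sha_userpassword_matches("{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=", "secret"))  # True
```

The lookup callback is the whole story of this thread: whatever auxprop plugin libsasl ends up using has to hand back a secret in a form digest_response can consume. That is also why it matters who can read sasldb2, as Dieter asks: the file holds the cleartext secrets.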


PROBLEM: can't use SASL to authentication openldap client

2010-06-21 Thread LI Ji D
Hi,

   I'm using openldap 2.4.19 to set up an ldap server with sasl, but I
get some problems.

   I followed the instruction in
http://www.openldap.org/doc/admin24/sasl.html to do the installation.

   1. I install cyrus-sasl-2.1.22 successfully, and use the Cyrus SASL
sample_client and sample_server to test my SASL installation before
attempting to make use of it with OpenLDAP Software.

   

   2. Then I install openldap with commands:

   # export CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include -I/usr/local/sasl2/include"
   # export LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib -L/usr/local/sasl2/lib -L/usr/local/sasl2/lib/sasl2"
   # export LD_LIBRARY_PATH=/usr/local/BerkeleyDB.4.8/lib
   # ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes
   # make depend
   # make
   # make test
   # make install
   # cp /usr/local/openldap/var/openldap-data/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG

There is no error during install.



   3. Then I configure the slapd.conf to be like this:

include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args

authz-policy to

sasl-regexp ^uid=([^,]+),.* uid=$1,cn=bjims31,cn=digest-md5,cn=auth

database bdb
suffix dc=example,dc=com
rootdn uid=111,cn=digest-md5,cn=auth


   4. Then I use 'saslpasswd2 -c liji1' to add a user and create
/usr/lib/sasl2/slapd.conf with content:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login ntlm cram-md5 digest-md5



  5. Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5
-p 389', but fails with reason: user not found: no secret in database.
The log of slapd is:

  

slap_listener_activate(7): 
slap_listener(ldap:///)
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1276849696
ber_get_next
conn=1 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: 
dnPrettyNormal: , 
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
== slap_sasl_bind: rc=14
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1276849697
ber_get_next
conn=1 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: 
dnPrettyNormal: , 
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: uid=liji1,cn=digest-md5,cn=auth
==slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
== rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
== rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
== rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
dnNormalize: uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
dnNormalize: uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12

==