On 17/02/11 18:51 +0900, Hiroyuki Sato wrote:
> However authentication still failed.
> I'm not sure why slap_sasl_authorized compares the input password.
> -- from debug message
> ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
> become password1?
That's pretty strange. Which version of openldap are you running?
Does this command make any difference?:
ldapsearch -h 192.168.10.36 -Y digest-md5 -U [email protected] \
-X u:[email protected] -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
> 1, new configuration
>
> database bdb
> suffix "dc=mydomain,dc=com"
> rootdn "cn=Manager,dc=mydomain,dc=com"
> sasl-regexp
>     uid=([^@]+)([^,]+),cn=digest-md5,cn=auth
>     uid=$1,ou=users,dc=mydomain,dc=com
> sasl-auxprops sql
>
> ldapsearch -h 192.168.10.36 -Y digest-md5 -U [email protected] \
>     -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>
> 2, /usr/lib/sasl2/slapd.conf
>
> pwcheck_method: auxprop
> mech_list: DIGEST-MD5
> log_level: 7
> auxprop_plugin: sql
> sql_verbose: yes
> sql_engine: mysql
> sql_hostnames: host.addre.ss
> sql_user: username
> sql_passwd: password
> sql_database: database
> #
> # no realm
> #
> sql_select: select password from sasl_test where username = '%u'
>
> 3, log
>
> conn=1000 op=1 BIND dn="" method=163
> do_bind: dn () SASL mech DIGEST-MD5
> ==> sasl_bind: dn="" mech=<continuing> datalen=303
> SASL [conn=1000] Debug: DIGEST-MD5 server step 2
> SASL Canonicalize [conn=1000]: authcid="[email protected]"
> slap_sasl_getdn: conn 1000 [email protected] [len=22]
> => ldap_dn2bv(16)
> <= ldap_dn2bv([email protected],cn=DIGEST-MD5,cn=auth)=0
> slap_sasl_getdn: u:id converted to
> [email protected],cn=DIGEST-MD5,cn=auth
> dnNormalize: <[email protected],cn=DIGEST-MD5,cn=auth>
> => ldap_bv2dn([email protected],cn=DIGEST-MD5,cn=auth,0)
> <= ldap_bv2dn([email protected],cn=DIGEST-MD5,cn=auth)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv([email protected],cn=digest-md5,cn=auth)=0
> <<< dnNormalize: <[email protected],cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name
> [email protected],cn=digest-md5,cn=auth to a DN
> ==> rewrite_context_apply [depth=1]
> string='[email protected],cn=digest-md5,cn=auth'
> ==> rewrite_rule_apply rule='uid=([^@]+)([^,]+),cn=digest-md5,cn=auth'
> string='[email protected],cn=digest-md5,cn=auth' [1 pass(es)]
> ==> rewrite_context_apply [depth=1]
> res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'}
> [rw] authid: "[email protected],cn=digest-md5,cn=auth" ->
> "uid=ldap_user,ou=users,dc=mydomain,dc=com"
> slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
> ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
> dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
> => ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
> <= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
> <<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
> <==slap_sasl2dn: Converted SASL name to
> uid=ldap_user,ou=users,dc=mydomain,dc=com
> slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com
> SASL Canonicalize [conn=1000]:
> slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com"
> SASL Canonicalize [conn=1000]: authzid="[email protected]"
> SASL proxy authorize [conn=1000]: authcid="[email protected]"
> authzid="[email protected]"
> ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
> become password1?
> <== slap_sasl_authorized: return 48
> SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
> SASL [conn=1000] Failure: not authorized
> send_ldap_result: conn=1000 op=1 p=3
> send_ldap_result: err=50 matched="" text="SASL(-14): authorization
> failure: not authorized"
> send_ldap_response: msgid=2 tag=97 err=50
In version 2.4.23, the authorization should succeed at (in
servers/slapd/saslauthz.c):
/* Check if a bind can SASL authorize to another identity.
 * The DNs should not have the dn: prefix
 */
int slap_sasl_authorized( Operation *op,
    struct berval *authcDN, struct berval *authzDN )
{
    int rc = LDAP_INAPPROPRIATE_AUTH;

    /* User binding as anonymous */
    if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
        rc = LDAP_SUCCESS;
        goto DONE;
    }

    /* User is anonymous */
    if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
        goto DONE;
    }

    Debug( LDAP_DEBUG_TRACE,
        "==>slap_sasl_authorized: can %s become %s?\n",
        authcDN->bv_len ? authcDN->bv_val : "(null)",
        authzDN->bv_len ? authzDN->bv_val : "(null)", 0 );

    /* If person is authorizing to self, succeed */
    if ( dn_match( authcDN, authzDN ) ) {
        rc = LDAP_SUCCESS;
        goto DONE;
    }

    ...
}
So I'm not sure why you would be seeing anything other than:
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
become uid=ldap_user,ou=users,dc=mydomain,dc=com?
But it's probably related to why your authentication is failing.
I've gotten this to work before with sasldb and digest-md5:
http://web.olp.net/dwhite/openldap/sasldb-notes.txt
Could you post your slapd config, or at least your ACLs?
--
Dan White
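The following Python simulation is an added illustration of the mapping and authorization path discussed in this thread; it is not OpenLDAP code and not something either poster wrote. It takes the posted sasl-regexp rule, walks a SASL authcid and optional authzid through a toy version of slap_sasl_getdn() / slap_sasl2dn(), and then applies the opening checks of slap_sasl_authorized() quoted above, so one can see that an authzid mapping to the same DN as the authcid yields LDAP_SUCCESS (0) and a different DN yields LDAP_INAPPROPRIATE_AUTH (48). The identities (ldap_user@example.com, someone_else@example.com) are constructed stand-ins for the redacted addresses; DN normalization is a simplified case-fold rather than slapd's per-syntax dnNormalize(); and the authzTo/authzFrom evaluation that follows the self-check in the real function is not modelled. The last sample input also shows a property of the posted pattern itself: because `([^,]+)` must consume at least one character, an id that contains no `@` loses its final character in $1 (`ldap_user` maps to `uid=ldap_use,...`).

```python
import re

# Result codes as defined in OpenLDAP's include/ldap.h.
LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48

# The sasl-regexp rule from the posted slapd.conf: (pattern, replacement).
# slapd compiles the pattern as a POSIX extended regex and matches it
# unanchored with regexec(); $N in the replacement is capture group N.
SASL_REGEXP = (r"uid=([^@]+)([^,]+),cn=digest-md5,cn=auth",
               "uid=$1,ou=users,dc=mydomain,dc=com")


def normalize_dn(dn):
    """Toy stand-in for slapd's dnNormalize(): case-fold every RDN and drop
    whitespace around the separating commas. Real normalization follows each
    attribute's matching rule, so this is a simplification (assumption)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def sasl_id_to_dn(sasl_id, mech):
    """Mimic slap_sasl_getdn(): 'u:<id>' (or a bare id, as the authcid is)
    becomes the synthetic DN uid=<id>,cn=<mech>,cn=auth; 'dn:<dn>' is taken
    as a DN directly."""
    if sasl_id.startswith("dn:"):
        return normalize_dn(sasl_id[3:])
    if sasl_id.startswith("u:"):
        sasl_id = sasl_id[2:]
    return normalize_dn("uid=%s,cn=%s,cn=auth" % (sasl_id, mech))


def apply_regexp(dn, rule=SASL_REGEXP):
    """Apply one sasl-regexp rule (what slap_sasl2dn() does via the rewrite
    engine). A DN that matches no rule is left unchanged, so a dn: authzid
    that already names an entry in the tree passes straight through."""
    pattern, replacement = rule
    m = re.search(pattern, dn)
    if m is None:
        return dn
    # Expand OpenLDAP's $N placeholders from the captured groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def slap_sasl_authorized(authc_dn, authz_dn):
    """Port of the opening checks of slap_sasl_authorized() quoted in the
    thread. The real function continues with authzTo/authzFrom rules; this
    toy simply denies once the self-check fails (assumption)."""
    if not authz_dn:                      # binding as anonymous
        return LDAP_SUCCESS
    if not authc_dn:                      # anonymous user cannot become anyone
        return LDAP_INAPPROPRIATE_AUTH
    if normalize_dn(authc_dn) == normalize_dn(authz_dn):
        return LDAP_SUCCESS               # authorizing to self
    return LDAP_INAPPROPRIATE_AUTH


def sasl_bind(authcid, authzid=None, mech="DIGEST-MD5"):
    """Walk one SASL bind through mapping and authorization.
    Returns (authcDN, authzDN, result code)."""
    authc_dn = apply_regexp(sasl_id_to_dn(authcid, mech))
    authz_dn = apply_regexp(sasl_id_to_dn(authzid, mech)) if authzid else ""
    return authc_dn, authz_dn, slap_sasl_authorized(authc_dn, authz_dn)


if __name__ == "__main__":
    # Constructed identities standing in for the redacted ones in the thread.
    samples = [
        ("ldap_user@example.com", None),
        ("ldap_user@example.com", "u:ldap_user@example.com"),
        ("ldap_user@example.com", "u:someone_else@example.com"),
        ("ldap_user@example.com", "dn:uid=ldap_user,ou=users,dc=mydomain,dc=com"),
        ("ldap_user", None),
    ]
    for authcid, authzid in samples:
        print("%-22s %-48s -> %s" % (authcid, authzid, sasl_bind(authcid, authzid)))
```

Run it directly to print the five sample binds; the result code in the third column is what slapd would log as the slap_sasl_authorized return value, and the log line in the thread ("can uid=ldap_user,... become password1?") corresponds to an authzDN that did not map to the same DN as the authcDN.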