
Re: ACL's for SASL compat.



ok,

	I was sick yesterday with the flu, back to it: 

	Before I go any further, let's find out if this is a problem: the version I am using returns SASL_OK:

diff -uNr rh/cyrus-sasl-1.5.24/lib/server.c cyrus/cyrus-sasl-1.5.24/lib/server.c
--- rh/cyrus-sasl-1.5.24/lib/server.c	Mon Jul 10 14:54:45 2000
+++ cyrus/cyrus-sasl-1.5.24/lib/server.c	Sun Aug 13 22:04:42 2000
@@ -895,7 +895,7 @@
 	s_conn->base.oparams.user = (char *) canonuser;
     }
 
-    return SASL_OK;
+    return ret;
 }
 
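Review bot: the unconditional `return SASL_OK;` at the end of this function discards whatever the preceding checks stored in `ret`, so an authorization or canonicalization failure earlier in the function is still reported to the caller as success; `return ret;` is the right fix, but since the hunk's context does not show where `ret` is assigned, confirm that every path reaching this final return sets `ret` (and that the successful path leaves it at SASL_OK), so the fix does not trade a silent success for an uninitialized return value.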
I'd like to notify the vendor (RedHat) if the RPM they shipped is buggy. 


Anyway, I tried with cyrus-sasl-1.5.24 from the URL you posted and this is what I get:

[root@schoenberg openldap-2.0.4]# /usr/local/bin/ldapmodify  -Y DIGEST-MD5  -U testuser -X "dn:uid=testuser + realm=schoenberg" -f /tmp/modify.ldif
SASL/DIGEST-MD5 authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Insufficient access
	additional info: no proxy policy

If I try without the -X:

usr/local/bin/ldapmodify  -Y DIGEST-MD5  -U testuser -P 3 -f /tmp/modify.ldif
SASL/DIGEST-MD5 authentication started
Please enter your password: 
SASL username: testuser
SASL realm: schoenberg
SASL SSF: 128
SASL installing layers
modifying entry "uid=testuser,portalId=ADBE,ou=People,o=RedGorilla"
ldap_modify: Insufficient access

ldif_record() = 50

Oct  6 15:05:25 schoenberg slapd[4194]: connection_get(9) 
Oct  6 15:05:25 schoenberg slapd[4196]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0 
Oct  6 15:05:27 schoenberg slapd[4194]: connection_get(9) 
Oct  6 15:05:27 schoenberg slapd[4196]: ==> sasl_bind: dn="" mech=<continuing> datalen=298 
Oct  6 15:05:27 schoenberg slapd[4194]: connection_get(9) 
Oct  6 15:05:27 schoenberg slapd[4196]: ==> sasl_bind: dn="" mech=<continuing> datalen=0 
Oct  6 15:05:27 schoenberg slapd[4196]: SASL Authorize [conn=6]: authcid="testuser" authzid="testuser" 
Oct  6 15:05:27 schoenberg slapd[4194]: connection_get(9) 
Oct  6 15:05:27 schoenberg slapd[4196]: do_modify: dn (uid=testuser,portalId=ADBE,ou=People,o=RedGorilla) 
Oct  6 15:05:27 schoenberg slapd[4196]: modifications: 
Oct  6 15:05:27 schoenberg slapd[4196]: ^Ireplace: sn 
Oct  6 15:05:27 schoenberg slapd[4196]: entry_rdwr_rtrylock: ID: 13 
Oct  6 15:05:27 schoenberg slapd[4196]: entry_rdwr_runlock: ID: 13 
Oct  6 15:05:27 schoenberg slapd[4196]: ldbm_back_modify: 
Oct  6 15:05:27 schoenberg slapd[4196]: entry_rdwr_wtrylock: ID: 13 
Oct  6 15:05:27 schoenberg slapd[4196]: send_ldap_result: 50:: 
Oct  6 15:05:27 schoenberg slapd[4196]: entry_rdwr_wunlock: ID: 13 
Oct  6 15:05:27 schoenberg slapd[4194]: connection_get(9) 


So if I try to modify the authzid, I get a "no proxy policy" error; otherwise the auth ID remains just "testuser".

	Cheers,


On Wed, Oct 04, 2000 at 03:53:40PM -0700, Kurt D. Zeilenga wrote:
> At 02:58 PM 10/4/00 -0400, Marc Heckmann wrote:
> >        I have a trace of what happens below, it seems that the authorization
> >DN is only "testuser" and not "uid=testuser+realm=schoenberg"
> 
> Just "testuser"?  Sounds like you might be suffering from a nasty
> (and dangerous) Cyrus SASL bug.  Make sure you have Cyrus SASL 1.5.24
> installed as currently available from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail.
> Do not install versions from any other source as there appear to
> be multiple versions labeled 1.5.24 floating about (due to a silent
> upgrade) and only the version in the official FTP site is known not
> to contain the bug.
> 
> Then, when testing with OpenLDAP, be sure to specify TRACE.  ARGS is
> useful as well.  This will report not only the authentication and
> authorization identities, but the authorization (or subject) DN.
> 
> Other notes: -D is for simple bind... irrelevant for SASL bind.
> -W is for simple bind, SASL bind will prompt as needed (but will
> use value provided via -W or -w as well).  And don't use -X
> (authorization identity) with OpenLDAP slapd... as slapd only
> supports authorization identities which are equivalent to the
> authentication identity (empty or u:user for user).
> 
> Kurt
> 
> 

-- 
	Marc Heckmann  -  Network Operations  
        HBE Software/Opendesk.Com
        heckmann@hbesoftware.com www.hbesoftware.com
        heckmann@opendesk.com www.opendesk.com
        Tel. (514) 876-7881 ext. 219
        Fax. (514) 876-9223
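Added example, not code from this thread, from Cyrus SASL or from OpenLDAP: a small C model of the authorization step the thread is about. `authorize_policy` encodes the rule Kurt describes (authzid empty or `u:<authcid>`, anything else refused as a proxy request); the two wrappers contrast discarding the check's verdict, as the `return SASL_OK` line in the diff did, with propagating it. The function names and the numeric failure code are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Return codes: SASL_OK matches Cyrus SASL; the failure value is chosen
 * for this example and is not taken from sasl.h. */
#define SASL_OK      0
#define SASL_NOAUTHZ (-14)

/* Model of the rule Kurt describes: slapd only grants authorization
 * identities equivalent to the authentication identity, i.e. an empty
 * authzid or "u:<authcid>". Anything else is a proxy request and is
 * refused, which is what the client sees as "no proxy policy". */
int authorize_policy(const char *authcid, const char *authzid)
{
    if (authzid == NULL || authzid[0] == '\0')
        return SASL_OK;                     /* default: authzid := authcid */
    if (strncmp(authzid, "u:", 2) == 0 && strcmp(authzid + 2, authcid) == 0)
        return SASL_OK;                     /* same user, just spelled out */
    return SASL_NOAUTHZ;                    /* proxying to another identity */
}

/* The defect pattern from the diff: the policy runs, but its verdict is
 * thrown away and the caller is always told the bind is authorized. */
int authorize_result_discarded(const char *authcid, const char *authzid)
{
    int ret = authorize_policy(authcid, authzid);
    (void)ret;
    return SASL_OK;
}

/* The corrected pattern: the policy's verdict reaches the caller. */
int authorize_result_propagated(const char *authcid, const char *authzid)
{
    return authorize_policy(authcid, authzid);
}

int main(void)
{
    /* Constructed cases; the third mirrors the -X value from the thread. */
    const char *cases[] = { "", "u:testuser",
                            "dn:uid=testuser + realm=schoenberg", "u:otheruser" };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("authzid=%-38s discarded=%3d propagated=%3d\n", cases[i],
               authorize_result_discarded("testuser", cases[i]),
               authorize_result_propagated("testuser", cases[i]));
    return 0;
}
```

The last row is the dangerous one: with the verdict discarded, a bind as `testuser` asking to act as `otheruser` is reported as authorized.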