
Re: Newbie OpenLDAP-SASL question



Thanks for the clarifications.

Even after searching the archives and reading many of the posts related
to this matter, I have yet to solve this problem.

Here is a relevant part of my ldap debug log (this occurs seemingly
after SASL gives a positive password check):



SASL Authorize [conn=1]: "dn:cn=Nolan Buschnell,dc=steltor,dc=com" as
"u:dn:cn=Nolan Buschnell,dc=steltor,dc=com"
slap_sasl_bind: username="u:dn:cn=Nolan Buschnell,dc=steltor,dc=com"
realm="c-644.in.steltor.com" ssf=128
<== slap_sasl_bind: authorization disallowed



I am setting "dn:cn=Nolan Buschnell,dc=steltor,dc=com" as my
authentication and authorization ids, which is consistent with both the
ldap utilities' documentation and RFC 2829 "Authentication Methods for
LDAP". Why is it trying to authorize as "u:dn:cn=Nolan
Buschnell,dc=steltor,dc=com" ?

As I understand it, "u:dn:cn=Nolan Buschnell,dc=steltor,dc=com" has been
authenticated, however the ldap server is of course not allowed to let
this be an authorization for "dn:cn=Nolan Buschnell,dc=steltor,dc=com"
(please let me know if my understanding is totally wrong :) ). As sort
of a hack to fix this, I put the following lines in my slapd.conf:

access to dn="^cn=(.*),dc=steltor,dc=com"
 by dn=".*cn=$1,dc=steltor,dc=com.*" write

Would this be the correct way to get something like "u:dn:cn=Nolan
Buschnell,dc=steltor,dc=com" to authorize as "dn:cn=Nolan
Buschnell,dc=steltor,dc=com" (forgive me if there are errors, I am rusty
with regexp's)? After adding these lines my LDAP server does not seem to
work anymore (I get "ldap_sasl_interactive_bind_s: No such object").

Thanks,
-Mani

Howard Chu wrote:
> 
> The reason "saslregexp" is only in the draft developer's admin guide is
> because it only exists in the development code at the moment; it has never
> been in any released versions. I think the upcoming 2.1alpha will be the
> first actual release of this feature.
> 
> Given that the current public release is 2.0.22 I find it difficult to
> understand why anyone would begin a project today by compiling version
> 2.0.9. It is in everyone's best interest to check for the latest versions of
> all software before beginning to work with any of it. Sure there may be new,
> as-yet-undiscovered bugs in the newest code, but in general more bugs are
> fixed than introduced.
> 
> As for mapping SASL IDs to LDAP DNs, this has been covered repeatedly in the
> past couple weeks on this mailing list. The short answer in this case is
> that slapd always constructs a DN using "uid=<sasl-name>+realm=<sasl-realm>"
> in the released code, and always expects you to specify the name as
> "u:<sasl-name>" on the command line.
> 
> As mentioned before, the new code has the "saslregexp" config directive for
> mapping SASL names to DN format, plus other related features to make SASL a
> lot better integrated. Check through the archives of this mailing list for
> more details.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Brian Arkills
> > Sent: Thursday, February 14, 2002 1:10 PM
> > To: 'manig'; openldap-software@OpenLDAP.org
> > Subject: RE: Newbie OpenLDAP-SASL question
> >
> >
> > Let me begin by saying I've never setup an OpenLDAP server ...
> > that said ...
> >
> > I believe what you are missing is not in the general admin guide
> > for 2.0, but is in the draft developer's admin guide at:
> > http://www.openldap.org/devel/admin/sasl.html section 9.2.3
> > (which is not the same section as in the regular admin guide).
> > You need to map the authentication id to an authorization id
> > using the saslregex directive.
> >
> > I think the fact that this piece of information is only listed in
> > the draft developer's guide is very problematic, and it should be
> > added to the production admin guide to avoid further confusion.
> >
> > Brian
> >
> > > -----Original Message-----
> > > From: manig [mailto:manig@steltor.com]
> > > Sent: Thursday, February 14, 2002 11:04 AM
> > > To: openldap-software@OpenLDAP.org
> > > Subject: Newbie OpenLDAP-SASL question
> > >
> > >
> > > To get directory users authenticated using SASL, I have taken the
> > > following steps:
> > >
> > > - compile/install cyrus sasl
> > > - compile/install openldap 2.0.9 with cyrus sasl support
> > > - set 'require SASL' in my slapd.conf (I want to prevent any other
> > >   type of authentication)
> > > - create a sasl passwd file (/etc/sasldb) using saslpasswd(8), invoked
> > > like this:
> > >
> > > for dn "cn=Manager,dc=example,dc=com":
> > > % /usr/local/sbin/saslpasswd -c "dn:cn=Manager,dc=example,dc=com"
> > >
> > > At this point, running ldapsearch with -D "cn=Manager,dc=example,dc=com"
> > > and -W, I set the authentication id and the authzid to
> > > "dn:cn=Manager,dc=example,dc=com". Running in debug mode, it looks like
> > > it is authenticating correctly against the sasl database, however I get
> > > the error:
> > >
> > > ldap_sasl_interactive_bind_s: Inappropriate authentication
> > >         additional info: authorization disallowed
> > >
> > > (I believe the SASL part of authentication is going through correctly,
> > > because putting in a wrong password gives me "Invalid Credentials
> > > Error". Running in debug mode showed correct SASL client-server
> > > communication, with a positive response from the server).
> > >
> > > Reading previous posts about SASL authentication, I believe what is
> > > wrong here is that I am not telling the LDAP server which SASL username
> > > corresponds to which LDAP directory entry. Unfortunately, I couldn't
> > > find any documentation on this matter.
> > >
> > > Thanks,
> > > Mani
> > >
> > > --
> > > /* Mani Ghasemlou, Software Developer
> > >  * Steltor Inc., 2000 Peel Street, 4th floor, Montreal.
> > >  * TELEPHONE: (514) 733-8500 EXT 4217 FAX: (514) 733-8878
> > >  */
> > >

-- 
/* Mani Ghasemlou, Software Developer
 * Steltor Inc., 2000 Peel Street, 4th floor, Montreal.
 * TELEPHONE: (514) 733-8500 EXT 4217 FAX: (514) 733-8878
 */
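The following is an added worked example, not code from the thread or from OpenLDAP itself. It models the two behaviours the thread describes so the "authorization disallowed" result can be reproduced offline: Howard's statement that released 2.0.x slapd turns a SASL name into the DN form "uid=<sasl-name>+realm=<sasl-realm>" and expects "u:<sasl-name>" as the authorization id, and the draft guide's saslregexp directive, which here is assumed to be a (pattern, template) pair with `$1` back-references applied to that constructed DN (the real directive's exact syntax and matching form should be checked against the draft admin guide section Brian cites). DN value escaping follows RFC 2253; DN equality is simplified to a case-insensitive string comparison, and proxy-authorization rules are not modelled. The user name `nolan`, the rule, and the sample realm are constructed values.

```python
import re

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 2253 section 2.4), plus leading '#', leading and trailing space.
_DN_SPECIAL = set(',+"\\<>;')


def dn_escape(value):
    """Escape a string for use as an attribute value in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def apply_saslregexp(dn, rules):
    """Rewrite dn with the first matching (pattern, template) rule.
    Assumed model of the draft guide's saslregexp: the pattern is anchored
    to the whole constructed DN and $N in the template is the Nth group."""
    for pattern, template in rules:
        m = re.match(pattern + r'\Z', dn)
        if m:
            return re.sub(r'\$(\d+)', lambda g: m.group(int(g.group(1))), template)
    return dn  # no rule matched: keep the constructed form


def sasl_name_to_dn(sasl_name, realm, rules=()):
    """Model of released-2.0 slapd as described in the thread: every SASL
    name becomes uid=<sasl-name>+realm=<sasl-realm>, then (new code only)
    saslregexp rules may rewrite it into a real directory DN."""
    raw = 'uid=%s+realm=%s' % (dn_escape(sasl_name), dn_escape(realm))
    return apply_saslregexp(raw, rules)


def parse_authz_id(authz_id, realm, rules=()):
    """Turn an RFC 2829 authorization identity into a DN:
    "u:<name>" goes through the same mapping as the authenticated name,
    "dn:<dn>" is taken literally and is never rewritten."""
    if authz_id.startswith('u:'):
        return sasl_name_to_dn(authz_id[2:], realm, rules)
    if authz_id.startswith('dn:'):
        return authz_id[3:]
    raise ValueError('authzid must start with "u:" or "dn:"')


def sasl_bind(authc_name, authz_id, realm, rules=()):
    """Return (allowed, authc_dn, authz_dn). Without proxy-authorization
    rules, the requested identity is allowed only when it is the same DN
    the authenticated SASL name maps to (simplified case-insensitive compare)."""
    authc_dn = sasl_name_to_dn(authc_name, realm, rules)
    authz_dn = parse_authz_id(authz_id, realm, rules)
    return authc_dn.lower() == authz_dn.lower(), authc_dn, authz_dn


# Constructed sample values: Mani's SASL user name scheme and his realm.
MANI_NAME = 'dn:cn=Nolan Buschnell,dc=steltor,dc=com'
REALM = 'c-644.in.steltor.com'
# Assumed saslregexp rule: map uid=<name>+realm=... onto cn=<name>,dc=steltor,dc=com.
RULES = [(r'uid=([^+]*)\+realm=.*', 'cn=$1,dc=steltor,dc=com')]

if __name__ == '__main__':
    # 1. Mani's attempt on released 2.0: the authenticated name never maps to
    #    the literal dn: he asks for, so authorization is disallowed.
    print(sasl_bind(MANI_NAME, 'dn:' + MANI_NAME[3:], REALM))
    # 2. What released 2.0 accepts: authzid "u:<name>", mapped the same way.
    print(sasl_bind('nolan', 'u:nolan', REALM))
    # 3. New code with a saslregexp rule: the SASL name now maps to a real entry DN.
    print(sasl_bind('nolan', 'dn:cn=nolan,dc=steltor,dc=com', REALM, RULES))
```

Case 1 reproduces the log line in the message above: the server has authenticated the SASL name but computes a completely different DN for it, so the "dn:cn=..." authorization identity is refused. Case 2 shows why "u:<name>" works on 2.0 even though the resulting uid=...+realm=... DN matches no directory entry, which is exactly the gap the saslregexp mapping in case 3 closes.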