[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP 2.1 Released

To: thierryW <thierryw@libertysurf.fr>
Subject: Re: OpenLDAP 2.1 Released
From: thierryW <thierryw@libertysurf.fr>
Date: Fri, 14 Jun 2002 10:45:59 +0200
Cc: openldap-software@OpenLDAP.org
References: <NMEFLNHODBAOPDKNNJALIEOBDAAA.hyc@highlandsun.com> <3D09AC88.4020502@libertysurf.fr>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc1) Gecko/20020417

thierryW wrote:
Sorry i forgot one thing :
rootdn    "uid=master1,ou=admins,o=Mairie(not firm),dc=intranet,dc=fr"

saslRegexp
uid=(.*),cn=intranet.fr,cn=DIGEST-MD5,cn=auth
uid=$1,ou=admins,o=Mairie(not firm),dc=intranet,dc=fr
thierry

*ThierryW wrote:
2 questions :*
*First one, starting ssl or tls search failed with :* TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept. TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:985 where it worked with 2.0.23 ?? What's wrong
*Second question :*
my config. : openldap2.1.2 sasl1.5
I cannot perform a search :
in slapd.conf (only what's important):
********************************
TLSCertificateFile      /usr/local/ssl/certs/certmorangis.pem
TLSCertificateKeyFile   /usr/local/ssl/certs/certmorangis.pem
TLSCACertificateFile    /usr/local/ssl/certs/certmorangis.pem
# Schema and objectClass definitions
sasl-realm             intranet.fr
sasl-host               openmail.intranet.fr
#sasl-secprops          none
database    bdb
directory       /usr/ldap/var/openldap-data
suffix        "dc=intranet,dc=fr"
rootdn    "uid=master1,ou=admins,o=firm,dc=intranet,dc=fr"
saslRegexp
 uid=(.*),cn=intranet.fr,cn=DIGEST-MD5,cn=auth
 uid=$1,ou=admins,o=firm,dc=intranet,dc=fr
#ldap://openmail.intranet.fr/ou=admins,o=mairie,dc=intranet,dc=fr??sub?uid=$1
access to *
        by dn="uid=master1\\+realm=intranet.fr"  write
        by * read
#by dn="uid=master1.*\+realm=openmail.intranet.fr"  write
access to attr=userPassword
       by self write
       by anonymous auth
       by * none
*****************************************************
Like notice in 2.1 admin guide : ldapsearch -h openmail.intranet.fr -X "u:master1" or -I or whatever you want... I got with slapd debug: ...... daemon: conn=2 fd=13 connection from IP=192.0.1.252:33951 (IP=192.0.1.252:389) accepted. daemon: added 13r daemon: activity on: daemon: select: listen=6 active_threads=0 tvp=NULL daemon: select: listen=7 active_threads=0 tvp=NULL daemon: activity on 1 descriptors daemon: activity on: 13r daemon: read activity on 13 connection_get(13) connection_get(13): got connid=2 connection_read(13): checking for input on id=2 ber_get_next ldap_read: want=9, got=9 0000: 30 3e 02 01 01 63 39 04 00 0>...c9.. ldap_read: want=55, got=55 0000: 0a 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 87 ................ 0010: 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 19 04 17 .objectclass0... 0020: 73 75 70 70 6f 72 74 65 64 53 41 53 4c 4d 65 63 supportedSASLMec 0030: 68 61 6e 69 73 6d 73 hanisms ber_get_next: tag 0x30 len 62 contents: ber_dump: buf=0x081ec430 ptr=0x081ec430 end=0x081ec46e len=62 0000: 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 01 00 ...c9........... 0010: 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c ........objectcl 0020: 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 65 64 ass0...supported 0030: 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 SASLMechanisms ber_get_next ldap_read: want=9 error=Resource temporarily unavailable ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable) do_search ber_scanf fmt ({miiiib) ber: ber_dump: buf=0x081ec430 ptr=0x081ec433 end=0x081ec46e len=59 0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9.............. 0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass 0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS 0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms >>> dnPrettyNormal: <> <<< dnPrettyNormal: <>, <> SRCH "" 0 0 0 0 0 begin get_filter PRESENT ber_scanf fmt (m) ber: ber_dump: buf=0x081ec430 ptr=0x081ec446 end=0x081ec46e len=40 0000: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 19 04 ..objectclass0.. 0010: 17 73 75 70 70 6f 72 74 65 64 53 41 53 4c 4d 65 .supportedSASLMe 0020: 63 68 61 6e 69 73 6d 73 chanisms end get_filter 0 filter: (objectClass=*) ber_scanf fmt ({M}}) ber: ber_dump: buf=0x081ec430 ptr=0x081ec453 end=0x081ec46e len=27 0000: 00 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 ....supportedSAS 0010: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms attrs: supportedSASLMechanisms conn=2 op=0 SRCH base="" scope=0 filter="(objectClass=*)" => test_filter PRESENT => access_allowed: search access to "" "objectClass" requested => acl_get: [1] check attr objectClass <= acl_get: [1] acl attr: objectClass => acl_mask: access to entry "", attr "objectClass" requested => acl_mask: to all values by "", (=n) <= check a_dn_pat: uid=master1\+realm=intranet.fr => string_expand: pattern: uid=master1\+realm=intranet.fr => string_expand: expanded: uid=master1\+realm=intranet.fr => regex_matches: string: => regex_matches: rc: 1 no matches <= check a_dn_pat: * <= acl_mask: [4] applying read(=rscx) (stop) <= acl_mask: [4] mask: read(=rscx) => access_allowed: search access granted by read(=rscx) <= test_filter 6 => send_search_entry: dn="" => access_allowed: read access to "" "entry" requested => acl_get: [1] check attr entry <= acl_get: [1] acl attr: entry => acl_mask: access to entry "", attr "entry" requested => acl_mask: to all values by "", (=n) <= check a_dn_pat: uid=master1\+realm=intranet.fr => string_expand: pattern: uid=master1\+realm=intranet.fr => string_expand: expanded: uid=master1\+realm=intranet.fr => regex_matches: string: => regex_matches: rc: 1 no matches <= check a_dn_pat: * <= acl_mask: [4] applying read(=rscx) (stop) <= acl_mask: [4] mask: read(=rscx) => access_allowed: read access granted by read(=rscx) => access_allowed: read access to "" "supportedSASLMechanisms" requested => acl_get: [1] check attr supportedSASLMechanisms <= acl_get: [1] acl attr: supportedSASLMechanisms => acl_mask: access to entry "", attr "supportedSASLMechanisms" requested => acl_mask: to all values by "", (=n) <= check a_dn_pat: uid=master1\+realm=intranet.fr => string_expand: pattern: uid=master1\+realm=intranet.fr => string_expand: expanded: uid=master1\+realm=intranet.fr => regex_matches: string: => regex_matches: rc: 1 no matches <= check a_dn_pat: * <= acl_mask: [4] applying read(=rscx) (stop) <= acl_mask: [4] mask: read(=rscx) => access_allowed: read access granted by read(=rscx) ber_flush: 52 bytes to sd 13 0000: 30 32 02 01 01 64 2d 04 00 30 29 30 27 04 17 73 02...d-..0)0'..s 0010: 75 70 70 6f 72 74 65 64 53 41 53 4c 4d 65 63 68 upportedSASLMech 0020: 61 6e 69 73 6d 73 31 0c 04 0a 44 49 47 45 53 54 anisms1...DIGEST 0030: 2d 4d 44 35 -MD5 ldap_write: want=52, written=52 0000: 30 32 02 01 01 64 2d 04 00 30 29 30 27 04 17 73 02...d-..0)0'..s 0010: 75 70 70 6f 72 74 65 64 53 41 53 4c 4d 65 63 68 upportedSASLMech 0020: 61 6e 69 73 6d 73 31 0c 04 0a 44 49 47 45 53 54 anisms1...DIGEST 0030: 2d 4d 44 35 -MD5 conn=2 op=0 ENTRY dn="" <= send_search_entry send_ldap_result: conn=2 op=0 p=3 send_ldap_result: err=0 matched="" text="" send_ldap_response: msgid=1 tag=101 err=0 ber_flush: 14 bytes to sd 13 0000: 30 0c 02 01 01 65 07 0a 01 00 04 00 04 00 0....e........ ldap_write: want=14, written=14 0000: 30 0c 02 01 01 65 07 0a 01 00 04 00 04 00 0....e........ conn=2 op=0 RESULT tag=101 err=0 text= daemon: select: listen=6 active_threads=1 tvp=NULL daemon: select: listen=7 active_threads=1 tvp=NULL daemon: activity on 1 descriptors daemon: activity on: 13r daemon: read activity on 13 connection_get(13) connection_get(13): got connid=2 connection_read(13): checking for input on id=2 ber_get_next ldap_read: want=9, got=9 0000: 30 18 02 01 02 60 13 02 01 0....`... ldap_read: want=17, got=17 0000: 03 04 00 a3 0c 04 0a 44 49 47 45 53 54 2d 4d 44 .......DIGEST-MD 0010: 35 5 ber_get_next: tag 0x30 len 24 contents: ber_dump: buf=0x081ec558 ptr=0x081ec558 end=0x081ec570 len=24 0000: 02 01 02 60 13 02 01 03 04 00 a3 0c 04 0a 44 49 ...`..........DI 0010: 47 45 53 54 2d 4d 44 35 GEST-MD5 ber_get_next ldap_read: want=9 error=Resource temporarily unavailable ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable) do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x081ec558 ptr=0x081ec55b end=0x081ec570 len=21 0000: 60 13 02 01 03 04 00 a3 0c 04 0a 44 49 47 45 53 `..........DIGES 0010: 54 2d 4d 44 35 T-MD5 ber_scanf fmt ({o) ber: ber_dump: buf=0x081ec558 ptr=0x081ec562 end=0x081ec570 len=14 0000: 00 0c 04 0a 44 49 47 45 53 54 2d 4d 44 35 ....DIGEST-MD5 ber_scanf fmt (}}) ber: ber_dump: buf=0x081ec558 ptr=0x081ec570 end=0x081ec570 len=0

*>>> dnPrettyNormal: <> <<< dnPrettyNormal: <>, <> do_sasl_bind: dn () mech DIGEST-MD5 conn=2 op=1 BIND dn="" method=163 ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0 daemon: select: listen=6 active_threads=1 tvp=NULL daemon: select: listen=7 active_threads=1 tvp=NULL **send_ldap_sasl: err=14 len=162 send_ldap_response: msgid=2 tag=97 err=14* ber_flush: 181 bytes to sd 13 0000: 30 81 b2 02 01 02 61 81 ac 0a 01 0e 04 00 04 00 0.....a......... 0010: 87 81 a2 72 65 61 6c 6d 3d 22 69 6e 74 72 61 6e ...realm="intran 0020: 65 74 2e 66 72 22 2c 6e 6f 6e 63 65 3d 22 75 49 et.fr",nonce="uI 0030: 43 54 69 49 4e 79 4c 74 4d 51 45 6d 65 6a 4a 74 CTiINyLtMQEmejJt 0040: 34 39 59 30 39 72 71 61 4e 44 30 4b 4e 34 2b 73 49Y09rqaND0KN4+s 0050: 78 44 48 61 4c 43 54 35 6b 3d 22 2c 71 6f 70 3d xDHaLCT5k=",qop= 0060: 22 61 75 74 68 2c 61 75 74 68 2d 69 6e 74 2c 61 "auth,auth-int,a 0070: 75 74 68 2d 63 6f 6e 66 22 2c 63 69 70 68 65 72 uth-conf",cipher 0080: 3d 22 72 63 34 2d 34 30 2c 72 63 34 2d 35 36 2c ="rc4-40,rc4-56, 0090: 72 63 34 22 2c 63 68 61 72 73 65 74 3d 75 74 66 rc4",charset=utf 00a0: 2d 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 -8,algorithm=md5 00b0: 2d 73 65 73 73 -sess ldap_write: want=181, written=181 0000: 30 81 b2 02 01 02 61 81 ac 0a 01 0e 04 00 04 00 0.....a......... 0010: 87 81 a2 72 65 61 6c 6d 3d 22 69 6e 74 72 61 6e ...realm="intran 0020: 65 74 2e 66 72 22 2c 6e 6f 6e 63 65 3d 22 75 49 et.fr",nonce="uI 0030: 43 54 69 49 4e 79 4c 74 4d 51 45 6d 65 6a 4a 74 CTiINyLtMQEmejJt 0040: 34 39 59 30 39 72 71 61 4e 44 30 4b 4e 34 2b 73 49Y09rqaND0KN4+s 0050: 78 44 48 61 4c 43 54 35 6b 3d 22 2c 71 6f 70 3d xDHaLCT5k=",qop= 0060: 22 61 75 74 68 2c 61 75 74 68 2d 69 6e 74 2c 61 "auth,auth-int,a 0070: 75 74 68 2d 63 6f 6e 66 22 2c 63 69 70 68 65 72 uth-conf",cipher 0080: 3d 22 72 63 34 2d 34 30 2c 72 63 34 2d 35 36 2c ="rc4-40,rc4-56, 0090: 72 63 34 22 2c 63 68 61 72 73 65 74 3d 75 74 66 rc4",charset=utf 00a0: 2d 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 -8,algorithm=md5 00b0: 2d 73 65 73 73 -sess *<== slap_sasl_bind: rc=14* ............................ When i put my password : SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Unknown error (80) additional info: unable to get user's secret and debug : ............. daemon: activity on 1 descriptors daemon: activity on: 13r daemon: read activity on 13 connection_get(13) connection_get(13): got connid=2 connection_read(13): checking for input on id=2 ber_get_next ldap_read: want=9, got=9 0000: 30 82 01 48 02 01 03 60 82 0..H...`. ldap_read: want=323, got=323 0000: 01 41 02 01 03 04 00 a3 82 01 38 04 0a 44 49 47 .A........8..DIG 0010: 45 53 54 2d 4d 44 35 04 82 01 28 75 73 65 72 6e EST-MD5...(*usern* 0020: 61 6d 65 3d 22 72 6f 6f 74 22 2c 72 65 61 6c 6d *ame="root"*,realm 0030: 3d 22 69 6e 74 72 61 6e 65 74 2e 66 72 22 2c 61 ="intranet.fr",a 0040: 75 74 68 7a 69 64 3d 22 75 3a 6d 61 73 74 65 72 uthzid="u:master 0050: 31 22 2c 6e 6f 6e 63 65 3d 22 75 49 43 54 69 49 1",nonce="uICTiI 0060: 4e 79 4c 74 4d 51 45 6d 65 6a 4a 74 34 39 59 30 NyLtMQEmejJt49Y0 0070: 39 72 71 61 4e 44 30 4b 4e 34 2b 73 78 44 48 61 9rqaND0KN4+sxDHa 0080: 4c 43 54 35 6b 3d 22 2c 63 6e 6f 6e 63 65 3d 22 LCT5k=",cnonce=" 0090: 38 6b 2f 62 70 6b 65 57 43 66 65 47 61 77 5a 47 8k/bpkeWCfeGawZG 00a0: 67 4c 51 62 4d 68 33 67 72 42 66 61 47 47 35 57 gLQbMh3grBfaGG5W 00b0: 33 33 35 6f 4d 54 31 54 4a 43 34 3d 22 2c 6e 63 335oMT1TJC4=",nc 00c0: 3d 30 30 30 30 30 30 30 31 2c 71 6f 70 3d 61 75 =00000001,qop=au 00d0: 74 68 2d 63 6f 6e 66 2c 63 69 70 68 65 72 3d 22 th-conf,cipher=" 00e0: 72 63 34 22 2c 63 68 61 72 73 65 74 3d 75 74 66 rc4",charset=utf 00f0: 2d 38 2c 64 69 67 65 73 74 2d 75 72 69 3d 22 6c -8,digest-uri="l 0100: 64 61 70 2f 6f 70 65 6e 6d 61 69 6c 2e 69 6e 74 dap/openmail.int 0110: 72 61 6e 65 74 2e 66 72 22 2c 72 65 73 70 6f 6e ranet.fr",respon 0120: 73 65 3d 62 30 66 61 39 64 39 36 32 30 61 61 66 se=b0fa9d9620aaf 0130: 61 35 35 39 37 30 33 32 33 62 62 32 61 32 30 35 a55970323bb2a205 0140: 63 66 33 cf3 ber_get_next: tag 0x30 len 328 contents: ber_dump: buf=0x081ebc00 ptr=0x081ebc00 end=0x081ebd48 len=328 0000: 02 01 03 60 82 01 41 02 01 03 04 00 a3 82 01 38 ...`..A........8 0010: 04 0a 44 49 47 45 53 54 2d 4d 44 35 04 82 01 28 ..DIGEST-MD5...( 0020: 75 73 65 72 6e 61 6d 65 3d 22 72 6f 6f 74 22 2c username="root", 0030: 72 65 61 6c 6d 3d 22 69 6e 74 72 61 6e 65 74 2e realm="intranet. 0040: 66 72 22 2c 61 75 74 68 7a 69 64 3d 22 75 3a 6d fr",authzid="u:m 0050: 61 73 74 65 72 31 22 2c 6e 6f 6e 63 65 3d 22 75 aster1",nonce="u 0060: 49 43 54 69 49 4e 79 4c 74 4d 51 45 6d 65 6a 4a ICTiINyLtMQEmejJ 0070: 74 34 39 59 30 39 72 71 61 4e 44 30 4b 4e 34 2b t49Y09rqaND0KN4+ 0080: 73 78 44 48 61 4c 43 54 35 6b 3d 22 2c 63 6e 6f sxDHaLCT5k=",cno 0090: 6e 63 65 3d 22 38 6b 2f 62 70 6b 65 57 43 66 65 nce="8k/bpkeWCfe 00a0: 47 61 77 5a 47 67 4c 51 62 4d 68 33 67 72 42 66 GawZGgLQbMh3grBf 00b0: 61 47 47 35 57 33 33 35 6f 4d 54 31 54 4a 43 34 aGG5W335oMT1TJC4 00c0: 3d 22 2c 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 =",nc=00000001,q 00d0: 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 op=auth-conf,cip 00e0: 68 65 72 3d 22 72 63 34 22 2c 63 68 61 72 73 65 her="rc4",charse 00f0: 74 3d 75 74 66 2d 38 2c 64 69 67 65 73 74 2d 75 t=utf-8,digest-u 0100: 72 69 3d 22 6c 64 61 70 2f 6f 70 65 6e 6d 61 69 ri="ldap/openmai 0110: 6c 2e 69 6e 74 72 61 6e 65 74 2e 66 72 22 2c 72 l.intranet.fr",r 0120: 65 73 70 6f 6e 73 65 3d 62 30 66 61 39 64 39 36 esponse=b0fa9d96 0130: 32 30 61 61 66 61 35 35 39 37 30 33 32 33 62 62 20aafa55970323bb 0140: 32 61 32 30 35 63 66 33 2a205cf3 ber_get_next ldap_read: want=9 error=Resource temporarily unavailable ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable) do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x081ebc00 ptr=0x081ebc03 end=0x081ebd48 len=325 0000: 60 82 01 41 02 01 03 04 00 a3 82 01 38 04 0a 44 `..A........8..D 0010: 49 47 45 53 54 2d 4d 44 35 04 82 01 28 75 73 65 IGEST-MD5...(use 0020: 72 6e 61 6d 65 3d 22 72 6f 6f 74 22 2c 72 65 61 rname="root",rea 0030: 6c 6d 3d 22 69 6e 74 72 61 6e 65 74 2e 66 72 22 lm="intranet.fr" 0040: 2c 61 75 74 68 7a 69 64 3d 22 75 3a 6d 61 73 74 ,authzid="u:mast 0050: 65 72 31 22 2c 6e 6f 6e 63 65 3d 22 75 49 43 54 er1",nonce="uICT 0060: 69 49 4e 79 4c 74 4d 51 45 6d 65 6a 4a 74 34 39 iINyLtMQEmejJt49 0070: 59 30 39 72 71 61 4e 44 30 4b 4e 34 2b 73 78 44 Y09rqaND0KN4+sxD 0080: 48 61 4c 43 54 35 6b 3d 22 2c 63 6e 6f 6e 63 65 HaLCT5k=",cnonce 0090: 3d 22 38 6b 2f 62 70 6b 65 57 43 66 65 47 61 77 ="8k/bpkeWCfeGaw 00a0: 5a 47 67 4c 51 62 4d 68 33 67 72 42 66 61 47 47 ZGgLQbMh3grBfaGG 00b0: 35 57 33 33 35 6f 4d 54 31 54 4a 43 34 3d 22 2c 5W335oMT1TJC4=", 00c0: 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 6f 70 3d nc=00000001,qop= 00d0: 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 68 65 72 auth-conf,cipher 00e0: 3d 22 72 63 34 22 2c 63 68 61 72 73 65 74 3d 75 ="rc4",charset=u 00f0: 74 66 2d 38 2c 64 69 67 65 73 74 2d 75 72 69 3d tf-8,digest-uri= 0100: 22 6c 64 61 70 2f 6f 70 65 6e 6d 61 69 6c 2e 69 "ldap/openmail.i 0110: 6e 74 72 61 6e 65 74 2e 66 72 22 2c 72 65 73 70 ntranet.fr",resp 0120: 6f 6e 73 65 3d 62 30 66 61 39 64 39 36 32 30 61 onse=b0fa9d9620a 0130: 61 66 61 35 35 39 37 30 33 32 33 62 62 32 61 32 afa55970323bb2a2 0140: 30 35 63 66 33 05cf3 ber_scanf fmt ({o) ber: ber_dump: buf=0x081ebc00 ptr=0x081ebc0c end=0x081ebd48 len=316 0000: 00 82 01 38 04 0a 44 49 47 45 53 54 2d 4d 44 35 ...8..DIGEST-MD5 0010: 04 82 01 28 75 73 65 72 6e 61 6d 65 3d 22 72 6f ...(username="ro 0020: 6f 74 22 2c 72 65 61 6c 6d 3d 22 69 6e 74 72 61 ot",realm="intra 0030: 6e 65 74 2e 66 72 22 2c 61 75 74 68 7a 69 64 3d net.fr",authzid= 0040: 22 75 3a 6d 61 73 74 65 72 31 22 2c 6e 6f 6e 63 "u:master1",nonc 0050: 65 3d 22 75 49 43 54 69 49 4e 79 4c 74 4d 51 45 e="uICTiINyLtMQE 0060: 6d 65 6a 4a 74 34 39 59 30 39 72 71 61 4e 44 30 mejJt49Y09rqaND0 0070: 4b 4e 34 2b 73 78 44 48 61 4c 43 54 35 6b 3d 22 KN4+sxDHaLCT5k=" 0080: 2c 63 6e 6f 6e 63 65 3d 22 38 6b 2f 62 70 6b 65 ,cnonce="8k/bpke 0090: 57 43 66 65 47 61 77 5a 47 67 4c 51 62 4d 68 33 WCfeGawZGgLQbMh3 00a0: 67 72 42 66 61 47 47 35 57 33 33 35 6f 4d 54 31 grBfaGG5W335oMT1 00b0: 54 4a 43 34 3d 22 2c 6e 63 3d 30 30 30 30 30 30 TJC4=",nc=000000 00c0: 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 01,qop=auth-conf 00d0: 2c 63 69 70 68 65 72 3d 22 72 63 34 22 2c 63 68 ,cipher="rc4",ch 00e0: 61 72 73 65 74 3d 75 74 66 2d 38 2c 64 69 67 65 arset=utf-8,dige 00f0: 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 6f 70 65 st-uri="ldap/ope 0100: 6e 6d 61 69 6c 2e 69 6e 74 72 61 6e 65 74 2e 66 nmail.intranet.f 0110: 72 22 2c 72 65 73 70 6f 6e 73 65 3d 62 30 66 61 r",response=b0fa 0120: 39 64 39 36 32 30 61 61 66 61 35 35 39 37 30 33 9d9620aafa559703 0130: 32 33 62 62 32 61 32 30 35 63 66 33 23bb2a205cf3 ber_scanf fmt (m) ber: ber_dump: buf=0x081ebc00 ptr=0x081ebc1c end=0x081ebd48 len=300 0000: 04 82 01 28 75 73 65 72 6e 61 6d 65 3d 22 72 6f ...(username="ro 0010: 6f 74 22 2c 72 65 61 6c 6d 3d 22 69 6e 74 72 61 ot",realm="intra 0020: 6e 65 74 2e 66 72 22 2c 61 75 74 68 7a 69 64 3d net.fr",authzid= 0030: 22 75 3a 6d 61 73 74 65 72 31 22 2c 6e 6f 6e 63 "u:master1",nonc 0040: 65 3d 22 75 49 43 54 69 49 4e 79 4c 74 4d 51 45 e="uICTiINyLtMQE 0050: 6d 65 6a 4a 74 34 39 59 30 39 72 71 61 4e 44 30 mejJt49Y09rqaND0 0060: 4b 4e 34 2b 73 78 44 48 61 4c 43 54 35 6b 3d 22 KN4+sxDHaLCT5k=" 0070: 2c 63 6e 6f 6e 63 65 3d 22 38 6b 2f 62 70 6b 65 ,cnonce="8k/bpke 0080: 57 43 66 65 47 61 77 5a 47 67 4c 51 62 4d 68 33 WCfeGawZGgLQbMh3 0090: 67 72 42 66 61 47 47 35 57 33 33 35 6f 4d 54 31 grBfaGG5W335oMT1 00a0: 54 4a 43 34 3d 22 2c 6e 63 3d 30 30 30 30 30 30 TJC4=",nc=000000 00b0: 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 01,qop=auth-conf 00c0: 2c 63 69 70 68 65 72 3d 22 72 63 34 22 2c 63 68 ,cipher="rc4",ch 00d0: 61 72 73 65 74 3d 75 74 66 2d 38 2c 64 69 67 65 arset=utf-8,dige 00e0: 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 6f 70 65 st-uri="ldap/ope 00f0: 6e 6d 61 69 6c 2e 69 6e 74 72 61 6e 65 74 2e 66 nmail.intranet.f 0100: 72 22 2c 72 65 73 70 6f 6e 73 65 3d 62 30 66 61 r",response=b0fa 0110: 39 64 39 36 32 30 61 61 66 61 35 35 39 37 30 33 9d9620aafa559703 0120: 32 33 62 62 32 61 32 30 35 63 66 33 23bb2a205cf3 ber_scanf fmt (}}) ber: ber_dump: buf=0x081ebc00 ptr=0x081ebd48 end=0x081ebd48 len=0

*>>> dnPrettyNormal: <> <<< dnPrettyNormal: <>, <> do_sasl_bind: dn () mech DIGEST-MD5 conn=2 op=2 BIND dn="" method=163 ==> sasl_bind: dn="" mech=<continuing> datalen=296 send_ldap_result: conn=2 op=2 p=3 send_ldap_result: err=80 matched="" text="unable to get user's secret" send_ldap_response: msgid=3 tag=97 err=80* ber_flush: 41 bytes to sd 13 0000: 30 27 02 01 03 61 22 0a 01 50 04 00 04 1b 75 6e 0'...a"..P....un 0010: 61 62 6c 65 20 74 6f 20 67 65 74 20 75 73 65 72 able to get user 0020: 27 73 20 73 65 63 72 65 74 's secret ldap_write: want=41, written=41 0000: 30 27 02 01 03 61 22 0a 01 50 04 00 04 1b 75 6e 0'...a"..P....un 0010: 61 62 6c 65 20 74 6f 20 67 65 74 20 75 73 65 72 able to get user 0020: 27 73 20 73 65 63 72 65 74 's secret *conn=2 op=2 RESULT tag=97 err=80 text=unable to get user's secret <== slap_sasl_bind: rc=80* daemon: select: listen=6 active_threads=1 tvp=NULL daemon: select: listen=7 active_threads=1 tvp=NULL daemon: activity on 1 descriptors daemon: activity on: 13r daemon: read activity on 13 connection_get(13) connection_get(13): got connid=2 connection_read(13): checking for input on id=2 ber_get_next ldap_read: want=9, got=0
ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=2, closing.
connection_closing: readying conn=2 sd=13 for close
connection_close: conn=2 sd=13
daemon: removing 13
conn=2 fd=13 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
It seems not taking my username...? but root by default..
My ldif for user master1 is :
dn: uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: master1
sn: master1
uid: master1
userPassword: "mycleartextpassword" => like you answer to my last message
So could you help me please, what i'm doing wrong ??
Thierry
|Howard Chu wrote:
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
Fredriksson
"Howard" == Howard Chu <hyc@highlandsun.com> writes:
   Turbo>  And if one uses Kerberos V? My 'userPassword' attribute is
   Turbo> currently of the form '{KERBEROS}USERPRINCIPAL' and I don't
   Turbo> change password in LDAP, but in Kerberos.
   Howard> That is an ugly, insecure, slow-performing hack. If you
   Howard> have Kerberos V then you should be using SASL/GSSAPI to
   Howard> login to LDAP, and completely ignoring the userPassword
   Howard> attribute.
I thought you HAD to use that to be able to use Kerberos V...
Oki, tested with my test user, it works with '*' in userPassword. One
question that comes up though, is WHY (ie, WHO) is this used in the
first place?
I don't know why anyone would use it. I think it may be a holdover from Kerberos IV support in the original UMich distribution, before SASL support existed. At any rate, it has always been a bad idea.

I'll pass on "WHO" and assume you meant "HOW" - the userPassword attribute is used for LDAP Simple Binds. The user's "secret" password is sent across the network in the clear. Unless you have TLS or SSL underneath the session, then using these mechanisms will destroy any security you might have had. If you're just running a public read-only server, perhaps you don't care to worry about security. If you're running Kerberos, security is obviously of some importance to you, and handing out your password like this is just putting all your Kerberos setup effort to waste.

With the in-directory SASL-secret support in 2.1, the userPassword attribute is directly used by many of the SASL mechanisms. E.g., DIGEST-MD5 and CRAM-MD5 both start with the plaintext password and generate their secrets based on that. As such, if you care about the security of your database, you should make sure that Simple Binds are never used over an unprotected connection, otherwise all of your SASL mechanisms' security will be breached at once.
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

References:
- RE: OpenLDAP 2.1 Released
  - From: "Howard Chu" <hyc@highlandsun.com>
- Re: OpenLDAP 2.1 Released
  - From: thierryW <thierryw@libertysurf.fr>

Prev by Date: RE: TSL / SSL
Next by Date: Debug output
Index(es):
- Chronological
- Thread