
RE: SASL authentication, user not found



The Cyrus documentation states that the default SASL realm is the FQDN of the
host. This is the value that slapd uses. It appears from your sasldblistusers
output that your realm is not fully qualified. This kind of mismatch is known
to cause the user lookups to fail.

Also, the -X option for ldapsearch is only needed for proxy authorization.
Normally you would just use -U to bind with a specific username.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Karl Lattimer

>
> Hi, I've just managed to get cyrus SASL and OpenLDAP talking
> to each other
> properly and I'm a little confused as to what I've done wrong.
>
> Following is a dump of relevant information;
> **************
> [root@LSiaB ldif]# sasldblistusers
> user: testuser realm: LSiaB mech: PLAIN
> user: testuser realm: LSiaB mech: CRAM-MD5
> user: testuser realm: LSiaB mech: DIGEST-MD5
>
> [root@LSiaB ldif]# sasldblistusers2
> testuser@LSiaB: userPassword
>
> [root@LSiaB ldif]# ldapsearch -x -b 'o=lsiab.lan' '(objectclass=*)'
> # lsiab.lan
> dn: o=lsiab.lan
> o: lsiab.lan
> objectClass: top
> objectClass: organization
>
> # admin, lsiab.lan
> dn: cn=admin,o=lsiab.lan
> cn: admin
> objectClass: organizationalRole
>
> # test, lsiab.lan
> dn: ou=test,o=lsiab.lan
> ou: test
> objectClass: organizationalUnit
>
> # testuser, test, lsiab.lan
> dn: uid=testuser,ou=test,o=lsiab.lan
> uid: testuser
> cn: Test User
> sn: User
> givenName: Test
> ou: test
> objectClass: Top
> objectClass: Person
> objectClass: OrganizationalPerson
> objectClass: InetOrgPerson
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 4
>
> [root@LSiaB ldif]# ldapsearch -X 'u:testuser' -b 'o=lsiab.lan'
> '(objectclass=*)'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Internal (implementation
> specific) error (80)
>         additional info: SASL(-13): user not found: no secret
> in database
>
> [root@LSiaB ldif]# ldapsearch -X 'dn:
> uid=testuser,cn=DIGEST-MD5,cn=auth' -b
> 'o=lsiab.lan' '(objectclass=*)'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Internal (implementation
> specific) error (80)
>         additional info: SASL(-13): user not found: no secret
> in database
>
> --- excerpt from file slapd.conf ---
>
> sasl-regexp
>         uid=(.*),cn=.*,cn=auth
>         uid=$1,ou=test,o=lsiab.lan
> --- eof ---
>
> Cyrus SASL versions
> -------------------
> cyrus-sasl-gssapi-2.1.10-2
> cyrus-sasl-2.1.10-2
> cyrus-sasl-md5-2.1.10-2
> cyrus-sasl-plain-2.1.10-2
>
> OpenLDAP versions
> -----------------
> openldap-servers-2.1.8-1
> openldap-clients-2.1.8-1
> openldap-2.1.8-1
> **************
> I'm wondering if I'm using the correct name to log in, the
> correct username
> in the sasldb and the correct sasl-regexp.
>
> In a recent post to the mailing list I saw that
>
> >> sasl-regexp
> >> 	"uid=(.*),cn=digest-md5,cn=auth"
> >> 	"ldap:///dc=rtp,dc=KiNETWORKS,dc=com??sub?cn=$1";
>
> may work better, would this help in my situation??
>
> Thanks in advance Karl
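An added illustration of the two points raised above, not code from the thread or from OpenLDAP: it models sasldb lookups keyed as user@realm (the form sasldblistusers2 printed) to show why a server realm of lsiab.lan misses a secret stored under LSiaB, and it applies sasl-regexp style rules to the authentication identity slapd builds (uid=<user>,cn=<realm>,cn=<mech>,cn=auth, the realm RDN omitted when no realm is set). The helper names, the in-memory sasldb, and the tighter `[^,]*` variant of the rule are assumptions for this example.

```python
import re

# Constructed sasldb contents mirroring the sasldblistusers2 output in the thread:
# the only secret is stored under the unqualified realm "LSiaB".
SASLDB = {"testuser@LSiaB": "userPassword"}


def lookup_secret(db, user, realm):
    """Model of a sasldb lookup: secrets are keyed as user@realm (assumed model)."""
    return db.get(f"{user}@{realm}")


def diagnose(db, user, realm):
    """Outcome of a SASL bind for `user` when the server uses `realm` for the lookup."""
    if lookup_secret(db, user, realm) is None:
        return "SASL(-13): user not found: no secret in database"
    return "ok"


def sasl_authcid(user, mech, realm=None):
    """Authentication identity slapd hands to sasl-regexp; realm RDN omitted if absent."""
    if realm:
        return f"uid={user},cn={realm},cn={mech},cn=auth"
    return f"uid={user},cn={mech},cn=auth"


def map_sasl_regexp(rules, authcid):
    """Apply (pattern, replacement) pairs in order, like sasl-regexp; $N means group N."""
    for pattern, repl in rules:
        m = re.fullmatch(pattern, authcid)
        if m:
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", repl))
    return None


# Karl's rule as posted, and a variant whose first group cannot swallow a realm RDN
# (hypothetical hardening; greedy "(.*)" captures "testuser,cn=lsiab.lan" when a realm is present).
LOOSE_RULE = [(r"uid=(.*),cn=.*,cn=auth", "uid=$1,ou=test,o=lsiab.lan")]
TIGHT_RULE = [(r"uid=([^,]*),cn=.*,cn=auth", "uid=$1,ou=test,o=lsiab.lan")]

if __name__ == "__main__":
    print(diagnose(SASLDB, "testuser", "lsiab.lan"))   # FQDN realm: secret not found
    print(diagnose(SASLDB, "testuser", "LSiaB"))       # realm as stored: ok
    with_realm = sasl_authcid("testuser", "DIGEST-MD5", "lsiab.lan")
    print(map_sasl_regexp(LOOSE_RULE, with_realm))     # realm leaks into the mapped DN
    print(map_sasl_regexp(TIGHT_RULE, with_realm))     # uid=testuser,ou=test,o=lsiab.lan
```
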