
Re: [SOLVED] SASL Digest-md5 authentication w/ openldap 2.1.16



I finally figured it out.
I traced the ACLs and found that OpenLDAP was trying to get access to
the objectClass attribute of the mapped DN, whereas my ACLs only allowed
anonymous to auth with the userPassword attr.

On Sat, 2003-05-31 at 02:08, Edward Rudd wrote:
> I've read through the admin guide manual way too many times.. and I can't
> find anything wrong with my setup...
> Here we go..
> I'm trying to get sasl bind authentication to work with openldap 2.1.16. I
> have things set up like this
> 
> 
> ---/etc/openldap/slapd.conf
> password-hash {CLEARTEXT}
> sasl-regexp
>     uid=(.*),cn=(.*),cn=digest-md5,cn=auth
>     uid=$1,ou=People,o=OmegaWare,c=US
> ---
> for some reason the -R realm arg is being ignored on ldapsearch so I am
> passing user@dom.tld in the -U parameter and ignoring the default realm
> 
> 
> ---/usr/lib/sasl2/slapd.conf
> mech_list: digest-md5 cram-md5
> ---
> that is being sent; this is to disable gssapi as an auth mech
> 
> 
> ---uid entry in LDAP
> dn: uid=user@dom.tld,ou=People,o=MyOrg,c=US
> objectClass:top
> objectClass:person
> sn: user
> cn: my user
> userPassword: test
> ---
> I'm using GQ to update my LDAP and put userPassword in using CLEAR
> 
> 
> Now on to the errors..
> ldapsearch -U user@dom.tld -b o=MyOrg,c=US
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
>         additional info: SASL(-13): user not found: no secret in database
> 
> with -d 255 I get all the network traffic information and from that I see
> things like.
> username="user@dom.tld",realm="myinternal.host.name",....
> 
> 
> in my /var/log/ldap.log (default logging settings) I get
> --- /var/log/ldap.log
> conn=19 fd=13 ACCCEPT from IP=127.0.0.1:1302 (ip=0.0.0.0:389)
> conn=19 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
> conn=19 op=0 SRCH attr=supportedSASLMechanisms
> conn=19 op=9 RESULT tag=101 err=0 text=
> conn=19 op=1 BIND dn="" method=163
> conn=19 op=2 BIND dn="" method=163
> SASL [conn=19] Error: unable to open Berkely db /etc/sasldb2: No such file
> or directory
> las messager repeated 2 times
> conn=0 op=0 RESULT tag=101 err=32 text=
> SASL [conn=19] Failure: no secret in database
> conn=19 op=2 RESULT tag=97 err=80 text="SASL(-13): user not found: no secret in database
> conn=19 fd=13 closed
> ---
> 
> Now if I create a sasldb2 and add in user in there (user@dom.tld doesn't work)
> I can auth as
> ldapsearch -U user
> but I don't want my users in the sasldb.. I want them in the LDAP
> directory along with the passwords in the LDAP directory??
> Any ideas on what's misconfigured??
> I'm using Simon Matter's cyrus-sasl2 RPMs and I'm using open-it.org's
> OpenLDAP RPMs, all rebuilt on a RH 7.3 system..
> 
> Oh and I have simple authentication working perfectly and running.
> 
> Edward Rudd.
-- 
Edward Rudd <eddie@omegaware.com>
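The sasl-regexp mapping from the quoted slapd.conf, worked through as an added example (not code from the post or from OpenLDAP): it builds the SASL authorization identity slapd derives from the DIGEST-MD5 username and realm, then applies the post's rule, first match wins, with $N substituted from the captured groups. The `uid=<user>,cn=<realm>,cn=<mech>,cn=auth` form and case-insensitive matching are assumptions, and only DN-form replacements (not LDAP URLs) are handled.

```python
import re

# The single sasl-regexp rule from the post's slapd.conf (constructed list).
# slapd matches the pattern against the authorization DN it builds from the
# SASL identity and substitutes $1, $2 ... with the captured groups.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=(.*),cn=digest-md5,cn=auth",
     "uid=$1,ou=People,o=OmegaWare,c=US"),
]


def sasl_authz_dn(username, realm, mech):
    """Form the synthetic DN slapd derives from a SASL identity.

    Assumed form: uid=<user>,cn=<realm>,cn=<mech>,cn=auth; the realm
    component is left out when the mechanism supplies no realm
    (e.g. CRAM-MD5), which is why a rule written for digest-md5 with a
    realm will not match such binds.
    """
    parts = ["uid=%s" % username]
    if realm:
        parts.append("cn=%s" % realm)
    parts += ["cn=%s" % mech.lower(), "cn=auth"]
    return ",".join(parts)


def apply_sasl_regexp(authz_dn, rules=SASL_REGEXP_RULES):
    """Apply rules in order; the first full match wins.

    An identity no rule matches is returned unchanged, so the bind would be
    checked against the synthetic cn=auth DN (and no LDAP entry), which is the
    situation the post's cram-md5 users would be in.
    Case-insensitive matching is an assumption about slapd's behaviour.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authz_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        # translate slapd's $N placeholders into the captured groups
        return re.sub(r"\$(\d+)",
                      lambda ph: m.group(int(ph.group(1))), replacement)
    return authz_dn


if __name__ == "__main__":
    # the identity seen in the post's -d 255 trace: user@dom.tld in realm
    # myinternal.host.name over DIGEST-MD5
    ident = sasl_authz_dn("user@dom.tld", "myinternal.host.name", "DIGEST-MD5")
    print(ident, "->", apply_sasl_regexp(ident))
```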