
RE: SASL/Plain against Windows NT



Hi all!!

 The solution is using simple bind in the client, not a SASL login.
This way works correctly:

ldapsearch -x -w <password> -b "o=msd.com" \
   -D "cn=senroger,ou=People,o=msd.com" "(cn=ruizhern)"

 Obviously, this is highly insecure, and tunneling the query using SSL/TLS
is the way to go.

 Regards,
rogersm.
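The simple bind that the reply recommends, issued from JNDI over StartTLS so the password does not cross the wire in cleartext (an added example, not code from this thread; the host name is a placeholder and the password is read from the command line). Server side nothing changes: slapd built with --enable-spasswd checks a simple bind against a userPassword of {SASL}europe_senroger through SASL, so the Java client only ever needs a DN and a password.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class SimpleBindOverTls {
    public static void main(String[] args) throws Exception {
        String url = "ldap://ldap.example.invalid:389";   // placeholder host
        String bindDn = "cn=senroger,ou=People,o=msd.com";
        String password = args.length > 0 ? args[0] : "";

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Open the connection without credentials: nothing secret is sent
        // until TLS has been negotiated.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();   // verifies the server certificate against the JVM trust store
        try {
            // Simple bind: entry DN plus password, no SASL authcid needed.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(null);   // re-binds on the now TLS-protected connection

            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results =
                ctx.search("o=msd.com", "(cn=ruizhern)", sc);
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        } finally {
            tls.close();
            ctx.close();
        }
    }
}
```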

-----Original Message-----
From: Sen Montero, Roger [mailto:roger_sen@merck.com]
Sent: Monday, July 07, 2003 6:25 PM
To: 'openldap-software@OpenLDAP.org'
Subject: SASL/Plain against Windows NT


Hi all!!

 Just installed everything for authenticating my user's passwords against
windows NT. Everything works fine if I provide the authcid (SASL
authentication identity):

# ldapsearch  -b "o=msd.com"  -U europe_senroger \
   -D "cn=senroger,ou=People,o=msd.com" -Y PLAIN "(objectclass=*)" 

We're using the following LDIF: 

dn: cn=senroger,ou=People,o=msd.com
objectclass: inetorgperson
cn: senroger
sn: sen
uid: senroger
userPassword: {SASL}europe_senroger

and this slapd.conf: 

sasl-secprops none
sasl-regexp
          uid=(.*),cn=PLAIN,cn=auth
          uid=$1,ou=People,o=msd.com
password-hash {CLEARTEXT}

as stated in the Admin guide and some emails.

openldap-2.1.22 is compiled with --with-cyrus-sasl --enable-spasswd
--enable-monitor --prefix=/usr/local/ldap

 But we're going to use the LDAP server from Java applications (JNDI and
jldap API) so I suppose the java API won't be using the -U parameter. Also,
we want to reference the dn: without domain, so our cn:/uid: has only the
<account> and the systemPassword has <domain>_<account>. Unfortunately, I'm
getting the following error when I try to use the ldapsearch without the
authcid.

# ldapsearch  -b "o=msd.com" -D "cn=senroger,ou=People,o=msd.com" \
	"(objectclass=*)"  -Y PLAIN
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: Password
verification failed

I can see in the server log (with -d 255) it's not getting userPassword:
{SASL}europe_senroger as a string to pass to SASL. Instead it is using 'root'
(my user account) as authcid and composing a user id:
uid=root,cn=PLAIN,cn=auth.

 I've been reading the forums and the admin manual, and I'm unable to find
the problem. Why is the client sending root as a 'SASL authentication
identity'?

 Also, in a Java only client, is SASL going to be a problem for standard
java applications? In the java applications we can only provide a dn as a
bind account and a password. Supposing we need to provide a 'SASL
authentication identity' and a 'SASL authorization identity', is the java
API capable of doing SASL auth with only a dn and a password?


 Full log:

<<< dnPrettyNormal: <cn=senroger,ou=People,o=msd.com>,
<cn=senroger,ou=people,o=msd.com>
do_sasl_bind: dn (cn=senroger,ou=People,o=msd.com) mech PLAIN
==> sasl_bind: dn="cn=senroger,ou=People,o=msd.com" mech=PLAIN datalen=18
SASL Canonicalize [conn=1]: authcid="root"
slap_sasl_getdn: id=root [len=4]
getdn: u:id converted to uid=root,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=root,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=root,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=root,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=root,ou=people,o=msd.com,272)=0
<<< dnNormalize: <uid=root,ou=people,o=msd.com>
<==slap_sasl2dn: Converted SASL name to uid=root,ou=people,o=msd.com
getdn: dn:id converted to uid=root,ou=people,o=msd.com
SASL Canonicalize [conn=1]: authcDN="uid=root,ou=people,o=msd.com"
slap_sasl_getdn: id=root [len=0]
getdn: u:id converted to uid=root,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=root,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=root,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=root,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=root,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=root,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=root,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=root,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to uid=root,ou=People,o=msd.com
slap_parseURI: parsing uid=root,ou=People,o=msd.com
ldap_url_parse_ext(uid=root,ou=People,o=msd.com)
>>> dnNormalize: <uid=root,ou=People,o=msd.com>
=> ldap_bv2dn(uid=root,ou=People,o=msd.com,0)
<= ldap_bv2dn(uid=root,ou=People,o=msd.com,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=root,ou=people,o=msd.com,272)=0
<<< dnNormalize: <uid=root,ou=people,o=msd.com>
<==slap_sasl2dn: Converted SASL name to uid=root,ou=people,o=msd.com
getdn: dn:id converted to uid=root,ou=people,o=msd.com
=> bdb_back_search
bdb_dn2entry_rw("uid=root,ou=people,o=msd.com")
=> bdb_dn2id_matched( "uid=root,ou=people,o=msd.com" )
<= bdb_dn2id_matched: id=0x00000005: matched ou=people,o=msd.com
entry_decode: "ou=People,o=msd.com"
<= entry_decode(ou=People,o=msd.com)
====> bdb_cache_return_entry_r( 5 ): created (0)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=10 matched="ou=People,o=msd.com" text=""
ldap_err2string
SASL [conn=1] Failure: Invalid credentials
SASL [conn=1] Failure: Password verification failed
send_ldap_result: conn=1 op=0 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): authentication failure:
Password verification failed"
send_ldap_response: msgid=1 tag=97 err=49

 Thanks,
rogersm.

----------------------------------------------------------------------------
--
Notice: This e-mail message, together with any attachments, contains 
information of Merck & Co., Inc. (Whitehouse Station, New Jersey, 
USA) that may be confidential, proprietary copyrighted and/or legally 
privileged, and is intended solely for the use of the individual or entity
named on this message. If you are not the intended recipient, and
have received this message in error, please immediately return this by 
e-mail and then delete it.
----------------------------------------------------------------------------
--