[Date Prev][Date Next] [Chronological] [Thread] [Top]

Pls help with the auth for the ROOTDN and SASL2. Maybe I've missed something?

To: openldap-software@OpenLDAP.org
Subject: Pls help with the auth for the ROOTDN and SASL2. Maybe I've missed something?
From: Ilya Basin <lanmot@cwrussia.ru> (by way of Ilya Basin <lanmot@cwrussia.ru>)
Date: Mon, 24 Nov 2003 18:14:11 +0300
Content-disposition: inline
Organization: WIDEXS IONIP
User-agent: KMail/1.5.4

Hi!

Could you please give me any advise how to set up the authentication of the
rootdn using SASL? I'd like to store the passwd into sasldb2....

I have Slackware 9.1
SASL 2.1.15 (with digest-md5,plain,cram-md5,otp,srp)
OpenLDAP 2.1.23
ldd slapd gives the right output (sasl libs are linked)

My slapd.conf:
#########################
allow           bind_v2
backend      bdb
database     bdb
pidfile         /var/run/slapd.pid
argsfile       /var/openldap/slapd.args
directory     /var/openldap/openldap-data
include       /etc/openldap/schema/core.schema
include       /etc/openldap/schema/misc.schema
include       /etc/openldap/schema/cosine.schema
include       /etc/openldap/schema/inetorgperson.schema
modulepath      /usr/libexec/openldap
moduleload      back_passwd.la
loglevel        -1
suffix          "dc=myorg dc=org"
sasl-regexp
                uid=(.*),cn=.*,cn=auth
                uid=$1,dc=myorg,dc=org
rootdn          "cn=ldapadm,dc=myorg,dc=org"
index           cn,sn,uid pres,eq,approx,sub
index           objectClass eq
access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=ldapadm,dc=myorg,dc=org" write
    by * none
access to *
    by self write
    by dn.base="cn=ldapadm,dc=myorg,dc=org" write
    by * read

the entry for the sasldb2:
#########################
ldapadm@myhost: userPassword
ldapadm@myhost: cmusaslsecretSRP
ldapadm@myhost: cmusaslsecretOTP

the DN entry has been inserted with LDAP auth, whet all sasl related entries
have been remarked(slapd.conf with):
#########################
rootdn          "cn=ldapadm,dc=myorg,dc=org"
rootpw	   secret

the strat ldiff entry has been:
#########################
dn: dc=myorg, dc=org
objectclass: dcObject
objectClass: organization
dc: myorg
o: My Org
description: My Organization.

dn: cn=ldapadm,dc=myorg,dc=org
objectClass: InetOrgPerson
cn: ldapadm
uid: ldapadm
sn: ldapadm

after that the slapd has been restarted with the slapd.conf listed above (all
sasl entries, including sasl_regexp and all other...
trying to use ldapadd I receive the error:
#########################
ldapadm@myhost:/etc/openldap$ ldapadd -X 
 "uid=ldapadm,cn=auth,cn=digest-md5"\ -W -f
 /etc/openldap/orig/organization.ldiff
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: unable authorization ID
ldapadm@myhost:/etc/openldap$

and the debug gives me a list of entries:
#########################
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({o) ber:
ber_scanf fmt (m) ber:

ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>

<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=323
SASL [conn=0] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=0]: authcid="ldapadm"
slap_sasl_getdn: id=ldapadm [len=7]
getdn: u:id converted to uid=ldapadm,cn=DIGEST-MD5,cn=auth

>>> dnNormalize: <uid=ldapadm,cn=DIGEST-MD5,cn=auth>

=> ldap_bv2dn(uid=ldapadm,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldapadm,cn=DIGEST-MD5,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldapadm,cn=digest-md5,cn=auth,272)=0
<<< dnNormalize: <uid=ldapadm,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldapadm,cn=digest-md5,cn=auth to a
DN
slap_sasl_regexp: converting SASL name uid=ldapadm,cn=digest-md5,cn=auth
slap_sasl_regexp: converted SASL name to uid=ldapadm,dc=myorg,dc=org
slap_parseURI: parsing uid=ldapadm,dc=myorg,dc=org
ldap_url_parse_ext(uid=ldapadm,dc=myorg,dc=org)

>>> dnNormalize: <uid=ldapadm,dc=myorg,dc=org>

=> ldap_bv2dn(uid=ldapadm,dc=myorg,dc=org,0)
<= ldap_bv2dn(uid=ldapadm,dc=myorg,dc=org,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldapadm,dc=myorg,dc=org,272)=0
<<< dnNormalize: <uid=ldapadm,dc=myorg,dc=org>
<==slap_sasl2dn: Converted SASL name to uid=ldapadm,dc=myorg,dc=org
getdn: dn:id converted to uid=ldapadm,dc=myorg,dc=org
SASL Canonicalize [conn=0]: authcDN="uid=ldapadm,dc=myorg,dc=org"
=> bdb_back_search
bdb_dn2entry_rw("uid=ldapadm,dc=myorg,dc=org")
=> bdb_dn2id_matched( "uid=ldapadm,dc=myorg,dc=org" )
<= bdb_dn2id_matched: id=0x00000001: matched dc=myorg,dc=org
entry_decode: "dc=myorg,dc=org"
<= entry_decode(dc=myorg,dc=org)
====> bdb_cache_return_entry_r( 1 ): created (0)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=10 matched="dc=myorg,dc=org" text=""
SASL Canonicalize [conn=0]: authzid="uid=ldapadm,cn=auth,cn=digest-md5"
slap_sasl_getdn: id=uid=ldapadm,cn=auth,cn=digest-md5 [len=33]
ldap_err2string
SASL [conn=0] Failure: Inappropriate authentication
SASL [conn=0] Failure: unable authorization ID
send_ldap_result: conn=0 op=2 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure:
unable authorization ID"
send_ldap_response: msgid=3 tag=97 err=50
ber_flush: 71 bytes to sd 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=12 for close
connection_close: deferring conn=0 sd=12
<== slap_sasl_bind: rc=50
connection_resched: attempting closing conn=0 sd=12
connection_close: conn=0 sd=12


Thank you in advance.

Ilya

Prev by Date: Authenticationg only on port 636
Next by Date: Re: failed assertion `LBER_VALID( ber )'
Index(es):
- Chronological
- Thread