
Re: SASL and Kerberos 5 (sasl-regexp)



> I can't get this to work:
>
> $ ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b "" -s base
> supportedSASLMechanisms
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> (I've checked my password several times and it's ok)

-x disables SASL bind; try without.
-D is used for LDAP identity (DN); use -U <saslidentity>.

p.

>
> $ testsaslauthd -u ldapadm -p secret -s ldap
> 0: OK "Success."
>
> My ldap tree looks like:
> dc=cacholong,dc=nl
>  |
>  -> ou=Users
>  |    |
>  |    -> uid=matthijs
>  |
>  -> uid=ldapadm (LDAP root account)
>
> First I set sasl-regexp to nothing and loglevel = 1
>
> Apr 18 19:45:52 server slapd[6971]: connection_get(12): got connid=2 Apr
> 18 19:45:52 server slapd[6971]: connection_read(12): checking for input
> on id=2
> Apr 18 19:45:52 server slapd[6971]: ber_get_next on fd 12 failed
> errno=11 (Resource temporarily unavailable)
>
> What happens here?
>
> Apr 18 19:45:52 server slapd[16250]: do_bind
> Apr 18 19:45:52 server slapd[16250]: >>> dnPrettyNormal:
> <uid=ldapadm,dc=cacholong,dc=nl>
> Apr 18 19:45:52 server slapd[16250]: <<< dnPrettyNormal:
> <uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl> Apr
> 18 19:45:52 server slapd[16250]: do_bind: version=3
> dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
> Apr 18 19:45:52 server slapd[16250]:
> bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
> Apr 18 19:45:52 server slapd[16250]: => bdb_dn2id_matched(
> "uid=ldapadm,dc=cacholong,dc=nl" )
> Apr 18 19:45:52 server slapd[16250]: ====>
> bdb_cache_find_entry_dn2id("uid=ldapadm,dc=cacholong,dc=nl"): 3 (1
> tries)
> Apr 18 19:45:52 server slapd[16250]: ====> bdb_cache_find_entry_id( 3 )
> "uid=ldapadm,dc=cacholong,dc=nl" (found) (1 tries)
> Apr 18 19:45:52 server slapd[16250]: => string_expand: pattern:
> uid=ldapadm,dc=cacholong,dc=nl
> Apr 18 19:45:52 server slapd[16250]: => string_expand: expanded:
> uid=ldapadm,dc=cacholong,dc=nl
> Apr 18 19:45:52 server slapd[16250]: => regex_matches: string:^I
> Apr 18 19:45:52 server slapd[16250]: => regex_matches: rc: 1 no matches
> Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
>
> Interesting part.
>
> Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
> Apr 18 19:45:52 server slapd[16250]: SASL [conn=2] Failure: Invalid
> credentials
> Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
> Apr 18 19:45:52 server slapd[16250]: send_ldap_result: conn=2 op=0 p=3
> Apr 18 19:45:52 server slapd[16250]: send_ldap_response: msgid=1 tag=97
> err=49
> Apr 18 19:45:52 server slapd[16250]: ====> bdb_cache_return_entry_r( 3
> ): returned (0)
> Apr 18 19:45:52 server slapd[6971]: connection_get(12): got connid=2 Apr
> 18 19:45:52 server slapd[6971]: connection_read(12): checking for input
> on id=2
> Apr 18 19:45:52 server slapd[6971]: ber_get_next on fd 12 failed errno=0
> (Success)
> Apr 18 19:45:52 server slapd[6971]: connection_read(12): input error=-2
> id=2, closing.
> Apr 18 19:45:52 server slapd[6971]: connection_closing: readying conn=2
> sd=12 for close
> Apr 18 19:45:52 server slapd[6971]: connection_close: conn=2 sd=12
>
> Now with:
> sasl-regexp	uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth
> ldap://uid=$1,dc=cacholong,dc=nl
>
> Apr 18 19:54:02 server slapd[6971]: connection_get(12): got connid=3 Apr
> 18 19:54:02 server slapd[6971]: connection_read(12): checking for input
> on id=3
> Apr 18 19:54:02 server slapd[6971]: ber_get_next on fd 12 failed
> errno=11 (Resource temporarily unavailable)
> Apr 18 19:54:02 server slapd[16250]: do_bind
> Apr 18 19:54:02 server slapd[16250]: >>> dnPrettyNormal:
> <uid=ldapadm,dc=cacholong,dc=nl>
> Apr 18 19:54:02 server slapd[16250]: <<< dnPrettyNormal:
> <uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl> Apr
> 18 19:54:02 server slapd[16250]: do_bind: version=3
> dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
> Apr 18 19:54:02 server slapd[16250]:
> bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
> Apr 18 19:54:02 server slapd[16250]: => bdb_dn2id_matched(
> "uid=ldapadm,dc=cacholong,dc=nl" )
> Apr 18 19:54:02 server slapd[16250]: ====>
> bdb_cache_find_entry_dn2id("uid=ldapadm,dc=cacholong,dc=nl"): 3 (1
> tries)
> Apr 18 19:54:02 server slapd[16250]: ====> bdb_cache_find_entry_id( 3 )
> "uid=ldapadm,dc=cacholong,dc=nl" (found) (1 tries)
> Apr 18 19:54:02 server slapd[16250]: => string_expand: pattern:
> uid=ldapadm,dc=cacholong,dc=nl
> Apr 18 19:54:02 server slapd[16250]: => string_expand: expanded:
> uid=ldapadm,dc=cacholong,dc=nl
> Apr 18 19:54:02 server slapd[16250]: => regex_matches: string:^I
> Apr 18 19:54:02 server slapd[16250]: => regex_matches: rc: 1 no matches
> Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
> Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
> Apr 18 19:54:02 server slapd[16250]: SASL [conn=3] Failure: Invalid
> credentials
> Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
> Apr 18 19:54:02 server slapd[16250]: send_ldap_result: conn=3 op=0 p=3
> Apr 18 19:54:02 server slapd[16250]: send_ldap_response: msgid=1 tag=97
> err=49
> Apr 18 19:54:02 server slapd[16250]: ====> bdb_cache_return_entry_r( 3
> ): returned (0)
> Apr 18 19:54:02 server slapd[6971]: connection_get(12): got connid=3 Apr
> 18 19:54:02 server slapd[6971]: connection_read(12): checking for input
> on id=3
> Apr 18 19:54:02 server slapd[6971]: ber_get_next on fd 12 failed errno=0
> (Success)
> Apr 18 19:54:02 server slapd[6971]: connection_read(12): input error=-2
> id=3, closing.
> Apr 18 19:54:02 server slapd[6971]: connection_closing: readying conn=3
> sd=12 for close
> Apr 18 19:54:02 server slapd[6971]: connection_close: conn=3 sd=12
>
> Now with two sasl-regexp lines:
> sasl-regexp	uid=service/(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth
> ldap:///cn=Service,cn=Applications,dc=cacholong,dc=nl??sub?krb5PrincipalName=service/$1@CACHOLONG.NL
>
> sasl-regexp	uid=(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth
> ldap:///uid=$1,cn=Accounts,dc=cacholong,dc=nl??sub?suSeasStatus=active
>
> Apr 18 19:56:55 server slapd[31206]: connection_get(12): got connid=0
> Apr 18 19:56:55 server slapd[31206]: connection_read(12): checking for
> input on id=0
> Apr 18 19:56:55 server slapd[21574]: do_bind
> Apr 18 19:56:55 server slapd[31206]: ber_get_next on fd 12 failed
> errno=11 (Resource temporarily unavailable)
> Apr 18 19:56:55 server slapd[21574]: >>> dnPrettyNormal:
> <uid=ldapadm,dc=cacholong,dc=nl>
> Apr 18 19:56:55 server slapd[21574]: <<< dnPrettyNormal:
> <uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl> Apr
> 18 19:56:55 server slapd[21574]: do_bind: version=3
> dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
> Apr 18 19:56:55 server slapd[21574]:
> bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
> Apr 18 19:56:55 server slapd[21574]: => bdb_dn2id_matched(
> "uid=ldapadm,dc=cacholong,dc=nl" )
> Apr 18 19:56:55 server slapd[21574]: <= bdb_dn2id_matched:
> id=0x00000003: entry uid=ldapadm,dc=cacholong,dc=nl
> Apr 18 19:56:55 server slapd[21574]: entry_decode:
> "uid=ldapadm,dc=cacholong,dc=nl"
> Apr 18 19:56:55 server slapd[21574]: <=
> entry_decode(uid=ldapadm,dc=cacholong,dc=nl)
> Apr 18 19:56:55 server slapd[21574]: => string_expand: pattern:
> uid=ldapadm,dc=cacholong,dc=nl
> Apr 18 19:56:55 server slapd[21574]: => string_expand: expanded:
> uid=ldapadm,dc=cacholong,dc=nl
> Apr 18 19:56:55 server slapd[21574]: => regex_matches: string:^I
> Apr 18 19:56:55 server slapd[21574]: => regex_matches: rc: 1 no matches
> Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
> Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
> Apr 18 19:56:55 server slapd[21574]: SASL [conn=0] Failure: Invalid
> credentials
> Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
> uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
> <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
> <uid=ldapadm,cn=cacholong.nl,cn=auth>
> Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
> name uid=ldapadm,cn=cacholong.nl,cn=auth
> Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
> name to <nothing>
> Apr 18 19:56:55 server slapd[21574]: send_ldap_result: conn=0 op=0 p=3
> Apr 18 19:56:55 server slapd[21574]: send_ldap_response: msgid=1 tag=97
> err=49
> Apr 18 19:56:55 server slapd[21574]: ====> bdb_cache_return_entry_r( 3
> ): created (0)
> Apr 18 19:56:55 server slapd[31206]: connection_get(12): got connid=0
> Apr 18 19:56:55 server slapd[31206]: connection_read(12): checking for
> input on id=0
> Apr 18 19:56:55 server slapd[31206]: ber_get_next on fd 12 failed
> errno=0 (Success)
> Apr 18 19:56:55 server slapd[31206]: connection_read(12): input error=-2
> id=0, closing.
> Apr 18 19:56:55 server slapd[31206]: connection_closing: readying conn=0
> sd=12 for close
> Apr 18 19:56:55 server slapd[31206]: connection_close: conn=0 sd=12
>
> It looks to me that "<==slap_sasl2dn: Converted SASL name to <nothing>"
> is the interesting part of the log. So I think my regexps are wrong.
>
> How can I solve this?


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
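As an added illustration (not code from this thread or from OpenLDAP), the following Python simulates the sasl-regexp step that ends in "Converted SASL name to <nothing>" in the quoted log: it applies the post's own rules to the normalized SASL name the log shows, and to constructed names carrying the cn=gssapi component those rules expect. Assumptions: case-insensitive, unanchored matching with $n expansion, used here as a stand-in for slapd's internal regexec-based code, and the rule labelled hypothetical is mine, not from the post.

```python
import re

# Normalized SASL name, copied from the "getdn: u:id converted to" /
# dnNormalize lines of the quoted log (note: no cn=<mechanism> component).
SASL_NAME_FROM_LOG = "uid=ldapadm,cn=cacholong.nl,cn=auth"

# The sasl-regexp rules tried in the quoted message, as (match, replace) pairs.
CONFIG_ONE_RULE = [
    (r"uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth",
     "ldap://uid=$1,dc=cacholong,dc=nl"),
]
CONFIG_TWO_RULES = [
    (r"uid=service/(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth",
     "ldap:///cn=Service,cn=Applications,dc=cacholong,dc=nl"
     "??sub?krb5PrincipalName=service/$1@CACHOLONG.NL"),
    (r"uid=(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth",
     "ldap:///uid=$1,cn=Accounts,dc=cacholong,dc=nl??sub?suSeasStatus=active"),
]

# Hypothetical rule shaped like the name the log actually shows (no cn=gssapi).
RULE_FOR_LOGGED_NAME = [
    (r"uid=(.*),cn=cacholong.nl,cn=auth", "ldap:///uid=$1,dc=cacholong,dc=nl"),
]


def sasl_regexp_map(sasl_name, rules):
    """Return the expanded replacement of the first rule that matches, or None.

    Stand-in for slapd's sasl-regexp step (assumptions, not slapd code):
    rules are tried in configuration order, the match is case-insensitive
    and unanchored (put ^ and $ in the pattern to require a whole-name
    match), and $1..$9 in the replacement are filled from capture groups.
    None corresponds to "Converted SASL name to <nothing>" in the log.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name, re.IGNORECASE)
        if m is None:
            continue
        return re.sub(r"\$([1-9])", lambda ref: m.group(int(ref.group(1))), replacement)
    return None


if __name__ == "__main__":
    for rules in (CONFIG_ONE_RULE, CONFIG_TWO_RULES, RULE_FOR_LOGGED_NAME):
        print(SASL_NAME_FROM_LOG, "->", sasl_regexp_map(SASL_NAME_FROM_LOG, rules))
    # Constructed GSSAPI-mechanism names, which the post's rules do match.
    for name in ("uid=matthijs,cn=cacholong.nl,cn=gssapi,cn=auth",
                 "uid=service/ldap,cn=cacholong.nl,cn=gssapi,cn=auth"):
        print(name, "->", sasl_regexp_map(name, CONFIG_TWO_RULES))
```

Both configurations from the post map the logged name to None because the name carries no cn=gssapi component, while the same rules do map a GSSAPI-shaped name; with two rules, the first match in configuration order wins, so the more specific service/ rule must stay ahead of the generic one.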