
Re: syncrepl consumer is not honoring authcid



At 09:05 AM 9/27/2004, Dieter Kluenter wrote:
>Hello,
>my version: OpenLDAP HEAD
>
>I have setup a syncrepl consumer with following options
>
>,----[ slapd.conf ]
>| syncrepl rid=54
>|         provider=ldap://my.host:389
>|         type=refreshOnly
>|         interval=00:00:30:00
>|         searchbase=ou=adressbuch,o=avci,c=de
>|         scope=one
>|         bindmethod=sasl
>|         authcid=benchmark
>|         credentials=bench
>|         updatedn=cn=admanager,o=avci,c=de
>`----
>
>But the consumer is not binding with the given authcid and SASL
>Mechanism, but as the user running slapd (dieter) and mech GSSAPI, is
>there something wrong with my slapd.conf or is it a bug in syncrepl?

Neither.  authcid is made available to mechanisms, such
as PLAIN, which request an authentication identity from
the user.  GSSAPI doesn't request an authentication identity
from the user; it expects the user to provide an appropriate
Kerberos ticket.  (User, in this case, being the person/entity
which started slapd.)

Same applies to ldapsearch's authcid.

Kurt





>,----[ excerpt from log ]
>| slapd[964]: conn=16 fd=23 ACCEPT from IP=192.168.100.33:32777 (IP=0.0.0.0:389)
>| slapd[964]: connection_get(23) 
>| slapd[964]: connection_get(23): got connid=16 
>| slapd[964]: connection_read(23): checking for input on id=16
>| [...] 
>| slapd[1622]: do_search 
>| slapd[1622]: >>> dnPrettyNormal: <> 
>| slapd[1622]: <<< dnPrettyNormal: <>, <> 
>| slapd[1622]: SRCH "" 0 3
>| slapd[1622]:     0 0 0 
>| slapd[1622]:     filter: (objectClass=*) 
>| slapd[1622]:     attrs:
>| slapd[1622]:  supportedSASLMechanisms
>| [...]
>| slapd[1624]: do_bind 
>| slapd[1624]: >>> dnPrettyNormal: <> 
>| slapd[1624]: <<< dnPrettyNormal: <>, <> 
>| slapd[1624]: do_sasl_bind: dn () mech GSSAPI 
>| slapd[1624]: conn=16 op=1 BIND dn="" method=163 
>| slapd[1624]: ==> sasl_bind: dn="" mech=GSSAPI datalen=536 
>| [...]
>| slapd[1622]: do_sasl_bind: dn () mech GSSAPI 
>| slapd[1622]: conn=16 op=3 BIND dn="" method=163 
>| slapd[1622]: ==> sasl_bind: dn="" mech=<continuing> datalen=65 
>| slapd[1622]: SASL Canonicalize [conn=16]: authcid="dieter" 
>| slapd[1622]: slap_sasl_getdn: id=dieter [len=6] 
>| slapd[1622]: slap_sasl_getdn: u:id converted to uid=dieter,cn=GSSAPI,cn=auth 
>| slapd[1622]: >>> dnNormalize: <uid=dieter,cn=GSSAPI,cn=auth> 
>| slapd[1622]: <<< dnNormalize: <uid=dieter,cn=gssapi,cn=auth> 
>| slapd[1622]: conn=16 op=3 BIND dn="cn=dieter kluenter,ou=partner,o=avci,c=de" mech=GSSAPI ssf=56 
>| slapd[1622]: do_bind: SASL/GSSAPI bind: dn="cn=dieter kluenter,ou=partner,o=avci,c=de" ssf=56 
>| [...]
>| slapd[1624]: => bdb_search 
>| slapd[1624]: bdb_dn2entry("ou=adressbuch,o=avci,c=de") 
>| slapd[1624]: bdb_dn2entry("cn=ldapsync,o=avci,c=de") 
>| slapd[1624]: search_candidates: base="ou=adressbuch,o=avci,c=de" (0x00000004) scope=1 
>| slapd[1624]: => bdb_equality_candidates (objectClass) 
>| slapd[1624]: => key_read 
>| slapd[1624]: => bdb_search 
>| slapd[1624]: bdb_dn2entry("ou=adressbuch,o=avci,c=de") 
>| slapd[1624]: bdb_dn2entry("cn=ldapsync,o=avci,c=de") 
>| slapd[1624]: search_candidates: base="ou=adressbuch,o=avci,c=de" (0x00000004) scope=1 
>| slapd[1624]: => bdb_equality_candidates (objectClass) 
>| slapd[1624]: => key_read 
>`----
>
>-Dieter
>
>-- 
>Dieter Klünter | Systemberatung
>Tel: +49.40.64861967
>Fax: +49.40.64891521
>Key ID: 9B13A25650EF4335
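An added example, not part of this thread or of OpenLDAP: a small check that parses a syncrepl directive from slapd.conf and flags the situation above, where bindmethod=sasl is set without a saslmech, so the mechanism is negotiated with the provider and an authcid/credentials pair is silently ignored if GSSAPI is chosen. The sample directive is the one from the original post; the function names and the set of mechanisms that consume authcid are my own assumptions.

```python
import re

# Constructed sample: the directive from the original post, with
# slapd.conf-style continuation lines (leading whitespace).
SAMPLE_CONF = """\
syncrepl rid=54
        provider=ldap://my.host:389
        type=refreshOnly
        interval=00:00:30:00
        searchbase=ou=adressbuch,o=avci,c=de
        scope=one
        bindmethod=sasl
        authcid=benchmark
        credentials=bench
        updatedn=cn=admanager,o=avci,c=de
"""

def parse_syncrepl(conf: str) -> list[dict]:
    """Return one dict of key=value options per syncrepl directive."""
    blocks, current = [], None
    for line in conf.splitlines():
        if line.startswith("syncrepl"):
            current = {}
            blocks.append(current)
            rest = line[len("syncrepl"):]
        elif line[:1].isspace() and current is not None:
            rest = line                      # continuation of the directive
        else:
            current = None                   # some other directive; stop collecting
            continue
        # Values may themselves contain '=' (DNs), so take the whole token.
        for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', rest):
            current[key.lower()] = value.strip('"')
    return blocks

# Mechanisms that ask the client for an identity, i.e. that use authcid (assumed list).
USER_IDENTITY_MECHS = {"PLAIN", "DIGEST-MD5", "CRAM-MD5"}

def check_syncrepl(opts: dict) -> list[str]:
    """Findings for one parsed syncrepl directive; empty list means nothing to report."""
    findings = []
    if opts.get("bindmethod", "simple").lower() != "sasl":
        return findings
    mech = opts.get("saslmech", "").upper()
    has_id = "authcid" in opts or "credentials" in opts
    if not mech and has_id:
        findings.append("no saslmech: mechanism is negotiated with the provider; if GSSAPI "
                        "wins, authcid/credentials are ignored and the consumer binds as "
                        "the Kerberos principal of the user running slapd")
    elif mech == "GSSAPI" and has_id:
        findings.append("saslmech=GSSAPI ignores authcid/credentials; the bind uses the "
                        "ticket of the user running slapd")
    elif mech in USER_IDENTITY_MECHS and not has_id:
        findings.append(f"saslmech={mech} needs authcid and credentials")
    return findings
```

Running `check_syncrepl(parse_syncrepl(SAMPLE_CONF)[0])` on the posted directive returns the first finding, which is exactly what the quoted log shows happening.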