[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Got error while enabling SASL

Hi Gaurav
which SASL DB do you try to access? Do you load the corresponding plugin?
here, we use the /etc/sasldb2 database through the auxprop plugin.
To define this, we need to have in /etc/openldap/slapd.conf
sasl-auxprops sasldb
which in the cn=config subtree gives
olcSaslAuxprops: sasldb

Then we need to have a file /usr/lib64/sasl2/slapd.conf
with the content:
pwcheck_method: auxprop
mech_list: plain login digest-md5 cram-md5
auxprop_plugin: sasldb

To list the users in the database we use
sasldblistusers2

And finally we need to have the file
/etc/sasldb2
which contains the userid and passwords and is created/maintained by
saslpasswd2
It is actually a sleepycat database and can be read by the sleepycat tools.
this file must not be accessible by all users, but it must be readable by the userid/group under which the slapd runs. 

Also check to see, what is in your slapd-log, which in our installation is
/var/log/localmessages.

suomi

On 02/06/2012 07:10 AM, Gaurav Gugnani wrote:

Hello All,

Thks for helping me out, however i'm still stuck in middle of it and the
issue has not yet resolved.

*Error:*
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y DIGEST-MD5
-U sasluser7 -b 'o=xyz'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
         additional info: SASL(-13): user not found: no secret in database

I checked for ACL and also now i'm using authz with following lines:

authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz

access to attrs="userpassword"
         by self write
         by anonymous auth
         by dn="uid=sasluser7,ou=System,o=xyz" read
access to dn.base="o=xyz"
         by dn="uid=sasluser7,ou=System,o=xyz" read
         by users read
access to dn.subtree="ou=Subscribers,o=xyz"
         by dn="uid=sasluser7,ou=System,o=xyz" read
access to *
         by self write
         by dn="uid=sasluser7,ou=System,o=xyz" read

I hope it is fine.

Moreover, we can say that the user is created:
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D
'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=sasluser7,ou=System,o=xyz> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sasluser7, System, xyz
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbVHzZXI3
objectClass: account
objectClass: simpleSecurityObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Also, i would like to highlight one thing:

That when i check for sasl dblist users - it thorws me an error. Can
that be an issue point?
/u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
-bash: sasldblistusers: command not found

Please help me out in moving forward. Thks a lot for your support.

Regards,
Gaurav Gugnani

On Fri, Feb 3, 2012 at 8:44 PM, Dan White <dwhite@olp.net
<mailto:dwhite@olp.net>> wrote:

    On 02/03/12 16:12 +0530, Gaurav Gugnani wrote:

        Hello All,

        I've installed the cyrus-sasl-md5-2.1.22-5.el5_4.__3.x86_64.rpm
        package.

        *Logs:*


        /root>pluginviewer

        Installed SASL (server side) mechanisms are:

        *CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL*

        ......


        **


        /u01/app/openldap/product/2.4.__26/etc/openldap>ldapsearch -x
          -b "" -s base
        -LLL supportedSASLMechanisms
        dn:
        *supportedSASLMechanisms: CRAM-MD5
        supportedSASLMechanisms: DIGEST-MD5**


        *
        and again started with SASL process (tried several times) but
        everytime...
        got an error:
        *Steps i followed:*

        1> saslpasswd2 -c sasluser3
        2> sasldblistusers2


    These two steps are not necessary.

        3> Stop LDAP
        4> edit slapd.conf and add following lines:
           password-hash   {CLEARTEXT}
           sasl-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
        5> Start LDAP
        6> Add account from ldif:
        add_sasl_accnt3.ldif
        ----------------------------
        # TEST Account for SASL:
        dn: uid=sasluser3,ou=System,o=xyz
        uid: sasluser3
        ou: System
        description: Special account for SASL Testing
        userPassword: sasluser3
        objectClass: account
        objectClass: simpleSecurityObject
        7> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt3.ldif
        8> *ldapsearch -Y DIGEST-MD5 -U sasluser3 -b 'o=xyz'*
            Or
           *ldapsearch -U sasluser5 -b 'o=xyz'*


        But evrytime got error as:
        SASL/DIGEST-MD5 authentication started
        Please enter your password:
        ldap_sasl_interactive_bind_s: Invalid credentials (49)
               additional info: SASL(-13): user not found: no secret in
        database


    This is an error indicating that the user entry within ldap could not be
    found, and two possible reasons are you do not have ACLs configured
    properly, or your sasl-regexp is misconfigured.

    Depending on the version of slapd, 'sasl-regexp' should instead be
    'authz-regexp'. It appears from the output below that you are using
    version
    2.4.26, so you should using 'authz-regexp'.

    For documentation on configuring them, reference the OpenLDAP 2.4 Admin
    Guide.

    For trouble shooting ACL misconfigurations, try running slapd in debug
    mode, or increase your logging.


        On Thu, Feb 2, 2012 at 11:13 PM, Gaurav Gugnani
        <gugnanigaurav@gmail.com <mailto:gugnanigaurav@gmail.com>>__wrote:

            Hello,

            Thks for helping me out. Yes, the package is missing.

            The O/P of plugin viewer:
            /u01/app/openldap/product/2.4.__26/etc/openldap>pluginviewer
            Installed SASL (server side) mechanisms are:
            ANONYMOUS PLAIN LOGIN EXTERNAL


    --
    Dan White