
Re: EXTERNAL mech missing



On 12/17/12 16:40 +0000, Emmanuel Dreyfus wrote:
> On Thu, Dec 13, 2012 at 11:46:57AM -0600, Dan White wrote:
>> Look at your sasl slapd.conf if it exists (e.g. /usr/lib/sasl2/slapd.conf,
>> or /etc/sasl/slapd.conf).
>>
>> If you have a mech_list listed within that file, then either comment it
>> out, or add EXTERNAL to it.
>
> That fixes it. The goal is to let the slapd pseudo-user reconnect to
> slapd so that SASL LDAPDB plugin works. It does connect but LDAPDB
> does not work. Here is the config:
>
> sasl2/slapd.conf:
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> mech_list: EXTERNAL DIGEST-MD5 PLAIN LOGIN
> ldapdb_uri: ldapi:///
> ldapdb_id: cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net
> ldapdb_mech: EXTERNAL
> log_level: 7
You should not use the ldapdb auxprop plugin within slapd's sasl config.
You should be using 'slapd' instead, which is the default (it's an internal
auxprop plugin distributed with OpenLDAP).

If you are running version 2.4.17 or newer, the 'auxprop_plugin' option is
ignored anyway, and you must configure olcSaslAuxprops if you really
wish to use a different auxprop plugin.

> in openldap/slapd.conf:
> authz-regexp "uidNumber=401,cn=peercred,cn=external,cn=auth"
>    "cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net"
> authz-regexp uid=([^,]*),cn=external,cn=auth
>    "ldap:///dc=example,dc=net??sub?(uid=$1)"
>
> in /etc/passwd:
> slapd:*:401:1000:openldap-server slapd user:/nonexistent:/sbin/nologin
>
> In LDAP DIT:
> dn: cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net
> objectClass: organizationalRole
> cn: ldap.example.net
> ou: pseudo-users
> authzTo: {0}dn:*
>
> This works:
> # su -m slapd -c 'ldapwhoami -Y EXTERNAL -H ldapi:///'
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=1000+uidNumber=401,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net
>
> This also works:
> # su -m slapd -c 'ldapwhoami -X u:someone -Y EXTERNAL -H ldapi:///'
> SASL/EXTERNAL authentication started
> SASL username: u:someone
> SASL SSF: 0
> dn:uid=someone,dc=example,dc=net
>
> However this does not work:
> # su -m someone -c 'ldapwhoami -U uid=someone,dc=example,dc=net \
> 	-Y PLAIN -H ldaps://ldap.example.com'
>
> logs say:
> conn=2455 op=0 BIND dn="uid=someone,dc=example,dc=net" method=163
> SASL [conn=2455] Failure: Password verification failed
> conn=2455 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed
> conn=2455 op=1 UNBIND
>
> I must be missing how the LDAPDB plugin works. Any hint?

That command doesn't make sense. '-U uid=someone,dc=example,dc=net' should be '-U
someone' instead, and you should create new authz-regexp rules to map a
sasl PLAIN identity of 'someone' to uid=someone,dc=example,dc=net.

You could also do:

su -m someone -c 'ldapwhoami -Y EXTERNAL -H ldapi:///'

with an appropriately written authz-regexp rule. 'someone' would need unix
file permissions to access your ldapi unix socket.

--
Dan White
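Both of Dan's points above (bind with `-U someone`, and add an authz-regexp for the PLAIN identity) come down to how slapd rewrites a SASL authentication identity through its authz-regexp rules. The script below is an added example, not code from this thread or from OpenLDAP: it simulates that rewriting over Emmanuel's two rules plus an assumed third rule for `cn=plain`, against a small constructed stand-in for the DIT, and runs the identities that appear in the thread through it. It assumes the identity form documented in slapd.conf(5), `uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth`, and that slapd matches each authz-regexp case-insensitively and without anchoring (the first ldapwhoami output above, where a pattern without the `gidNumber` part still matches the peercred name, is consistent with that). The `ldapwhoami` DN forms in the thread are the only part of the behaviour taken from the page itself.

```python
"""Simulation of slapd's authz-regexp mapping (added example, not code from
the thread or from OpenLDAP). Rules 1 and 2 below are Emmanuel's; rule 3 is
an assumed addition for the PLAIN mechanism; DIT is a constructed stand-in."""
import re
import shlex
from typing import Optional

# Constructed slapd.conf fragment (closing quote on the URL restored).
SLAPD_CONF = r'''
authz-regexp "uidNumber=401,cn=peercred,cn=external,cn=auth"
   "cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net"
authz-regexp uid=([^,]*),cn=external,cn=auth
   "ldap:///dc=example,dc=net??sub?(uid=$1)"
authz-regexp uid=([^,]*),cn=plain,cn=auth
   "ldap:///dc=example,dc=net??sub?(uid=$1)"
'''

# Constructed stand-in for the directory: DN -> attributes.
DIT = {
    "cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net":
        {"cn": "ldap.example.net", "ou": "pseudo-users"},
    "uid=someone,dc=example,dc=net": {"uid": "someone"},
}


def parse_authz_regexps(conf: str):
    """Return [(compiled match, replacement)] in file order. A line that
    starts with whitespace continues the previous directive, as in slapd.conf;
    the match is compiled case-insensitively and is not anchored."""
    logical = []
    for line in conf.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    rules = []
    for directive in logical:
        tokens = shlex.split(directive)
        if len(tokens) == 3 and tokens[0].lower() == "authz-regexp":
            rules.append((re.compile(tokens[1], re.IGNORECASE), tokens[2]))
    return rules


def sasl_identity(authcid: str, mech: str, realm: str = "") -> str:
    """The form slapd gives a SASL authentication identity before the rules
    see it: uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth (slapd.conf(5))."""
    realm_part = f",cn={realm}" if realm else ""
    return f"uid={authcid}{realm_part},cn={mech.lower()},cn=auth"


def _in_scope(dn: str, base: str, scope: str) -> bool:
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return "," in dn and dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)      # "sub"


def resolve(target: str, dit: dict) -> Optional[str]:
    """A rewritten identity is either a literal DN (used as-is) or an LDAP
    URL that slapd searches; the search must yield exactly one entry."""
    if not target.lower().startswith("ldap:///"):
        return target
    parts = target[len("ldap:///"):].split("?") + ["", "", ""]
    base, scope, filt = parts[0], parts[2] or "base", parts[3]
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)     # simple equality filter only
    if not m:
        return None
    attr, value = m.group(1).lower(), m.group(2).lower()
    hits = [dn for dn, attrs in dit.items()
            if _in_scope(dn, base, scope) and attrs.get(attr, "").lower() == value]
    return hits[0] if len(hits) == 1 else None


def map_identity(sasl_name: str, rules, dit: dict) -> Optional[str]:
    """First matching rule wins; $1..$9 in the replacement are the groups."""
    for pattern, replacement in rules:
        m = pattern.search(sasl_name)
        if m:
            target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
            return resolve(target, dit)
    return None


def demo() -> dict:
    """Run the identities seen in the thread through the rules."""
    rules = parse_authz_regexps(SLAPD_CONF)
    cases = {
        # peercred name from 'ldapwhoami -Y EXTERNAL -H ldapi:///' as the slapd user
        "peercred": "gidNumber=1000+uidNumber=401,cn=peercred,cn=external,cn=auth",
        # '-X u:someone', which slapd rewrites into uid=someone,cn=external,cn=auth
        "external u:someone": sasl_identity("someone", "EXTERNAL"),
        # PLAIN with '-U someone', as Dan recommends
        "plain someone": sasl_identity("someone", "PLAIN"),
        # PLAIN with '-U uid=someone,dc=example,dc=net', the failing command
        "plain dn-as-user": sasl_identity("uid=someone,dc=example,dc=net", "PLAIN"),
    }
    return {label: map_identity(name, rules, DIT) for label, name in cases.items()}


if __name__ == "__main__":
    for label, dn in demo().items():
        print(f"{label:20s} -> {dn}")
```

The DN-as-username case falls through every rule and maps to nothing, which is the shape of the `user not found` failure in the logs; `-U someone` with the `cn=plain` rule maps cleanly to `uid=someone,dc=example,dc=net`. Note that the existing `cn=external` rule can never match a PLAIN identity, so each mechanism you allow in `mech_list` needs its own rule (or one rule whose pattern covers several mechanisms).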