
Re: SASL replication - the continuing saga



Have you gotten authentication working using the sample Cyrus
SASL client and server?  This is a very important first step.
If it doesn't work there, it won't work in OpenLDAP.  I suggest
you sort out your DIGEST-MD5 problems there before trying to
tackle OpenLDAP specific configuration.

At 06:45 AM 2001-08-29, Kayne McGladrey wrote:
>Hello everyone,
>
>I'm continuing my effort to successfully configure OpenLDAP and SASL.  This
>effort has thus far taken 40 hours of my time. I'm doing this in the hopes 
>that I will be able to have OpenLDAP replication use SASL authentication.
>
>I had previously not been able to have the supportedSASLMechanisms attribute
>report anything.  After some further experimentation with SASL-SECPROPS and
>SECURITY in slapd.conf, and /usr/lib/sasl/slapd.conf, it now reports PLAIN 
>and LOGIN.  I can't get it to recognize DIGEST-MD5, which is what I'm hoping 
>to have it use.
>
>As this is progress, I thought I'd try to use either PLAIN or LOGIN for
>authentication.  This DOES NOT work. I'm specifically concerned with these 
>lines in the slurpd output:
>
>        bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
>        ldap_interactive_sasl_bind_s: user selected: PLAIN
>        ldap_int_sasl_bind: PLAIN
>
>The "user selected: PLAIN" is either a poorly-written debug message or in 
>error. The user I've specified is repl.ldap.company.com.
>
>Any assistance would be greatly appreciated.  I hope to consolidate my efforts
>into a FAQ or installation guide. This seems to be the most frequently asked
>question on the list.
>
>I'm including full output from the relevant items (ldapsearch, 
>sasldblistusers, slurpd, slapd.conf).
>
>--- ldapsearch on server ---
>[root@ldap openldap-2.0.11]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: PLAIN
>supportedSASLMechanisms: LOGIN
>
>--- ldapsearch on backup ---
>[root@backup /root]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
>dn:
>supportedSASLMechanisms: PLAIN
>supportedSASLMechanisms: LOGIN
>
>--- sasldblistusers on backup ---
>[root@backup /root]# sasldblistusers
>user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
>user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
>user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5
>
>--- slurpd output ---
>[root@ldap openldap-2.0.11]# /usr/local/libexec/slurpd -d 255
>Config: opening config file "/usr/local/etc/openldap/slapd.conf"
>Config: (include                /usr/local/etc/openldap/schema/core.schema)
>Config: (include                /usr/local/etc/openldap/schema/cosine.schema)
>Config: (include                /usr/local/etc/openldap/schema/inetorgperson.schema)
>Config: (include                /usr/local/etc/openldap/schema/local.schema)
>Config: (pidfile                /usr/local/var/slapd.pid)
>Config: (argsfile       /usr/local/var/slapd.args)
>Config: (loglevel 0)
>Config: (idletimeout 30)
>Config: (sizelimit 100)
>Config: (timelimit 120)
>Config: (defaultsearchbase "dc=company,dc=com")
>Config: (schemacheck on)
>Config: (disallows      bind_krbv4)
>Config: (sasl-secprops   noanonymous minssf=112)
>Config: (security        update_sasl=112 update_ssf=112)
>Config: (database       ldbm)
>Config: (rootdn         "cn=LDAProot,dc=company,dc=com")
>Config: (rootpw         {crypt}papAq5PwY/QQM)
>Config: (suffix         "dc=company,dc=com")
>Config: (replogfile     /usr/local/etc/openldap/replog/replog.log)
>Config: (lastmod                off)
>Config: (replica host=backup.company.com:389    binddn="uid=repl.ldap.company.com"       bindmethod=sasl saslmech=PLAIN  authcID="repl.ldap.company.com"  authzID="repl.ldap.company.com"  realm=company.com        credentials="password")
>Config: ** successfully added replica "backup.company.com:389"
>Config: (security        update_ssf=112)
>Config: (directory      /usr/local/var/openldap-ldbm)
>Config: (mode   0600)
>Config: (index  objectClass                             eq,pres)
>Config: (index  uid                                     eq)
>Config: (index  cn                                      eq,sub)
>Config: (index  mail                                    eq,pres,sub)
>Config: (index  givenName                               eq,sub)
>Config: (index  sn                                      eq,sub)
>Config: (index  o                                       eq,sub)
>Config: (access to attr=userPassword    by dn="cn=LDAPRoot, dc=company, dc=com" write    by * none)
>Config: (access to *    by anonymous read       by dn="cn=LDAPRoot, dc=company, dc=com" write)
>Config: (dbnolocking)
>Config: (dbnosync)
>Config: (cachesize 10000)
>Config: (dbcachesize 100000)
>Config: ** configuration file successfully read and parsed
>Retrieved state information for backup.company.com:389 (timestamp 997309400.0)
>begin replication thread for backup.company.com:389
>Replica backup.company.com:389, skip repl record for uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
>Initializing session to backup.company.com:389
>ldap_create
>bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
>ldap_interactive_sasl_bind_s: user selected: PLAIN
>ldap_int_sasl_bind: PLAIN
>ldap_new_connection
>ldap_int_open_connection
>ldap_connect_to_host
>ldap_new_socket: 6
>ldap_prepare_socket: 6
>ldap_connect_to_host: Trying 192.168.1.2:389
>ldap_connect_timeout: fd: 6 tm: -1 async: 0
>ldap_ndelay_on: 6
>ldap_is_sock_ready: 6
>ldap_ndelay_off: 6
>ldap_int_sasl_open: backup.company.com
>ldap_err2string
>Error: LDAP SASL for backup.company.com:389 failed: Unknown authentication method
>ldap_unbind
>ldap_free_connection
>ldap_send_unbind
>ber_flush: 7 bytes to sd 6
>  0000:  30 05 02 01 01 42 00                               0....B.
>ldap_write: want=7, written=7
>  0000:  30 05 02 01 01 42 00                               0....B.
>ldap_free_connection: actually freed
>fm: exiting
>Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on replica backup.company.com:389
>end replication thread for backup.company.com:389
>slurpd: terminated.
>
>--- slapd.conf on server
># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include         /usr/local/etc/openldap/schema/core.schema
>include         /usr/local/etc/openldap/schema/cosine.schema
>include         /usr/local/etc/openldap/schema/inetorgperson.schema
>include         /usr/local/etc/openldap/schema/local.schema
>
>pidfile         /usr/local/var/slapd.pid
>argsfile        /usr/local/var/slapd.args
>
>loglevel 0
>idletimeout 30
>sizelimit 100
>timelimit 120
>defaultsearchbase "dc=company,dc=com"
>schemacheck on
>disallows       bind_krbv4
>
>sasl-secprops   noanonymous minssf=112
>security        update_sasl=112 update_ssf=112
>
>#######################################################################
># ldbm database definitions
>#######################################################################
>
>database        ldbm
>rootdn          "cn=LDAProot,dc=company,dc=com"
>rootpw          {crypt}papAq5PwY/QQM
>suffix          "dc=company,dc=com"
>
>replogfile      /usr/local/etc/openldap/replog/replog.log
>lastmod         off
>
>## REPLICATION OPTIONS
>replica host=backup.company.com:389
>        binddn="uid=repl.ldap.company.com"
>        bindmethod=sasl
>        saslmech=PLAIN
>        authcID="repl.ldap.company.com"
>        authzID="repl.ldap.company.com"
>        realm=company.com
>        credentials="password"
>
>security        update_ssf=112
>
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd/tools. Mode 700 recommended.
>directory       /usr/local/var/openldap-ldbm
>mode    0600
>
># Indices to maintain
>index   objectClass                             eq,pres
>index   uid                                     eq
>
>index   cn                                      eq,sub
>index   mail                                    eq,pres,sub
>index   givenName                               eq,sub
>index   sn                                      eq,sub
>index   o                                       eq,sub
>
>#ldbm access control definitions
>access to attr=userPassword
>        by dn="cn=LDAPRoot, dc=company, dc=com" write
>        by * none
>
>access to *
>        by anonymous read
>        by dn="cn=LDAPRoot, dc=company, dc=com" write
>
>dbnolocking
>dbnosync
>cachesize 10000
>dbcachesize 100000
>
>--- slapd.conf on backup ---
># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>
>include         /usr/local/etc/openldap/schema/core.schema
>include         /usr/local/etc/openldap/schema/cosine.schema
>include         /usr/local/etc/openldap/schema/inetorgperson.schema
>include         /usr/local/etc/openldap/schema/local.schema
>
>pidfile         /usr/local/var/slapd.pid
>argsfile        /usr/local/var/slapd.args
>
>loglevel 0
>idletimeout 30
>sizelimit 100
>timelimit 120
>defaultsearchbase "dc=company,dc=com"
>schemacheck on
>disallows       bind_krbv4
>
>sasl-secprops   noanonymous minssf=112
>security        update_sasl=112 update_ssf=112
>
>#######################################################################
># ldbm database definitions
>#######################################################################
>
>database        ldbm
>rootdn          "cn=LDAProot,dc=company,dc=com"
>rootpw          {crypt}papAq5PwY/QQM
>suffix          "dc=company,dc=com"
>
>updatedn        "UID=REPL.LDAP.COMPANY.COM+REALM=BACKUP.COMPANY.COM"
>updateref       ldap://ldap.company.com
>
>security        update_ssf=112
>
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd/tools. Mode 700 recommended.
>directory       /usr/local/var/openldap-ldbm
>mode    0600
>
># Indices to maintain
>index   objectClass                             eq,pres
>index   uid                                     eq
>
>index   cn                                      eq,sub
>index   mail                                    eq,pres,sub
>index   givenName                               eq,sub
>index   sn                                      eq,sub
>index   o                                       eq,sub
>
>#ldbm access control definitions
>access to attr=userPassword
>        by dn="cn=LDAPRoot, dc=company, dc=com" write
>        by * none
>
>access to *
>        by anonymous read
>        by dn="cn=LDAPRoot, dc=company, dc=com" write
>
>dbnolocking
>dbnosync
>cachesize 10000
>dbcachesize 100000
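The thread above turns on the difference between the two mechanism families slapd is offering (PLAIN/LOGIN) and the one the poster wants (DIGEST-MD5). The following is an added example, not code from OpenLDAP, Cyrus SASL or the original post: it encodes a PLAIN initial response per RFC 4616 and computes the DIGEST-MD5 response and rspauth values per RFC 2831, then shows a hypothetical server-side check. The point a practitioner wants to see is that PLAIN puts the password itself on the wire (so it is only acceptable inside TLS), while DIGEST-MD5 sends a keyed hash in which the realm is part of the key, so the realm the client names must be the realm the server stored the secret under. The user, realm and password strings below (repl.ldap.company.com, backup.company.com, company.com, "password"), the nonce and cnonce values and the function names are all constructed for the example; the one externally checkable vector is the worked example from RFC 2831 section 4 (user chris, realm elwood.innosoft.com, password secret).

```python
import hashlib
import re
import secrets

# Added example (not OpenLDAP or Cyrus SASL code). All input is constructed inline.


def sasl_plain_initial_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd.
    The cleartext password is in the message, so PLAIN/LOGIN need TLS underneath."""
    return (authzid.encode("utf-8") + b"\0" + authcid.encode("utf-8")
            + b"\0" + password.encode("utf-8"))


# key=value pairs; quoted values may contain commas (e.g. qop="auth,auth-int,auth-conf")
_PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_digest_fields(message: str) -> dict:
    """Split a DIGEST-MD5 challenge or response into a dict, unquoting values."""
    fields = {}
    for key, value in _PAIR.findall(message):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        fields[key] = value
    return fields


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _a1(username, realm, password, nonce, cnonce, authzid) -> bytes:
    # RFC 2831: A1 starts with the RAW 16-byte H(username:realm:password), not its hex.
    # This is where the realm enters the shared secret.  (Strings are ASCII here;
    # RFC 2831 hashes ISO-8859-1 when the text fits in it, UTF-8 otherwise.)
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    return a1


def _kd(a1: bytes, nonce, nc, cnonce, qop, a2: bytes) -> str:
    return _md5hex(f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}".encode("utf-8"))


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri, authzid=""):
    """Client response-value (RFC 2831 2.1.2.1). The password never leaves the client."""
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    return _kd(_a1(username, realm, password, nonce, cnonce, authzid), nonce, nc, cnonce, qop, a2)


def digest_md5_rspauth(username, realm, password, nonce, cnonce, nc, qop, digest_uri, authzid=""):
    """Server rspauth (RFC 2831 2.1.3): same KD but A2 has no method, so the client
    can verify the server also knows the secret (mutual authentication)."""
    a2 = f":{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    return _kd(_a1(username, realm, password, nonce, cnonce, authzid), nonce, nc, cnonce, qop, a2)


def build_client_response(username, realm, password, challenge, cnonce, digest_uri, qop="auth", nc="00000001"):
    """Assemble the client's digest-response message for a parsed server challenge."""
    nonce = parse_digest_fields(challenge)["nonce"]
    resp = digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri)
    return (f'charset=utf-8,username="{username}",realm="{realm}",nonce="{nonce}",'
            f'nc={nc},cnonce="{cnonce}",digest-uri="{digest_uri}",response={resp},qop={qop}')


def server_verify(stored_realm, stored_password, response_message, issued_nonce) -> bool:
    """Hypothetical server-side check: recompute from the secret the server holds
    under (username, stored_realm) and compare in constant time. A client that
    hashed another realm, or reuses a nonce the server did not issue, fails."""
    f = parse_digest_fields(response_message)
    if f.get("nonce") != issued_nonce:
        return False
    expected = digest_md5_response(f["username"], stored_realm, stored_password, issued_nonce,
                                   f["cnonce"], f["nc"], f.get("qop", "auth"),
                                   f["digest-uri"], f.get("authzid", ""))
    return secrets.compare_digest(expected, f.get("response", ""))


def demo_realm_mismatch():
    """Constructed scenario: the server holds the entry in realm backup.company.com;
    one client hashes that realm, the other hashes company.com. Returns (ok, ok)."""
    challenge = ('realm="backup.company.com",nonce="c0nstructedN0nce",'
                 'qop="auth,auth-int,auth-conf",charset=utf-8,algorithm=md5-sess')
    nonce = parse_digest_fields(challenge)["nonce"]
    uri = "ldap/backup.company.com"
    good = build_client_response("repl.ldap.company.com", "backup.company.com", "password", challenge, "cn0nce", uri)
    bad = build_client_response("repl.ldap.company.com", "company.com", "password", challenge, "cn0nce", uri)
    return (server_verify("backup.company.com", "password", good, nonce),
            server_verify("backup.company.com", "password", bad, nonce))


if __name__ == "__main__":
    print(sasl_plain_initial_response("repl.ldap.company.com", "password"))
    print(demo_realm_mismatch())
```

Note that the realm check is not a policy the hypothetical server applies by string comparison; the mismatch surfaces purely because the two sides hashed different inputs into A1. The posted sasldblistusers output lists the repl.ldap.company.com entries under realm backup.company.com, while the replica stanza passes realm=company.com, which is exactly the kind of pair the demo function compares. The RFC 2831 vector in the test is the one check that is independent of any assumption made here.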