
Re: SASL replication - the continuing saga



Sounds like you are having some sort of dynamically linking
problem.  You might try forcing no security layers (which
avoids the need for an appropriate cipher).  Setting max_ssf
to 0 and/or setting maxbufsize to 0 should do that.

Anyways, I think these kinds of problems are common enough
that folks on the cyrus-sasl list will likely be able to resolve
this issue.  I suggest you forward a copy of your last post
with a brief intro to that list.

Kurt

At 05:36 PM 2001-08-29, Kayne McGladrey wrote:
>Hello,
>
>I'm including the output from the sample Cyrus client and server in this 
>email. I'd previously configured this and it appears to be working, though 
>I'm far from an expert on the matter.  Left to its own devices, it selects 
>"PLAIN" as the best available method.
>
>--- /usr/lib/sasl/slapd.conf ---
>pwcheck_method: sasldb
>
>I picked that tip up from "Cyrus SASL for Systems Administrators" at:
>http://www.sendmail.org/~ca/email/cyrus/sysadmin.html - I think it's mirrored 
>at other locations as well.
>
>--- Server output: ---
>[root@server sample]# sasldblistusers
>user: REPL.LDAP.COMPANY.COM realm: server.company.com mech: PLAIN
>user: REPL.LDAP.COMPANY.COM realm: server.company.com mech: CRAM-MD5
>user: REPL.LDAP.COMPANY.COM realm: server.company.com mech: DIGEST-MD5
>[root@server sample]# ./sample-server -s slapd
>Generating client mechanism list...
>Sending list of 5 mechanism(s)
>S: UExBSU4gTE9HSU4gRElHRVNULU1ENSBDUkFNLU1ENSBBTk9OWU1PVVM=
>Waiting for client mechanism...
>C: 
>UExBSU4AUkVQTC5MREFQLlNBRkVDTy5DT00AUkVQTC5MREFQLlNBRkVDTy5DT00AYzE5dmZmeHg=
>got 'PLAIN'
>Negotiation complete
>Username: REPL.LDAP.COMPANY.COM
>Realm: server.company.com
>SSF: 0
>
>--- Client output: ---
>[root@server sample]# ./sample-client -s slapd -u REPL.LDAP.COMPANY.COM -a 
>REPL.LDAP.COMPANY.COM
>service=slapd
>Waiting for mechanism list from server...
>S: UExBSU4gTE9HSU4gRElHRVNULU1ENSBDUkFNLU1ENSBBTk9OWU1PVVM=
>Choosing best mechanism from: PLAIN LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS
>Password:
>Using mechanism PLAIN
>Preparing initial.
>Sending initial response...
>C: 
>UExBSU4AUkVQTC5MREFQLlNBRkVDTy5DT00AUkVQTC5MREFQLlNBRkVDTy5DT00AYzE5dmZmeHg=
>Waiting for server reply...
>
>After some digging, I found that there's a -b option for both the client and 
>the server, indicating the number of bits.  As it's there in the slapd.conf, 
>I set this to 112 and watched the output:
>
>--- Server output: ---
>[root@server sample]# ./sample-server -b min=112
>Generating client mechanism list...
>Sending list of 1 mechanism(s)
>S: RElHRVNULU1ENQ==
>Waiting for client mechanism...
>
>--- Client output: ---
>[root@server sample]# ./sample-client -b min=112 -s slapd -u
>REPL.LDAP.COMPANY.COM -a REPL.LDAP.COMPANY.COM service=slapd
>Waiting for mechanism list from server...
>S: RElHRVNULU1ENQ==
>Choosing best mechanism from: DIGEST-MD5
>lt-sample-client: Starting SASL negotiation: no mechanism available
>
>So, it might very well be that SASL isn't working with DIGEST-MD5.  All the
>available evidence points to this.  Which is unusual, as the sasldblistusers
>command lists the REPL.LDAP.COMPANY.COM as having a DIGEST-MD5 password.
>
>When I initially compiled SASL, I used the command: ./configure  
>--enable-sample
>--enable-plain --disable-krb4
>
>According to the limited SASL documentation, DIGEST-MD5 should be 
>automatically detected.  But, just to be thorough, I've since re-compiled 
>with the command: 
>./configure --enable-sample --enable-cram --enable-digest --disable-krb4
>--disable-gssapi
>
>This has not improved matters - the sample client still gets:
>[root@server sample]# ./sample-client -b min=112 -s slapd -u
>REPL.LDAP.COMPANY.COM -a REPL.LDAP.COMPANY.COM service=slapd
>Waiting for mechanism list from server...
>S: RElHRVNULU1ENQ==
>Choosing best mechanism from: DIGEST-MD5
>lt-sample-client: Starting SASL negotiation: no mechanism available
>
>After yet further digging, I found the SASL mailing list.  I can't say that I 
>learned much from it.  I did find an UNANSWERED message that almost describes 
>the issue I've encountered:
>http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=digest-md5&msg=642
>
>The main point of interest was that DIGEST-MD5 was only possible if you had 
>installed OpenSSL. Fair enough.  Before I installed Cyrus, I compiled and 
>installed OpenSSL as follows:
>
>        Type tar -xzvf openssl-0.9.6b.tar.gz  and press Enter.
>        Type cd /openssl-0.9.6b and press Enter.
>        Type ./config --prefix=/usr --openssldir=/usr/lib/ssl and press Enter.
>        Type make -f Makefile.ssl all and press Enter.
>        Type make -f Makefile.ssl install and press Enter.
>
>That was based on a newsgroup posting that I don't recall the location of. 
>Typing ./config --help doesn't really help, and the OpenSSL INSTALL file 
>doesn't indicate that DIGEST-MD5 would be turned off OR on by default.  It 
>just specifies how you'd build without a cipher, and I didn't specify that on 
>the command line.  Based on that, I'm assuming that DIGEST-MD5 was installed 
>SOMEWHERE, given that sasldblistusers DOES SHOW the replication account as 
>having a DIGEST-MD5 password.
>
>I'm now 45 hours into this research, and I once again find myself stuck. 
>Further help will be required for me to continue.
>
>Thanks in advance,
>
>
>On Wednesday 29 August 2001 08:20 am, Kurt D. Zeilenga wrote:
>> Have you gotten authentication working using the sample Cyrus
>> SASL client and server?  This is a very important first step.
>> If it doesn't work there, it won't work in OpenLDAP.  I suggest
>> you sort out your DIGEST-MD5 problems there before trying to
>> tackle OpenLDAP specific configuration.
>>
>> At 06:45 AM 2001-08-29, Kayne McGladrey wrote:
>> >Hello everyone,
>> >
>> >I'm continuing my effort to successfully configure OpenLDAP and SASL. 
>> > This effort has thus far taken 40 hours of my time. I'm doing this in the
>> > hopes that I will be able to have OpenLDAP replication use SASL
>> > authentication.
>> >
>> >I had previously not been able to have the supportedSASLMechanisms
>> > attribute report anything.  After some further experimentation with
>> > SASL-SECPROPS and SECURITY in slapd.conf, and /usr/lib/sasl/slapd.conf,
>> > it now reports PLAIN and LOGIN.  I can't get it to recognize DIGEST-MD5,
>> > which is what I'm hoping to have it use.
>> >
>> >As this is progress, I thought I'd try to use either PLAIN or LOGIN for
>> >authentication.  This DOES NOT work. I'm specifically concerned with these
>> >lines in the slurpd output:
>> >
>> >        bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
>> >        ldap_interactive_sasl_bind_s: user selected: PLAIN
>> >        ldap_int_sasl_bind: PLAIN
>> >
>> >The "user selected: PLAIN" is either a poorly-written debug message or in
>> >error. The user I've specified is repl.ldap.company.com.
>> >
>> >Any assistance would be greatly appreciated.  I hope to consolidate my
>> > efforts into a FAQ or installation guide. This seems to be the most
>> > frequently asked question on the list.
>> >
>> >I'm including full output from the relevant items (ldapsearch,
>> >sasldblistusers, slurpd, slapd.conf).
>> >
>> >--- ldapsearch on server ---
>> >[root@ldap openldap-2.0.11]# ldapsearch -x -b "" -s base -LLL
>> >supportedSASLMechanisms
>> >dn:
>> >supportedSASLMechanisms: PLAIN
>> >supportedSASLMechanisms: LOGIN
>> >
>> >--- ldapsearch on backup ---
>> >[root@backup /root]# ldapsearch -x -b "" -s base -LLL
>> > supportedSASLMechanisms dn:
>> >supportedSASLMechanisms: PLAIN
>> >supportedSASLMechanisms: LOGIN
>> >
>> >--- sasldblistusers on backup ---
>> >[root@backup /root]# sasldblistusers
>> >user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
>> >user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
>> >user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5
>> >
>> >--- slurpd output ---
>> >[root@ldap openldap-2.0.11]# /usr/local/libexec/slurpd -d 255
>> >Config: opening config file "/usr/local/etc/openldap/slapd.conf"
>> >Config: (include               /usr/local/etc/openldap/schema/core.schema)
>> >Config: (include               /usr/local/etc/openldap/schema/cosine.schema)
>> >Config: (include               /usr/local/etc/openldap/schema/inetorgperson.schema)
>> >Config: (include               /usr/local/etc/openldap/schema/local.schema)
>> >Config: (pidfile               /usr/local/var/slapd.pid)
>> >Config: (argsfile       /usr/local/var/slapd.args)
>> >Config: (loglevel 0)
>> >Config: (idletimeout 30)
>> >Config: (sizelimit 100)
>> >Config: (timelimit 120)
>> >Config: (defaultsearchbase "dc=company,dc=com")
>> >Config: (schemacheck on)
>> >Config: (disallows      bind_krbv4)
>> >Config: (sasl-secprops   noanonymous minssf=112)
>> >Config: (security        update_sasl=112 update_ssf=112)
>> >Config: (database       ldbm)
>> >Config: (rootdn         "cn=LDAProot,dc=company,dc=com")
>> >Config: (rootpw         {crypt}papAq5PwY/QQM)
>> >Config: (suffix         "dc=company,dc=com")
>> >Config: (replogfile     /usr/local/etc/openldap/replog/replog.log)
>> >Config: (lastmod                off)
>> >Config: (replica host=backup.company.com:389
>> >binddn="uid=repl.ldap.company.com"       bindmethod=sasl saslmech=PLAIN
>> >authcID="repl.ldap.company.com"  authzID="repl.ldap.company.com"
>> >realm=company.com        credentials="password")
>> >Config: ** successfully added replica "backup.company.com:389"
>> >Config: (security        update_ssf=112)
>> >Config: (directory      /usr/local/var/openldap-ldbm)
>> >Config: (mode   0600)
>> >Config: (index  objectClass                             eq,pres)
>> >Config: (index  uid                                     eq)
>> >Config: (index  cn                                      eq,sub)
>> >Config: (index  mail                                    eq,pres,sub)
>> >Config: (index  givenName                               eq,sub)
>> >Config: (index  sn                                      eq,sub)
>> >Config: (index  o                                       eq,sub)
>> >Config: (access to attr=userPassword    by dn="cn=LDAPRoot, dc=company,
>> >dc=com" write    by * none)
>> >Config: (access to *    by anonymous read       by dn="cn=LDAPRoot,
>> >dc=company, dc=com" write)
>> >Config: (dbnolocking)
>> >Config: (dbnosync)
>> >Config: (cachesize 10000)
>> >Config: (dbcachesize 100000)
>> >Config: ** configuration file successfully read and parsed
>> >Retrieved state information for backup.company.com:389 (timestamp 997309400.0)
>> >begin replication thread for backup.company.com:389
>> >Replica backup.company.com:389, skip repl record for
>> >uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
>> >Initializing session to backup.company.com:389
>> >ldap_create
>> >bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
>> >ldap_interactive_sasl_bind_s: user selected: PLAIN
>> >ldap_int_sasl_bind: PLAIN
>> >ldap_new_connection
>> >ldap_int_open_connection
>> >ldap_connect_to_host
>> >ldap_new_socket: 6
>> >ldap_prepare_socket: 6
>> >ldap_connect_to_host: Trying 192.168.1.2:389
>> >ldap_connect_timeout: fd: 6 tm: -1 async: 0
>> >ldap_ndelay_on: 6
>> >ldap_is_sock_ready: 6
>> >ldap_ndelay_off: 6
>> >ldap_int_sasl_open: backup.company.com
>> >ldap_err2string
>> >Error: LDAP SASL for backup.company.com:389 failed: Unknown authentication
>> >method
>> >ldap_unbind
>> >ldap_free_connection
>> >ldap_send_unbind
>> >ber_flush: 7 bytes to sd 6
>> >  0000:  30 05 02 01 01 42 00                               0....B.
>> >ldap_write: want=7, written=7
>> >  0000:  30 05 02 01 01 42 00                               0....B.
>> >ldap_free_connection: actually freed
>> >fm: exiting
>> >Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on
>> >replica backup.company.com:389
>> >end replication thread for backup.company.com:389
>> >slurpd: terminated.
>> >
>> >--- slapd.conf on server
>> ># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
>> >#
>> ># See slapd.conf(5) for details on configuration options.
>> ># This file should NOT be world readable.
>> >#
>> >include         /usr/local/etc/openldap/schema/core.schema
>> >include         /usr/local/etc/openldap/schema/cosine.schema
>> >include         /usr/local/etc/openldap/schema/inetorgperson.schema
>> >include         /usr/local/etc/openldap/schema/local.schema
>> >
>> >pidfile         /usr/local/var/slapd.pid
>> >argsfile        /usr/local/var/slapd.args
>> >
>> >loglevel 0
>> >idletimeout 30
>> >sizelimit 100
>> >timelimit 120
>> >defaultsearchbase "dc=company,dc=com"
>> >schemacheck on
>> >disallows       bind_krbv4
>> >
>> >sasl-secprops   noanonymous minssf=112
>> >security        update_sasl=112 update_ssf=112
>> >
>> >#######################################################################
>> ># ldbm database definitions
>> >#######################################################################
>> >
>> >database        ldbm
>> >rootdn          "cn=LDAProot,dc=company,dc=com"
>> >rootpw          {crypt}papAq5PwY/QQM
>> >suffix          "dc=company,dc=com"
>> >
>> >replogfile      /usr/local/etc/openldap/replog/replog.log
>> >lastmod         off
>> >
>> >## REPLICATION OPTIONS
>> >replica host=backup.company.com:389
>> >        binddn="uid=repl.ldap.company.com"
>> >        bindmethod=sasl
>> >        saslmech=PLAIN
>> >        authcID="repl.ldap.company.com"
>> >        authzID="repl.ldap.company.com"
>> >        realm=company.com
>> >        credentials="password"
>> >
>> >security        update_ssf=112
>> >
>> ># The database directory MUST exist prior to running slapd AND
>> ># should only be accessible by the slapd/tools. Mode 700 recommended.
>> >directory       /usr/local/var/openldap-ldbm
>> >mode    0600
>> >
>> ># Indices to maintain
>> >index   objectClass                             eq,pres
>> >index   uid                                     eq
>> >
>> >index   cn                                      eq,sub
>> >index   mail                                    eq,pres,sub
>> >index   givenName                               eq,sub
>> >index   sn                                      eq,sub
>> >index   o                                       eq,sub
>> >
>> >#ldbm access control definitions
>> >access to attr=userPassword
>> >        by dn="cn=LDAPRoot, dc=company, dc=com" write
>> >        by * none
>> >
>> >access to *
>> >        by anonymous read
>> >        by dn="cn=LDAPRoot, dc=company, dc=com" write
>> >
>> >dbnolocking
>> >dbnosync
>> >cachesize 10000
>> >dbcachesize 100000
>> >
>> >--- slapd.conf on backup ---
>> ># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
>> >#
>> ># See slapd.conf(5) for details on configuration options.
>> ># This file should NOT be world readable.
>> >#
>> >
>> >include         /usr/local/etc/openldap/schema/core.schema
>> >include         /usr/local/etc/openldap/schema/cosine.schema
>> >include         /usr/local/etc/openldap/schema/inetorgperson.schema
>> >include         /usr/local/etc/openldap/schema/local.schema
>> >
>> >pidfile         /usr/local/var/slapd.pid
>> >argsfile        /usr/local/var/slapd.args
>> >
>> >loglevel 0
>> >idletimeout 30
>> >sizelimit 100
>> >timelimit 120
>> >defaultsearchbase "dc=company,dc=com"
>> >schemacheck on
>> >disallows       bind_krbv4
>> >
>> >sasl-secprops   noanonymous minssf=112
>> >security        update_sasl=112 update_ssf=112
>> >
>> >#######################################################################
>> ># ldbm database definitions
>> >#######################################################################
>> >
>> >database        ldbm
>> >rootdn          "cn=LDAProot,dc=company,dc=com"
>> >rootpw          {crypt}papAq5PwY/QQM
>> >suffix          "dc=company,dc=com"
>> >
>> >updatedn        "UID=REPL.LDAP.COMPANY.COM+REALM=BACKUP.COMPANY.COM"
>> >updateref       ldap://ldap.company.com
>> >
>> >security        update_ssf=112
>> >
>> ># The database directory MUST exist prior to running slapd AND
>> ># should only be accessible by the slapd/tools. Mode 700 recommended.
>> >directory       /usr/local/var/openldap-ldbm
>> >mode    0600
>> >
>> ># Indices to maintain
>> >index   objectClass                             eq,pres
>> >index   uid                                     eq
>> >
>> >index   cn                                      eq,sub
>> >index   mail                                    eq,pres,sub
>> >index   givenName                               eq,sub
>> >index   sn                                      eq,sub
>> >index   o                                       eq,sub
>> >
>> >#ldbm access control definitions
>> >access to attr=userPassword
>> >        by dn="cn=LDAPRoot, dc=company, dc=com" write
>> >        by * none
>> >
>> >access to *
>> >        by anonymous read
>> >        by dn="cn=LDAPRoot, dc=company, dc=com" write
>> >
>> >dbnolocking
>> >dbnosync
>> >cachesize 10000
>> >dbcachesize 100000
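As an added illustration (not code from this thread, OpenLDAP or Cyrus SASL), the Python below models how a client's security properties filter the mechanism list the sample server sends: with min=112 only DIGEST-MD5 survives, it drops out too when its cipher layer cannot be provided (the "no mechanism available" result above), and Kurt's max_ssf=0 suggestion removes the layer requirement altogether. The per-mechanism SSF table is an assumed approximation of the plugins' real values, and the only base64 decoded is the server's mechanism list already shown in clear text in the transcripts.

```python
import base64

# Assumed, approximate model of what each Cyrus SASL mechanism can offer.
# max_ssf: strongest security layer (bits) the mechanism can negotiate;
# plaintext: credentials cross the wire unprotected; anonymous: no identity.
MECHS = {
    "PLAIN":      {"max_ssf": 0,   "plaintext": True,  "anonymous": False},
    "LOGIN":      {"max_ssf": 0,   "plaintext": True,  "anonymous": False},
    "CRAM-MD5":   {"max_ssf": 0,   "plaintext": False, "anonymous": False},
    "DIGEST-MD5": {"max_ssf": 128, "plaintext": False, "anonymous": False},
    "ANONYMOUS":  {"max_ssf": 0,   "plaintext": False, "anonymous": True},
}


def decode_mech_list(b64_line):
    """Decode the space-separated mechanism list the sample server sends (its S: line)."""
    return base64.b64decode(b64_line).decode("ascii").split()


def usable_mechs(offered, min_ssf=0, max_ssf=256, noanonymous=False,
                 noplaintext=False, ciphers_available=True):
    """Filter a server's mechanism list by client security properties.

    Mirrors what sasl-secprops / '-b min=...' express: a mechanism survives
    only if the layer it can provide, capped at max_ssf, reaches min_ssf and
    the noanonymous / noplaintext flags allow it.
    """
    result = []
    for mech in offered:
        props = MECHS.get(mech)
        if props is None:
            continue                      # unknown mechanism: never usable
        if noanonymous and props["anonymous"]:
            continue
        if noplaintext and props["plaintext"]:
            continue
        layer = props["max_ssf"]
        # DIGEST-MD5's privacy layer depends on a cipher library being linked
        # in (the OpenSSL problem in the thread); without it only integrity
        # protection (SSF 1) remains, which cannot satisfy min=112.
        if mech == "DIGEST-MD5" and not ciphers_available:
            layer = 1
        layer = min(layer, max_ssf)       # max_ssf=0 disables layers entirely
        if layer < min_ssf:
            continue
        result.append(mech)
    return result
```

With the full list and min_ssf=112 the filter returns only DIGEST-MD5, matching the single-mechanism S: line in the -b min=112 run; with ciphers_available=False it returns nothing.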