
SASL problems
I'm trying to debug some SASL problems I'm having with OpenLDAP 2.0.22
on Linux.

For example, in the conf file I have:

sasl-realm "agestado.com.br"

access to attribute=userPassword
        by dn="uid=repl\+realm=agestado.com.br" read

When I try something like

% ldapsearch -U repl -Y DIGEST-MD5 "mail=anr@testdomain.enet"

I don't see the userPassword attribute.

The log shows that the first two binds fail, the third succeeds with ssf=1:

slapd[7481]: do_bind 
slapd[7481]: do_sasl_bind: dn () mech DIGEST-MD5 
slapd[7481]: conn=11 op=0 BIND dn="" method=163 
slapd[7481]: send_ldap_sasl: err=14 len=129 
slapd[7481]: send_ldap_response: msgid=1 tag=97 err=14 
slapd[7481]: <== slap_sasl_bind: rc=14 

slapd[7483]: do_bind 
slapd[7483]: do_sasl_bind: dn () mech DIGEST-MD5 
slapd[7483]: conn=11 op=1 BIND dn="" method=163 
slapd[7483]: send_ldap_sasl: err=14 len=40 
slapd[7483]: send_ldap_response: msgid=2 tag=97 err=14 
slapd[7483]: <== slap_sasl_bind: rc=14 

slapd[7481]: do_bind 
slapd[7481]: do_sasl_bind: dn () mech DIGEST-MD5 
slapd[7481]: conn=11 op=2 BIND dn="" method=163 
slapd[7481]: SASL Authorize [conn=11]: "repl" as "u:repl" 
slapd[7481]: slap_sasl_bind: username="u:repl" realm="agestado.com.br" ssf=1 
slapd[7481]: <== slap_sasl_bind: authzdn: "uid=repl + realm=agestado.com.br" 
slapd[7481]: send_ldap_sasl: err=0 len=-1 
slapd[7481]: send_ldap_response: msgid=3 tag=97 err=0 
slapd[7481]: <== slap_sasl_bind: rc=0 

Then the ACL fails:

slapd[7483]: => acl_mask: access to entry "uid=anr@testdomain.enet,ou=accounts,dc=agestado,dc=com,dc=br", attr "userPassword" requested 
slapd[7483]: => acl_mask: to all values by "UID=REPL+REALM=AGESTADO.COM.BR", (=n)  
slapd[7483]: <= check a_dn_pat: uid=repl+realm=agestado.com.br 
slapd[7483]: => string_expand: pattern:  uid=repl+realm=agestado.com.br 
slapd[7483]: => string_expand: expanded: uid=repl+realm=agestado.com.br 
slapd[7483]: => regex_matches: string:   UID=REPL+REALM=AGESTADO.COM.BR 
slapd[7483]: => regex_matches: rc: 1 no matches 

I must be overlooking something. Any hints?
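An added example (not part of the original post or of OpenLDAP) that replays the last two log lines with Python's regex engine: the pattern that string_expand printed has lost its backslash, so the `+` in it is a "one or more" quantifier rather than a literal RDN separator, and the normalized DN cannot match. Whether slapd compares case-insensitively is treated as an assumption here (the `ignore_case` flag lets you check both readings); the corrected pattern only shows the regex that would be needed, not how slapd.conf quoting consumes backslashes.

```python
import re

# Values copied from the slapd log in the post: the pattern as printed by
# string_expand (no backslash survived) and the normalized DN being checked.
LOGGED_PATTERN = "uid=repl+realm=agestado.com.br"
NORMALIZED_DN = "UID=REPL+REALM=AGESTADO.COM.BR"

# Constructed here: the same pattern with '+' escaped so it is a literal
# character in the regex instead of a quantifier applied to the preceding 'l'.
ESCAPED_PATTERN = r"uid=repl\+realm=agestado.com.br"

# Constructed here: a DN that the unescaped pattern *does* accept, which makes
# the quantifier reading visible ("repl" followed by extra 'l's, no '+').
QUANTIFIER_VICTIM_DN = "UID=REPLLLREALM=AGESTADO.COM.BR"


def acl_regex_matches(pattern: str, dn: str, ignore_case: bool = True) -> bool:
    """Mimic the step the log calls regex_matches: compile the already
    expanded pattern as a regex and search the normalized DN with it.
    ignore_case=True is the assumption that slapd folds case; the caller
    can set it to False to see what a case-sensitive compare would do."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, dn, flags) is not None


def diagnose(pattern: str, dn: str) -> dict:
    """Return the outcome of both readings for one pattern/DN pair, so the
    two possible causes (quantifier vs. case) can be told apart."""
    return {
        "case_insensitive": acl_regex_matches(pattern, dn, ignore_case=True),
        "case_sensitive": acl_regex_matches(pattern, dn, ignore_case=False),
    }


if __name__ == "__main__":
    # Reproduces the log: the logged pattern never matches the normalized DN.
    print("logged pattern :", diagnose(LOGGED_PATTERN, NORMALIZED_DN))
    # With '+' escaped, the match succeeds as soon as case is folded.
    print("escaped pattern:", diagnose(ESCAPED_PATTERN, NORMALIZED_DN))
    # What the unescaped pattern actually accepts instead.
    print("quantifier DN  :", diagnose(LOGGED_PATTERN, QUANTIFIER_VICTIM_DN))
```

Running it shows that the logged pattern fails under both readings, while the escaped pattern only fails when case is not folded, which is the distinction to check in the server's own `=> regex_matches` output.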