
RE: Newbie OpenLDAP-SASL question



Using "u:dn:cn=foo,..." is not legal. The docs say you must use either a
"u:" prefix or a "dn:" prefix, you cannot use both at once. And as I noted
in my previous message, the released code only allows a "u:" prefix. This
can be considered a bug, and you may want to file a bug report in the
OpenLDAP ITS about this. I don't know whether it will get patched for 2.0.x
since 2.1 is so close and the code is working properly in 2.1.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: manig@steltor.com [mailto:manig@steltor.com]
> Sent: Thursday, February 14, 2002 3:13 PM
> To: Howard Chu
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: Newbie OpenLDAP-SASL question
>
>
> Thanks for the clarifications.
>
> Even after searching the archives and reading many of the posts related
> to this matter, I have yet to solve this problem.
>
> Here is a relevant part of my ldap debug log (this occurs seemingly
> after SASL gives a positive password check):
>
>
>
> SASL Authorize [conn=1]: "dn:cn=Nolan Buschnell,dc=steltor,dc=com" as
> "u:dn:cn=Nolan Buschnell,dc=steltor,dc=com"
> slap_sasl_bind: username="u:dn:cn=Nolan Buschnell,dc=steltor,dc=com"
> realm="c-644.in.steltor.com" ssf=128
> <== slap_sasl_bind: authorization disallowed
>
>
>
> I am setting "dn:cn=Nolan Buschnell,dc=steltor,dc=com" as my
> authentication and authorization id's, which is consistent with both
> ldap utilities documentation, as well as RFC 2829 "Authentication
> Methods for LDAP". Why is it trying to authorize as "u:dn:cn=Nolan
> Buschnell,dc=steltor,dc=com" ?
>
> As I understand it, "u:dn:cn=Nolan Buschnell,dc=steltor,dc=com" has been
> authenticated, however the ldap server is of course not allowed to let
> this be an authorization for "dn:cn=Nolan Buschnell,dc=steltor,dc=com"
> (please let me know if my understanding is totally wrong :) ). As sort
> of a hack to fix this, I put the following lines in my slapd.conf:
>
> access to dn="^cn=(.*),dc=steltor,dc=com"
>  by dn=".*cn=$1,dc=steltor,dc=com.*" write
>
> Would this be the correct way to get something like "u:dn:cn=Nolan
> Buschnell,dc=steltor,dc=com" to authorize as "dn:cn=Nolan
> Buschnell,dc=steltor,dc=com" (forgive me if there are errors, I am rusty
> with regexp's)? After adding these lines my LDAP server does not seem to
> work anymore (I get "ldap_sasl_interactive_bind_s: No such object").
>
> Thanks,
> -Mani
>
> Howard Chu wrote:
> >
> > The reason "saslregexp" is only in the draft developer's admin guide is
> > because it only exists in the development code at the moment; it has never
> > been in any released versions. I think the upcoming 2.1alpha will be the
> > first actual release of this feature.
> >
> > Given that the current public release is 2.0.22 I find it difficult to
> > understand why anyone would begin a project today by compiling version
> > 2.0.9. It is in everyone's best interest to check for the latest versions of
> > all software before beginning to work with any of it. Sure there may be new,
> > as-yet-undiscovered bugs in the newest code, but in general more bugs are
> > fixed than introduced.
> >
> > As for mapping SASL IDs to LDAP DNs, this has been covered repeatedly in the
> > past couple weeks on this mailing list. The short answer in this case is
> > that slapd always constructs a DN using "uid=<sasl-name>+realm=<sasl-realm>"
> > in the released code, and always expects you to specify the name as
> > "u:<sasl-name>" on the command line.
> >
> > As mentioned before, the new code has the "saslregexp" config directive for
> > mapping SASL names to DN format, plus other related features to make SASL a
> > lot better integrated. Check through the archives of this mailing list for
> > more details.
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Brian Arkills
> > > Sent: Thursday, February 14, 2002 1:10 PM
> > > To: 'manig'; openldap-software@OpenLDAP.org
> > > Subject: RE: Newbie OpenLDAP-SASL question
> > >
> > >
> > > Let me begin by saying I've never setup an OpenLDAP server ...
> > > that said ...
> > >
> > > I believe what you are missing is not in the general admin guide
> > > for 2.0, but is in the draft developer's admin guide at:
> > > http://www.openldap.org/devel/admin/sasl.html section 9.2.3
> > > (which is not the same section as in the regular admin guide).
> > > You need to map the authentication id to an authorization id
> > > using the saslregex directive.
> > >
> > > I think the fact that this piece of information is only listed in
> > > the draft developer's guide is very problematic, and it should be
> > > added to the production admin guide to avoid further confusion.
> > >
> > > Brian
> > >
> > > > -----Original Message-----
> > > > From: manig [mailto:manig@steltor.com]
> > > > Sent: Thursday, February 14, 2002 11:04 AM
> > > > To: openldap-software@OpenLDAP.org
> > > > Subject: Newbie OpenLDAP-SASL question
> > > >
> > > >
> > > > To get directory users authenticated using SASL, I have taken the
> > > > following steps:
> > > >
> > > > - compile/install cyrus sasl
> > > > - compile/install openldap 2.0.9 with cyrus sasl support
> > > > - set 'require SASL' in my slapd.conf (I want to prevent any
> > > > other type of authentication)
> > > > - create a sasl passwd file (/etc/sasldb) using saslpasswd(8), invoked
> > > > like this:
> > > >
> > > > for dn "cn=Manager,dc=example,dc=com":
> > > > % /usr/local/sbin/saslpasswd -c "dn:cn=Manager,dc=example,dc=com"
> > > >
> > > > At this point, running ldapsearch with -D "cn=Manager,dc=example,dc=com"
> > > > and -W, I set the authentication id and the authzid to
> > > > "dn:cn=Manager,dc=example,dc=com". Running in debug mode, it looks like
> > > > it is authenticating correctly against the sasl database, however I get
> > > > the error:
> > > >
> > > > ldap_sasl_interactive_bind_s: Inappropriate authentication
> > > >         additional info: authorization disallowed
> > > >
> > > > (I believe the SASL part of authentication is going through correctly,
> > > > because putting in a wrong password gives me "Invalid Credentials
> > > > Error". Running in debug mode showed correct SASL client-server
> > > > communication, with a positive response from the server).
> > > >
> > > > Reading previous posts about SASL authentication, I believe what is
> > > > wrong here is that I am not telling the LDAP server which
> > > > SASL username
> > > > corresponds to which LDAP directory entry. Unfortunately, I couldn't
> > > > find any documentation on this matter.
> > > >
> > > > Thanks,
> > > > Mani
> > > >
> > > > --
> > > > /* Mani Ghasemlou, Software Developer
> > > >  * Steltor Inc., 2000 Peel Street, 4th floor, Montreal.
> > > >  * TELEPHONE: (514) 733-8500 EXT 4217 FAX: (514) 733-8878
> > > >  */
> > > >
>
> --
> /* Mani Ghasemlou, Software Developer
>  * Steltor Inc., 2000 Peel Street, 4th floor, Montreal.
>  * TELEPHONE: (514) 733-8500 EXT 4217 FAX: (514) 733-8878
>  */
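The authzid rules laid out in this thread (exactly one of "u:" or "dn:", and released 2.0.x mapping "u:<sasl-name>" to "uid=<sasl-name>+realm=<sasl-realm>"), modelled in Python as an added example that is not part of the thread or of OpenLDAP; the function names are this example's own, and the sample realm and DN are constructed from the quoted log.

```python
# Model of the SASL authorization-identity handling discussed in this thread:
# RFC 2829's "u:"/"dn:" forms and Howard Chu's description of the released
# 2.0.x mapping. Added example, not OpenLDAP source; the function names and
# the sample realm/DN below are this example's own.

def parse_authzid(authzid):
    """Split an authzid into (form, value) using exactly one RFC 2829 prefix.

    Raises ValueError otherwise, including for the stacked "u:dn:..." form seen
    in the log: it is neither a bare SASL user name nor a bare DN.
    """
    if authzid.startswith("u:"):
        if authzid[2:].startswith("dn:"):
            raise ValueError('"u:" and "dn:" prefixes cannot be combined')
        return "u", authzid[2:]
    if authzid.startswith("dn:"):
        return "dn", authzid[3:]
    raise ValueError('authzid must begin with "u:" or "dn:"')

def slapd_20x_dn(authzid, realm):
    """DN the released 2.0.x code derives, as described in the thread: only a
    "u:" prefix is understood, and the DN is always
    "uid=<sasl-name>+realm=<sasl-realm>". Everything after "u:" is taken as
    the SASL name, so "u:dn:cn=..." becomes a uid=dn:cn=... DN that no entry
    matches, consistent with the "authorization disallowed" in the log."""
    if not authzid.startswith("u:"):
        raise ValueError('released 2.0.x only allows a "u:" prefix')
    return "uid=%s+realm=%s" % (authzid[2:], realm)

def authorization_allowed(bound_dn, authzid, realm):
    """Authorization is granted only when the derived DN is the DN the
    authenticated identity maps to (simple case-insensitive comparison;
    full DN normalisation is out of scope here)."""
    try:
        derived = slapd_20x_dn(authzid, realm)
    except ValueError:
        return False
    return derived.lower() == bound_dn.lower()

# Constructed sample mirroring the log lines quoted in the thread.
REALM = "c-644.in.steltor.com"
TARGET_DN = "cn=Nolan Buschnell,dc=steltor,dc=com"

if __name__ == "__main__":
    print(slapd_20x_dn("u:dn:" + TARGET_DN, REALM))  # uid=dn:cn=... (no such entry)
    print(authorization_allowed(TARGET_DN, "u:dn:" + TARGET_DN, REALM))  # False
    print(authorization_allowed("uid=nolan+realm=" + REALM, "u:nolan", REALM))  # True
```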