
RE: SASL External : only bind with existing dn



Have you set any ACLs?
The default is read for all.

-----Original Message-----
From: Francois Beretti [mailto:francois.beretti@enatel.com]
Sent: Monday, March 10, 2003 11:01 AM
To: Liste OpenLDAP Software
Subject: SASL External : only bind with existing dn


Hello all

I managed to get SASL EXTERNAL working,
with certificate DNs of the same form as my directory DNs
(cn=francois,ou=people,dc=enatel,dc=local), without using
sasl-regexp.

But now any user with a certificate with a DN of this form can bind to
the directory, even if no entry matching his DN exists.

It is normal, as I read in the doc.
But is it a good thing ?
I have found in the doc that by putting this in slapd.conf I can solve
that, forcing slapd to find a matching entry in the database before
authorizing the connection :

sasl-regexp
 cn=(.*),ou=people,dc=enatel,dc=local
 ldap:///ou=people,dc=enatel,dc=local??sub?(cn=$1)

But it doesn't work.
I can still get this, while I have _no_ entry in my directory (so I
have no user "francois"):

[francois@linux-integ ssl]$ ldapsearch -Y external -ZZ
SASL/EXTERNAL authentication started
SASL username: CN=francois,OU=people,DC=enatel,DC=local
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 3
result: 32 No such object
# numResponses: 1

I also have an error in my log:
SASL [conn=5] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory

just before it seems to be authorized.
What can I think of this?
I used to think that SASL EXTERNAL doesn't need any secret
to be stored by SASL.
In several posts on this list I have seen:
saslpasswd2 -c <username>
but never for SASL EXTERNAL.

What must I do to solve this?
It seems to be a little error, but I don't know what to do...

thanks in advance

Francois


PS : Here is my log for the ldapsearch :

do_sasl_bind: dn () mech EXTERNAL
daemon: select: listen=6 active_threads=1 tvp=NULL
conn=5 op=1 BIND dn="" method=163
daemon: select: listen=7 active_threads=1 tvp=NULL
==> sasl_bind: dn="" mech=EXTERNAL datalen=0
SASL Canonicalize [conn=5]: authcid="cn=francois,ou=people,dc=enatel,dc=local"
slap_sasl_getdn: id=cn=francois,ou=people,dc=enatel,dc=local
==>slap_sasl2dn: converting SASL name cn=francois,ou=people,dc=enatel,dc=local to a DN
slap_sasl_regexp: converting SASL name cn=francois,ou=people,dc=enatel,dc=local
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enatel,dc=local??sub?(cn=francois)
slap_parseURI: parsing ldap:///ou=people,dc=enatel,dc=local??sub?(cn=francois)
str2filter "(cn=francois)"
begin get_filter
EQUALITY
end get_filter 0
>>> dnNormalize: <ou=people,dc=enatel,dc=local>
<<< dnNormalize: <ou=people,dc=enatel,dc=local>
slap_sasl2dn: performing internal search (base=ou=people,dc=enatel,dc=local, scope=2)
=> ldbm_back_search
dn2entry_r: dn: "ou=people,dc=enatel,dc=local"
=> dn2id( "ou=people,dc=enatel,dc=local" )
=> ldbm_cache_open( "dn2id.dbb", 73, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id NOID
dn2entry_r: dn: "dc=enatel,dc=local"
=> dn2id( "dc=enatel,dc=local" )
=> ldbm_cache_open( "dn2id.dbb", 73, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id NOID
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=10 matched="" text=""
conn=0 op=0 RESULT tag=101 err=32 text=
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=5]: authcDN="cn=francois,ou=people,dc=enatel,dc=local"
SASL [conn=5] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
SASL Authorize [conn=5]: authcid="cn=francois,ou=people,dc=enatel,dc=local" authzid="cn=francois,ou=people,dc=enatel,dc=local"
conn=5 op=1 BIND authcid="cn=francois,ou=people,dc=enatel,dc=local"
SASL Authorize [conn=5]:  authorization allowed
send_ldap_sasl: err=0 len=-1
send_ldap_response: msgid=2 tag=97 err=0
<== slap_sasl_bind: rc=0
conn=5 op=1 AUTHZ dn="cn=francois,ou=people,dc=enatel,dc=local" mech=EXTERNAL ssf=0
do_bind: SASL/EXTERNAL bind: dn="cn=francois,ou=people,dc=enatel,dc=local" ssf=0
daemon: activity on 1 descriptors
daemon: activity on:
 10r

daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=5
connection_read(10): checking for input on id=5
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
do_search
daemon: select: listen=6 active_threads=1 tvp=NULL
>>> dnPrettyNormal: <dc=enatel,dc=local>
daemon: select: listen=7 active_threads=1 tvp=NULL
<<< dnPrettyNormal: <dc=enatel,dc=local>, <dc=enatel,dc=local>
daemon: activity on 1 descriptors
SRCH "dc=enatel,dc=local" 2 0
daemon: select: listen=6 active_threads=1 tvp=NULL
    0 0 0
daemon: select: listen=7 active_threads=1 tvp=NULL
begin get_filter
PRESENT
end get_filter 0
    filter: (objectClass=*)
    attrs:

conn=5 op=2 SRCH base="dc=enatel,dc=local" scope=2 filter="(objectClass=*)"
=> ldbm_back_search
dn2entry_r: dn: "dc=enatel,dc=local"
=> dn2id( "dc=enatel,dc=local" )
=> ldbm_cache_open( "dn2id.dbb", 73, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id NOID
send_ldap_result: conn=5 op=2 p=3
send_ldap_result: err=10 matched="" text=""
send_ldap_response: msgid=3 tag=101 err=32
conn=5 op=2 RESULT tag=101 err=32 text=
daemon: activity on 1 descriptors
daemon: activity on:
 10r

daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=5
connection_read(10): checking for input on id=5
ber_get_next on fd 10 failed errno=0 (Success)
do_unbind
connection_read(10): input error=-2 id=5, closing.
conn=5 op=3 UNBIND
connection_closing: readying conn=5 sd=10 for close
connection_close: deferring conn=5 sd=10
connection_resched: attempting closing conn=5 sd=10
daemon: select: listen=6 active_threads=1 tvp=NULL
connection_close: conn=5 sd=10
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: removing 10
daemon: activity on 1 descriptors
conn=5 fd=10 closed
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
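The trace above shows the sasl-regexp mapping search coming back empty ("Converted SASL name to <nothing>") and the bind nonetheless being authorized under the raw certificate DN. A small parser over such a trace makes that condition easy to spot in a log. This is an added example, not part of the original message and not OpenLDAP code: the log lines embedded in it are constructed from the output quoted above with the mail-client line wrapping undone, the second connection (conn=6) is invented for contrast, and the assumption that the "Converted SASL name" line belongs to the most recent "SASL Canonicalize" line is stated in the code.

```python
import re
from typing import Dict, List, Optional

# Constructed sample trace, modelled on the slapd debug output quoted in the
# message above (conn=5: SASL/EXTERNAL, regexp search finds no entry, bind is
# still authorized).  conn=6 is an invented contrast case whose mapping search
# did return an entry.  Lines the mail client had wrapped are rejoined here.
SAMPLE_LOG = """\
conn=5 op=1 BIND dn="" method=163
==> sasl_bind: dn="" mech=EXTERNAL datalen=0
SASL Canonicalize [conn=5]: authcid="cn=francois,ou=people,dc=enatel,dc=local"
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enatel,dc=local??sub?(cn=francois)
slap_sasl2dn: performing internal search (base=ou=people,dc=enatel,dc=local, scope=2)
conn=0 op=0 RESULT tag=101 err=32 text=
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=5]: authcDN="cn=francois,ou=people,dc=enatel,dc=local"
SASL Authorize [conn=5]:  authorization allowed
conn=5 op=1 AUTHZ dn="cn=francois,ou=people,dc=enatel,dc=local" mech=EXTERNAL ssf=0
conn=6 op=1 BIND dn="" method=163
==> sasl_bind: dn="" mech=EXTERNAL datalen=0
SASL Canonicalize [conn=6]: authcid="cn=alice,ou=people,dc=enatel,dc=local"
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enatel,dc=local??sub?(cn=alice)
<==slap_sasl2dn: Converted SASL name to cn=alice,ou=people,dc=enatel,dc=local
SASL Canonicalize [conn=6]: authcDN="cn=alice,ou=people,dc=enatel,dc=local"
SASL Authorize [conn=6]:  authorization allowed
conn=6 op=1 AUTHZ dn="cn=alice,ou=people,dc=enatel,dc=local" mech=EXTERNAL ssf=0
"""

# Only the capitalised "Converted SASL name to" line reports the mapping result;
# the lowercase "converting"/"converted" lines from slap_sasl_regexp are skipped.
CANON_RE = re.compile(r'SASL Canonicalize \[conn=(\d+)\]:\s*authcid="([^"]*)"')
SASL2DN_RE = re.compile(r'slap_sasl2dn: Converted SASL name to (.*)$')
AUTHZ_RE = re.compile(r'conn=(\d+) op=\d+ AUTHZ dn="([^"]*)" mech=(\S+) ssf=(\d+)')


def _new_state(conn: str) -> Dict[str, object]:
    return {"conn": conn, "authcid": None, "mapping_seen": False,
            "mapped_dn": None, "authz_dn": None, "mech": None, "ssf": None}


def parse_binds(log_text: str) -> Dict[str, Dict[str, object]]:
    """Collect per-connection SASL bind state from a slapd debug trace.

    Assumption: the "Converted SASL name to ..." line carries no conn id, so it
    is attributed to the connection whose Canonicalize line was seen last.  That
    holds for a trace of one bind at a time; concurrent binds may interleave.
    """
    binds: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in log_text.splitlines():
        m = CANON_RE.search(line)
        if m:
            current = m.group(1)
            st = binds.setdefault(current, _new_state(current))
            st["authcid"] = m.group(2)
            continue
        m = SASL2DN_RE.search(line)
        if m and current is not None:
            result = m.group(1).strip()
            st = binds[current]
            st["mapping_seen"] = True
            # "<nothing>" means the regexp search matched no directory entry.
            st["mapped_dn"] = None if result == "<nothing>" else result.strip("<>")
            continue
        m = AUTHZ_RE.search(line)
        if m:
            st = binds.setdefault(m.group(1), _new_state(m.group(1)))
            st["authz_dn"], st["mech"], st["ssf"] = m.group(2), m.group(3), int(m.group(4))
    return binds


def phantom_binds(binds: Dict[str, Dict[str, object]]) -> List[Dict[str, object]]:
    """EXTERNAL binds whose mapping search found no entry but were still authorized as a DN."""
    return [st for st in binds.values()
            if st["mech"] == "EXTERNAL" and st["mapping_seen"]
            and st["mapped_dn"] is None and st["authz_dn"]]


if __name__ == "__main__":
    for f in phantom_binds(parse_binds(SAMPLE_LOG)):
        print(f'conn={f["conn"]}: authorized as {f["authz_dn"]!r} although the '
              f'mapping search returned no entry (mech={f["mech"]}, ssf={f["ssf"]})')
```

Run it over the output of slapd started with the same debug levels as in the trace above. Any hit is a client that authenticated with a certificate whose subject matched the sasl-regexp pattern but has no entry in the directory, which is the situation the question describes. Note that an ACL written as "by users ..." does not help here on its own: "users" matches any authenticated identity, and such a bind counts as authenticated even though the DN has no entry.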