
RE: SASL External : only bind with existing dn



Ok, I hadn't thought of ACLs at all
I am a newbie... sorry
I'm gonna see how I can use them to force a user to exist to be allowed
to bind

thanks, Kyle

Francois

On Mon 10/03/2003 at 17:09, Chapman, Kyle wrote:
> have you set any acls?
> the default is read for all
> 
> -----Original Message-----
> From: Francois Beretti [mailto:francois.beretti@enatel.com]
> Sent: Monday, March 10, 2003 11:01 AM
> To: Liste OpenLDAP Software
> Subject: SASL External : only bind with existing dn
> 
> 
> Hello all
> 
> I managed to get SASL External working,
> with certificates DNs of same form as my directory DNs
> (cn=francois,ou=people,dc=enatel,dc=local), without using
> sasl-regexp
> 
> but now any user with a certificate with a dn of this form can bind to
> the directory, even if no entry matching his dn exists
> 
> It is normal, as I read in the doc.
> But is it a good thing?
> I have found in the doc that by putting this in slapd.conf I can solve
> that, forcing slapd to find a matching entry in the database before
> authorizing the connection:
> 
> sasl-regexp
>  cn=(.*),ou=people,dc=enatel,dc=local
>  ldap:///ou=people,dc=enatel,dc=local??sub?(cn=$1)
> 
> but it doesn't work
> I can still get this, while I have _no_ entry in my directory (so I
> have no user "francois"):
> 
> [francois@linux-integ ssl]$ ldapsearch -Y external -ZZ
> SASL/EXTERNAL authentication started
> SASL username: CN=francois,OU=people,DC=enatel,DC=local
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
> # search result
> search: 3
> result: 32 No such object
> # numResponses: 1
> 
> I also have an error in my log:
> SASL [conn=5] Error: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> 
> just before seeming to be authorized
> What can I think of this?
> I used to think that sasl external doesn't need any secret
> to be stored by sasl
> on several posts on this list I have seen :
> saslpasswd2 -c <username>
> but never for sasl external
> 
> what must I do to solve this?
> it seems to be a little error but I don't know what to do...
> 
> thanks in advance
> 
> Francois
> 
> 
> PS: Here is my log for the ldapsearch:
> 
> do_sasl_bind: dn () mech EXTERNAL
> daemon: select: listen=6 active_threads=1 tvp=NULL
> conn=5 op=1 BIND dn="" method=163
> daemon: select: listen=7 active_threads=1 tvp=NULL
> ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
> SASL Canonicalize [conn=5]:
> authcid="cn=francois,ou=people,dc=enatel,dc=local"
> slap_sasl_getdn: id=cn=francois,ou=people,dc=enatel,dc=local
> ==>slap_sasl2dn: converting SASL name
> cn=francois,ou=people,dc=enatel,dc=local to a DN
> slap_sasl_regexp: converting SASL name
> cn=francois,ou=people,dc=enatel,dc=local
> slap_sasl_regexp: converted SASL name to
> ldap:///ou=people,dc=enatel,dc=local??sub?(cn=francois)
> slap_parseURI: parsing
> ldap:///ou=people,dc=enatel,dc=local??sub?(cn=francois)
> str2filter "(cn=francois)"
> begin get_filter
> EQUALITY
> end get_filter 0
> >>> dnNormalize: <ou=people,dc=enatel,dc=local>
> <<< dnNormalize: <ou=people,dc=enatel,dc=local>
> slap_sasl2dn: performing internal search
> (base=ou=people,dc=enatel,dc=local, scope=2)
> => ldbm_back_search
> dn2entry_r: dn: "ou=people,dc=enatel,dc=local"
> => dn2id( "ou=people,dc=enatel,dc=local" )
> => ldbm_cache_open( "dn2id.dbb", 73, 600 )
> <= ldbm_cache_open (cache 0)
> <= dn2id NOID
> dn2entry_r: dn: "dc=enatel,dc=local"
> => dn2id( "dc=enatel,dc=local" )
> => ldbm_cache_open( "dn2id.dbb", 73, 600 )
> <= ldbm_cache_open (cache 0)
> <= dn2id NOID
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_result: err=10 matched="" text=""
> conn=0 op=0 RESULT tag=101 err=32 text=
> <==slap_sasl2dn: Converted SASL name to <nothing>
> SASL Canonicalize [conn=5]:
> authcDN="cn=francois,ou=people,dc=enatel,dc=local"
> SASL [conn=5] Error: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> SASL Authorize [conn=5]:
> authcid="cn=francois,ou=people,dc=enatel,dc=local"
> authzid="cn=francois,ou=people,dc=enatel,dc=local"
> conn=5 op=1 BIND authcid="cn=francois,ou=people,dc=enatel,dc=local"
> SASL Authorize [conn=5]:  authorization allowed
> send_ldap_sasl: err=0 len=-1
> send_ldap_response: msgid=2 tag=97 err=0
> <== slap_sasl_bind: rc=0
> conn=5 op=1 AUTHZ dn="cn=francois,ou=people,dc=enatel,dc=local"
> mech=EXTERNAL ssf=0
> do_bind: SASL/EXTERNAL bind:
> dn="cn=francois,ou=people,dc=enatel,dc=local" ssf=0
> daemon: activity on 1 descriptors
> daemon: activity on:
>  10r
> 
> daemon: read activity on 10
> connection_get(10)
> connection_get(10): got connid=5
> connection_read(10): checking for input on id=5
> ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> do_search
> daemon: select: listen=6 active_threads=1 tvp=NULL
> >>> dnPrettyNormal: <dc=enatel,dc=local>
> daemon: select: listen=7 active_threads=1 tvp=NULL
> <<< dnPrettyNormal: <dc=enatel,dc=local>, <dc=enatel,dc=local>
> daemon: activity on 1 descriptors
> SRCH "dc=enatel,dc=local" 2 0
> daemon: select: listen=6 active_threads=1 tvp=NULL
>     0 0 0
> daemon: select: listen=7 active_threads=1 tvp=NULL
> begin get_filter
> PRESENT
> end get_filter 0
>     filter: (objectClass=*)
>     attrs:
> 
> conn=5 op=2 SRCH base="dc=enatel,dc=local" scope=2
> filter="(objectClass=*)"
> => ldbm_back_search
> dn2entry_r: dn: "dc=enatel,dc=local"
> => dn2id( "dc=enatel,dc=local" )
> => ldbm_cache_open( "dn2id.dbb", 73, 600 )
> <= ldbm_cache_open (cache 0)
> <= dn2id NOID
> send_ldap_result: conn=5 op=2 p=3
> send_ldap_result: err=10 matched="" text=""
> send_ldap_response: msgid=3 tag=101 err=32
> conn=5 op=2 RESULT tag=101 err=32 text=
> daemon: activity on 1 descriptors
> daemon: activity on:
>  10r
> 
> daemon: read activity on 10
> connection_get(10)
> connection_get(10): got connid=5
> connection_read(10): checking for input on id=5
> ber_get_next on fd 10 failed errno=0 (Success)
> do_unbind
> connection_read(10): input error=-2 id=5, closing.
> conn=5 op=3 UNBIND
> connection_closing: readying conn=5 sd=10 for close
> connection_close: deferring conn=5 sd=10
> connection_resched: attempting closing conn=5 sd=10
> daemon: select: listen=6 active_threads=1 tvp=NULL
> connection_close: conn=5 sd=10
> daemon: select: listen=7 active_threads=1 tvp=NULL
> daemon: removing 10
> daemon: activity on 1 descriptors
> conn=5 fd=10 closed
> daemon: select: listen=6 active_threads=1 tvp=NULL
> daemon: select: listen=7 active_threads=1 tvp=NULL