
SASL / DIGEST-MD5
Hello all

I'm trying to get DIGEST-MD5 working with passwords stored in the OpenLDAP
directory instead of sasldb2.

According to the docs it is possible; however, I get an error when I run this:

$ ldapsearch -Y DIGEST-MD5 -U francois -ZZ
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-13): user not found: no secret in database

and in the logs I get this kind of thing:
====> cache_find_entry_id( 4 )
"cn=francois,ou=people,dc=enatel,dc=local" (found) (1 tries)
[...]
=> access_allowed: search access to
"cn=francois,ou=people,dc=enatel,dc=local" "objectClass" requested
[...]
=> acl_mask: access to entry "cn=francois,ou=people,dc=enatel,dc=local",
attr "objectClass" requested
[...]
<= check a_dn_pat: self
<= check a_dn_pat: cn=root,dc=enatel,dc=local
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=x) (stop)
<= acl_mask: [3] mask: auth(=x)
=> access_allowed: search access denied by auth(=x)

then a lookup in the sasldb2 file, then the error.

I have password-hash {CLEARTEXT} in slapd.conf, and the passwords are
cleartext (I checked).
Here are my ACLs:

access  to dn=".*,ou=people,dc=enatel,dc=local"
        by self write
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none

access  to *
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none

I think they are too restrictive.
What is wrong?

Thanks

Francois
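An added illustration, not part of Francois's post, of why the "no secret" error is tied to how the password is stored: DIGEST-MD5 (RFC 2831) requires the server to hold either the cleartext password or the MD5 of username:realm:password, so a directory that keeps only one-way hashes such as {SSHA} cannot verify the client's response. The values are the sample exchange from RFC 2831 section 4; the `server_verify` helper and its handling of a `{CLEARTEXT}` prefix are assumptions made for this example, not OpenLDAP code.

```python
import hashlib
import hmac
from typing import Optional


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def secret_hash(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the only secret the server must keep."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str, qop: str = "auth",
                        authzid: Optional[str] = None,
                        server: bool = False) -> str:
    """RFC 2831 'response' (client) or 'rspauth' (server) from the secret."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    # The server-side rspauth omits the "AUTHENTICATE" method token.
    a2 = ("" if server else "AUTHENTICATE") + f":{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1, ha2 = _md5hex(a1), _md5hex(a2.encode())
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode())


def server_verify(stored_userpassword: str, username: str, realm: str,
                  nonce: str, cnonce: str, nc: str, digest_uri: str,
                  client_response: str, qop: str = "auth") -> Optional[bool]:
    """Check a client response against a userPassword value.

    Returns None when the stored value is a one-way hash ({SSHA}, {CRYPT},
    ...), i.e. when there is no usable secret for DIGEST-MD5 at all.
    Assumption for this example: a value without a scheme prefix, or with
    {CLEARTEXT}, is the cleartext password.
    """
    if stored_userpassword.startswith("{CLEARTEXT}"):
        password = stored_userpassword[len("{CLEARTEXT}"):]
    elif stored_userpassword.startswith("{"):
        return None
    else:
        password = stored_userpassword
    secret = secret_hash(username, realm, password)
    expected = digest_md5_response(secret, nonce, cnonce, nc, digest_uri, qop)
    return hmac.compare_digest(expected, client_response)
```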