
Re: [SOLVED] SASL Digest-md5 authentication w/ openldap 2.1.16



On Sat, 2003-05-31 at 16:09, jawed abbasi wrote:
> How did you figure this out? Please let us know.
>  
> I have seen this phenomenon: if I use SASL and connect with a user ID,
> there is no response, but anonymous and root users connect without issue.
> 
nohup slapd -d 65535 -u ldap
then in another console I ran
ldapsearch -U user@dom.tld -b o=MyOrd,c=US

then when ldapsearch returned w/ an error I ctrl-c'd slapd in the other
console and looked at the nohup.out file..

This is what I found.. a good ways through the log there's the execution
of slap_sasl_regexp, and I found that it was splitting my username
correctly into user and realm=dom.tld, so I fixed my regexp and made sure
the converted SASL name was the correct DN..
then further down in the log, after the error of trying to open the
sasldb2 file, it tried to request auth access to the objectClass
attribute of the DN, which was denied by my ACLs.
Fixed that and ran things again and they worked..
upon looking through the log of the "correctly" working configuration,
slapd then tries to access the userPassword attribute of the DN..
then does the authorization.

so in my access ACLs I have this (which is pertinent to the execution of
the sasl auth)

access to dn="" by * read
access to dn="cn=Subschema" by users read
access to dn="uid=.*,ou=People,o=MyOrg,c=US"
attr=userPassword,objectClass
   by group="cn=admin,ou=Group,o=MyOrg,c=US" write
   by self write
   by anonymous auth


> Edward Rudd <eddie@omegaware.com> wrote:
>         I finally figured it out..
>         I traced the ACLs and found that openLDAP was trying to get access to
>         the objectClass attribute of the mapped dn which my acls only allowed
>         anonymous to auth with the userPassword attr.
>         
>         On Sat, 2003-05-31 at 02:08, Edward Rudd wrote:
>         > I've read through the admin guide manual way too many times.. and I
>         > can't find anything wrong with my setup...
>         > Here we go..
>         > I'm trying to get sasl bind authentication to work with openldap 2.1.16.
>         > I have things set up like this
>         > 
>         > 
>         > ---/etc/openldap/slapd.conf
>         > password-hash {CLEARTEXT}
>         > sasl-regexp
>         > uid=(.*),cn=(.*),cn=digest-md5,cn=auth
>         > uid=$1,ou=People,o=OmegaWare,c=US
>         > ---
>         > for some reason the -R realm arg is being ignored on ldapsearch so I am
>         > passing user@dom.tld in the -U parameter and ignoring the default realm
>         > 
>         > 
>         > ---/usr/lib/sasl2/slapd.conf
>         > mech_list: digest-md5 cram-md5
>         > ---
>         > that is being sent; this is to disable gssapi as an auth mech
>         > 
>         > 
>         > ---uid entry in LDAP
>         > dn: uid=user@dom.tld,ou=People,o=MyOrg,c=US
>         > objectClass:top
>         > objectClass:person
>         > sn: user
>         > cn: my user
>         > userPassword: test
>         > ---
>         > I'm using GQ to update my LDAP and put userPassword in using CLEAR
>         > 
>         > 
>         > Now on to the errors..
>         > ldapsearch -U user@dom.tld -b o=MyOrg,c=US
>         > SASL/DIGEST-MD5 authentication started
>         > Please enter your password:
>         > ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
>         > additional info: SASL(-13): user not found: no secret in database
>         > 
>         > with -d 255 I get all the network traffic information and from that I
>         > see things like.
>         > username="user@dom.tld",realm="myinternal.host.name",....
>         > 
>         > 
>         > in my /var/log/ldap.log (default logging settings) I get
>         > --- /var/log/ldap.log
>         > conn=19 fd=13 ACCCEPT from IP=127.0.0.1:1302 (ip=0.0.0.0:389)
>         > conn=19 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
>         > conn=19 op=0 SRCH attr=supportedSASLMechanisms
>         > conn=19 op=9 RESULT tag=101 err=0 text=
>         > conn=19 op=1 BIND dn="" method=163
>         > conn=19 op=2 BIND dn="" method=163
>         > SASL [conn=19] Error: unable to open Berkely db /etc/sasldb2: No such file or directory
>         > las messager repeated 2 times
>         > conn=0 op=0 RESULT tag=101 err=32 text=
>         > SASL [conn=19] Failure: no secret in database
>         > conn=19 op=2 RESULT tag=97 err=80 text="SASL(-13): user not found: no secret in database
>         > conn=19 fd=13 closed
>         > ---
>         > 
>         > Now if I create a sasldb2 and add in user in there (user@dom.tld doesn't work)
>         > I can auth as 
>         > ldapsearch -U user
>         > but I don't want my users in the sasldb.. I want them in the LDAP
>         > directory along with the passwords in the LDAP directory??
>         > Any ideas on what's misconfigured??
>         > I'm using Simon Matter's cyrus-sasl2 rpms and I'm using open-it.org's
>         > openldap RPMS All rebuilt on a RH 7.3 system..
>         > 
>         > Oh and I have simple authentication working perfectly and running.
>         > 
>         > Edward Rudd.
>         -- 
>         Edward Rudd 
> 
-- 
Edward Rudd <eddie@omegaware.com>
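The two slapd mechanisms the thread ends up tracing, the sasl-regexp that turns the DIGEST-MD5 authentication identity (uid=<user>,cn=<realm>,cn=digest-md5,cn=auth) into a DN, and the "auth" ACL checks on objectClass and userPassword that the still-anonymous connection must pass before the bind can complete, can be simulated offline. The script below is an added example written for this page; it is not slapd's code and not anything posted in the thread. It re-implements only the small subset of slapd.conf ACL semantics used here (dn= as a regex, attrs=, and by * / anonymous / users / self / group=), assumes o=MyOrg,c=US throughout (the original post mixes OmegaWare and MyOrg), and the admin group membership is constructed for the example.

```python
"""Added example (not from the thread or from OpenLDAP): simulate the
sasl-regexp identity mapping and the 'auth' ACL checks that a SASL
DIGEST-MD5 bind triggers in slapd, using the stanzas from the thread."""
import re

# Order of slapd access levels; a granted level satisfies any lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# sasl-regexp as in the thread (o=MyOrg assumed; the original post also
# uses o=OmegaWare, which looks like an anonymisation slip).
SASL_REGEXP = (r"uid=(.*),cn=(.*),cn=digest-md5,cn=auth",
               "uid=$1,ou=People,o=MyOrg,c=US")


def sasl_identity(user, realm, mech="digest-md5"):
    """Authentication identity slapd derives from a SASL bind."""
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def map_sasl_identity(identity, regexp=SASL_REGEXP):
    """Apply a sasl-regexp pair: regex match, then $1..$9 substitution.
    Returns the DN, or None when the identity does not match."""
    pattern, replacement = regexp
    m = re.fullmatch(pattern, identity, flags=re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def who_matches(who, requester_dn, target_dn, groups):
    """Evaluate one 'by <who>' clause. requester_dn is None for anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("group="):
        members = groups.get(who[len("group="):], set())
        return requester_dn is not None and requester_dn in members
    raise ValueError(f"unsupported who clause: {who}")


def check_access(acls, requester_dn, target_dn, attr, needed, groups=None):
    """First-match semantics as in slapd: the first 'access to' clause whose
    dn regex and attrs cover the request decides; within it the first
    matching 'by' clause sets the level; otherwise access is none."""
    groups = groups or {}
    for dn_regex, attrs, by_clauses in acls:
        if re.fullmatch(dn_regex, target_dn, flags=re.IGNORECASE) is None:
            continue
        if attrs is not None and attr.lower() not in {a.lower() for a in attrs}:
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn, groups):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False  # target matched but no 'by' clause did: no access
    return False      # no clause matched: slapd's implicit default is none


def sasl_bind_blocked_on(acls, target_dn, groups=None):
    """The attributes slapd touches during the bind, in the order the thread's
    trace shows them, each needing 'auth' from the still-anonymous client.
    Returns the first attribute that is denied, or None if the bind may proceed."""
    for attr in ("objectClass", "userPassword"):
        if not check_access(acls, None, target_dn, attr, "auth", groups):
            return attr
    return None


# ACL set as it was before the fix (only userPassword listed)...
PEOPLE = r"uid=.*,ou=People,o=MyOrg,c=US"
ADMIN = "cn=admin,ou=Group,o=MyOrg,c=US"
BY_PEOPLE = [(f"group={ADMIN}", "write"), ("self", "write"), ("anonymous", "auth")]
ACLS_BEFORE = [
    ("", None, [("*", "read")]),
    ("cn=Subschema", None, [("users", "read")]),
    (PEOPLE, ["userPassword"], BY_PEOPLE),
]
# ...and after it, matching the ACL block in the reply.
ACLS_AFTER = [
    ("", None, [("*", "read")]),
    ("cn=Subschema", None, [("users", "read")]),
    (PEOPLE, ["userPassword", "objectClass"], BY_PEOPLE),
]
# Constructed group membership for the group= clause (not from the thread).
GROUPS = {ADMIN: {"uid=admin,ou=People,o=MyOrg,c=US"}}

if __name__ == "__main__":
    dn = map_sasl_identity(sasl_identity("user@dom.tld", "myinternal.host.name"))
    print("mapped DN:", dn)
    for name, acls in (("before", ACLS_BEFORE), ("after", ACLS_AFTER)):
        blocked = sasl_bind_blocked_on(acls, dn, GROUPS)
        print(f"{name}: {'bind blocked on ' + blocked if blocked else 'bind may proceed'}")
```

Running it shows the "before" ACL set failing on objectClass, exactly the denial the trace in the reply turned up, and the "after" set letting the bind proceed. The grant stays minimal: DIGEST-MD5 needs the server to see the cleartext password (hence password-hash {CLEARTEXT} in the original post), so anonymous gets "auth" on userPassword and nothing higher; check_access with "read" against the same DN still returns False for anonymous and for other authenticated users.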