
Re[2]: SASL MD5 - another try



Hello Oliver,

   This time everything was deinstalled, ports upgraded, then
   installed again

OE> Try cd /usr/ports/net/openldap21; make install WITH_SASL=yes

    As a dependency of OpenLDAP-2.1.22, Cyrus-SASL-2.1.15 was
    installed. Then I put my LDAP db and configs back (there was a
    slave OpenLDAP 2.1.21 before this experiment; I commented out the
    lines with referral, just in case).

OE> Make sure you do not have other OpenLDAP versions installed with
OE> pkg_info -I 'openldap*'

icarus# pkg_info -I openldap\*
openldap-2.1.22     Open source LDAP client and server software

OE> Also some trace info would be useful - add '-d 255' or something (see
OE> man 8 slapd) to slapd_args in /usr/local/etc/rc.d/slapd.sh.

    I put 'loglevel 255' in the config - is that ok? I think it has the
    same effect. I have not installed Cyrus-IMAPD. OK, let's just try to
    search for something.

icarus@root [20:02:00] ~ # ldapsearch -Y DIGEST-MD5 -U lan uid=lan
#
# LDAPv3
# base <> with scope sub
# filter: uid=lan
# requesting: ALL
#

# lan, 33(10), users, startatom.ru
dn: uid=lan,node=33(10),ou=users,dc=startatom,dc=ru
ou: users
displayName:: 0JDQu9C10LrRgdCw0L3QtNGAINCb0YPQvdC10LI=
objectClass: personAccount
uid: lan
mail: lan@startatom.ru
sn:: 0JvRg9C90LXQsg==
givenName:: 0JDQu9C10LrRgdCw0L3QtNGA
middleName:: 0J3QuNC60L7Qu9Cw0LXQstC40Yc=
cn:: 0KHQtdGC0LXQstC+0Lkg0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YA=
building: 19
room: 205
floor: 2
phone: 7923
dialupAccess: 1
proxyAccess: 1
departmentNumber: 33
boss:
node: 33(10)

# search result
search: 2
result: 0 Success

# numResponses: 2    
# numEntries: 1

  That entry also has a 'userPassword' attribute, but we are
  restricted by the ACL from reading it as anonymous; part of the ACL is:

access to dn="ou=users,dc=startatom,dc=ru" attr=userPassword
        by dn="cn=usermaster,dc=startatom,dc=ru" write
        by dn="cn=replica,dc=startatom,dc=ru" write
        by dn="cn=admin,dc=startatom,dc=ru" read
        by self write
        by * auth  

  Then we'll try to bind to LDAP with SASL auth

icarus@root [20:05:07] ~ # ldapsearch -Y DIGEST-MD5 -U lan uid=lan
SASL/DIGEST-MD5 authentication started
^C
icarus@root [20:06:16] ~ #

  Part of the log (from the moment I pressed 'enter' until I got tired
  of waiting for a miracle):

Jul 16 20:05:10 icarus slapd[42067]: daemon: activity on 1 descriptors
Jul 16 20:05:10 icarus slapd[42067]: daemon: new connection on 9
Jul 16 20:05:10 icarus slapd[42067]: daemon: added 9r
Jul 16 20:05:10 icarus slapd[42067]: daemon: activity on:
Jul 16 20:05:10 icarus slapd[42067]:
Jul 16 20:05:10 icarus slapd[42067]: daemon: select: listen=8 active_threads=0 tvp=NULL
Jul 16 20:05:10 icarus slapd[42067]: daemon: activity on 1 descriptors
Jul 16 20:05:10 icarus slapd[42067]: daemon: activity on:
Jul 16 20:05:10 icarus slapd[42067]:  9r
Jul 16 20:05:10 icarus slapd[42067]:
Jul 16 20:05:10 icarus slapd[42067]: daemon: read activity on 9
Jul 16 20:05:10 icarus slapd[42067]: connection_get(9)
Jul 16 20:05:10 icarus slapd[42067]: connection_get(9): got connid=1
Jul 16 20:05:10 icarus slapd[42067]: connection_read(9): checking for input on id=1
Jul 16 20:05:10 icarus slapd[42067]: ber_get_next on fd 9 failed errno=35 (Resource temporarily unavailable)
Jul 16 20:05:10 icarus slapd[42067]: do_bind
Jul 16 20:05:10 icarus slapd[42067]: >>> dnPrettyNormal: <>
Jul 16 20:05:10 icarus slapd[42067]: <<< dnPrettyNormal: <>, <>
Jul 16 20:05:10 icarus slapd[42067]: do_sasl_bind: dn () mech DIGEST-MD5
Jul 16 20:05:10 icarus slapd[42067]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
Jul 16 20:05:10 icarus slapd[42067]: SASL [conn=1] Debug: DIGEST-MD5 server step 1
Jul 16 20:05:10 icarus slapd[42067]: daemon: select: listen=8 active_threads=1 tvp=NULL

  And here I pressed Ctrl-C - it has been 66 seconds, and as you can see,
  in those 66 seconds there was nothing. No errors, no warnings, nothing. Silence.

Jul 16 20:06:16 icarus slapd[42067]: daemon: activity on 1 descriptors
Jul 16 20:06:16 icarus slapd[42067]: daemon: activity on:
Jul 16 20:06:16 icarus slapd[42067]:  9r
Jul 16 20:06:16 icarus slapd[42067]:
Jul 16 20:06:16 icarus slapd[42067]: daemon: read activity on 9
Jul 16 20:06:16 icarus slapd[42067]: connection_get(9)
Jul 16 20:06:16 icarus slapd[42067]: connection_get(9): got connid=1
Jul 16 20:06:16 icarus slapd[42067]: connection_read(9): checking for input on id=1
Jul 16 20:06:16 icarus slapd[42067]: ber_get_next on fd 9 failed errno=0 (Undefined error: 0)
Jul 16 20:06:16 icarus slapd[42067]: connection_read(9): input error=-2 id=1, closing.
Jul 16 20:06:16 icarus slapd[42067]: connection_closing: readying conn=1 sd=9 for close
Jul 16 20:06:16 icarus slapd[42067]: connection_close: deferring conn=1 sd=9
Jul 16 20:06:16 icarus slapd[42067]: daemon: select: listen=8 active_threads=1 tvp=NULL
Jul 16 20:06:16 icarus slapd[42067]: daemon: activity on 1 descriptors
Jul 16 20:06:16 icarus slapd[42067]: daemon: select: listen=8 active_threads=1 tvp=NULL

  My config files and the full logfile (from the moment slapd starts until it stops) are attached.

  And also - after I try to bind with SASL and fail, and then
  exec '/usr/local/etc/rc.d/slapd.sh stop' to stop the slapd daemon, I
  find that one 'slapd' process remains in the 'ps ax' list; 'killall
  slapd' doesn't do anything, only 'kill -9 $processnum' helps. When
  I do not try to bind with SASL, it stops normally, without that
  zombie-like effect (but it's definitely not a zombie, it just doesn't
  stop).

icarus@root [20:07:10] ~ # /usr/local/etc/rc.d/slapd.sh stop
 slapd
icarus@root [20:07:56] ~ # ps ax | grep slapd
42067  ??  Rs     0:17,66 /usr/local/libexec/slapd
42169  p0  R+     0:00,00 grep slapd
42064  p1  S+     0:00,63 tail -f slapd.log
icarus@root [20:08:32] ~ # kill -9 42067
icarus@root [20:09:26] ~ # ps ax | grep slapd
42175  p0  R+     0:00,00 grep slapd
42173  p1  S+     0:00,00 tail -f slapd.log

  The machine is a Celeron-800 with 128M RAM, on a Gigabyte motherboard
  based on the i815 chipset.

icarus@root [20:09:32] ~ # uname -a
FreeBSD icarus.startatom.ru 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Sun May  4 17:53
:38 MSD 2003     root@icarus.startatom.ru:/usr/obj/usr/src/sys/icarus  i386
icarus@root [20:10:16] ~ # pkg_info -I openldap\* cyrus\*
cyrus-sasl-2.1.15   RFC 2222 SASL (Simple Authentication and Security Layer)
openldap-2.1.22     Open source LDAP client and server software
icarus@root [20:10:27] ~ #

  Now - what should I do? Do I have to forget about SASL with
  OpenLDAP?

-- 
Best regards,
 Alexander                            mailto:lan_mailing@startatom.ru

Attachment: slapd.acl
Description: Binary data

Attachment: slapd.conf
Description: Binary data

Attachment: slapd.log.gz
Description: GNU Zip compressed data

Attachment: ldap.conf
Description: Binary data
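To make the effect of the quoted userPassword ACL concrete, here is an added example (written for this page; it is neither the poster's code nor OpenLDAP's) that evaluates that clause the way slapd does: the first matching `by` line wins, and a grant of one level implies every weaker level. It assumes OpenLDAP 2.1 semantics, where a bare `dn=<pattern>` is a regex match (`dn.regex`), and it uses a deliberately simplified DN normalisation (case-folding and splitting on commas, not the full DN matching rules). The point it shows is that `by * auth` lets an anonymous client use userPassword for a bind but never read, search or compare it, which is why the anonymous ldapsearch above returns the entry without that attribute.

```python
import re

# OpenLDAP 2.1 access levels, weakest to strongest. A clause granting level X
# also grants every level to its left.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The userPassword clause quoted in the post, as a structure. In OpenLDAP 2.1
# a bare dn=<pattern> is a regex match (dn.regex), so the unanchored pattern
# covers the OU itself and everything below it.
USERPASSWORD_ACL = {
    "target_dn_regex": r"ou=users,dc=startatom,dc=ru",
    "attrs": {"userpassword"},
    "by": [
        ("dn", "cn=usermaster,dc=startatom,dc=ru", "write"),
        ("dn", "cn=replica,dc=startatom,dc=ru", "write"),
        ("dn", "cn=admin,dc=startatom,dc=ru", "read"),
        ("self", None, "write"),
        ("*", None, "auth"),
    ],
}


def _norm(dn):
    # Simplified DN normalisation (assumption: case-fold and strip spaces
    # around commas). Real slapd applies the full DN matching rules.
    return ",".join(part.strip().lower() for part in dn.split(","))


def granted_level(acl, requester_dn, target_dn, attr):
    """Level the clause grants `requester_dn` on `attr` of `target_dn`.

    Returns None when the clause does not apply to this target/attribute
    (slapd would then continue with the next 'access to' clause). Otherwise
    the first matching 'by' line wins, as slapd evaluates them, and 'none'
    is the implicit result when no 'by' line matches. An anonymous
    requester is represented by the empty DN.
    """
    if attr.lower() not in acl["attrs"]:
        return None
    if not re.search(acl["target_dn_regex"], target_dn, re.IGNORECASE):
        return None
    req, tgt = _norm(requester_dn), _norm(target_dn)
    for who, value, level in acl["by"]:
        if who == "dn" and req == _norm(value):
            return level
        if who == "self" and req and req == tgt:  # anonymous ('') is never 'self'
            return level
        if who == "*":
            return level
    return "none"


def allowed(acl, requester_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (an entry of LEVELS)."""
    level = granted_level(acl, requester_dn, target_dn, attr)
    return level is not None and LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    lan = "uid=lan,node=33(10),ou=users,dc=startatom,dc=ru"
    admin = "cn=admin,dc=startatom,dc=ru"
    for who, op in [("", "read"), ("", "auth"), (lan, "write"),
                    (admin, "read"), (admin, "write")]:
        ok = allowed(USERPASSWORD_ACL, who, lan, "userPassword", op)
        print(f"{who or 'anonymous':45} {op:6} -> {ok}")
```

Run it and the anonymous `read` line comes out False while the anonymous `auth` line comes out True; the `self write` line also covers the user's own reads, since write implies read in the level order.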
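The slapd trace above stops at "DIGEST-MD5 server step 1" and then shows nothing until the connection is closed 66 seconds later. As an added example (written for this page, not code from the poster or from OpenLDAP), here is a small parser over loglevel-255 output that reconstructs each connection's SASL exchange and reports binds that never advanced. In DIGEST-MD5 the server's step 1 emits the challenge and step 2 consumes the client's response, so a connection whose last logged step is 1 when it closes, or that is still open at the end of the log, is one whose reply never arrived or was never read. The sample lines are constructed: a condensed copy of the log in the post for conn=1, plus an invented healthy exchange (conn=2) and an invented connection left open (conn=3). The year is an assumption, since syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample, condensed from the slapd log in the post (conn=1) plus
# two invented connections: conn=2 completes the exchange, conn=3 is still
# open when the log ends.
SAMPLE_LOG = """\
Jul 16 20:05:10 icarus slapd[42067]: connection_get(9): got connid=1
Jul 16 20:05:10 icarus slapd[42067]: do_sasl_bind: dn () mech DIGEST-MD5
Jul 16 20:05:10 icarus slapd[42067]: SASL [conn=1] Debug: DIGEST-MD5 server step 1
Jul 16 20:05:10 icarus slapd[42067]: daemon: select: listen=8 active_threads=1 tvp=NULL
Jul 16 20:06:16 icarus slapd[42067]: connection_read(9): input error=-2 id=1, closing.
Jul 16 20:06:16 icarus slapd[42067]: connection_closing: readying conn=1 sd=9 for close
Jul 16 20:07:00 icarus slapd[42067]: connection_get(10): got connid=2
Jul 16 20:07:00 icarus slapd[42067]: SASL [conn=2] Debug: DIGEST-MD5 server step 1
Jul 16 20:07:01 icarus slapd[42067]: SASL [conn=2] Debug: DIGEST-MD5 server step 2
Jul 16 20:07:05 icarus slapd[42067]: connection_closing: readying conn=2 sd=10 for close
Jul 16 20:09:00 icarus slapd[42067]: connection_get(11): got connid=3
Jul 16 20:09:00 icarus slapd[42067]: SASL [conn=3] Debug: DIGEST-MD5 server step 1
"""

LOG_YEAR = 2003  # assumption: syslog lines carry no year

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd\[\d+\]: (.*)$")
STEP_RE = re.compile(r"SASL \[conn=(\d+)\] Debug: (\S+) server step (\d+)")
CLOSE_RE = re.compile(r"connection_closing: readying conn=(\d+) sd=\d+ for close")


def parse_ts(stamp):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def find_stalled_sasl_binds(log_text, min_steps=2):
    """One record per connection whose SASL bind reached fewer than
    `min_steps` server steps before it closed or before the log ended.

    For DIGEST-MD5, step 1 is the server challenge and step 2 is where the
    client's response is consumed, so fewer than two steps means the client
    reply was never processed.
    """
    active = {}    # conn id -> (mechanism, last step, time of that step)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # lines without a message body, or not from slapd
        ts, msg = parse_ts(m.group(1)), m.group(2)
        step = STEP_RE.search(msg)
        if step:
            conn, mech, n = step.group(1), step.group(2), int(step.group(3))
            active[conn] = (mech, n, ts)
            continue
        close = CLOSE_RE.search(msg)
        if close and close.group(1) in active:
            conn = close.group(1)
            mech, n, started = active.pop(conn)
            if n < min_steps:
                findings.append({"conn": conn, "mech": mech, "last_step": n,
                                 "state": "closed",
                                 "idle_seconds": (ts - started).total_seconds()})
    # Whatever is still in `active` never closed; a SASL bind stuck here is
    # consistent with a slapd that refuses to shut down cleanly.
    for conn, (mech, n, started) in active.items():
        if n < min_steps:
            findings.append({"conn": conn, "mech": mech, "last_step": n,
                             "state": "open", "idle_seconds": None})
    return findings


if __name__ == "__main__":
    for f in find_stalled_sasl_binds(SAMPLE_LOG):
        print(f"conn={f['conn']} {f['mech']} stalled after step {f['last_step']}"
              f" ({f['state']}, idle={f['idle_seconds']})")
```

On the sample this reports conn=1 as closed after 66 idle seconds at step 1 and conn=3 as still open, while conn=2, which reached step 2, is not reported. Against the full slapd.log.gz the same scan tells you whether every DIGEST-MD5 attempt stalls at the same step, which narrows the problem to whatever happens between the server's challenge and the client's response rather than to the ACL or the directory data.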