
Re: sasl_regexp: won't work with internal search URL



Oh... wow... I'm a dork. :-) That's pretty obvious... yet for _hours_ it eluded me. Thanks!

*** It still doesn't seem to work, unfortunately. ***  My config is now:

  sasl-regexp
	uid=(.*),cn=plain,cn=auth
	ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=$1)(objectclass=person))


Debug output from ldapsearch (see original post for command) is now as seen below. It's now doing something different... but still without success. Any thoughts?


Thanks for the help thus far!

Charles

# TLS connection setup omitted...
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({o) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech PLAIN
==> sasl_bind: dn="" mech=PLAIN datalen=15
SASL Canonicalize [conn=0]: authcid="testj"
slap_sasl_getdn: id=testj [len=5]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enc,dc=edu??sub?(&
(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(object
class=person))
ldap_url_parse_ext(ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclas
s=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
dnNormalize: <ou=people,dc=enc,dc=edu>
=> ldap_bv2dn(ou=people,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=people,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=people,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=people,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=people,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=people,dc=enc,dc=edu" )
<= bdb_dn2id_matched: id=0x00000002: entry ou=people,dc=enc,dc=edu
entry_decode: "ou=people,dc=enc,dc=edu"
<= entry_decode(ou=people,dc=enc,dc=edu)
search_candidates: base="ou=people,dc=enc,dc=edu" (0x00000002) scope=2
=> bdb_filter_candidates
       AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
       DN SUBTREE
=> bdb_dn2idl( "ou=people,dc=enc,dc=edu" )
bdb_idl_fetch_key: @ou=people,dc=enc,dc=edu
<= bdb_dn2idl: id=2 first=2 last=12
<= bdb_filter_candidates: id=2 first=2 last=12
=> bdb_filter_candidates
       OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
       EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
       AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
       EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [6de55cac]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=2 last=0
<= bdb_filter_candidates: id=0 first=2 last=0
bdb_search_candidates: id=0 first=2 last=0
====> bdb_cache_return_entry_r( 2 ): created (0)
bdb_search: no candidates
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=testj,cn=plain,cn=auth"
SASL [conn=0] Failure: Could not open db
slap_sasl_getdn: id=testj [len=0]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enc,dc=edu??sub?(&
(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(object
class=person))
ldap_url_parse_ext(ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclas
s=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
dnNormalize: <ou=people,dc=enc,dc=edu>
=> ldap_bv2dn(ou=people,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=people,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=people,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=people,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=people,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=people,dc=enc,dc=edu" )
====> bdb_cache_find_entry_dn2id("ou=people,dc=enc,dc=edu"): 2 (1 tries)
====> bdb_cache_find_entry_id( 2 ) "ou=people,dc=enc,dc=edu" (found) (1 tries)
search_candidates: base="ou=people,dc=enc,dc=edu" (0x00000002) scope=2
=> bdb_filter_candidates
       AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
       DN SUBTREE
=> bdb_dn2idl( "ou=people,dc=enc,dc=edu" )
bdb_idl_fetch_key: @ou=people,dc=enc,dc=edu
<= bdb_dn2idl: id=2 first=2 last=12
<= bdb_filter_candidates: id=2 first=2 last=12
=> bdb_filter_candidates
       OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
       EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
       AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
       EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [6de55cac]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=2 last=0
<= bdb_filter_candidates: id=0 first=2 last=0
bdb_search_candidates: id=0 first=2 last=0
====> bdb_cache_return_entry_r( 2 ): returned (0)
bdb_search: no candidates
<==slap_sasl2dn: Converted SASL name to <nothing>
ldap_err2string
SASL [conn=0] Failure: Invalid credentials
SASL Canonicalize [conn=0]: authcid="testj"
slap_sasl_getdn: id=testj [len=5]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enc,dc=edu??sub?(&
(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(object
class=person))
ldap_url_parse_ext(ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclas
s=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
dnNormalize: <ou=people,dc=enc,dc=edu>
=> ldap_bv2dn(ou=people,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=people,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=people,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=people,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=people,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=people,dc=enc,dc=edu" )
====> bdb_cache_find_entry_dn2id("ou=people,dc=enc,dc=edu"): 2 (1 tries)
====> bdb_cache_find_entry_id( 2 ) "ou=people,dc=enc,dc=edu" (found) (1 tries)
search_candidates: base="ou=people,dc=enc,dc=edu" (0x00000002) scope=2
=> bdb_filter_candidates
       AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
       DN SUBTREE
=> bdb_dn2idl( "ou=people,dc=enc,dc=edu" )
bdb_idl_fetch_key: @ou=people,dc=enc,dc=edu
<= bdb_dn2idl: id=2 first=2 last=12
<= bdb_filter_candidates: id=2 first=2 last=12
=> bdb_filter_candidates
       OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
       EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
       AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
       EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [6de55cac]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=2 last=0
<= bdb_filter_candidates: id=0 first=2 last=0
bdb_search_candidates: id=0 first=2 last=0
====> bdb_cache_return_entry_r( 2 ): returned (0)
bdb_search: no candidates
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=testj,cn=plain,cn=auth"
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Password verification failed
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=80 matched="" text="SASL(-13): user not found: Password ve
rification failed"
send_ldap_response: msgid=2 tag=97 err=80
ber_flush: 69 bytes to sd 13
<== slap_sasl_bind: rc=80
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13

...TLS connection closes...



Howard Chu wrote:

Well for one thing, the DN you search for has to actually exist.

You originally set up an example using "ou=people,dc=enc,dc=edu" and then you
changed it to search for "ou=person,dc=enc,dc=edu" and the slapd log
indicates that there is no such DN in your database.


  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Charles Owens

Howdy,

I've been able to successfully use sasl_regexp in its more basic form...
directly mapping an authorization DN to a real entry DN. I'm coming up
dry, however, when trying to have slapd search for the authenticating
user's entry. This technique is documented in Admin Guide section
10.2.5. Is anyone out there using this technique in production?

Are there any known gotchas with it?


-- 
-------------------------------------------------------------------------
Charles N. Owens                     Email: owensc@enc.edu
                                     http://www.enc.edu/~owensc
Senior Technology Officer
Information Technology Services
Eastern Nazarene College
-------------------------------------------------------------------------
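To make the mapping that the slapd debug output above traces easier to follow, here is an added Python model of the sasl-regexp lookup. This is example code written for this page; it is not OpenLDAP code and was not posted by anyone in the thread. It assumes the pattern and URL from the config shown above, a small in-memory directory constructed for the example, and a simplified filter evaluator (equality, &, | and ! only, every attribute treated as case-insensitive, as uid and objectClass are). It also escapes the captured $1 value before substituting it into the filter; that is this example's own design choice, not a statement about what slapd does with $1.

```python
import re
from urllib.parse import unquote

# Constructed configuration, mirroring the sasl-regexp from the thread.
SASL_REGEXP_PATTERN = r"^uid=(.*),cn=plain,cn=auth$"
SASL_REGEXP_URL = ("ldap:///ou=people,dc=enc,dc=edu??sub?"
                   "(&(uid=$1)(objectclass=person))")

SCOPES = {"": 0, "base": 0, "one": 1, "sub": 2, "subtree": 2}


def escape_filter_value(value):
    """Escape a value for use inside an RFC 4515 filter so that '*', '(' or ')'
    in the captured authcid cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    """Undo RFC 4515 '\\xx' escapes when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def expand_sasl_regexp(sasl_dn, pattern=SASL_REGEXP_PATTERN, url=SASL_REGEXP_URL):
    """Step 1 (what slap_sasl_regexp logs as 'converted SASL name to ...'):
    match the normalized SASL DN and substitute $n groups into the URL.
    Returns None when the pattern does not match."""
    m = re.match(pattern, sasl_dn, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)",
                  lambda g: escape_filter_value(m.group(int(g.group(1)))), url)


def parse_ldap_url(url):
    """Step 2 (slap_parseURI): split 'ldap://host/base?attrs?scope?filter'
    into its RFC 4516 fields. An empty host means slapd's own database."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %s" % url)
    host, _, rest = url[len("ldap://"):].partition("/")
    base, attrs, scope, flt = (rest.split("?") + [""] * 4)[:4]
    if scope.lower() not in SCOPES:
        raise ValueError("bad scope: %s" % scope)
    return {"host": host, "base": unquote(base),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": SCOPES[scope.lower()],
            "filter": unquote(flt) or "(objectClass=*)"}


def parse_filter(text):
    """Minimal RFC 4515 parser: &, |, ! and equality assertions only."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, kids, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if text[i] != ")":
                raise ValueError("unterminated list at offset %d" % i)
            return (op, kids), i + 1
        if text[i] == "!":
            node, i = parse(i + 1)
            return ("!", [node]), i + 1
        j = text.index(")", i)
        attr, _, val = text[i:j].partition("=")
        return ("=", attr.lower(), unescape_filter_value(val)), j + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against an entry ({attr: [values]})."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    return any(v.lower() == wanted.lower() for v in entry.get(attr, []))


def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == 0:
        return dn == base
    if scope == 1:
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)


def resolve_authcid(authcid, directory):
    """Steps 1-3 as slap_sasl2dn performs them: build the SASL DN, expand the
    regexp, parse the URL, run the internal search, and accept the result only
    when exactly one entry matches. Returns the entry DN or None."""
    url = expand_sasl_regexp("uid=%s,cn=plain,cn=auth" % authcid)
    if url is None:
        return None
    spec = parse_ldap_url(url)
    flt = parse_filter(spec["filter"])
    hits = [dn for dn, entry in directory.items()
            if in_scope(dn, spec["base"], spec["scope"]) and matches(flt, entry)]
    return hits[0] if len(hits) == 1 else None


# Constructed sample directory (attribute names lower-cased as keys).
DIRECTORY = {
    "dc=enc,dc=edu": {"objectclass": ["top", "dcObject", "organization"]},
    "ou=people,dc=enc,dc=edu": {"objectclass": ["organizationalUnit"]},
    "uid=testj,ou=people,dc=enc,dc=edu":
        {"objectclass": ["inetOrgPerson", "person"], "uid": ["testj"]},
    # Under the base, but no 'person' objectClass: the filter rejects it.
    "uid=robot,ou=people,dc=enc,dc=edu":
        {"objectclass": ["account", "simpleSecurityObject"], "uid": ["robot"]},
    # Right uid, wrong subtree: outside the URL's base DN.
    "uid=testj,ou=services,dc=enc,dc=edu":
        {"objectclass": ["person"], "uid": ["testj"]},
}

if __name__ == "__main__":
    for who in ("testj", "robot", "nobody"):
        print(who, "->", resolve_authcid(who, DIRECTORY))
```

Running the block walks through the same three stages the log shows (regexp expansion, URL parsing, internal search) and makes the end conditions visible: "testj" resolves to exactly one DN, while an entry under ou=people whose objectClass list lacks "person", or an entry with the right uid outside the base DN, yields no candidates, which is how "Converted SASL name to <nothing>" arises in this model.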