
RE: sasl_regexp: won't work with internal search URL



You just have to love those "DOH!" moments.....

Reassuring to know I'm not the only one that has them ;)

Jimi

-----Original Message-----
From: Charles Owens [mailto:owensc@enc.edu] 
Sent: Tuesday, August 05, 2003 1:32 PM
To: Howard Chu
Cc: 'openldap-software@openldap.org'
Subject: Re: sasl_regexp: won't work with internal search URL

Oh... wow... I'm a dork.   :-)   That's pretty obvious... yet for 
_hours_ it eluded me.  Thanks!

*** It still doesn't seem to work, unfortunately.***   My config is now:

   sasl-regexp
	uid=(.*),cn=plain,cn=auth
	ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=$1)(objectclass=person))


Debug output from ldapsearch (see original post for command) is now as 
seen below.   It's now doing something different... but still without 
success.   Any thoughts?

Thanks for the help thus far!

Charles

# TLS connection setup omitted...
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({o) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech PLAIN
==> sasl_bind: dn="" mech=PLAIN datalen=15
SASL Canonicalize [conn=0]: authcid="testj"
slap_sasl_getdn: id=testj [len=5]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
ldap_url_parse_ext(ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
>>> dnNormalize: <ou=people,dc=enc,dc=edu>
=> ldap_bv2dn(ou=people,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=people,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=people,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=people,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=people,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=people,dc=enc,dc=edu" )
<= bdb_dn2id_matched: id=0x00000002: entry ou=people,dc=enc,dc=edu
entry_decode: "ou=people,dc=enc,dc=edu"
<= entry_decode(ou=people,dc=enc,dc=edu)
search_candidates: base="ou=people,dc=enc,dc=edu" (0x00000002) scope=2
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        DN SUBTREE
=> bdb_dn2idl( "ou=people,dc=enc,dc=edu" )
bdb_idl_fetch_key: @ou=people,dc=enc,dc=edu
<= bdb_dn2idl: id=2 first=2 last=12
<= bdb_filter_candidates: id=2 first=2 last=12
=> bdb_filter_candidates
        OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [6de55cac]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=2 last=0
<= bdb_filter_candidates: id=0 first=2 last=0
bdb_search_candidates: id=0 first=2 last=0
====> bdb_cache_return_entry_r( 2 ): created (0)
bdb_search: no candidates
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=testj,cn=plain,cn=auth"
SASL [conn=0] Failure: Could not open db
slap_sasl_getdn: id=testj [len=0]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
ldap_url_parse_ext(ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
>>> dnNormalize: <ou=people,dc=enc,dc=edu>
=> ldap_bv2dn(ou=people,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=people,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=people,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=people,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=people,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=people,dc=enc,dc=edu" )
====> bdb_cache_find_entry_dn2id("ou=people,dc=enc,dc=edu"): 2 (1 tries)
====> bdb_cache_find_entry_id( 2 ) "ou=people,dc=enc,dc=edu" (found) (1 tries)
search_candidates: base="ou=people,dc=enc,dc=edu" (0x00000002) scope=2
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        DN SUBTREE
=> bdb_dn2idl( "ou=people,dc=enc,dc=edu" )
bdb_idl_fetch_key: @ou=people,dc=enc,dc=edu
<= bdb_dn2idl: id=2 first=2 last=12
<= bdb_filter_candidates: id=2 first=2 last=12
=> bdb_filter_candidates
        OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [6de55cac]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=2 last=0
<= bdb_filter_candidates: id=0 first=2 last=0
bdb_search_candidates: id=0 first=2 last=0
====> bdb_cache_return_entry_r( 2 ): returned (0)
bdb_search: no candidates
<==slap_sasl2dn: Converted SASL name to <nothing>
ldap_err2string
SASL [conn=0] Failure: Invalid credentials
SASL Canonicalize [conn=0]: authcid="testj"
slap_sasl_getdn: id=testj [len=5]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
ldap_url_parse_ext(ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
>>> dnNormalize: <ou=people,dc=enc,dc=edu>
=> ldap_bv2dn(ou=people,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=people,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=people,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=people,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=people,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=people,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=people,dc=enc,dc=edu" )
====> bdb_cache_find_entry_dn2id("ou=people,dc=enc,dc=edu"): 2 (1 tries)
====> bdb_cache_find_entry_id( 2 ) "ou=people,dc=enc,dc=edu" (found) (1 tries)
search_candidates: base="ou=people,dc=enc,dc=edu" (0x00000002) scope=2
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        DN SUBTREE
=> bdb_dn2idl( "ou=people,dc=enc,dc=edu" )
bdb_idl_fetch_key: @ou=people,dc=enc,dc=edu
<= bdb_dn2idl: id=2 first=2 last=12
<= bdb_filter_candidates: id=2 first=2 last=12
=> bdb_filter_candidates
        OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
        AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
        EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [6de55cac]
<= bdb_index_read: failed (-30991)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=0 last=0
<= bdb_filter_candidates: id=0 first=0 last=0
<= bdb_list_candidates: id=0 first=2 last=0
<= bdb_filter_candidates: id=0 first=2 last=0
bdb_search_candidates: id=0 first=2 last=0
====> bdb_cache_return_entry_r( 2 ): returned (0)
bdb_search: no candidates
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=testj,cn=plain,cn=auth"
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Password verification failed
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=80 matched="" text="SASL(-13): user not found: Password verification failed"
send_ldap_response: msgid=2 tag=97 err=80
ber_flush: 69 bytes to sd 13
<== slap_sasl_bind: rc=80
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
connection_read(13): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=13 for close
connection_close: conn=0 sd=13

...TLS connection closes...



Howard Chu wrote:

> Well for one thing, the DN you search for has to actually exist.
>
> You originally set up an example using "ou=people,dc=enc,dc=edu" and 
> then you
> changed it to search for "ou=person,dc=enc,dc=edu" and the slapd log
> indicates that there is no such DN in your database.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
>>-----Original Message-----
>>From: owner-openldap-software@OpenLDAP.org
>>[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Charles Owens
>>
>>Howdy,
>>
>>I've been able to successfully use sasl_regexp in its more basic form...
>>directly mapping an authorization DN to a real entry DN.  I'm coming up
>>dry, however, when trying to have slapd search for the authenticating
>>user's entry.  This technique is documented in Admin Guide section
>>10.2.5.   Is anyone out there using this technique in production?
>>
>>Are there any known gotchas with it?
>

-- 
-------------------------------------------------------------------------
  Charles N. Owens                                Email: owensc@enc.edu
                                             http://www.enc.edu/~owensc
  Senior Technology Officer
  Information Technology Services              Eastern Nazarene College
-------------------------------------------------------------------------
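As an added illustration for readers of this thread (this is not code from the list posts or from OpenLDAP itself), the following Python model walks through what the debug log above shows slapd doing with the posted sasl-regexp: match the normalized authc DN against the regexp, substitute $1 into the LDAP URL, split the URL into base/attrs/scope/filter, parse the filter, and run the search over a small in-memory directory. The directory contents, the helper names (apply_sasl_regexp, parse_ldap_url, parse_filter, resolve_sasl_dn) and the filter-escaping of the substituted value are assumptions of the example; the escaping is there because the authcid is chosen by the client, not because the thread says slapd does it. The model also generalizes slightly beyond the post: it handles a regexp that does not match, a URL whose search returns nothing (the log's "Converted SASL name to <nothing>"), and a search that returns more than one entry, which it rejects as well, since an ambiguous mapping cannot safely bind an identity.

```python
import re
from urllib.parse import unquote

# Constructed sasl-regexp rule in the shape of the thread's slapd.conf: a regex
# over the normalized SASL authc DN, and an LDAP URL in which $1 is the capture.
SASL_REGEXP_MATCH = r"uid=(.*),cn=plain,cn=auth"
SASL_REGEXP_REPLACE = "ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=$1)(objectclass=person))"
SCOPES = {"": 0, "base": 0, "one": 1, "sub": 2}

# Constructed directory (assumption of this example): lowercase attribute
# names, list values, and exactly one person entry with uid=testj.
DIRECTORY = [
    {"dn": "ou=people,dc=enc,dc=edu", "objectclass": ["organizationalUnit"]},
    {"dn": "uid=testj,ou=people,dc=enc,dc=edu", "objectclass": ["person"], "uid": ["testj"]},
    {"dn": "uid=other,ou=people,dc=enc,dc=edu", "objectclass": ["person"], "uid": ["other"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping for the client-chosen authcid before it is spliced
    into the filter (the example's own precaution, not a claim about slapd)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def apply_sasl_regexp(authc_dn, match=SASL_REGEXP_MATCH, replace=SASL_REGEXP_REPLACE):
    """Rewrite the authc DN; None when the regexp does not match at all."""
    m = re.fullmatch(match, authc_dn)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: escape_filter_value(m.group(int(g.group(1)))), replace)

def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter, the slap_parseURI step in the log."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    _host, _, path = url[len("ldap://"):].partition("/")
    base, attrs, scope, filt = [unquote(p) for p in (path.split("?") + [""] * 3)[:4]]
    return {"base": base.lower(), "attrs": [a for a in attrs.split(",") if a],
            "scope": SCOPES[scope.lower()], "filter": filt or "(objectClass=*)"}

def parse_filter(text):
    """Minimal RFC 4515 parser (AND, OR, equality, presence) -> nested tuples,
    the str2filter step in the log."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        if text[i + 1] in "&|":
            op, i, subs = text[i + 1], i + 2, []
            while text[i] == "(":
                node, i = parse(i)
                subs.append(node)
            if text[i] != ")":
                raise ValueError("unterminated filter list")
            return (op, subs), i + 1
        end = text.index(")", i)
        attr, _, value = text[i + 1:end].partition("=")
        return ("=", attr.lower(), value), end + 1
    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(s, entry) for s in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else unescape_filter_value(value).lower() in values

def in_scope(dn, base, scope):
    """Naive scope test; commas inside RDN values are not handled."""
    dn = dn.lower()
    if dn == base:
        return scope != 1
    if not dn.endswith("," + base):
        return False
    return scope == 2 or (scope == 1 and "," not in dn[:-(len(base) + 1)])

def resolve_sasl_dn(authc_dn, directory=DIRECTORY):
    """Model of slap_sasl2dn: rewrite, run the internal search, accept only an
    unambiguous single hit. Zero hits is the log's 'Converted SASL name to
    <nothing>'; several hits could bind the wrong identity, so also None."""
    rewritten = apply_sasl_regexp(authc_dn)
    if rewritten is None:
        return None
    if not rewritten.startswith("ldap://"):
        return rewritten  # plain DN rewrite: the "basic form" from the original post
    q = parse_ldap_url(rewritten)
    node = parse_filter(q["filter"])
    hits = [e["dn"] for e in directory
            if in_scope(e["dn"], q["base"], q["scope"]) and matches(node, e)]
    return hits[0] if len(hits) == 1 else None
```

Calling resolve_sasl_dn("uid=testj,cn=plain,cn=auth") returns the person entry's DN, while an authcid that no entry carries, or one that the regexp does not match (for example a different SASL mechanism in the cn=auth suffix), yields None, the same outcome the log reports as `<nothing>` before the bind is refused. A useful check against a real server is to run the rewritten URL's base, scope and filter through ldapsearch by hand: if that search returns zero entries, the sasl-regexp mapping cannot succeed either, whatever the regexp looks like.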