
SASL and Kerberos 5 (sasl-regexp)
I can't get this to work:

$ ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b "" -s base
supportedSASLMechanisms
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

(I've checked my password several times and it's OK.)

$ testsaslauthd -u ldapadm -p secret -s ldap
0: OK "Success."

My LDAP tree looks like:
dc=cacholong,dc=nl
 |
 -> ou=Users
 |    |
 |    -> uid=matthijs
 |
 -> uid=ldapadm (LDAP root account)

First I set sasl-regexp to nothing and loglevel = 1:

Apr 18 19:45:52 server slapd[6971]: connection_get(12): got connid=2
Apr 18 19:45:52 server slapd[6971]: connection_read(12): checking for
input on id=2
Apr 18 19:45:52 server slapd[6971]: ber_get_next on fd 12 failed
errno=11 (Resource temporarily unavailable)

What happens here?

Apr 18 19:45:52 server slapd[16250]: do_bind
Apr 18 19:45:52 server slapd[16250]: >>> dnPrettyNormal:
<uid=ldapadm,dc=cacholong,dc=nl>
Apr 18 19:45:52 server slapd[16250]: <<< dnPrettyNormal:
<uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl>
Apr 18 19:45:52 server slapd[16250]: do_bind: version=3
dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
Apr 18 19:45:52 server slapd[16250]:
bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
Apr 18 19:45:52 server slapd[16250]: => bdb_dn2id_matched(
"uid=ldapadm,dc=cacholong,dc=nl" )
Apr 18 19:45:52 server slapd[16250]: ====>
bdb_cache_find_entry_dn2id("uid=ldapadm,dc=cacholong,dc=nl"): 3 (1
tries)
Apr 18 19:45:52 server slapd[16250]: ====> bdb_cache_find_entry_id( 3 )
"uid=ldapadm,dc=cacholong,dc=nl" (found) (1 tries)
Apr 18 19:45:52 server slapd[16250]: => string_expand: pattern: 
uid=ldapadm,dc=cacholong,dc=nl
Apr 18 19:45:52 server slapd[16250]: => string_expand: expanded:
uid=ldapadm,dc=cacholong,dc=nl
Apr 18 19:45:52 server slapd[16250]: => regex_matches: string:^I
Apr 18 19:45:52 server slapd[16250]: => regex_matches: rc: 1 no matches
Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
name to <nothing>

Interesting part.

Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Apr 18 19:45:52 server slapd[16250]: SASL [conn=2] Failure: Invalid
credentials
Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Apr 18 19:45:52 server slapd[16250]: send_ldap_result: conn=2 op=0 p=3
Apr 18 19:45:52 server slapd[16250]: send_ldap_response: msgid=1 tag=97
err=49
Apr 18 19:45:52 server slapd[16250]: ====> bdb_cache_return_entry_r( 3
): returned (0)
Apr 18 19:45:52 server slapd[6971]: connection_get(12): got connid=2
Apr 18 19:45:52 server slapd[6971]: connection_read(12): checking for
input on id=2
Apr 18 19:45:52 server slapd[6971]: ber_get_next on fd 12 failed errno=0
(Success)
Apr 18 19:45:52 server slapd[6971]: connection_read(12): input error=-2
id=2, closing.
Apr 18 19:45:52 server slapd[6971]: connection_closing: readying conn=2
sd=12 for close
Apr 18 19:45:52 server slapd[6971]: connection_close: conn=2 sd=12

Now with:
sasl-regexp	uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth
ldap://uid=$1,dc=cacholong,dc=nl

Apr 18 19:54:02 server slapd[6971]: connection_get(12): got connid=3
Apr 18 19:54:02 server slapd[6971]: connection_read(12): checking for
input on id=3
Apr 18 19:54:02 server slapd[6971]: ber_get_next on fd 12 failed
errno=11 (Resource temporarily unavailable)
Apr 18 19:54:02 server slapd[16250]: do_bind
Apr 18 19:54:02 server slapd[16250]: >>> dnPrettyNormal:
<uid=ldapadm,dc=cacholong,dc=nl>
Apr 18 19:54:02 server slapd[16250]: <<< dnPrettyNormal:
<uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl>
Apr 18 19:54:02 server slapd[16250]: do_bind: version=3
dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
Apr 18 19:54:02 server slapd[16250]:
bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
Apr 18 19:54:02 server slapd[16250]: => bdb_dn2id_matched(
"uid=ldapadm,dc=cacholong,dc=nl" )
Apr 18 19:54:02 server slapd[16250]: ====>
bdb_cache_find_entry_dn2id("uid=ldapadm,dc=cacholong,dc=nl"): 3 (1
tries)
Apr 18 19:54:02 server slapd[16250]: ====> bdb_cache_find_entry_id( 3 )
"uid=ldapadm,dc=cacholong,dc=nl" (found) (1 tries)
Apr 18 19:54:02 server slapd[16250]: => string_expand: pattern: 
uid=ldapadm,dc=cacholong,dc=nl
Apr 18 19:54:02 server slapd[16250]: => string_expand: expanded:
uid=ldapadm,dc=cacholong,dc=nl
Apr 18 19:54:02 server slapd[16250]: => regex_matches: string:^I
Apr 18 19:54:02 server slapd[16250]: => regex_matches: rc: 1 no matches
Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Apr 18 19:54:02 server slapd[16250]: SASL [conn=3] Failure: Invalid
credentials
Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Apr 18 19:54:02 server slapd[16250]: send_ldap_result: conn=3 op=0 p=3
Apr 18 19:54:02 server slapd[16250]: send_ldap_response: msgid=1 tag=97
err=49
Apr 18 19:54:02 server slapd[16250]: ====> bdb_cache_return_entry_r( 3
): returned (0)
Apr 18 19:54:02 server slapd[6971]: connection_get(12): got connid=3
Apr 18 19:54:02 server slapd[6971]: connection_read(12): checking for
input on id=3
Apr 18 19:54:02 server slapd[6971]: ber_get_next on fd 12 failed errno=0
(Success)
Apr 18 19:54:02 server slapd[6971]: connection_read(12): input error=-2
id=3, closing.
Apr 18 19:54:02 server slapd[6971]: connection_closing: readying conn=3
sd=12 for close
Apr 18 19:54:02 server slapd[6971]: connection_close: conn=3 sd=12

Now with two sasl-regexp lines:
sasl-regexp	uid=service/(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth
ldap:///cn=Service,cn=Applications,dc=cacholong,dc=nl??sub?krb5PrincipalName=service/$1@CACHOLONG.NL

sasl-regexp	uid=(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth
ldap:///uid=$1,cn=Accounts,dc=cacholong,dc=nl??sub?suSeasStatus=active

Apr 18 19:56:55 server slapd[31206]: connection_get(12): got connid=0
Apr 18 19:56:55 server slapd[31206]: connection_read(12): checking for
input on id=0
Apr 18 19:56:55 server slapd[21574]: do_bind
Apr 18 19:56:55 server slapd[31206]: ber_get_next on fd 12 failed
errno=11 (Resource temporarily unavailable)
Apr 18 19:56:55 server slapd[21574]: >>> dnPrettyNormal:
<uid=ldapadm,dc=cacholong,dc=nl>
Apr 18 19:56:55 server slapd[21574]: <<< dnPrettyNormal:
<uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl>
Apr 18 19:56:55 server slapd[21574]: do_bind: version=3
dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
Apr 18 19:56:55 server slapd[21574]:
bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
Apr 18 19:56:55 server slapd[21574]: => bdb_dn2id_matched(
"uid=ldapadm,dc=cacholong,dc=nl" )
Apr 18 19:56:55 server slapd[21574]: <= bdb_dn2id_matched:
id=0x00000003: entry uid=ldapadm,dc=cacholong,dc=nl
Apr 18 19:56:55 server slapd[21574]: entry_decode:
"uid=ldapadm,dc=cacholong,dc=nl"
Apr 18 19:56:55 server slapd[21574]: <=
entry_decode(uid=ldapadm,dc=cacholong,dc=nl)
Apr 18 19:56:55 server slapd[21574]: => string_expand: pattern: 
uid=ldapadm,dc=cacholong,dc=nl
Apr 18 19:56:55 server slapd[21574]: => string_expand: expanded:
uid=ldapadm,dc=cacholong,dc=nl
Apr 18 19:56:55 server slapd[21574]: => regex_matches: string:^I
Apr 18 19:56:55 server slapd[21574]: => regex_matches: rc: 1 no matches
Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Apr 18 19:56:55 server slapd[21574]: SASL [conn=0] Failure: Invalid
credentials
Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
uid=ldapadm,cn=CACHOLONG.NL,cn=auth
Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
<uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
<uid=ldapadm,cn=cacholong.nl,cn=auth>
Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
name uid=ldapadm,cn=cacholong.nl,cn=auth
Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Apr 18 19:56:55 server slapd[21574]: send_ldap_result: conn=0 op=0 p=3
Apr 18 19:56:55 server slapd[21574]: send_ldap_response: msgid=1 tag=97
err=49
Apr 18 19:56:55 server slapd[21574]: ====> bdb_cache_return_entry_r( 3
): created (0)
Apr 18 19:56:55 server slapd[31206]: connection_get(12): got connid=0
Apr 18 19:56:55 server slapd[31206]: connection_read(12): checking for
input on id=0
Apr 18 19:56:55 server slapd[31206]: ber_get_next on fd 12 failed
errno=0 (Success)
Apr 18 19:56:55 server slapd[31206]: connection_read(12): input error=-2
id=0, closing.
Apr 18 19:56:55 server slapd[31206]: connection_closing: readying conn=0
sd=12 for close
Apr 18 19:56:55 server slapd[31206]: connection_close: conn=0 sd=12

It looks to me like "<==slap_sasl2dn: Converted SASL name to <nothing>"
is the interesting part of the log. So I think my regexps are
wrong.

How can I solve this?