
Re: SASL and Kerberos 5 (sasl-regexp)



On Sun, 2004-04-18 at 21:53, Pierangelo Masarati wrote:
> > I can't get this to work:
> >
> > $ ldapsearch -x -D "uid=ldapadm,dc=cacholong,dc=nl" -W -b "" -s base
> > supportedSASLMechanisms
> > Enter LDAP Password:
> > ldap_bind: Invalid credentials (49)
> >
> > (I've checked my password several times and it's ok)
> 
> -x disables SASL bind; try without.
> -D is used for LDAP identity (DN); use -U <saslidentity>.
> 
> p.
> 

Sorry I didn't give more information, but my userPassword attribute has
the following value:

userPassword: {SASL}ldapadm@CACHOLONG.NL

And these are my ACLs:
# These access lines apply to database #1 only
access to attribute=userPassword
        by dn="dc=cacholong,dc=nl" write
        by dn="uid=ldapadm" write
        by anonymous auth
        by self write
        by * none
# The admin dn has full write access
access to *
        by dn="dc=cacholong,dc=nl" write
        by dn="uid=ldapadm" write
        by * read

> >
> > $ testsaslauthd -u ldapadm -p secret -s ldap
> > 0: OK "Success."
> >
> > My ldap tree looks like:
> > dc=cacholong,dc=nl
> >  |
> >  -> ou=Users
> >  |    |
> >  |    -> uid=matthijs
> >  |
> >  -> uid=ldapadm (LDAP root account)
> >
> > First i set sasl-regexp to nothing and loglevel = 1
> >
> > Apr 18 19:45:52 server slapd[6971]: connection_get(12): got connid=2 Apr
> > 18 19:45:52 server slapd[6971]: connection_read(12): checking for input
> > on id=2
> > Apr 18 19:45:52 server slapd[6971]: ber_get_next on fd 12 failed
> > errno=11 (Resource temporarily unavailable)
> >
> > What happens here ?
> >
> > Apr 18 19:45:52 server slapd[16250]: do_bind
> > Apr 18 19:45:52 server slapd[16250]: >>> dnPrettyNormal:
> > <uid=ldapadm,dc=cacholong,dc=nl>
> > Apr 18 19:45:52 server slapd[16250]: <<< dnPrettyNormal:
> > <uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl> Apr
> > 18 19:45:52 server slapd[16250]: do_bind: version=3
> > dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
> > Apr 18 19:45:52 server slapd[16250]:
> > bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
> > Apr 18 19:45:52 server slapd[16250]: => bdb_dn2id_matched(
> > "uid=ldapadm,dc=cacholong,dc=nl" )
> > Apr 18 19:45:52 server slapd[16250]: ====>
> > bdb_cache_find_entry_dn2id("uid=ldapadm,dc=cacholong,dc=nl"): 3 (1
> > tries)
> > Apr 18 19:45:52 server slapd[16250]: ====> bdb_cache_find_entry_id( 3 )
> > "uid=ldapadm,dc=cacholong,dc=nl" (found) (1 tries)
> > Apr 18 19:45:52 server slapd[16250]: => string_expand: pattern:
> > uid=ldapadm,dc=cacholong,dc=nl
> > Apr 18 19:45:52 server slapd[16250]: => string_expand: expanded:
> > uid=ldapadm,dc=cacholong,dc=nl
> > Apr 18 19:45:52 server slapd[16250]: => regex_matches: string:^I
> > Apr 18 19:45:52 server slapd[16250]: => regex_matches: rc: 1 no matches
> > Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> >
> > Interesting part.
> >
> > Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> > Apr 18 19:45:52 server slapd[16250]: SASL [conn=2] Failure: Invalid
> > credentials
> > Apr 18 19:45:52 server slapd[16250]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:45:52 server slapd[16250]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:45:52 server slapd[16250]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:45:52 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:45:52 server slapd[16250]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:45:52 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> > Apr 18 19:45:52 server slapd[16250]: send_ldap_result: conn=2 op=0 p=3
> > Apr 18 19:45:52 server slapd[16250]: send_ldap_response: msgid=1 tag=97
> > err=49
> > Apr 18 19:45:52 server slapd[16250]: ====> bdb_cache_return_entry_r( 3
> > ): returned (0)
> > Apr 18 19:45:52 server slapd[6971]: connection_get(12): got connid=2 Apr
> > 18 19:45:52 server slapd[6971]: connection_read(12): checking for input
> > on id=2
> > Apr 18 19:45:52 server slapd[6971]: ber_get_next on fd 12 failed errno=0
> > (Success)
> > Apr 18 19:45:52 server slapd[6971]: connection_read(12): input error=-2
> > id=2, closing.
> > Apr 18 19:45:52 server slapd[6971]: connection_closing: readying conn=2
> > sd=12 for close
> > Apr 18 19:45:52 server slapd[6971]: connection_close: conn=2 sd=12
> >
> > Now with:
> > sasl-regexp	uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth
> > ldap://uid=$1,dc=cacholong,dc=nl
> >
> > Apr 18 19:54:02 server slapd[6971]: connection_get(12): got connid=3 Apr
> > 18 19:54:02 server slapd[6971]: connection_read(12): checking for input
> > on id=3
> > Apr 18 19:54:02 server slapd[6971]: ber_get_next on fd 12 failed
> > errno=11 (Resource temporarily unavailable)
> > Apr 18 19:54:02 server slapd[16250]: do_bind
> > Apr 18 19:54:02 server slapd[16250]: >>> dnPrettyNormal:
> > <uid=ldapadm,dc=cacholong,dc=nl>
> > Apr 18 19:54:02 server slapd[16250]: <<< dnPrettyNormal:
> > <uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl> Apr
> > 18 19:54:02 server slapd[16250]: do_bind: version=3
> > dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
> > Apr 18 19:54:02 server slapd[16250]:
> > bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
> > Apr 18 19:54:02 server slapd[16250]: => bdb_dn2id_matched(
> > "uid=ldapadm,dc=cacholong,dc=nl" )
> > Apr 18 19:54:02 server slapd[16250]: ====>
> > bdb_cache_find_entry_dn2id("uid=ldapadm,dc=cacholong,dc=nl"): 3 (1
> > tries)
> > Apr 18 19:54:02 server slapd[16250]: ====> bdb_cache_find_entry_id( 3 )
> > "uid=ldapadm,dc=cacholong,dc=nl" (found) (1 tries)
> > Apr 18 19:54:02 server slapd[16250]: => string_expand: pattern:
> > uid=ldapadm,dc=cacholong,dc=nl
> > Apr 18 19:54:02 server slapd[16250]: => string_expand: expanded:
> > uid=ldapadm,dc=cacholong,dc=nl
> > Apr 18 19:54:02 server slapd[16250]: => regex_matches: string:^I
> > Apr 18 19:54:02 server slapd[16250]: => regex_matches: rc: 1 no matches
> > Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> > Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> > Apr 18 19:54:02 server slapd[16250]: SASL [conn=3] Failure: Invalid
> > credentials
> > Apr 18 19:54:02 server slapd[16250]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:54:02 server slapd[16250]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:54:02 server slapd[16250]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:54:02 server slapd[16250]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:54:02 server slapd[16250]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:54:02 server slapd[16250]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> > Apr 18 19:54:02 server slapd[16250]: send_ldap_result: conn=3 op=0 p=3
> > Apr 18 19:54:02 server slapd[16250]: send_ldap_response: msgid=1 tag=97
> > err=49
> > Apr 18 19:54:02 server slapd[16250]: ====> bdb_cache_return_entry_r( 3
> > ): returned (0)
> > Apr 18 19:54:02 server slapd[6971]: connection_get(12): got connid=3 Apr
> > 18 19:54:02 server slapd[6971]: connection_read(12): checking for input
> > on id=3
> > Apr 18 19:54:02 server slapd[6971]: ber_get_next on fd 12 failed errno=0
> > (Success)
> > Apr 18 19:54:02 server slapd[6971]: connection_read(12): input error=-2
> > id=3, closing.
> > Apr 18 19:54:02 server slapd[6971]: connection_closing: readying conn=3
> > sd=12 for close
> > Apr 18 19:54:02 server slapd[6971]: connection_close: conn=3 sd=12
> >
> > Now with two sasl-regexp lines:
> > sasl-regexp	uid=service/(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth
> > ldap:///cn=Service,cn=Applications,dc=cacholong,dc=nl??sub?krb5PrincipalName=service/$1@CACHOLONG.NL
> >
> > sasl-regexp	uid=(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth
> > ldap:///uid=$1,cn=Accounts,dc=cacholong,dc=nl??sub?suSeasStatus=active
> >
> > Apr 18 19:56:55 server slapd[31206]: connection_get(12): got connid=0
> > Apr 18 19:56:55 server slapd[31206]: connection_read(12): checking for
> > input on id=0
> > Apr 18 19:56:55 server slapd[21574]: do_bind
> > Apr 18 19:56:55 server slapd[31206]: ber_get_next on fd 12 failed
> > errno=11 (Resource temporarily unavailable)
> > Apr 18 19:56:55 server slapd[21574]: >>> dnPrettyNormal:
> > <uid=ldapadm,dc=cacholong,dc=nl>
> > Apr 18 19:56:55 server slapd[21574]: <<< dnPrettyNormal:
> > <uid=ldapadm,dc=cacholong,dc=nl>, <uid=ldapadm,dc=cacholong,dc=nl> Apr
> > 18 19:56:55 server slapd[21574]: do_bind: version=3
> > dn="uid=ldapadm,dc=cacholong,dc=nl" method=128
> > Apr 18 19:56:55 server slapd[21574]:
> > bdb_dn2entry_rw("uid=ldapadm,dc=cacholong,dc=nl")
> > Apr 18 19:56:55 server slapd[21574]: => bdb_dn2id_matched(
> > "uid=ldapadm,dc=cacholong,dc=nl" )
> > Apr 18 19:56:55 server slapd[21574]: <= bdb_dn2id_matched:
> > id=0x00000003: entry uid=ldapadm,dc=cacholong,dc=nl
> > Apr 18 19:56:55 server slapd[21574]: entry_decode:
> > "uid=ldapadm,dc=cacholong,dc=nl"
> > Apr 18 19:56:55 server slapd[21574]: <=
> > entry_decode(uid=ldapadm,dc=cacholong,dc=nl)
> > Apr 18 19:56:55 server slapd[21574]: => string_expand: pattern:
> > uid=ldapadm,dc=cacholong,dc=nl
> > Apr 18 19:56:55 server slapd[21574]: => string_expand: expanded:
> > uid=ldapadm,dc=cacholong,dc=nl
> > Apr 18 19:56:55 server slapd[21574]: => regex_matches: string:^I
> > Apr 18 19:56:55 server slapd[21574]: => regex_matches: rc: 1 no matches
> > Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> > Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> > Apr 18 19:56:55 server slapd[21574]: SASL [conn=0] Failure: Invalid
> > credentials
> > Apr 18 19:56:55 server slapd[21574]: getdn: u:id converted to
> > uid=ldapadm,cn=CACHOLONG.NL,cn=auth
> > Apr 18 19:56:55 server slapd[21574]: >>> dnNormalize:
> > <uid=ldapadm,cn=CACHOLONG.NL,cn=auth>
> > Apr 18 19:56:55 server slapd[21574]: <<< dnNormalize:
> > <uid=ldapadm,cn=cacholong.nl,cn=auth>
> > Apr 18 19:56:55 server slapd[21574]: ==>slap_sasl2dn: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth to a DN
> > Apr 18 19:56:55 server slapd[21574]: slap_sasl_regexp: converting SASL
> > name uid=ldapadm,cn=cacholong.nl,cn=auth
> > Apr 18 19:56:55 server slapd[21574]: <==slap_sasl2dn: Converted SASL
> > name to <nothing>
> > Apr 18 19:56:55 server slapd[21574]: send_ldap_result: conn=0 op=0 p=3
> > Apr 18 19:56:55 server slapd[21574]: send_ldap_response: msgid=1 tag=97
> > err=49
> > Apr 18 19:56:55 server slapd[21574]: ====> bdb_cache_return_entry_r( 3
> > ): created (0)
> > Apr 18 19:56:55 server slapd[31206]: connection_get(12): got connid=0
> > Apr 18 19:56:55 server slapd[31206]: connection_read(12): checking for
> > input on id=0
> > Apr 18 19:56:55 server slapd[31206]: ber_get_next on fd 12 failed
> > errno=0 (Success)
> > Apr 18 19:56:55 server slapd[31206]: connection_read(12): input error=-2
> > id=0, closing.
> > Apr 18 19:56:55 server slapd[31206]: connection_closing: readying conn=0
> > sd=12 for close
> > Apr 18 19:56:55 server slapd[31206]: connection_close: conn=0 sd=12
> >
> > It looks to me that "<==slap_sasl2dn: Converted SASL name to <nothing>"
> > this is the interesting part of the log. So i think my regexps are
> > wrong.
> >
> > How can i solve this ?
>
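To see why every configuration in the log ends in "Converted SASL name to <nothing>", here is an added illustration (not slapd's code, and not from the original post) of how sasl-regexp matching works: slapd matches each pattern, as an unanchored regex, against the normalized SASL name it logged, and the posted patterns all require a cn=gssapi component (and two of them upper-case cn=CACHOLONG.NL) that the logged name does not contain. The name and the three posted rules are taken from the log above; the MATCHING_RULE at the end is a constructed example shaped to that name, not a recommendation from the thread.

```python
import re

# The normalized name slapd logged ("slap_sasl_regexp: converting SASL name ...").
# It is lower-case and has no cn=<mechanism> component: the log shows a simple
# bind (method=128) verified through the {SASL} userPassword, not a GSSAPI bind.
SASL_NAME_FROM_LOG = "uid=ldapadm,cn=cacholong.nl,cn=auth"

# The three sasl-regexp lines from the post, as (pattern, replacement).
POSTED_RULES = [
    (r"uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth",
     "ldap://uid=$1,dc=cacholong,dc=nl"),
    (r"uid=service/(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth",
     "ldap:///cn=Service,cn=Applications,dc=cacholong,dc=nl??sub?krb5PrincipalName=service/$1@CACHOLONG.NL"),
    (r"uid=(.*),cn=CACHOLONG.NL,cn=gssapi,cn=auth",
     "ldap:///uid=$1,cn=Accounts,dc=cacholong,dc=nl??sub?suSeasStatus=active"),
]

# Constructed for this example: a rule shaped to the name actually in the log.
MATCHING_RULE = (r"uid=(.*),cn=cacholong.nl,cn=auth",
                 "ldap:///uid=$1,dc=cacholong,dc=nl")


def map_sasl_name(name, rules):
    """Expand the replacement of the first rule whose pattern matches `name`.
    Returns None when nothing matches, which slapd reports as
    'Converted SASL name to <nothing>' and then 'Invalid credentials'."""
    for pattern, replacement in rules:
        m = re.search(pattern, name)  # unanchored, like slapd's regexec()
        if m:
            # slapd substitutes $1..$9 with the corresponding capture groups
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def explain_mismatch(name, pattern):
    """List the reasons a posted pattern cannot match the logged name."""
    reasons = []
    if "cn=gssapi" in pattern and "cn=gssapi" not in name:
        reasons.append("pattern expects cn=gssapi, but the logged name has no mechanism component")
    if "CACHOLONG.NL" in pattern:
        reasons.append("pattern is upper-case, but slapd matches the normalized lower-case name")
    return reasons


if __name__ == "__main__":
    for pattern, _ in POSTED_RULES:
        print(pattern, "->", explain_mismatch(SASL_NAME_FROM_LOG, pattern))
    print(map_sasl_name(SASL_NAME_FROM_LOG, POSTED_RULES))     # None, as in the log
    print(map_sasl_name(SASL_NAME_FROM_LOG, [MATCHING_RULE]))  # ldap:///uid=ldapadm,dc=cacholong,dc=nl
```

The same posted rules do match a name that carries the mechanism, such as uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth from a real GSSAPI bind, which is why checking the name slapd actually logs is the first step before editing the regex.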