[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication fail | sasl


>>>>> "Hagen" == Hagen Paul Pfeifer <hagen@jauu.net> writes:

    Hagen> Hello, it concerns the following problem:

    Hagen> If I remove the following entry from slapd.conf

    Hagen> access to * by * read

    Hagen> and I do a

    Hagen> ldapsearch -b "dc=0xdef,dc=net" -D
    Hagen> "uid=pfeifer,ou=users,dc=0xdef,dc=net" "objectclass=*" -Y
    Hagen> digest-md5

    Hagen> ldapsearch returns:

    Hagen> SASL/DIGEST-MD5 authentication started Please enter your
    Hagen> password: ldap_sasl_interactive_bind_s: Internal
    Hagen> (implementation specific) error (80) additional info:
    Hagen> SASL(-13): user not found: no secret in database

    Hagen> But when I added "access to * by * read

    Hagen> sasl mechanism is working!

    Hagen> Now I think sasl haven't the accurate access rights to
    Hagen> access the users ldap userPassword entry ("no secret in
    Hagen> database"), because when there is a worldwide read acces
    Hagen> the mechanisn is ok!?

    Hagen> Here are my sldapd.conf entries for access stuff:

    Hagen> suffix "dc=0xdef,dc=net" rootdn "cn=admin,dc=0xdef,dc=net"
    Hagen> rootpw {SSHA}yVT8vzdssH5+5QlO7RRicsSufwAmCx7v saslRegex
    Hagen>      uid=(.*),cn=digest-md5,cn=auth
    Hagen>      uid=$1,cn=users,dc=0xdef,dc=net
    Hagen> access to dn.base="" by * read

    Hagen> access to attribute=userPassword
    Hagen>           by dn="cn=root,dc=0xdef,dc=net" write by
    Hagen>           anonymous auth by self write by * none

    Hagen>  access to dn.subtree="uid=(.*),ou=users,dc=0xdef,dc=net"
    Hagen>           by dn="uid=(.*),ou=users,dc=0xdef,dc=net" write
    Hagen>           by anonymous auth by * none

Your searchstring starts at dc=0xdef,dc=net but you have no access to
this subtree, not even for auth purposes.See man slapd.access(5) and
http://www.openldap.org/faq/data/cache/1005.html for examples.
Run slapd in loglevel 128 mode to watch authentication procedures.


Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521