Digest-MD5 SASL binds
- To: openldap-software@OpenLDAP.org
- Subject: Digest-MD5 SASL binds
- From: "Dr. Lars Hanke" <lars@lhanke.de>
- Date: Tue, 15 Feb 2005 21:42:31 +0100
- Content-disposition: inline
- Organization: Microsystem Accessory Consult
- User-agent: KMail/1.6.2
Hi,
I'm totally lost concerning ideas of what might be going on. I'm trying to do
a SASL bind using DIGEST-MD5 authentication with OL 2.2.23, Cyrus-SASL
2.1.19.
My test command:
ldapsearch -U mailadmin -W -b 'ou=mailbox,dc=uac,dc=mgr' -Y DIGEST-MD5
This SASL user is internally converted by a regexp:
sasl-regexp
uid=(.*)admin,cn=mgr,cn=.*,cn=auth
ldap:///ou=administrators,ou=it,dc=uac,dc=mgr??one?(uid=$1)
However, the strange things start before LDAP cares about looking up the user
(slapd -1):
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=176
send_ldap_response: msgid=1 tag=97 err=14
ber_flush: 195 bytes to sd 12
<== slap_sasl_bind: rc=14
... now it waits for a minute or two; can anybody explain what this log wants
to tell me? Afterwards, the bind starts over ...
onnection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 291 contents:
ber_get_next
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
Are these server steps an internal counter or does slapd try something
different?
=> ldap_dn2bv(16)
ldap_err2string
<= ldap_dn2bv(uid=mailadmin,cn=MGR,cn=DIGEST-MD5,cn=auth)=0 Success
And here we go ... (cut out all that lookup stuff) ...
<==slap_sasl2dn: Converted SASL name to
cn=mail,ou=administrators,ou=it,dc=uac,dc=mgr
getdn: dn:id converted to cn=mail,ou=administrators,ou=it,dc=uac,dc=mgr
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: Permission
denied
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: Permission
denied
SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: Permission
denied
=> bdb_search
bdb_dn2entry("cn=mail,ou=administrators,ou=it,dc=uac,dc=mgr")
slap_auxprop: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=0 op=0 p=3
SASL Authorize [conn=0]: proxy authorization allowed
send_ldap_sasl: err=0 len=40
send_ldap_response: msgid=2 tag=97 err=0
ber_flush: 56 bytes to sd 12
<== slap_sasl_bind: rc=0
do_bind: SASL/DIGEST-MD5 bind:
dn="cn=mail,ou=administrators,ou=it,dc=uac,dc=mgr" ssf=128
Et voila! By the way, there is no sasldb2 file for purpose. Why the heck is it
looking for it, when the password is in the LDAP tree? And which attribute
may be undefined?
And most of all, why can slapd SASL authenticate in the second run instead of
immediately? What is it waiting for all that time?
Any help appreciated,
- lars.
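As an added illustration (not part of the post or of OpenLDAP's code), here is a small Python model of the conversion the log reports at slap_sasl2dn: the SASL identity becomes uid=...,cn=REALM,cn=MECH,cn=auth, the sasl-regexp rewrites it into an LDAP URL, and the URL's base/scope/filter are searched for exactly one entry. The two-entry directory is constructed, and case-insensitive matching is an assumption taken from the log, where cn=MGR satisfies the cn=mgr pattern.

```python
import re

# sasl-regexp rule copied from the post: match pattern and replacement LDAP URL.
SASL_REGEXP = (
    r"uid=(.*)admin,cn=mgr,cn=.*,cn=auth",
    "ldap:///ou=administrators,ou=it,dc=uac,dc=mgr??one?(uid=$1)",
)

# Constructed directory fragment standing in for the real tree (hypothetical).
DIRECTORY = {
    "cn=mail,ou=administrators,ou=it,dc=uac,dc=mgr": {"uid": "mail"},
    "cn=ldap,ou=administrators,ou=it,dc=uac,dc=mgr": {"uid": "ldap"},
}

def sasl_auth_dn(user, realm, mech):
    """Authentication request DN that slapd builds for a SASL identity."""
    return f"uid={user},cn={realm},cn={mech},cn=auth"

def apply_sasl_regexp(auth_dn, rule=SASL_REGEXP):
    """Rewrite the auth DN with the rule; None if it does not match.
    Case-insensitive matching is an assumption based on the log."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
    if m is None:
        return None
    # $1..$9 in the replacement stand for the captured groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four parts."""
    base, attrs, scope, filt = url[len("ldap:///"):].split("?")
    return base, attrs, scope or "base", filt

def search(base, scope, filt, directory=DIRECTORY):
    """Minimal search: base or one-level scope, single (attr=value) filter."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", filt).groups()
    hits = []
    for dn, entry in directory.items():
        scope_dn = dn.split(",", 1)[1] if scope == "one" else dn
        if scope_dn.lower() != base.lower():
            continue
        if entry.get(attr, "").lower() == value.lower():
            hits.append(dn)
    return hits

def resolve_sasl_user(user, realm, mech):
    """Regexp rewrite, URL parse, lookup; slapd accepts exactly one hit."""
    url = apply_sasl_regexp(sasl_auth_dn(user, realm, mech))
    if url is None:
        return None
    base, _attrs, scope, filt = parse_ldap_url(url)
    hits = search(base, scope, filt)
    return hits[0] if len(hits) == 1 else None
```

Running resolve_sasl_user("mailadmin", "MGR", "DIGEST-MD5") reproduces the mapping in the log, which makes it easy to check which entry an identity will bind as before touching the server.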