
SASL and mail attribute help

I changed my slapd.conf as follows (just removed the cn=powell, which seemed
to be a problem, and ou=people from the ldap URL, which should not matter):

password-hash	{CLEARTEXT}

I turned saslauthd off because experimentation made it apparent that
openldap uses the SASL libraries, but does not require the daemon.

My previously given simple bind using a filter of mail=pacifico@example.com
continues to work correctly (as shown previously, near the bottom of this

Still, trying to authenticate with the email address fails:
	[pacifico@powell data]$ ldapsearch -U 'pacifico@example.com' -Y DIGEST-MD5 -W 'mail=pacifico@example.com' 'cn'
	Enter LDAP Password:
	SASL/DIGEST-MD5 authentication started
	ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
	        additional com: SASL(-13): user not found: no secret in

Examining the error output of slapd -d 7 (follows below, with lines numbered
for reference purposes) reveals that sasl-regexp has done its job perfectly
(lines 193-5 below), but the sought-after entry does not match the filter
(lines 236-240). I suppose lines 257-264 indicate a fallback to a sasldb
which would be expected to fail and apparently does, giving the same message
on line 264 as on 255.

Any suggestions? What am I missing?

output of slapd -d 7: (I must apologize for the residual verbosity)
   181	do_sasl_bind: dn () mech DIGEST-MD5
   182	==> sasl_bind: dn="" mech=<continuing> datalen=270
   183	SASL [conn=0] Debug: DIGEST-MD5 server step 2
   184	SASL Canonicalize [conn=0]: authcid="pacifico@example.com"
   185	slap_sasl_getdn: id=pacifico@example.com [len=20]
   186	slap_sasl_getdn: u:id converted to
   187	>>> dnNormalize: <uid=pacifico@example.com,cn=DIGEST-MD5,cn=auth>
   188	=> ldap_bv2dn(uid=pacifico@example.com,cn=DIGEST-MD5,cn=auth,0)
   189	<= ldap_bv2dn(uid=pacifico@example.com,cn=DIGEST-MD5,cn=auth,0)=0
   190	=> ldap_dn2bv(272)
   191	<= ldap_dn2bv(uid=pacifico@example.com,cn=digest-md5,cn=auth,272)=0
   192	<<< dnNormalize: <uid=pacifico@example.com,cn=digest-md5,cn=auth>
   193	==>slap_sasl2dn: converting SASL name uid=pacifico@example.com,cn=digest-md5,cn=auth to a DN
   194	slap_sasl_regexp: converting SASL name
   195	slap_sasl_regexp: converted SASL name to
   196	slap_parseURI: parsing
   198	put_filter: "(mail=pacifico@example.com)"
   199	put_filter: simple
   200	put_simple_filter: "mail=pacifico@example.com"
   201	ber_scanf fmt ({mm}) ber:
   202	>>> dnNormalize: <dc=example,dc=com>
   203	=> ldap_bv2dn(dc=example,dc=com,0)
   204	<= ldap_bv2dn(dc=example,dc=com,0)=0
   205	=> ldap_dn2bv(272)
   206	<= ldap_dn2bv(dc=example,dc=com,272)=0
   207	<<< dnNormalize: <dc=example,dc=com>
   208	slap_sasl2dn: performing internal search (base=dc=example,dc=com,
   209	=> bdb_search
   210	bdb_dn2entry("dc=example,dc=com")
   211	=> bdb_dn2id( "dc=example,dc=com" )
   212	<= bdb_dn2id: got id=0x00000001
   213	entry_decode: "dc=example,dc=com"
   214	<= entry_decode(dc=example,dc=com)
   215	search_candidates: base="dc=example,dc=com" (0x00000001) scope=2
   216	=> bdb_dn2idl( "dc=example,dc=com" )
   217	=> bdb_equality_candidates (objectClass)
   218	<= bdb_equality_candidates: (objectClass) index_param failed (18)
   219	=> bdb_equality_candidates (mail)
   220	=> key_read
   221	bdb_idl_fetch_key: [3ffb653f]
   222	<= bdb_index_read 1 candidates
   223	<= bdb_equality_candidates: id=1, first=4, last=4
   224	bdb_search_candidates: id=-1 first=1 last=10
   225	bdb_search: 1 does not match filter
   226	entry_decode: "ou=people,dc=example,dc=com"
   227	<= entry_decode(ou=people,dc=example,dc=com)
   228	=> bdb_dn2id( "ou=people,dc=example,dc=com" )
   229	<= bdb_dn2id: got id=0x00000002
   230	bdb_search: 2 does not match filter
   231	entry_decode: "ou=clients,dc=example,dc=com"
   232	<= entry_decode(ou=clients,dc=example,dc=com)
   233	=> bdb_dn2id( "ou=clients,dc=example,dc=com" )
   234	<= bdb_dn2id: got id=0x00000003
   235	bdb_search: 3 does not match filter
   236	entry_decode: "cn=Al Pacifico,ou=People,dc=example,dc=com"
   237	<= entry_decode(cn=Al Pacifico,ou=People,dc=example,dc=com)
   238	=> bdb_dn2id( "cn=al pacifico,ou=people,dc=example,dc=com" )
   239	<= bdb_dn2id: got id=0x00000004
   240	bdb_search: 4 does not match filter
   241	entry_decode: "cn=ldapsync,dc=example,dc=com"
   242	<= entry_decode(cn=ldapsync,dc=example,dc=com)
   243	=> bdb_dn2id( "cn=ldapsync,dc=example,dc=com" )
   244	<= bdb_dn2id: got id=0x00000006
   245	entry_decode: "ou=groups,dc=example,dc=com"
   246	<= entry_decode(ou=groups,dc=example,dc=com)
   247	=> bdb_dn2id( "ou=groups,dc=example,dc=com" )
   248	<= bdb_dn2id: got id=0x00000007
   249	bdb_search: 7 does not match filter
   250	entry_decode: "cn=administrators,ou=groups,dc=example,dc=com"
   251	<= entry_decode(cn=administrators,ou=groups,dc=example,dc=com)
   252	=> bdb_dn2id( "cn=administrators,ou=groups,dc=example,dc=com" )
   253	<= bdb_dn2id: got id=0x0000000a
   254	bdb_search: 10 does not match filter
   255	send_ldap_result: conn=0 op=0 p=3
   256	send_ldap_result: err=0 matched="" text=""
   257	<==slap_sasl2dn: Converted SASL name to <nothing>
   258	SASL Canonicalize [conn=0]:
   259	SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
   260	SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
   261	SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
   262	SASL Canonicalize [conn=0]: authzid="pacifico@example.com"
   263	SASL [conn=0] Failure: no secret in database
   264	send_ldap_result: conn=0 op=1 p=3
   265	send_ldap_result: err=80 matched="" text="SASL(-13): user not found: no secret in database"
   266	send_ldap_response: msgid=2 tag=97 err=80

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Al Pacifico
Sent: Wednesday, June 01, 2005 12:30 PM
To: OpenLDAP-software@OpenLDAP.org
Subject: RE: SASL and mail attribute help

Michael and Hallvard-
Thank you for your responses! The reinforcement regarding the context of uid
was essential.

However, I'm still having troubles...

My slapd.conf contains:

	password-hash   {CLEARTEXT}

My realm should be my fully-qualified domain name, correct?

	[pacifico@powell data]$ hostname --fqdn

A simple bind finds an entry without problem:

	[pacifico@powell data]$ ldapsearch -x -D 'cn=Al Pacifico,ou=people,dc=example,dc=com' -W 'mail=pacifico@example.com' 'cn'
	Enter LDAP Password:
	# extended LDIF
	# LDAPv3
	# base <> with scope sub
	# filter: mail=pacifico@example.com
	# requesting: cn
	# Al Pacifico, People, example.com
	dn: cn=Al Pacifico,ou=People,dc=example,dc=com
	cn: Al Pacifico
	# search result
	search: 2
	result: 0 Success
	# numResponses: 2
	# numEntries: 1

Now, authenticating with email address:
	[pacifico@powell data]$ ldapsearch -U 'pacifico@example.com' -Y DIGEST-MD5 -W 'mail=pacifico@example.com' 'cn'
	Enter LDAP Password:
	SASL/DIGEST-MD5 authentication started
	ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
	        additional com: SASL(-13): user not found: no secret in

Additional information:
	1. Substituting -D for -U seems to halt earlier in the process.
	2. Adding the -D option and argument from the simple bind example
produces the same result.
	3. Adding the -v flag provides no additional useful information.
	4. I've confirmed saslauthd is running on my machine and the error
message implies it is running as well.

I suspect I've omitted something SASL-related from my slapd.conf or made
some simple error in the sasl-regexp. Suggestions?


-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Michael Ströder
Sent: Wednesday, June 01, 2005 10:15 AM
To: Al Pacifico
Cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: SASL and mail attribute help

Michael Ströder wrote:
> Al Pacifico wrote:
>>The examples at OpenLDAP show use of the uid attribute, which is not
>>for all entries in my directory. I'm not sure how to map to the correct
>>authentication request DN.
> Simply fill the attribute uid of all entries by assigning each user who
> has to bind to OpenLDAP a unique user name.
> Or use another unique attribute like 'employeeNumber'.

Sorry, got you wrong.

What you're probably after is (example not tested!):


Note 'mail=$' in the LDAP URL.

Ciao, Michael
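Editor's note, added to this archived thread: the mapping Michael describes (authcid -> canonical SASL name -> regexp -> LDAP URL with a mail= filter -> internal search -> DN) is the same pipeline the slapd -d 7 output in the first message walks through, steps 184 to 257. The example below is not slapd code and not the poster's configuration; it is a small Python model of that pipeline. The regexp and URL in it are reconstructed from the debug output (uid=...,cn=digest-md5,cn=auth parsed into base dc=example,dc=com, scope sub, filter (mail=...)); the actual sasl-regexp line is not on the page, and in later OpenLDAP releases the directive is spelled authz-regexp. The sample directory entries are constructed. Two points the thread only implies: the regexp is matched against the normalized name, where dnNormalize has already lower-cased cn=DIGEST-MD5, and a realm component (cn=powell) in the name makes a regexp without one fail to match. The RFC 4515 escaping of the substituted value is this example's own safeguard against an authcid that contains filter metacharacters; it is not a statement about what slapd does. Separately, DIGEST-MD5 needs the plaintext password on the server side, which is why password-hash {CLEARTEXT} appears in this thread; that makes read access to userPassword the thing to lock down in the ACLs.

```python
"""Model of slapd's sasl-regexp mapping (added example; not slapd's own code)."""
import re
from urllib.parse import unquote

# Reconstructed from the thread's debug output; the real slapd.conf line is absent.
SASL_REGEXP = r"uid=([^,]*),cn=digest-md5,cn=auth"
SASL_URL = "ldap:///dc=example,dc=com??sub?(mail=$1)"

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub", "subtree": "sub"}

# Constructed sample directory, not the poster's data.
DIRECTORY = [
    {"dn": "dc=example,dc=com", "objectClass": ["dcObject"]},
    {"dn": "ou=People,dc=example,dc=com", "objectClass": ["organizationalUnit"]},
    {"dn": "cn=Al Pacifico,ou=People,dc=example,dc=com",
     "objectClass": ["inetOrgPerson"], "mail": ["pacifico@example.com"]},
]


def sasl_authcid_to_name(authcid, mech="DIGEST-MD5", realm=None):
    """Canonical SASL name for a u:id identity: uid=<id>[,cn=<realm>],cn=<mech>,cn=auth."""
    parts = ["uid=" + authcid]
    if realm:
        parts.append("cn=" + realm)
    parts += ["cn=" + mech, "cn=auth"]
    return ",".join(parts)


def normalize_dn(dn):
    """Simplified stand-in for dnNormalize: the log shows case-insensitive values
    folded to lower case (cn=DIGEST-MD5 -> cn=digest-md5), so the regexp must
    be written against the lower-cased mechanism name."""
    return dn.lower()


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (this example's
    safeguard so an authcid like 'x)(mail=*' cannot reshape the filter)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def map_sasl_name(sasl_name, regexp=SASL_REGEXP, url=SASL_URL):
    """One sasl-regexp rule: match the normalized name, substitute $1..$9 into
    the URL. None means the rule did not match."""
    m = re.fullmatch(regexp, normalize_dn(sasl_name))
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: escape_filter_value(m.group(int(g.group(1)))), url)


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter (RFC 4516) into its parts."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap URL: " + url)
    host, _, rest = url[len("ldap://"):].partition("/")
    fields = rest.split("?", 3)
    fields += [""] * (4 - len(fields))
    base, attrs, scope, filt = (unquote(f) for f in fields)
    return {"host": host, "base": base,
            "attrs": [a for a in attrs.split(",") if a],
            "scope": SCOPES[scope.lower()],
            "filter": filt or "(objectClass=*)"}


def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)


def search(directory, base, scope, filt):
    """Minimal internal search: one equality filter, compared case-insensitively
    (mail uses caseIgnoreIA5Match). Returns the DNs that match."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if m is None:
        raise ValueError("only (attr=value) filters are modelled here")
    attr, want = m.group(1), unescape_filter_value(m.group(2)).lower()
    return [e["dn"] for e in directory
            if in_scope(e["dn"], base, scope)
            and any(v.lower() == want for v in e.get(attr, []))]


def sasl_to_dn(authcid, directory=DIRECTORY, realm=None):
    """authcid -> SASL name -> regexp/URL -> search -> exactly one DN, else None
    (the log's 'Converted SASL name to <nothing>', after which slapd fell back
    to the missing /etc/sasldb2)."""
    url = map_sasl_name(sasl_authcid_to_name(authcid, realm=realm))
    if url is None:
        return None
    q = parse_ldap_url(url)
    hits = search(directory, q["base"], q["scope"], q["filter"])
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(sasl_to_dn("pacifico@example.com"))            # the entry's DN
    print(sasl_to_dn("pacifico@example.com", realm="powell"))  # None: regexp has no realm
```

The realm case reproduces the first thing the poster changed: with cn=powell still in the canonical name, a regexp that does not expect a realm component simply does not match, and the mapping yields nothing before any search happens. When the regexp does match and the search still returns no entry, as in the posted log where candidate id=4 was read from the mail index but then reported as not matching the filter, the model above gives no explanation; that is the part of the thread left open.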