SASL, DIGEST-MD5 and ROOTDN
Hi,

I have set up a simple OPENLDAP server and I want to begin as I mean to
go on and keep the setup secure.  To this end I want the rootdn to be
set to bind via SASL.  According to the administrators guide this can be
achieved by setting the DN to be of the form:

uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth.

I've done this but when I attempt an ldapsearch I get the following:-

ldapsearch -U user supportedSASLMechanisms
SASL/DIGEST-MD5 authentication started
Please enter your password: <password>
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-13): user not found: no secret in database

But when I test the sasl account using testsaslauthd I get the
following:-

/usr/sbin/testsaslauthd -u user -p secret -s slapd
0: OK "Success."

Looking into the logs it appears that ldap never really gets around to
authenticating properly with SASL, but instead appears to be trying to
locate an entry in the LDAP database to authenticate against (the
database is of course empty at this point!).
Snippets of the logs and my slapd.conf file are below.  Any suggestions
would be appreciated.

>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
conn=1 op=1 BIND dn="" method=163
==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
SASL [conn=1] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=197
send_ldap_response: msgid=2 tag=97 err=14
do_sasl_bind: dn () mech DIGEST-MD5
conn=1 op=2 BIND dn="" method=163
==> sasl_bind: dn="" mech=<continuing> datalen=294
SASL [conn=1] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1]: authcid="user"
slap_sasl_getdn: id=user [len=8]
=> ldap_dn2bv(16)
ldap_err2string
<= ldap_dn2bv(uid=user,cn=DIGEST-MD5,cn=auth)=0 Success
slap_sasl_getdn: u:id converted to uid=user,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=user,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=user,cn=DIGEST-MD5,cn=auth,0)
ldap_err2string
<= ldap_bv2dn(uid=user,cn=DIGEST-MD5,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=user,cn=digest-md5,cn=auth)=0 Success
<<< dnNormalize: <uid=user,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=user,cn=digest-md5,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=user,cn=digest-md5,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1]: slapAuthcDN="uid=user,cn=digest-md5,cn=auth"
SASL [conn=1] Error: unable to open Berkeley db /etc/sasldb2: Permission
denied
SASL [conn=1] Error: unable to open Berkeley db /etc/sasldb2: Permission
denied
SASL [conn=1] Error: unable to open Berkeley db /etc/sasldb2: Permission
denied
SASL Canonicalize [conn=1]: authzid="user"
SASL [conn=1] Failure: no secret in database
send_ldap_result: conn=1 op=2 p=3
send_ldap_result: err=80 matched="" text="SASL(-13): user not found: no secret in database


include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
allow bind_v2
pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

database	bdb
suffix		"dc=example,dc=com"
rootdn		"uid=user,cn=example.com,cn=DIGEST-MD5,cn=auth"

# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/local/lib/ldap/phyworks-address

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

Regards,

Bernard McAuley
bernard.mcauley@phyworks-ic.com
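A small diagnostic over the quoted log and slapd.conf, added here as an example and not part of Bernard's post: it pulls the canonicalised slapAuthcDN that slapd logged and the rootdn from the config, compares them after a rough normalisation (an assumption that only approximates slapd's dnNormalize for DNs this simple), and flags the sasldb errors the log reports. The function and finding names are my own.

```python
import re

# Constructed sample: lines copied from the slapd debug output and the
# rootdn line from the slapd.conf quoted in the post above.
SAMPLE_LOG = """\
SASL Canonicalize [conn=1]: authcid="user"
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1]: slapAuthcDN="uid=user,cn=digest-md5,cn=auth"
SASL [conn=1] Error: unable to open Berkeley db /etc/sasldb2: Permission denied
SASL [conn=1] Failure: no secret in database
"""
SAMPLE_CONF = 'rootdn\t\t"uid=user,cn=example.com,cn=DIGEST-MD5,cn=auth"\n'


def normalize_dn(dn):
    """Rough DN normalisation (assumption): lowercase each RDN and strip
    whitespace around the separators. Good enough for the DNs seen here;
    it is not a full RFC 4514 normaliser."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def extract_authc_dn(log):
    """Return the slapAuthcDN slapd reports after SASL canonicalisation."""
    m = re.search(r'slapAuthcDN="([^"]+)"', log)
    return m.group(1) if m else None


def extract_rootdn(conf):
    """Return the rootdn value from a slapd.conf fragment (quotes optional)."""
    m = re.search(r'^\s*rootdn\s+"?([^"\n]+)"?\s*$', conf, re.M)
    return m.group(1) if m else None


def diagnose(log, conf):
    """List the findings a reviewer would check first for a failed
    DIGEST-MD5 rootdn bind, in a fixed order."""
    findings = []
    authc, root = extract_authc_dn(log), extract_rootdn(conf)
    # The bind only counts as rootdn if the canonical authcDN equals rootdn.
    if authc and root and normalize_dn(authc) != normalize_dn(root):
        findings.append("rootdn-mismatch")
    # No authz-regexp matched, so the cn=auth form is used unchanged.
    if "Converted SASL name to <nothing>" in log:
        findings.append("sasl-name-unmapped")
    if re.search(r"unable to open Berkeley db \S+: Permission denied", log):
        findings.append("sasldb-permission-denied")
    if "no secret in database" in log:
        findings.append("no-secret-in-sasldb")
    return findings
```

On the quoted data it reports the DN mismatch (the logged authcDN has no cn=example.com component while the rootdn does) together with the sasldb permission and missing-secret errors.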