
Re: DIGEST-MD5 returns 'user not found'



lemons_terry@emc.com wrote:
Thanks, as ever, for the help, Kyle.

I started slapd in debug mode.  When I executed the command you suggested, I see:

ldap_err2string
<= ldap_dn2bv(uid=root,cn=digest-md5,cn=auth)=0 Success
<<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=12] Failure: no secret in database

So, the good news is that "uid=root,cn=digest-md5,cn=auth" does look correct.  But I then see "Converted SASL name to <nothing>".  Here are the final lines in my /etc/openldap/slapd.conf:

# SASL options
password-hash {cleartext}
authz-regexp uid=(.*),cn=tivo2.backup,cn=digest-md5,cn=auth uid=tlemons
authz-regexp uid=(.*),cn=digest-md5,cn=auth uid=tlemons
tivo2:~ #
I thought that the first authz-regexp line would have mapped any account to uid-tlemons, but this apparently didn't happen.

The important thing to note here is that the SASL library is omitting the realm name, which is its normal behavior when using the default realm.


Also, "uid=tlemons" is a pretty short DN. It seems to me you're missing some things, unless you happen to be using a very very small test database.

Also, when is the information in sasldb2 used? It looks to me like it isn't, and that authentication is occurring against entries that should be in the LDAP database itself?

The SASL library tries all available information sources. If there was a "root" user record in your sasldb2 file it would have been used. Since your sasldblistusers2 output shows "root@tivo2" I'd say you have the wrong realm info in your database, as that doesn't match either "root" or "root@tivo2.backup".

Thanks tl


-----Original Message-----
From: openldap-software-bounces+lemons_terry=emc.com@openldap.org [mailto:openldap-software-bounces+lemons_terry=emc.com@openldap.org] On Behalf Of Chapman, Kyle
Sent: Monday, April 02, 2007 11:42 AM
To: openldap-software@openldap.org
Subject: RE: DIGEST-MD5 returns 'user not found'

Does:
ldapsearch -y digest-md5 -U root -R tivo2 -W

Show anything diff. I haven't used sasldb2 stuff in a while, however with digestmd5 when secrets are stored in the ldap dit, had to be clear text.

-----Original Message-----
From: openldap-software-bounces+kyle_chapman=g1.com@OpenLDAP.org [mailto:openldap-software-bounces+kyle_chapman=g1.com@OpenLDAP.org] On Behalf Of lemons_terry@emc.com
Sent: Monday, April 02, 2007 10:36 AM
To: openldap-software@openldap.org
Subject: DIGEST-MD5 returns 'user not found'

Hi

I'm trying to use DIGEST-MD5 authentication on a SLES 9 SP3 system running OpenLDAP 2.

tivo2:~ # ldapsearch
SASL/DIGEST-MD5 authentication started
Please enter your password: ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database


When I run 'ldapsearch -d 2', I see that 'username=root' and 'realm=tivo2.backup'.

I believe that I have the correct entry for 'root' in the SASL database:

sasldblistusers2
root@tivo2: userPassword

So why is SASL saying 'user not found'?

Thanks
tl


Terry Lemons
Backup Platforms Group
EMC²

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
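To make the two slapd stages visible in the debug trace above concrete (the DN-form SASL name, with cn=&lt;realm&gt; present only when the client sent one, and the ordered authz-regexp rewrite), here is an added example that emulates them in Python; it is not code from the thread or from OpenLDAP. It assumes the evaluation model documented for authz-regexp (first matching rule wins, $1..$9 substituted from capture groups, unanchored case-insensitive matching as with regexec(3)), and the dc=example,dc=com suffix and ou=people container in the second rule set are constructed.

```python
import re

# Added example, not code from the thread: emulates the two slapd stages the
# debug output above shows (SASL name construction, then authz-regexp).

def sasl_auth_dn(authcid, mech, realm=None):
    """DN-form SASL identity slapd hands to authz-regexp. The cn=<realm>
    component appears only when the client sent a realm; Cyrus SASL omits
    it for the default realm, which is what the thread's trace shows."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts).lower()

def apply_authz_regexp(sasl_name, rules):
    """Emulate authz-regexp evaluation: rules are tried in order, the first
    matching pattern wins, and $1..$9 in its replacement are filled from
    the capture groups. Assumption: patterns are unanchored and
    case-insensitive, as with regexec(3) under REG_ICASE. None models
    the 'Converted SASL name to <nothing>' outcome."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name, re.IGNORECASE)
        if m:
            return re.sub(r"\$([1-9])",
                          lambda g: m.group(int(g.group(1))), replacement)
    return None

# Rules as posted in the thread (replacement is a bare RDN, not a full DN).
THREAD_RULES = [
    (r"uid=(.*),cn=tivo2.backup,cn=digest-md5,cn=auth", "uid=tlemons"),
    (r"uid=(.*),cn=digest-md5,cn=auth", "uid=tlemons"),
]

# Constructed rule set: full DNs under a hypothetical suffix, and [^,]*
# instead of .* so a realm-bearing name cannot fall through to the
# realm-less rule with the realm swallowed into $1.
FULL_DN_RULES = [
    (r"uid=([^,]*),cn=tivo2.backup,cn=digest-md5,cn=auth",
     "uid=$1,ou=people,dc=example,dc=com"),
    (r"uid=([^,]*),cn=digest-md5,cn=auth",
     "uid=$1,ou=people,dc=example,dc=com"),
]

if __name__ == "__main__":
    for realm in ("tivo2.backup", None):
        name = sasl_auth_dn("root", "DIGEST-MD5", realm)
        print(name, "->", apply_authz_regexp(name, THREAD_RULES),
              "/", apply_authz_regexp(name, FULL_DN_RULES))
```

Run stand-alone it prints the mapping for both a realm-bearing and a realm-less name under each rule set, so you can see which rule a given SASL name actually hits before touching slapd.conf.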