
Re: cmusaslsecretPLAIN attribute



John Burian wrote:
I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and OpenSSL:

OpenLDAP 2.3.27
Cyrus-SASL 2.1.22
OpenSSL 0.9.8b

I've created a CA on the server, used that to sign a cert, and put the appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to trust the CA). If I run 'ldapwhoami':

$ ldapwhoami
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: Password verification failed


and in the logs (appended below) I see text about an undefined attribute type 'cmusaslsecretPLAIN'. I've looked around for that string, and all the fixes I've seen seem to want to patch Cyrus-SASL.

What fixes are you talking about? Since this isn't a bug, it doesn't make sense to fix anything.


I'd like to stick with Red Hat's stock RPMs, if possible. Is there a CMU specific schema I need to include, that defines that attribute? I'd also like to keep my auth information in LDAP, rather than have a separate SASL password database.

No CMU-specific schema is needed. The SASL plugins always look for a generic userPassword attribute first, then the cmusaslsecret* attributes. In practice, no SASL software uses the cmusaslsecret* attributes any more; they're a holdover from early Cyrus SASL 1.x and totally obsolete.


My understanding is that the PLAIN authentication will be secured by the underlying SASL/TLS transport, is that correct? Thanks,

SASL/PLAIN is, as the name implies, plaintext and as such the SASL layer doesn't provide any security for this mechanism. But yes, if you're using it with TLS then the TLS protections (if any) will apply.


It sounds to me like you haven't read the OpenLDAP Admin Guide yet.

John

Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_get: [1] attr userPassword
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: to all values by "", (=0)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: self
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: *
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access granted by auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: err=0 matched="" text=""
Jul 3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password verification failed

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
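The configuration the thread is circling around, as an added example that is not part of the exchange above or of the OpenLDAP project's own documentation: a slapd.conf fragment for SASL/PLAIN with the credentials kept in userPassword (no cmusaslsecret* attributes), showing the settings that let PLAIN run over a cleartext session next to the ones that tie it to TLS. Directive names are those of OpenLDAP 2.3 slapd.conf(5); the file paths, and the reading of sasl-secprops defaults in the comments, are assumptions.

```conf
# Added example (not from the thread or from OpenLDAP's docs): slapd.conf
# fragment for SASL/PLAIN with passwords in userPassword. Paths are assumed.

# Server cert and the local CA that signed it (the poster says these exist).
TLSCACertificateFile    /etc/openldap/cacerts/ca.pem
TLSCertificateFile      /etc/openldap/certs/slapd.pem
TLSCertificateKeyFile   /etc/openldap/certs/slapd.key

# --- Weak: "none" clears the flag properties, so PLAIN is offered and the
# password travels in the clear on any session that did not negotiate TLS.
# (Shown commented out; do not combine with the hardened lines below.)
# sasl-secprops   none

# --- Hardened: reject plaintext-class mechanisms (PLAIN) unless an external
# layer, here TLS, is already in place, and refuse anonymous mechanisms.
# As far as I know this restates the slapd.conf(5) default; it is written
# out so the intent survives a later "none".
sasl-secprops   noplain,noanonymous

# Require a 128-bit security layer on every session before any operation,
# so even a client that skips -ZZ cannot bind, PLAIN or otherwise, in clear.
security        ssf=128

# The password check reads userPassword, so anonymous needs "auth"
# (compare-only, not read) access to it. This is what the poster's log shows
# being granted: acl_mask ... applying auth(=xd) on attr "userPassword".
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by * read
```

To check the hardened server from the client side, force StartTLS and fail if it does not complete: `ldapwhoami -ZZ -Y PLAIN -U burianj`. With `security ssf=128` in place the same command without `-ZZ` should be refused before the password is ever sent, which is the check worth running once rather than trusting that every client will remember the flag.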