
Re: cmusaslsecretPLAIN attribute



You might want to start by supplying some more information to ldapwhoami.

It sounds like you would like to not use SASL (at least for now),
using a simple bind instead. Thus, according to 'man ldapwhoami', you
want something like this:

$ ldapwhoami -x -W -D <dn> -H <ldap URL>

Where <dn> should be replaced with your DN, and <ldap URL> should be
replaced with an LDAP URL.

If you are testing StartTLS, you probably also want -ZZ.

Matt

On 7/3/07, John Burian <john@burian.org> wrote:
I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and
OpenSSL:

OpenLDAP 2.3.27
Cyrus-SASL 2.1.22
OpenSSL 0.9.8b

I've created a CA on the server, used that to sign a cert, and put the
appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to
trust the CA). If I run 'ldapwhoami':

$ ldapwhoami
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password
verification failed

and in the logs (appended below) I see text about an undefined attribute
type 'cmusaslsecretPLAIN'. I've looked around for that string, and all
the fixes I've seen seem to want to patch Cyrus-SASL. I'd like to stick
with Red Hat's stock RPMs, if possible. Is there a CMU specific schema I
need to include, that defines that attribute? I'd also like to keep my
auth information in LDAP, rather than have a separate SASL password
database. My understanding is that the PLAIN authentication will be
secured by the underlying SASL/TLS transport, is that correct? Thanks,

John

Jul  3 07:50:49 Hodgkin slapd[1342]: => acl_get: [1] attr userPassword
Jul  3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry
"uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul  3 07:50:49 Hodgkin slapd[1342]: => acl_mask: to all values by "", (=0)
Jul  3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: self
Jul  3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat:
uid=root,ou=people,dc=cqcb
Jul  3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: *
Jul  3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd)
(stop)
Jul  3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] mask: auth(=xd)
Jul  3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access
granted by auth(=xd)
Jul  3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup:
str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul  3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3
Jul  3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: err=0 matched=""
text=""
Jul  3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password
verification failed
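
A debug log like the one in this thread is easier to read once the mail-wrapped lines are re-joined into whole records. The following is an added example, not part of the original thread: it unwraps the records and extracts the ACL decision, the undefined attribute lookup and the SASL failure. The sample lines are constructed from the log in the message, and the names `unwrap` and `triage` are hypothetical.

```python
import re

# Constructed sample: slapd debug lines based on the log in the message,
# hard-wrapped the way a mail client wraps pasted output.
SAMPLE = """\
Jul  3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry
"uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul  3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd)
(stop)
Jul  3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access
granted by auth(=xd)
Jul  3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup:
str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul  3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3
Jul  3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password
verification failed
"""

# Syslog prefix: timestamp, host, slapd[pid]. A line without it is a wrapped tail.
PREFIX = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) slapd\[(\d+)\]: (.*)$")

def unwrap(text):
    """Re-join wrapped continuation lines onto the record they belong to."""
    records = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            records.append(m.group(4))
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Extract the ACL decision, undefined attribute lookups and SASL failures."""
    out = {"acl": None, "granted": None, "undefined": [], "sasl_failures": []}
    for msg in unwrap(text):
        if m := re.search(r'access to entry "([^"]+)", attr "([^"]+)" requested', msg):
            out["acl"] = (m.group(1), m.group(2))  # (entry DN, attribute)
        elif m := re.search(r"access_allowed: (\w+) access granted by (\S+)", msg):
            out["granted"] = (m.group(1), m.group(2))  # (access level, ACL mask)
        elif m := re.search(r"str2ad\(([^)]+)\): attribute type undefined", msg):
            out["undefined"].append(m.group(1))
        elif m := re.search(r"SASL \[conn=(\d+)\] Failure: (.*)", msg):
            out["sasl_failures"].append((int(m.group(1)), m.group(2)))
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```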