
RE: PROBLEM: can't use SASL to authentication openldap client

Hi,

I tried again with the following steps:

1. saslpasswd2 -c admin

2. configure slapd.conf:

 sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever
 database      bdb
 suffix          "ou=people,o=Ever"
 rootdn          "uid=admin,ou=People,o=Ever"

3. I use the following LDIF file

dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization

dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit

dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Administrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson

dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: admin@eversystems.com.br
uid: admin
cn: Administrator
sn: admin

4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256

5. ./ldapsearch -U admin -Y DIGEST-MD5

Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

6. slapd log is:

 slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1277198750
ber_get_next
conn=0 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1277198752
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=admin,ou=People,o=Ever'}
slap_parseURI: parsing uid=admin,ou=People,o=Ever
ldap_url_parse_ext(uid=admin,ou=People,o=Ever)
>>> dnNormalize: <uid=admin,ou=People,o=Ever>
<<< dnNormalize: <uid=admin,ou=people,o=ever>
<==slap_sasl2dn: Converted SASL name to uid=admin,ou=people,o=ever
slap_sasl_getdn: dn:id converted to uid=admin,ou=people,o=ever
=> bdb_search
bdb_dn2entry("uid=admin,ou=people,o=ever")
=> bdb_dn2id("ou=people,o=ever")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("uid=admin,ou=people,o=ever")
<= bdb_dn2id: got id=0x2
entry_decode: "uid=admin,ou=People,o=Ever"
<= entry_decode(uid=admin,ou=People,o=Ever)
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=0 op=1 p=3
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=0 sd=12

Why would this happen?


-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Tuesday, June 22, 2010 1:06 AM
To: LI Ji D
Cc: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

On 21/06/10 09:52 +0800, LI Ji D wrote:
> 3. Then I configure the slapd.conf to be like this:
>
>    authz-policy to
>    sasl-regexp     "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
>    database      bdb
>    suffix          "dc=example,dc=com"
>    rootdn "uid=111,cn=digest-md5,cn=auth"
>
> 4. Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:
>
>    pwcheck_method: auxprop
>    auxprop_plugin: sasldb
>    mech_list: plain login ntlm cram-md5 digest-md5
>
> 5. Then I start slapd with command 'slapd -d 1', and run
> ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p
> 389', but fails with reason: user not found: no secret in database.
> The log of slapd is:
>
> slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
> >>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
> <<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
> slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
> SASL [conn=1] Failure: no secret in database

It's not clear which user credentials are being retrieved from sasldb. Is
it uid=liji1,cn=digest-md5,cn=auth or liji1?

You could increase your cyrus debugging to get more information out of
syslog: Add an:

auth.debug...

to your syslog configuration, and add this to your
/usr/lib/sasl2/slapd.conf:

log_level: 7

--
Dan White
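The two slapd logs in this thread both show the same sequence: the SASL authentication id becomes uid=<authcid>,cn=<mech>,cn=auth, one sasl-regexp rule rewrites it, and slapd then goes looking for the secret wherever the rewritten identity points. The script below, an added example that is not OpenLDAP code and not from anyone in the thread, replays that mapping for the three rules visible on this page (the rule as it appears in the step 6 log, the rule as pasted in step 2, which still contains cn=rdnt03, and the earlier rule Dan White quoted) and reports whether the result is a real entry under the database suffix or still a SASL identity under cn=auth. It models only the `$N` substitution of sasl-regexp and a simplified dnNormalize; slapd's rewrite engine does more than this, and the classification labels are mine.

```python
import re
from typing import Optional, Tuple

# Added example: replays the sasl-regexp identity mapping shown in the thread's
# slapd logs. Not OpenLDAP code; only "$N" substitution is modelled.


def normalize_dn(dn: str) -> str:
    """Approximate the dnNormalize step seen in the logs: trim RDN spacing, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def sasl_identity(authcid: str, mech: str) -> str:
    """The 'u:id converted to ...' step from slap_sasl_getdn in the logs."""
    return f"uid={authcid},cn={mech},cn=auth"


def apply_sasl_regexp(sasl_name: str, pattern: str, replacement: str) -> Optional[str]:
    """Apply one sasl-regexp rule to the normalized SASL name.

    The step 6 log shows rule 'uid=(.*),cn=DIGEST-MD5,cn=auth' matching the
    lower-cased name 'uid=admin,cn=digest-md5,cn=auth', so the match is done
    case-insensitively here. Returns None when the rule does not match.
    """
    m = re.match(pattern, normalize_dn(sasl_name), re.IGNORECASE)
    if m is None:
        return None
    out = replacement
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group)
    return out


def is_under_suffix(dn: str, suffix: str) -> bool:
    """True if dn is the database suffix itself or lies below it."""
    n, s = normalize_dn(dn), normalize_dn(suffix)
    return n == s or n.endswith("," + s)


def classify(authcid: str, mech: str, pattern: str, replacement: str,
             suffix: str) -> Tuple[str, str]:
    """Return (kind, identity) for one bind attempt.

    kind is one of:
      'unmapped'        - the rule did not match; the cn=auth identity is kept
      'sasl-identity'   - rewritten, but still under cn=auth (not an entry here)
      'directory-entry' - a DN under the database suffix; in the step 6 log this
                          is the case where slapd fetched the bdb entry and
                          tried slap_ap_lookup on it
      'outside-suffix'  - a DN this database does not hold
    """
    name = sasl_identity(authcid, mech)
    mapped = apply_sasl_regexp(name, pattern, replacement)
    if mapped is None:
        return ("unmapped", name)
    if normalize_dn(mapped).endswith(",cn=auth"):
        return ("sasl-identity", mapped)
    if is_under_suffix(mapped, suffix):
        return ("directory-entry", mapped)
    return ("outside-suffix", mapped)


if __name__ == "__main__":
    # Inputs taken from the thread: the rule from the step 6 log, the rule as
    # pasted in step 2 (with cn=rdnt03), and the rule Dan White quoted.
    cases = [
        ("admin", "DIGEST-MD5", "uid=(.*),cn=DIGEST-MD5,cn=auth",
         "uid=$1,ou=People,o=Ever", "ou=people,o=Ever"),
        ("admin", "DIGEST-MD5", "uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth",
         "uid=$1,ou=People,o=Ever", "ou=people,o=Ever"),
        ("liji1", "DIGEST-MD5", "^uid=([^,]+),.*",
         "uid=$1,cn=bjims31,cn=digest-md5,cn=auth", "dc=example,dc=com"),
    ]
    for authcid, mech, pat, rep, suffix in cases:
        print(f"{authcid}: rule={pat!r} -> {classify(authcid, mech, pat, rep, suffix)}")
```

Reading the output against the page: the logged rule maps admin to uid=admin,ou=People,o=Ever, a 'directory-entry', and the step 6 log indeed shows slapd fetching that bdb entry and failing in slap_ap_lookup on cmusaslsecretDIGEST-MD5 rather than consulting the sasldb that saslpasswd2 wrote in step 1. The rule as pasted in step 2 does not match the identity the log shows at all ('unmapped'), so the running slapd.conf and the pasted one differ. The earlier rule keeps liji1 under cn=auth ('sasl-identity'), which is the case Dan White is asking about when he wonders which name is being looked up in sasldb. Which secret store slapd consults for each outcome is what to confirm in the cyrus logs he suggests enabling; the script only shows where the mapping lands.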