
RE: PROBLEM: can't use SASL to authentication openldap client



Hi,
	I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com to test SASL authentication; slapd's log is below:
slap_listener_activate(7): 
>>> slap_listener(ldap:///)
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281064438
ber_get_next
conn=2 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 2 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 2 exit.
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281064438
ber_get_next
conn=2 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1281064441
ber_get_next
conn=2 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
send_ldap_result: conn=2 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
=> bdb_search
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]:  proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
ber_flush2: 64 bytes to sd 12
<== slap_sasl_bind: rc=0
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ldap_pvt_sasl_generic_install
ber_get_next
ber_get_next: tag 0x30 len 72 contents:
op tag 0x63, time 1281064441
ber_get_next
conn=2 op=3 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=people,dc=example,dc=com>
<<< dnPrettyNormal: <ou=people,dc=example,dc=com>, <ou=people,dc=example,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=2
=> bdb_dn2idl("ou=people,dc=example,dc=com")
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=-1 first=1 last=2
=> send_search_entry: conn 2 dn="ou=people,dc=example,dc=com"
ber_flush2: 172 bytes to sd 12
<= send_search_entry: conn 2 exit.
=> send_search_entry: conn 2 dn="cn=admin,ou=people,dc=example,dc=com"
ber_flush2: 452 bytes to sd 12
<= send_search_entry: conn 2 exit.
send_ldap_result: conn=2 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1281064441
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
conn=2 op=4 do_unbind
connection_close: conn=2 sd=12

-----Original Message-----
From: Dan White [mailto:dwhite@olp.net] 
Sent: Friday, August 06, 2010 10:35 AM
To: LI Ji D
Cc: Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

On 05/08/10 16:35 +0800, LI Ji D wrote:
>Hi, Klünter
>	Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
>	1. My slapd.conf is below:
>include         /usr/local/openldap/schema/core.schema
>include         /usr/local/openldap/schema/cosine.schema
>include         /usr/local/openldap/schema/inetorgperson.schema
>include         /usr/local/openldap/schema/openldap.schema
>include         /usr/local/openldap/schema/nis.schema
>pidfile         /usr/local/openldap/slapd.1.pid
>argsfile        /usr/local/openldap/slapd.1.args
>password-hash {CLEARTEXT}
>authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1) binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
>
>database bdb
>suffix   "ou=people,dc=example,dc=com"
>rootdn   "cn=admin,ou=people,dc=example,dc=com"
>	
>	2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
>content is :
>pwcheck_method: auxprop
>auxprop_plugin: sasldb
>mech_list: digest-md5

You may have hit the same issue that Brent did. Most likely you will need
to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.

Alternatively, you can set the environment variable SASL_CONF_PATH to
instruct the sasl glue library where to search for config files. See the
man page for sasl_getconfpath_t for details.

-- 
Dan White
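As an added example (not code from the thread or from OpenLDAP), the script below pulls the SASL bind trail out of a slapd debug log like the one posted above: the mechanism, the authz-regexp rewrite and the LDAP URL it produced, the mapped DN, the BindResponse codes (tag=97 is BindResponse; err=14 is saslBindInProgress, err=0 success) and the slap_ap_lookup line. That last line is emitted by slapd's own auxprop plugin when libsasl asks it for the mechanism's secret, so its presence is the evidence that the password was fetched from the entry in the directory and not from sasldb, which is exactly what the earlier message observed. The log excerpt embedded in the script is a constructed copy of the relevant lines; trace_sasl_bind and the PATTERNS table are this example's own names.

```python
"""Trace a SASL bind through a slapd -d debug log (added example)."""
import re
from typing import Any, Dict

# Constructed sample: the SASL-relevant lines of the slapd log posted in the
# thread, in their original order.
SAMPLE_LOG = """\
conn=2 op=1 do_bind
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 1
send_ldap_response: msgid=2 tag=97 err=14
conn=2 op=2 do_bind
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
"""

# One pattern per step of the bind.  tag=97 (0x61) is BindResponse;
# err=14 is saslBindInProgress (the DIGEST-MD5 challenge), err=0 success.
PATTERNS = {
    "mech": re.compile(r"do_bind: dn \(\) SASL mech (\S+)"),
    "sasl_dn": re.compile(r"slap_sasl_getdn: u:id converted to (\S+)"),
    "rule": re.compile(r"rewrite_rule_apply rule='([^']*)' string='([^']*)'"),
    "url": re.compile(r"rewrite_context_apply \[depth=\d+\] res=\{0,'([^']*)'\}"),
    "mapped_dn": re.compile(r"slap_sasl2dn: Converted SASL name to (\S+)"),
    # slap_ap_lookup lives in slapd's own auxprop plugin: libsasl asked slapd,
    # not sasldb, for the secret.  cmusaslsecret<MECH> is not in the schema.
    "auxprop": re.compile(r"slap_ap_lookup: str2ad\(([^)]+)\):"),
    "bind_resp": re.compile(r"send_ldap_response: msgid=(\d+) tag=97 err=(\d+)"),
    "bound": re.compile(r'do_bind: SASL/(\S+) bind: dn="([^"]*)" sasl_ssf=(\d+)'),
}


def trace_sasl_bind(log: str) -> Dict[str, Any]:
    """Return a summary of the SASL bind found in a slapd debug log."""
    summary: Dict[str, Any] = {
        "mech": None, "sasl_dn": None, "rule": None, "url": None,
        "mapped_dn": None, "auxprop_lookups": [], "bind_responses": [],
        "bound_dn": None, "ssf": None, "password_source": "unknown",
    }
    for line in log.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m is None:
                continue
            if key == "rule":
                summary["rule"] = (m.group(1), m.group(2))
            elif key == "auxprop":
                summary["auxprop_lookups"].append(m.group(1))
            elif key == "bind_resp":
                summary["bind_responses"].append((int(m.group(1)), int(m.group(2))))
            elif key == "bound":
                summary["mech"] = m.group(1)
                summary["bound_dn"] = m.group(2)
                summary["ssf"] = int(m.group(3))
            else:
                summary[key] = m.group(1)
    # Any slap_ap_lookup line means slapd's built-in auxprop served the
    # secret from the directory entry; sasldb was never consulted.
    if summary["auxprop_lookups"]:
        summary["password_source"] = "slapd-auxprop"
    return summary


if __name__ == "__main__":
    for key, value in trace_sasl_bind(SAMPLE_LOG).items():
        print(f"{key:18} {value}")
```

Run against a live log captured with slapd -d -1, the same patterns apply; a log that maps the identity but shows no slap_ap_lookup line and a successful bind is the signature to look for once the sasldb configuration is actually being picked up.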
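The authz-regexp line in the quoted slapd.conf is the step the log shows between "slap_sasl_getdn" and "Converted SASL name to". As an added example (this is not slapd's code), the script below re-implements that mapping against a small constructed in-memory directory: it builds the uid=<authcid>,cn=<mech>,cn=auth form, applies the posted rule with a case-insensitive match (the log shows the rule matching the lowercased cn=digest-md5 string), substitutes $1 into the ldap:/// URL, parses base, scope and filter, runs the one-level search and accepts the result only if exactly one entry matched, which is what slapd requires of an authz-regexp URL. Two choices are the example's own, not something the thread shows: the match is anchored (re.fullmatch; the posted rule has no ^ or $), and $1 is RFC 4515-escaped before it goes into the filter so that an authcid such as * cannot turn (cn=$1) into (cn=*). The escape=False path shows what the unescaped filter would do. DIRECTORY, AUTHZ_REGEXP and the function names are hypothetical.

```python
"""Re-implement slapd's authz-regexp identity mapping (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed in-memory directory standing in for the bdb backend above.
# Attribute names are stored lowercased.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "ou=people,dc=example,dc=com": {"objectclass": ["organizationalUnit"], "ou": ["people"]},
    "cn=admin,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "cn": ["admin"]},
    "cn=bob,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "cn": ["bob"]},
}

# Rule and replacement from the posted slapd.conf (binddn/credentials omitted).
AUTHZ_REGEXP = ("uid=(.*),cn=DIGEST-MD5,cn=auth",
                "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the authcid must not be able to inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def sasl_to_authz_dn(authcid: str, mech: str) -> str:
    """The uid=...,cn=<mech>,cn=auth form slapd builds for a SASL identity."""
    return f"uid={authcid},cn={mech},cn=auth"


def apply_authz_regexp(sasl_dn: str, rule: Tuple[str, str], escape: bool = True) -> Optional[str]:
    """Return the rewritten LDAP URL, or None if the rule does not match."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
    if m is None:
        return None

    def group(mo):  # re.sub with a callable inserts the text literally
        text = m.group(int(mo.group(1)))
        return escape_filter_value(text) if escape else text

    return re.sub(r"\$(\d)", group, replacement)


def parse_ldap_url(url: str) -> Tuple[str, str, str]:
    """Minimal RFC 4516 parser for ldap:///base?attrs?scope?filter."""
    if not url.startswith("ldap:///"):
        raise ValueError("only local ldap:/// URLs are handled here")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, filt = parts[:4]
    return base, scope or "base", filt or "(objectClass=*)"


def filter_matches(filt: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate one equality/substring assertion such as (cn=admin)."""
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=(.*)\)", filt)
    if m is None:
        raise ValueError(f"unsupported filter: {filt}")
    attr, assertion = m.group(1).lower(), m.group(2)
    regex = ""
    for tok in re.finditer(r"\\([0-9A-Fa-f]{2})|\*|.", assertion):
        if tok.group(1):                 # \XX escape: one literal character
            regex += re.escape(chr(int(tok.group(1), 16)))
        elif tok.group(0) == "*":        # unescaped '*': LDAP wildcard
            regex += ".*"
        else:
            regex += re.escape(tok.group(0))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(base: str, scope: str, filt: str) -> List[str]:
    """Return the DNs under base (base/one/sub scope) that match filt."""
    base_n = base.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        dn_n = dn.lower()
        if scope == "base":
            in_scope = dn_n == base_n
        elif scope == "one":
            in_scope = dn_n.split(",", 1)[1:] == [base_n]
        elif scope == "sub":
            in_scope = dn_n == base_n or dn_n.endswith("," + base_n)
        else:
            raise ValueError(f"unknown scope {scope}")
        if in_scope and filter_matches(filt, entry):
            hits.append(dn)
    return hits


def sasl2dn(authcid: str, mech: str, escape: bool = True) -> Tuple[Optional[str], str]:
    """Map a SASL identity to an entry DN; returns (dn or None, reason)."""
    sasl_dn = sasl_to_authz_dn(authcid, mech)
    url = apply_authz_regexp(sasl_dn, AUTHZ_REGEXP, escape=escape)
    if url is None:
        return None, f"no authz-regexp matched {sasl_dn}"
    base, scope, filt = parse_ldap_url(url)
    hits = search(base, scope, filt)
    if len(hits) != 1:   # slapd accepts an authz-regexp URL only if it yields one entry
        return None, f"{filt} under {base} (scope={scope}) matched {len(hits)} entries"
    return hits[0], f"{sasl_dn} -> {hits[0]}"


if __name__ == "__main__":
    for authcid, mech, esc in [("admin", "DIGEST-MD5", True), ("*", "DIGEST-MD5", True),
                               ("*", "DIGEST-MD5", False), ("admin", "CRAM-MD5", True)]:
        print(sasl2dn(authcid, mech, escape=esc))
```

The mapping only selects which entry's credentials the mechanism is then checked against, so a lax rule is not an authentication bypass by itself, but it decides which entry's password is used and which DN the session ends up bound as, which is why the one-entry requirement and the escaping matter.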