
RE: PROBLEM: can't use SASL to authentication openldap client




Hi,

I added sasl-auxprops sasldb to the OpenLDAP slapd.conf, started slapd, and ran /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com. I get the response below:

SASL/DIGEST-MD5 authentication started

Please enter your password:

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

        additional info: SASL(0): successful result

That's because the slapd program stopped for some reason. Here is the slapd log:

slap_listener_activate(7):

>>> slap_listener(ldap:///)

connection_get(12): got connid=0

connection_read(12): checking for input on id=0

ber_get_next

ber_get_next: tag 0x30 len 70 contents:

op tag 0x63, time 1281422959

ber_get_next

conn=0 op=0 do_search

ber_scanf fmt ({miiiib) ber:

>>> dnPrettyNormal: <>

<<< dnPrettyNormal: <>, <>

ber_scanf fmt (m) ber:

ber_scanf fmt ({M}}) ber:

=> send_search_entry: conn 0 dn=""

ber_flush2: 72 bytes to sd 12

<= send_search_entry: conn 0 exit.

send_ldap_result: conn=0 op=0 p=3

send_ldap_response: msgid=1 tag=101 err=0

ber_flush2: 22 bytes to sd 12

connection_get(12): got c>

connection_read(12): checking for input on id=0

ber_get_next

ber_get_next: tag 0x30 len 32 contents:

op tag 0x60, time 1281422959

ber_get_next

conn=0 op=1 do_bind

ber_scanf fmt ({imt) ber:

ber_scanf fmt ({m) ber:

ber_scanf fmt (}}) ber:

>>> dnPrettyNormal: <>

<<< dnPrettyNormal: <>, <>

do_bind: dn () SASL mech DIGEST-MD5

SASL [conn=0] Debug: DIGEST-MD5 server step 1

send_ldap_sasl: err=14 len=195

send_ldap_response: msgid=2 tag=97 err=14

ber_flush2: 248 bytes to sd 12

<== slap_sasl_bind: rc=14

connection_get(12): got connid=0

connection_read(12): checking for input on id=0

ber_get_next

ber_get_next: tag 0x30 len 326 contents:

op tag 0x60, time 1281422960

ber_get_next

conn=0 op=2 do_bind

ber_scanf fmt ({imt) ber:

ber_scanf fmt ({m) ber:

ber_scanf fmt (m) ber:

ber_scanf fmt (}}) ber:

>>> dnPrettyNormal: <>

<<< dnPrettyNormal: <>, <>

do_bind: dn () SASL mech DIGEST-MD5

SASL [conn=0] Debug: DIGEST-MD5 server step 2

slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth

>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>

<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>

==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN

==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'

==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]

==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}

slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)

ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))

put_filter: "(cn=admin)"

put_filter: simple

put_simple_filter: "cn=admin"

ber_scanf fmt ({mm}) ber:

>>> dnNormalize: <ou=people,dc=example,dc=com>

<<< dnNormalize: <ou=people,dc=example,dc=com>

slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)

=> bdb_search

bdb_dn2entry("ou=people,dc=example,dc=com")

=> bdb_dn2id("ou=people,dc=example,dc=com")

<= bdb_dn2id: got id=0x1

entry_decode: "ou=people,dc=example,dc=com"

<= entry_decode(ou=people,dc=example,dc=com)

search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1

=> bdb_dn2idl("ou=people,dc=example,dc=com")

<= bdb_dn2idl: id=1 first=2 last=2

=> bdb_equality_candidates (objectClass)

<= bdb_equality_candidates: (objectClass) not indexed

=> bdb_equality_candidates (cn)

<= bdb_equality_candidates: (cn) not indexed

bdb_search_candidates: id=1 first=2 last=2

entry_decode: "cn=admin,ou=people,dc=example,dc=com"

<= entry_decode(cn=admin,ou=people,dc=example,dc=com)

=> bdb_dn2id("cn=admin,ou=people,dc=example,dc=com")

<= bdb_dn2id: got id=0x2

send_ldap_result: conn=0 op=2 p=3

<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com

slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com

Segmentation fault

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Dan White wrote:

> On 09/08/10 14:52 -0700, Howard Chu wrote:

>> Dan White wrote:

>>> On 09/08/10 16:56 +0800, LI Ji D wrote:

>>>> Hi,

>>>>    My problem is that I expect slapd to authenticate with the password stored in sasldb. But it doesn't; it uses the password stored in the userPassword attribute of this user, which is an item in OpenLDAP.

>>>>    So I want to know how slapd can use the password stored in sasldb to do SASL authentication.

>>>

>>> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb

>>> did not provide the expected response. Regardless of whether I set it to

>>> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the

>>> internal slapd plugin.

>>>

>>> I recommend you file a bug report.

>>

>> File the bug with the correct people. OpenLDAP doesn't do anything in

>> particular with SASL configuration. If you can't get the desired behavior

>> by setting the SASL config file, then file a bug against Cyrus SASL.

>

> It does! for auxprop_plugin, and auxprop_plugin only. After some digging I

> found the insertion of a SASL_CB_GETOPT function which replaces whatever

> auxprop_plugin value is found in the sasl config file with the

> sasl-auxprops openldap config option, or defaults to 'slapd' if no

> sasl-auxprops is defined.

>

> It's perfectly documented in the slapd.conf man page... just never occurred

> to me to look.

>

> LI,

>

> setting:

>

> sasl-auxprops sasldb

>

> within the openldap slapd.conf works for me.

My mistake. This was added last year.

http://www.openldap.org/its/index.cgi/Software Bugs?id=6147

--

   -- Howard Chu

   CTO, Symas Corp.           http://www.symas.com

   Director, Highland Sun     http://highlandsun.com/hyc/

   Chief Architect, OpenLDAP  http://www.openldap.org/project/
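The step the debug log above walks through after the DIGEST-MD5 exchange succeeds (slap_sasl_getdn builds uid=admin,cn=digest-md5,cn=auth, the authz-regexp rewrite turns it into ldap:///ou=people,dc=example,dc=com??one?(cn=admin), and slap_sasl2dn runs an internal search for the real entry) is modelled here as an added Python example. It is not code from this thread or from OpenLDAP; it reproduces the mapping so an authz-regexp rule can be checked offline before it goes into slapd.conf. Only the uid=(.*),cn=DIGEST-MD5,cn=auth rule and its LDAP URL come from the log; the slapd.conf fragment around it, the added realm-aware first rule, the use of the attribute o to hold a user's SASL realm, and the sample entries are assumptions of the example. The realm variant is included because Cyrus sasldb keys its users as user@realm, so realm-qualified identities are the normal case once sasldb is the auxprop plugin.

```python
import re
from urllib.parse import unquote

# Constructed slapd.conf fragment (an assumption of this example, not from the post).
# The second authz-regexp is the rule the debug log shows firing; the first is an
# added realm-aware rule whose captures stop at the RDN boundary ([^,]*).
SLAPD_CONF = """
sasl-auxprops sasldb
authz-regexp
    uid=([^,]*),cn=([^,]*),cn=DIGEST-MD5,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(&(cn=$1)(o=$2))
authz-regexp
    uid=(.*),cn=DIGEST-MD5,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
"""
# Only the rule from the log, to show what its greedy (.*) captures once a realm is present.
LOG_RULE_ONLY = "authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"

# Constructed sample entries; the attribute 'o' is assumed to hold the user's SASL realm.
DIRECTORY = [
    {"dn": "ou=people,dc=example,dc=com", "ou": ["people"]},
    {"dn": "cn=admin,ou=people,dc=example,dc=com", "cn": ["admin"], "o": ["example.com"]},
    {"dn": "cn=admin,ou=service,dc=example,dc=com", "cn": ["admin"]},  # not under ou=people
]

def parse_authz_regexp(conf):
    """(regex, replacement) pairs from slapd.conf text; indented lines continue a directive."""
    logical = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        parts = line.split()
        if parts[0].lower() == "authz-regexp" and len(parts) == 3:
            # The log's rule says DIGEST-MD5 and matched digest-md5: matching ignores case.
            rules.append((re.compile(parts[1], re.IGNORECASE), parts[2]))
    return rules

def sasl_auth_dn(authcid, mech, realm=None):
    """slap_sasl_getdn: uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth, lowercased like dnNormalize."""
    realm_part = f"cn={realm}," if realm else ""
    return f"uid={authcid},{realm_part}cn={mech},cn=auth".lower()

def rewrite(rules, name):
    """First matching rule wins; $0..$9 become the captured groups. POSIX regexec is unanchored, so search()."""
    for rx, repl in rules:
        m = rx.search(name)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", repl)
    return None

def parse_ldap_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> (RFC 4516) into its parts."""
    base, _, rest = url[len("ldap:///"):].partition("?")
    attrs, _, rest = rest.partition("?")
    scope, _, filt = rest.partition("?")
    return unquote(base), attrs, scope or "base", unquote(filt) or "(objectClass=*)"

def parse_filter(s):
    """Minimal RFC 4515 parser: (attr=value), (&...), (|...)."""
    body = s[1:-1]
    if body[:1] in ("&", "|"):
        subs, depth, start = [], 0, 1
        for i in range(1, len(body)):
            depth += (body[i] == "(") - (body[i] == ")")
            if depth == 0 and body[i] == ")":
                subs.append(parse_filter(body[start:i + 1]))
                start = i + 1
        return (body[0], subs)
    attr, _, value = body.partition("=")
    return ("=", attr.lower(), value.lower())

def matches(f, entry):
    if f[0] == "=":
        return f[2] in [v.lower() for v in entry.get(f[1], [])]
    results = [matches(sub, entry) for sub in f[1]]
    return all(results) if f[0] == "&" else any(results)

def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[: -len(base) - 1]  # 'one': a single RDN below base

def sasl2dn(rules, directory, authcid, mech, realm=None):
    """slap_sasl2dn: rewrite the SASL name to an LDAP URL, search, and accept the result only
    if exactly one entry matched (OpenLDAP Admin Guide); returns (mapped_dn_or_None, url)."""
    name = sasl_auth_dn(authcid, mech, realm)
    url = rewrite(rules, name)
    if url is None:
        return name, None  # no rule matched: the identity stays the uid=...,cn=auth DN
    base, _attrs, scope, filt = parse_ldap_url(url)
    f = parse_filter(filt)
    hits = [e["dn"] for e in directory if in_scope(e["dn"], base, scope) and matches(f, e)]
    return (hits[0] if len(hits) == 1 else None), url
```

Calling sasl2dn(parse_authz_regexp(SLAPD_CONF), DIRECTORY, "admin", "DIGEST-MD5") reproduces the log: the name becomes uid=admin,cn=digest-md5,cn=auth, the rewrite yields ldap:///ou=people,dc=example,dc=com??one?(cn=admin), and the search returns cn=admin,ou=people,dc=example,dc=com. With realm="example.com" and only the log's rule (LOG_RULE_ONLY), the greedy (.*) swallows the realm component, the filter becomes (cn=admin,cn=example.com), and no DN is mapped; the same call against SLAPD_CONF hits the realm-aware rule first and maps correctly. The mapped DN is what slapd then uses for access control, so a rule should capture one RDN value at a time and its filter should be unique within the search scope: in this model, as in the Admin Guide's description, two matching entries also leave the bind with no DN. The example uses Python's re, whereas slapd compiles POSIX extended regexes, so verify a rule on the real server with ldapwhoami -U admin (plus -R for the realm), which prints the DN the bind was mapped to.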