
Re: Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??



Hi Dan

Thank you for your information.
I also succeeded in authenticating with DIGEST-MD5 against sasldb.

--
Hiroyuki Sato


Here is my test environment

OpenLDAP

1, Environment

 OS: ubuntu 10.10
 OpenLDAP: 2.4.24
  built from source so it can be debugged with gdb.
  The stock Ubuntu slapd package does not work correctly either.


2, slapd.conf

  This is the complete slapd.conf (no ACLs). It is a throwaway test configuration: rootpw is stored in cleartext, loglevel -1 logs everything (including SASL credentials, see the trace below), and the sasl-regexp maps uid=<user>@<anything> to uid=<user>,ou=users,... because the second capture group ($2, the realm/domain part) is never used, so any realm collapses onto the same entry. None of that should be carried over to a production server.

  include		/usr/local/etc/openldap/schema/core.schema
  include		/usr/local/etc/openldap/schema/cosine.schema
  include		/usr/local/etc/openldap/schema/nis.schema
  pidfile		/usr/local/var/run/slapd.pid
  argsfile	/usr/local/var/run/slapd.args
  database	bdb
  suffix		"dc=mydomain,dc=com"
  rootdn		"cn=Manager,dc=mydomain,dc=com"
  rootpw		secret
  directory	/usr/local/var/openldap-data
  index	objectClass	eq
  loglevel -1
  sasl-regexp
    uid=([^@]+)([^,]+),cn=digest-md5,cn=auth
    uid=$1,ou=users,dc=mydomain,dc=com

  sasl-auxprops sql

3, gdb trace

This is the trace. The interesting part is the authzDN argument: its bv_len is 1936941424, which is not a plausible DN length, and its bv_val points at the buffer holding the cleartext password ("password1") rather than at a DN. That is why the debug message reads "can uid=ldap_user,... become password1?": slap_sasl_authorized is being handed a garbage berval as the authorization identity, dn_match() against the real authcDN naturally fails, and the function falls through to rc = 48 (LDAP_INAPPROPRIATE_AUTH, the initial value of rc in the 2.4.23 excerpt quoted below), which the client sees as "Insufficient access (50)". Note also that with loglevel -1 the cleartext password ends up in the slapd log, so scrub such logs before posting them.

 ldapsearch -h 192.168.10.36 -Y digest-md5  -U ldap_user@mydomain.com
-b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
 Password: password1


(gdb) attach 10590
(gdb) b slap_sasl_authorized
(gdb) continue


Breakpoint 1, slap_sasl_authorized (op=0x9658e28, authcDN=0xb710ae98,
    authzDN=0xb710ae90) at ../../../servers/slapd/saslauthz.c:2041
2041		if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {

(gdb) print * op
$1 = {o_hdr = 0x9658f00, o_tag = 96, o_time = 1298003868, o_tincr = 0,
  o_bd = 0x81db680, o_req_dn = {bv_len = 0, bv_val = 0xb6809010 ""},
  o_req_ndn = {bv_len = 0, bv_val = 0xb6809020 ""}, o_request = {oq_add = {
      rs_modlist = 0xa3, rs_e = 0x12f}, oq_bind = {rb_method = 163, rb_cred = {
        bv_len = 303,
        bv_val = 0x9659460
"username=\"ldap_user@mydomain.com\",realm=\"pxe01.archsystem.com\",nonce=\"9FBkp4LRSgftC5+z7Kh6CofOvvuSvNgpgU756AIC2rI=\",cnonce=\"nqR7oxRAZWWufPf9ZIqj0WPL99kcFatcZSfAGrOTbVM=\",nc=00000001,qop=auth-conf,ciph"...},
rb_edn = {bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_mech = {bv_len =
10,
        bv_val = 0x9659452 "DIGEST-MD5"}}, oq_compare = {rs_ava = 0xa3},
    oq_modify = {rs_mods = {rs_modlist = 0xa3, rs_no_opattrs = 47 '/'},
      rs_increment = 157652064}, oq_modrdn = {rs_mods = {rs_modlist = 0xa3,
        rs_no_opattrs = 47 '/'}, rs_deleteoldrdn = 157652064, rs_newrdn = {
        bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0,
        bv_val = 0xa <Address 0xa out of bounds>}, rs_newSup = 0x9659452,
      rs_nnewSup = 0x0}, oq_search = {rs_scope = 163, rs_deref = 303,
      rs_slimit = 157652064, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly = 0,
      rs_attrs = 0xa, rs_filter = 0x9659452, rs_filterstr = {bv_len = 0,
        bv_val = 0x0}}, oq_abandon = {rs_msgid = 163}, oq_cancel = {
      rs_msgid = 163}, oq_extended = {rs_reqoid = {bv_len = 163,
        bv_val = 0x12f <Address 0x12f out of bounds>}, rs_flags = 157652064,
      rs_reqdata = 0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = {
          bv_len = 163, bv_val = 0x12f <Address 0x12f out of bounds>},
        rs_flags = 157652064, rs_reqdata = 0x0}, rs_old = {bv_len = 0,
        bv_val = 0x0}, rs_new = {bv_len = 10,
        bv_val = 0x9659452 "DIGEST-MD5"}, rs_mods = 0x0, rs_modtail = 0x0}},
  o_abandon = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000',
  o_is_auth_check = 0 '\000', o_dont_replicate = 0 '\000',
  o_acl_priv = ACL_NONE, o_nocaching = 0 '\000',
  o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000',
  o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31 times>,
  o_controls = 0x9659028, o_authz = {sai_method = 0, sai_mech = {bv_len = 0,
      bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = {
      bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0,
    sai_tls_ssf = 0, sai_sasl_ssf = 0}, o_ber = 0x96590b0, o_res_ber = 0x0,
  o_callback = 0x9658698, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0},
  o_private = 0x0, o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}}
(gdb) print authcDN
$2 = (struct berval *) 0xb710ae98
(gdb) print * authcDN
$3 = {bv_len = 41,
  bv_val = 0x965a0ec "uid=ldap_user,ou=users,dc=mydomain,dc=com"}
(gdb) print * authzDN
$4 = {bv_len = 1936941424, bv_val = 0x965a0c4 "password1"}


(gdb) n
2047		if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
(gdb) n
2051		Debug( LDAP_DEBUG_TRACE,
(gdb) n
2057		if ( dn_match( authcDN, authzDN ) ) {
(gdb) n
2063		if( op->o_conn->c_authz_backend &&
(gdb) n
2064			be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
(gdb) n
2063		if( op->o_conn->c_authz_backend &&
(gdb) n
2071		if( authz_policy & SASL_AUTHZ_TO ) {
(gdb) n
2080		if( authz_policy & SASL_AUTHZ_FROM ) {
(gdb) n
2092		Debug( LDAP_DEBUG_TRACE,
(gdb) n
2083			if( rc == LDAP_SUCCESS ) {
(gdb) n
2092		Debug( LDAP_DEBUG_TRACE,
(gdb) n
2096	}
(gdb) print rc
$5 = 48


2011/2/18 Dan White <dwhite@olp.net>:
> On 17/02/11 18:51 +0900, Hiroyuki Sato wrote:
>>
>> However authentication still failed.
>>
>> I'm not sure why slap_sasl_authorized is comparing against the input password.
>>
>> -- from debug message
>> ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
>> become password1?
>
> That's pretty strange. Which version of openldap are you running?
>
> Does this command make any difference?:
>
> ldapsearch -h 192.168.10.36 -Y digest-md5  -U ldap_user@mydomain.com \
>  -X u:ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
>
>
>> 1, new configuration
>>
>>  database       bdb
>>  suffix         "dc=mydomain,dc=com"
>>  rootdn         "cn=Manager,dc=mydomain,dc=com"
>>  sasl-regexp
>>   uid=([^@]+)([^,]+),cn=digest-md5,cn=auth
>>   uid=$1,ou=users,dc=mydomain,dc=com
>>  sasl-auxprops sql
>>
>>  ldapsearch -h 192.168.10.36 -Y digest-md5  -U ldap_user@mydomain.com
>> -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
>>  SASL/DIGEST-MD5 authentication started
>>  Please enter your password:
>>  ldap_sasl_interactive_bind_s: Insufficient access (50)
>>
>> 2, /usr/lib/sasl2/slapd.conf
>> pwcheck_method: auxprop
>> mech_list: DIGEST-MD5
>> log_level: 7
>> auxprop_plugin: sql
>> sql_verbose: yes
>> sql_engine: mysql
>> sql_hostnames: host.addre.ss
>> sql_user: username
>> sql_passwd: password
>> sql_database: database
>> #
>> # no realm
>> #
>> sql_select: select password from sasl_test where username = '%u'
>>
>>
>> 2, log
>
>> conn=1000 op=1 BIND dn="" method=163
>> do_bind: dn () SASL mech DIGEST-MD5
>> ==> sasl_bind: dn="" mech=<continuing> datalen=303
>> SASL [conn=1000] Debug: DIGEST-MD5 server step 2
>> SASL Canonicalize [conn=1000]: authcid="ldap_user@mydomain.com"
>> slap_sasl_getdn: conn 1000 id=ldap_user@mydomain.com [len=22]
>> => ldap_dn2bv(16)
>> <= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
>> slap_sasl_getdn: u:id converted to
>> uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth
>>>>>
>>>>> dnNormalize: <uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth>
>>
>> => ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth,0)
>> <= ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
>> => ldap_dn2bv(272)
>> <= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth)=0
>> <<< dnNormalize: <uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth>
>> ==>slap_sasl2dn: converting SASL name
>> uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth to a DN
>> ==> rewrite_context_apply [depth=1]
>> string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth'
>> ==> rewrite_rule_apply rule='uid=([^@]+)([^,]+),cn=digest-md5,cn=auth'
>> string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth' [1 pass(es)]
>> ==> rewrite_context_apply [depth=1]
>> res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'}
>> [rw] authid: "uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth" ->
>> "uid=ldap_user,ou=users,dc=mydomain,dc=com"
>> slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
>> ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
>>>>>
>>>>> dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
>>
>> => ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
>> <= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
>> => ldap_dn2bv(272)
>> <= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
>> <<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
>> <==slap_sasl2dn: Converted SASL name to
>> uid=ldap_user,ou=users,dc=mydomain,dc=com
>> slap_sasl_getdn: dn:id converted to
>> uid=ldap_user,ou=users,dc=mydomain,dc=com
>> SASL Canonicalize [conn=1000]:
>> slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com"
>> SASL Canonicalize [conn=1000]: authzid="ldap_user@mydomain.com"
>> SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com"
>> authzid="ldap_user@mydomain.com"
>> ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
>> become password1?
>> <== slap_sasl_authorized: return 48
>> SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
>> SASL [conn=1000] Failure: not authorized
>> send_ldap_result: conn=1000 op=1 p=3
>> send_ldap_result: err=50 matched="" text="SASL(-14): authorization
>> failure: not authorized"
>> send_ldap_response: msgid=2 tag=97 err=50
>
> In version 2.4.23, the authorization should succeed at (in
> servers/slapd/saslauthz.c):
>
>
> /* Check if a bind can SASL authorize to another identity.
> * The DNs should not have the dn: prefix
> */
>
> int slap_sasl_authorized( Operation *op,
>   struct berval *authcDN, struct berval *authzDN )
> {
>   int rc = LDAP_INAPPROPRIATE_AUTH;
>
>   /* User binding as anonymous */
>   if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
>       rc = LDAP_SUCCESS;
>       goto DONE;
>   }
>
>   /* User is anonymous */
>   if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
>       goto DONE;
>   }
>
>   Debug( LDAP_DEBUG_TRACE,
>      "==>slap_sasl_authorized: can %s become %s?\n",
>       authcDN->bv_len ? authcDN->bv_val : "(null)",
>       authzDN->bv_len ? authzDN->bv_val : "(null)",  0 );
>
>   /* If person is authorizing to self, succeed */
>   if ( dn_match( authcDN, authzDN ) ) {
>       rc = LDAP_SUCCESS;
>       goto DONE;
>   }
> ...
> }
>
>
> So I'm not sure why you would be seeing anything other than:
>
> ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
> become uid=ldap_user,ou=users,dc=mydomain,dc=com?
>
> But it's probably related to why your authentication is failing.
>
> I've gotten this to work before with sasldb and digest-md5:
>
> http://web.olp.net/dwhite/openldap/sasldb-notes.txt
>
> Could you post your slapd config? or at least your ACLs?
>
> --
> Dan White
>