
Re: Simple Bind pass-through to SASL/PLAIN

Without seeing any output from your SASL/PLAIN bind, I suspect that
saslauthd may not be working with your slapd installation.

If that's the case, double check the permissions on your saslauthd mux, and
specify a saslauthd_path parameter within your sasl slapd.conf config if

On 10/03/11 15:42 -0700, Zach Schimke wrote:
Okay, I get nothing from saslauthd. The relevant logging slapd gives me:
   daemon: epoll: listen=7 active_threads=0 tvp=NULL
   daemon: epoll: listen=8 active_threads=0 tvp=NULL
   daemon: epoll: listen=9 active_threads=0 tvp=NULL
   daemon: epoll: listen=10 active_threads=0 tvp=NULL
dnPrettyNormal: <cn=zach schimke - test,ou=people,o=mars>
<<< dnPrettyNormal: <cn=zach schimke - test,ou=people,o=mars>, <cn=zach schimke - test,ou=people,o=mars>
do_bind: version=3 dn="cn=zach schimke - test,ou=people,o=mars" method=128
    ==> hdb_bind: dn: cn=zach schimke - test,ou=people,o=mars
   bdb_dn2entry("cn=zach schimke - test,ou=people,o=mars")
=> access_allowed: auth access to "cn=Zach Schimke - TEST,ou=people,o=mars" "userPassword" requested
    => dn: [1] o=new
    => dn: [2] ou=rooms,o=mars
    => dn: [3] ou=acl,o=mars
    => dn: [4] ou=groups,o=mars
    => dn: [5] ou=people,o=mars
    => acl_get: [5] matched
    => acl_get: [5] attr userPassword
   access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "cn=Zach Schimke - TEST,ou=people,o=mars", attr "userPassword" requested
    => acl_mask: to value by "", (=0)
<= check a_dn_pat: ou=admins,ou=people,o=mars
<= check a_dn_pat: cn=mars admin,ou=role,ou=people,o=mars
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscxd) (stop)
<= acl_mask: [3] mask: read(=rscxd)
    => access_allowed: auth access granted by read(=rscxd)
   send_ldap_result: conn=4 op=0 p=3
   send_ldap_result: err=49 matched="" text=""
   send_ldap_response: msgid=1 tag=97 err=49
   daemon: activity on 1 descriptor
   daemon: activity on:

So, I do not see anything looking at SASL. Is there something special I need to put in slapd.access to make the pass-through bit work? It seems to be an ACL problem at this point (but regular password binds work properly with other users).

Zach Schimke
Mars Space Flight Facility

On 3/4/2011 2:09 PM, Dan White wrote:
On 04/03/11 13:59 -0700, Zach Schimke wrote:
I'm using openldap-2.3.32, loglevel = -1 (log grows at 2MB/minute), and neither of those tests work. I've even tried with and without the @REALM.

Can you run your slapd in debug mode (-d -1), and your saslauthd in debug
mode (-d)?

Try performing your SASL PLAIN bind, and then your non-sasl pass-through
bind, and let us have a look at any relevant output you're seeing from
either daemon. It might help to have a look at both to compare.

Dan White
BTC Broadband
Ph  918.366.0248 (direct)   main: (918)366-8000
Fax 918.366.6610            email: dwhite@olp.net
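
The two checks suggested at the top of this message (access to the saslauthd mux, and the `saslauthd_path` setting in slapd's SASL config) can be scripted as below. This is an added example, not part of the original thread: the function names `sasl_conf_get` and `check_passthrough` are hypothetical, and the fallback mux path is an assumed common default, so pass the real paths for your installation.

```shell
#!/bin/sh
# Added example: verify that slapd's SASL config points at saslauthd and that
# the invoking user can reach the saslauthd mux socket.

# Print the value of an "option: value" line from a Cyrus SASL config file.
# $1 = config file, $2 = option name (last occurrence wins)
sasl_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 only if pwcheck_method is saslauthd and the mux socket is usable.
# $1 = SASL config for slapd, $2 = mux path to assume if saslauthd_path is unset
check_passthrough() {
    conf=$1
    default_mux=$2
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }

    method=$(sasl_conf_get "$conf" pwcheck_method)
    [ "$method" = "saslauthd" ] || {
        echo "FAIL: pwcheck_method is '$method', expected saslauthd"; return 1; }

    mux=$(sasl_conf_get "$conf" saslauthd_path)
    [ -n "$mux" ] || mux=$default_mux
    muxdir=$(dirname "$mux")

    # The directory must be searchable before the socket itself can be seen.
    [ -x "$muxdir" ] || { echo "FAIL: no search permission on $muxdir"; return 1; }
    [ -S "$mux" ] || { echo "FAIL: $mux is not a socket (is saslauthd running?)"; return 1; }
    # Connecting to a Unix socket needs write permission on it.
    [ -w "$mux" ] || { echo "FAIL: no write access to $mux"; return 1; }

    echo "OK: pwcheck_method=saslauthd, mux=$mux"
}

# Stand-alone use: script.sh <sasl-slapd.conf> [mux-path]
# /var/run/saslauthd/mux is an assumed default, not a value from the thread.
if [ $# -ge 1 ]; then
    check_passthrough "$1" "${2:-/var/run/saslauthd/mux}"
fi
```

Run it as the account slapd runs under, since the permission tests apply to whoever invokes the script.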