
Confused about SASL behavior


I have a black box Windows app that I was able to get working with SASL authentication. I am now doing some additional testing, so I want to get the SASL auth working from ldapsearch for testing, but am not able to. My details are:

Running OpenLDAP 2.4.23 on Debian.

slapd.conf SASL section is:

password-hash   {CLEARTEXT}
sasl-host       ldap.nsd.org
sasl-realm      OL.NSD.ORG


When the Windows app connects I get in the logs:

1 slap_sasl_getdn: dn:id converted to uid=ckacoroski,ou=people,dc=nsd,dc=org
2 SASL Canonicalize [conn=1003]: slapAuthcDN="uid=ckacoroski,ou=people,dc=nsd,dc=org"
3 => bdb_search
4 bdb_dn2entry("uid=ckacoroski,ou=people,dc=nsd,dc=org")
5 base_candidates: base: "uid=ckacoroski,ou=people,dc=nsd,dc=org" (0x000000ef)
6 slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
7 send_ldap_result: conn=1003 op=2 p=3
8 send_ldap_result: err=0 matched="" text=""
9 SASL Canonicalize [conn=1003]: authzid="ckacoroski"
10 SASL proxy authorize [conn=1003]: authcid="ckacoroski@OL.NSD.ORG" authzid="ckacoroski@OL.NSD.ORG"
11 conn=1003 op=2 BIND authcid="ckacoroski@OL.NSD.ORG" authzid="ckacoroski@OL.NSD.ORG"

When I connect with

ldapsearch -Y DIGEST-MD5 -U ckacoroski -h ldapm '(objectclass=*)'

I get in the logs:

12 slap_sasl_getdn: dn:id converted to uid=ckacoroski,ou=people,dc=nsd,dc=org
13 SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ckacoroski,ou=people,dc=nsd,dc=org"
14 => bdb_search
15 bdb_dn2entry("uid=ckacoroski,ou=people,dc=nsd,dc=org")
16 => bdb_dn2id("ou=people,dc=nsd,dc=org")
17 <= bdb_dn2id: got id=0x2
18 => bdb_dn2id("uid=ckacoroski,ou=people,dc=nsd,dc=org")
19 <= bdb_dn2id: got id=0xef
20 entry_decode: "uid=ckacoroski,ou=People,dc=nsd,dc=org"
21 <= entry_decode(uid=ckacoroski,ou=People,dc=nsd,dc=org)
22 base_candidates: base: "uid=ckacoroski,ou=people,dc=nsd,dc=org" (0x000000ef)
23 bdb_search: 239 does not match filter
24 send_ldap_result: conn=1000 op=1 p=3
25 send_ldap_result: err=0 matched="" text=""
26 SASL Canonicalize [conn=1000]: authzid="ckacoroski"
27 SASL [conn=1000] Failure: no secret in database

It seems to break at lines 23 and 27. I am not sure what is different about how the Windows app and ldapsearch use SASL, but something sure is :). So my question is: how do I get ldapsearch to work using SASL?

Thanks in advance for your help.



"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, ckacoroski@nsd.org, 206-501-9803
or ski98033 on most IM services