
Confused about SASL behavior

Hi,

I have a black-box Windows app that I was able to get working with SASL authentication. I am now doing some additional testing, so I want to get the SASL auth working from ldapsearch for testing, but am not able to. My details are:

Running openldap 2.4.23 on debian.

slapd.conf SASL section is:

password-hash   {CLEARTEXT}
sasl-host       ldap.nsd.org
sasl-realm      OL.NSD.ORG
authz-regexp
  uid=(.*),cn=OL.NSD.ORG,cn=digest-md5,cn=auth
  uid=$1,ou=people,dc=nsd,dc=org

authz-regexp
  uid=(.*),cn=digest-md5,cn=auth
  uid=$1,ou=people,dc=nsd,dc=org

When the Windows app connects I get in the logs:

1 slap_sasl_getdn: dn:id converted to uid=ckacoroski,ou=people,dc=nsd,dc=org
2 SASL Canonicalize [conn=1003]: slapAuthcDN="uid=ckacoroski,ou=people,dc=nsd,dc=org"
3 => bdb_search
4 bdb_dn2entry("uid=ckacoroski,ou=people,dc=nsd,dc=org")
5 base_candidates: base: "uid=ckacoroski,ou=people,dc=nsd,dc=org" (0x000000ef)
6 slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
7 send_ldap_result: conn=1003 op=2 p=3
8 send_ldap_result: err=0 matched="" text=""
9 SASL Canonicalize [conn=1003]: authzid="ckacoroski"
10 SASL proxy authorize [conn=1003]: authcid="ckacoroski@OL.NSD.ORG" authzid="ckacoroski@OL.NSD.ORG"
11 conn=1003 op=2 BIND authcid="ckacoroski@OL.NSD.ORG" authzid="ckacoroski@OL.NSD.ORG"

When I connect with

ldapsearch -Y DIGEST-MD5 -U ckacoroski -h ldapm '(objectclass=*)'

I get in the logs:

12 slap_sasl_getdn: dn:id converted to uid=ckacoroski,ou=people,dc=nsd,dc=org
13 SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ckacoroski,ou=people,dc=nsd,dc=org"
14 => bdb_search
15 bdb_dn2entry("uid=ckacoroski,ou=people,dc=nsd,dc=org")
16 => bdb_dn2id("ou=people,dc=nsd,dc=org")
17 <= bdb_dn2id: got id=0x2
18 => bdb_dn2id("uid=ckacoroski,ou=people,dc=nsd,dc=org")
19 <= bdb_dn2id: got id=0xef
20 entry_decode: "uid=ckacoroski,ou=People,dc=nsd,dc=org"
21 <= entry_decode(uid=ckacoroski,ou=People,dc=nsd,dc=org)
22 base_candidates: base: "uid=ckacoroski,ou=people,dc=nsd,dc=org" (0x000000ef)
23 bdb_search: 239 does not match filter
24 send_ldap_result: conn=1000 op=1 p=3
25 send_ldap_result: err=0 matched="" text=""
26 SASL Canonicalize [conn=1000]: authzid="ckacoroski"
27 SASL [conn=1000] Failure: no secret in database

It seems to break at lines 23 and 27. I am not sure what is different about how the Windows app and ldapsearch use SASL, but something sure is :). So my question is: how do I get ldapsearch to work using SASL?

Thanks in advance for your help.

cheers,

ski

--
"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, ckacoroski@nsd.org, 206-501-9803
or ski98033 on most IM services
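Added example, not code from the post or from OpenLDAP: DIGEST-MD5 (RFC 2831) requires the server to reconstruct H(username:realm:password) for exactly the realm the client authenticated against, so a server must hold either a cleartext password (the reason for `password-hash {CLEARTEXT}` above) or a precomputed secret for each realm it will accept. The Python below models both kinds of secret store and shows the lookup failing with the same "no secret in database" condition seen in the log when the client's realm has no stored secret. The password, nonces and digest-uri are constructed placeholders; only the user and realm names come from the post.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    # H(username:realm:password): realm-specific, so a hash stored for one
    # realm can never verify a bind that named a different realm.
    return _h(f"{username}:{realm}:{password}".encode())


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str, authzid=None) -> str:
    # response-value from RFC 2831 section 2.1.2.1, starting from the secret.
    a1 = secret + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    kd = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}".encode()
    return _h(kd).hex()


class SecretStore:
    # Either a cleartext password (usable for any realm) or precomputed
    # per-(user, realm) secrets, which is what a per-realm attribute holds.
    def __init__(self, cleartext=None, realm_hashes=None):
        self.cleartext = cleartext
        self.realm_hashes = realm_hashes or {}

    def secret_for(self, username: str, realm: str) -> bytes:
        if self.cleartext is not None:
            return digest_md5_secret(username, realm, self.cleartext)
        if (username, realm) not in self.realm_hashes:
            raise LookupError("no secret in database")  # failure seen in the slapd log
        return self.realm_hashes[(username, realm)]


def client_response(password: str, username: str, realm: str, nonce: str,
                    cnonce: str, digest_uri: str) -> str:
    # Client side: it knows the password and the realm from the challenge.
    return digest_md5_response(digest_md5_secret(username, realm, password),
                               nonce, cnonce, "00000001", "auth", digest_uri)


def server_verifies(store: SecretStore, username: str, realm: str, nonce: str,
                    cnonce: str, digest_uri: str, response: str) -> bool:
    # Server side: recompute from the stored secret and compare.
    expected = digest_md5_response(store.secret_for(username, realm),
                                   nonce, cnonce, "00000001", "auth", digest_uri)
    return expected == response
```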