[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Got error while enabling SASL

To: Gaurav Gugnani <gugnanigaurav@gmail.com>
Subject: Re: Got error while enabling SASL
From: Dan White <dwhite@olp.net>
Date: Mon, 6 Feb 2012 09:47:31 -0600
Cc: openldap-technical@openldap.org, Raffael Sahli <public@raffaelsahli.com>
Content-disposition: inline
In-reply-to: <CANnGQdji3se+egdHjk0eiWwfyp1ip-HUGw4dW6hw-f6+guHfDQ@mail.gmail.com>
References: <CANnGQdiXKTHN5yJaUdXAOU3oyVHx_8b7ZvPteVPjxT1rpfKtkA@mail.gmail.com> <CANnGQdgj3yUnxTQa1jOhydOEfcD5G3xdnQ3uptnbo-=NQhMSAQ@mail.gmail.com> <4F2A6684.1070208@raffaelsahli.com> <CANnGQdjcsqoLpUvkM_AZnRFtmuSOLRW5Nhe1rS9JaeieH9G__A@mail.gmail.com> <20120202153307.GB4617@dan.olp.net> <CANnGQdjVuzogcTVzCd7Gy13rkQZJy5dDoQeoZi8V-6weg6XKOg@mail.gmail.com> <CANnGQdiA893Xux2D+sR+RKjSpQemz8pK2nryrho0mpe-xXraRQ@mail.gmail.com> <20120203151430.GC4828@dan.olp.net> <CANnGQdji3se+egdHjk0eiWwfyp1ip-HUGw4dW6hw-f6+guHfDQ@mail.gmail.com>
User-agent: Mutt/1.5.21 (2010-09-15)

On 02/06/12 11:40 +0530, Gaurav Gugnani wrote:

Hello All,

Thks for helping me out, however i'm still stuck in middle of it and the
issue has not yet resolved.


You should run your server in debug mode to determine what's going awry.

*Error:*
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y DIGEST-MD5 -U
sasluser7 -b 'o=xyz'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
       additional info: SASL(-13): user not found: no secret in database

I checked for ACL and also now i'm using authz with following lines:

authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz

access to attrs="userpassword"
       by self write
       by anonymous auth
       by dn="uid=sasluser7,ou=System,o=xyz" read
access to dn.base="o=xyz"
       by dn="uid=sasluser7,ou=System,o=xyz" read
       by users read
access to dn.subtree="ou=Subscribers,o=xyz"
       by dn="uid=sasluser7,ou=System,o=xyz" read
access to *
       by self write
       by dn="uid=sasluser7,ou=System,o=xyz" read

I hope it is fine.


I have 'by anonymous auth' on the following:

access to dn.base="ou=people,dc=example,dc=net"
access to attrs=userPassword
access to attrs=authzTo
access to attrs=objectClass
access to attrs=entry,uidNumber

You could determine if that's sufficient for you piecemeal wise but, again,
use debug output to figure it out. For example:

slapd -d -1 -h ldap:/// -u openldap -g openldap

See the manpage for slapd for details.

Moreover, we can say that the user is created:
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D
'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=sasluser7,ou=System,o=xyz> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sasluser7, System, xyz
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbVHzZXI3


Be aware that the above is a simple uuencoding of your password. It should
now be considered publicly known.

objectClass: account
objectClass: simpleSecurityObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Also, i would like to highlight one thing:

That when i check for sasl dblist users - it thorws me an error. Can that
be an issue point?
/u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
-bash: sasldblistusers: command not found


Any of the cyrus sasl* commands are most likely doing the wrong thing,
which default to using the sasldb auxprop store (which uses /etc/sasldb2)
rather that slapd or ldapdb. I would not use them at this point as they're
bound to confuse the matter.

--
Dan White

Follow-Ups:
- Re: Got error while enabling SASL
  - From: Gaurav Gugnani <gugnanigaurav@gmail.com>

References:
- Got error while enabling SASL
  - From: Gaurav Gugnani <gugnanigaurav@gmail.com>
- Re: Got error while enabling SASL
  - From: Gaurav Gugnani <gugnanigaurav@gmail.com>
- Re: Got error while enabling SASL
  - From: Raffael Sahli <public@raffaelsahli.com>
- Re: Got error while enabling SASL
  - From: Gaurav Gugnani <gugnanigaurav@gmail.com>
- Re: Got error while enabling SASL
  - From: Dan White <dwhite@olp.net>
- Re: Got error while enabling SASL
  - From: Gaurav Gugnani <gugnanigaurav@gmail.com>
- Re: Got error while enabling SASL
  - From: Gaurav Gugnani <gugnanigaurav@gmail.com>
- Re: Got error while enabling SASL
  - From: Dan White <dwhite@olp.net>
- Re: Got error while enabling SASL
  - From: Gaurav Gugnani <gugnanigaurav@gmail.com>

Prev by Date: Re: Search on whole tree gives result, search on subtree not
Next by Date: Help on ACL
Index(es):
- Chronological
- Thread