[Date Prev][Date Next] [Chronological] [Thread] [Top]

sasl/plain with hashed password not working

To: openldap-technical@openldap.org
Subject: sasl/plain with hashed password not working
From: btb <btb@bitrate.net>
Date: Wed, 02 Oct 2013 09:08:20 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=bitrate.net; s=default; t=1380718084; bh=ycPgcBTdVaVEumqWxQwTW90WfuqAxE96g+SHpXpN29Y=; h=Date:From:To:Subject; b=BcKCKYe3Z6/Ib8FY1l5Hjv4QNkMPVOTMzjingGgBRx7xHJXI6FufyG7KBeQVyUsap znYzkGSEIQUJ5VhwvkFpDOSr2yn5wygg+fvrdMSBXGfr0Q0uQtmxgwHGhaWQ9k6lBH QrTjgWab1ptbXfBSn41EggmqNzyMSIWqxWemQKFI=
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8

i've enabled the plain sasl mech, and testing with ldapwhoami works, butonly if the userpassword is left as plaintext. if hashing [ssha] isused, it fails. a simple bind succeeds. what am i doing wrong?

>ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w'xxxxxxxx'

SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: Password verification failed

524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 slap_listener_activate(7):
524b7989 daemon: epoll: listen=7 busy
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 >>> slap_listener(ldap:///)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 daemon: listen=7, new connection on 16
524b7989 daemon: added 16r (active) listener=(nil)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 conn=1014 fd=16 ACCEPT from IP=192.168.1.81:35171 (IP=0.0.0.0:389)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989  16r524b7989
524b7989 daemon: read active on 16
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 connection_get(16)
524b7989 connection_get(16): got connid=1014
524b7989 connection_read(16): checking for input on id=1014
ber_get_next
ldap_read: want=8, got=8

0000: 30 22 02 01 01 60 1d 02 0"...`..

ldap_read: want=28, got=28

0000: 01 03 04 00 a3 16 04 05 50 4c 41 49 4e 04 0d 00........PLAIN...0010: 66 6c 61 73 68 00 74 69 67 67 65 72flash.xxxxxxx

ber_get_next: tag 0x30 len 34 contents:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103750 end=0x7f1580103772 len=34

0000: 02 01 01 60 1d 02 01 03 04 00 a3 16 04 05 50 4c...`..........PL0010: 41 49 4e 04 0d 00 66 6c 61 73 68 00 74 69 67 67AIN...flash.xxxx0020: 65 72 xxxxxx

524b7989 op tag 0x60, time 1380678025
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
524b7989 conn=1014 op=0 do_bind
524b7989 daemon: activity on 1 descriptor
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103753 end=0x7f1580103772 len=31

0000: 60 1d 02 01 03 04 00 a3 16 04 05 50 4c 41 49 4e`..........PLAIN0010: 04 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72...flash.xxxxxxxx

ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f158010375a end=0x7f1580103772 len=24

0000: 00 16 04 05 50 4c 41 49 4e 04 0d 00 66 6c 61 73....PLAIN...flas0010: 68 00 74 69 67 67 65 72 h.xxxxxxxxx

ber_scanf fmt (m) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103763 end=0x7f1580103772 len=15

0000: 00 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72...flash.xxxxxxx

ber_scanf fmt (}}) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103772 end=0x7f1580103772 len=0

524b7989 >>> dnPrettyNormal: <>
524b7989 <<< dnPrettyNormal: <>, <>
524b7989 conn=1014 op=0 BIND dn="" method=163
524b7989 do_bind: dn () SASL mech PLAIN
524b7989 ==> sasl_bind: dn="" mech=PLAIN datalen=13
524b7989 SASL Canonicalize [conn=1014]: authcid="flash"
524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0
524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth
524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0
524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth>

524b7989 ==>slap_sasl2dn: converting SASL nameuid=flash,cn=plain,cn=auth to a DN524b7989 ==> rewrite_context_apply [depth=1]string='uid=flash,cn=plain,cn=auth'524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth'string='uid=flash,cn=plain,cn=auth' [1 pass(es)]524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth'string='uid=flash,cn=plain,cn=auth' [1 pass(es)]524b7989 ==> rewrite_context_apply [depth=1]res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" ->"uid=flash,ou=people,ou=accounts,dc=example,dc=com"524b7989 slap_parseURI: parsinguid=flash,ou=people,ou=accounts,dc=example,dc=com

ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)

524b7989 >>> dnNormalize:<uid=flash,ou=people,ou=accounts,dc=example,dc=com>

=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0

524b7989 <<< dnNormalize:<uid=flash,ou=people,ou=accounts,dc=example,dc=com>524b7989 <==slap_sasl2dn: Converted SASL name touid=flash,ou=people,ou=accounts,dc=example,dc=com524b7989 slap_sasl_getdn: dn:id converted touid=flash,ou=people,ou=accounts,dc=example,dc=com524b7989 SASL Canonicalize [conn=1014]:slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com"

524b7989 SASL Canonicalize [conn=1014]: authcid="flash"
524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0
524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth
524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0
524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth>

ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)

524b7989 >>> dnNormalize:<uid=flash,ou=people,ou=accounts,dc=example,dc=com>

=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0

524b7989 => mdb_search
524b7989 mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=com")
524b7989 => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=com")
524b7989 <= mdb_dn2id: got id=0x2c
524b7989 => mdb_entry_decode:
524b7989 <= mdb_entry_decode

524b7989 => access_allowed: auth access to"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "entry" requested

524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 => acl_get: [2] matched
524b7989 => acl_get: [2] attr entry

524b7989 => acl_mask: access to entry"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "entry" requested

524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: self
524b7989 <= check a_dn_pat: users
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [3] applying auth(=xd) (stop)
524b7989 <= acl_mask: [3] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)

524b7989 base_candidates: base:"uid=flash,ou=people,ou=accounts,dc=example,dc=com" (0x0000002c)

524b7989 => test_filter
524b7989 daemon: activity on:524b7989     PRESENT

524b7989 => access_allowed: auth access to"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "objectClass" requested

524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 => acl_get: [2] matched
524b7989 => acl_get: [2] attr objectClass

524b7989 => acl_mask: access to entry"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "objectClass"requested

524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: self
524b7989 <= check a_dn_pat: users
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [3] applying auth(=xd) (stop)
524b7989 <= acl_mask: [3] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 <= test_filter 6

524b7989 => access_allowed: auth access to"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "userPassword" requested

524b7989 => acl_get: [1] attr userPassword

524b7989 => acl_mask: access to entry"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "userPassword"requested

524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [1] applying auth(=xd) (stop)
524b7989 <= acl_mask: [1] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)

524b7989 slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute typeundefined

524b7989 send_ldap_result: conn=1014 op=0 p=3
524b7989 send_ldap_result: err=0 matched="" text=""
524b7989 SASL [conn=1014] Failure: Password verification failed
524b7989 send_ldap_result: conn=1014 op=0 p=3

524b7989 send_ldap_result: err=49 matched="" text="SASL(-13): user notfound: Password verification failed"

524b7989 send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 69 bytes to sd 16

0000: 30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 410C...a>..1...7SA0010: 53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f SL(-13):user no0020: 74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72 t found:Passwor0030: 64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66 dverification f0040: 61 69 6c 65 64 ailed

ldap_write: want=69, written=69

524b7989 <== slap_sasl_bind: rc=49
524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989  16r524b7989
524b7989 daemon: read active on 16
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 connection_get(16)
524b7989 connection_get(16): got connid=1014
524b7989 connection_read(16): checking for input on id=1014
ber_get_next
ldap_read: want=8, got=7

0000: 30 05 02 01 02 42 00 0....B.

ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f1584117620 ptr=0x7f1584117620 end=0x7f1584117625 len=5

0000: 02 01 02 42 00 ...B.

524b7989 op tag 0x42, time 1380678025
ber_get_next
ldap_read: want=8, got=0

524b7989 ber_get_next on fd 16 failed errno=0 (Success)
524b7989 connection_read(16): input error=-2 id=1014, closing.
524b7989 connection_closing: readying conn=1014 sd=16 for close
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 connection_close: deferring conn=1014 sd=16
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 conn=1014 op=1 do_unbind
524b7989 conn=1014 op=1 UNBIND
524b7989 connection_resched: attempting closing conn=1014 sd=16
524b7989 connection_close: conn=1014 sd=16
524b7989 daemon: removing 16
524b7989 conn=1014 fd=16 closed

Follow-Ups:
- Re: sasl/plain with hashed password not working
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: Openldap server with TLS not working
Next by Date: Re: sasl/plain with hashed password not working
Index(es):
- Chronological
- Thread