
Re: sasl/plain with hashed password not working



On 10/09/13 22:20 -0400, btb@bitrate.net wrote:
On Oct 8, 2013, at 09.56, Dan White <dwhite@olp.net> wrote:

without olcauthzregexp, a test with ldapwhoami fails, as expected:

ldapwhoami -H 'ldap://aurora.example.com/' -Y 'digest-md5' -U 'flash' -w 'xxxxxxxx'
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database

You're comparing apples to oranges here. You should be performing PLAIN
authentication for a closer comparison. Of course, you'll need a clear text
password in your entry for that to succeed.

but when using 'pwcheck_method: saslauthd' [and 'mech_list: plain'], a test with ldapwhoami succeeds, even without olcauthzregexp:

ldapsearch -xLLLH 'ldap://aurora.example.com/' -D 'cn=admin,dc=example,dc=com' -w 'xxxxxxxx' -b 'cn=config' -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/openldap/var/run/slapd.args
olcLogLevel: any
olcPidFile: /opt/openldap/var/run/slapd.pid
olcSaslSecProps: noanonymous

ldapwhoami -H 'ldap://aurora.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx'
SASL/PLAIN authentication started
SASL username: flash
SASL SSF: 0
dn:uid=flash,cn=plain,cn=auth

slapd internally assigns an identity after SASL authentication is
successful. ldapwhoami will still succeed without an olcauthzregexp, but
will simply point to the generated "pseudo" dn, rather than an actual entry
in your tree (unless you have actually created a cn=auth database).

Be aware that even if you have 'pwcheck_method: saslauthd' configured, that
configuration only affects PLAIN/LOGIN. Auxprop is still used for shared
secret mechanisms such as DIGEST-MD5.

I may not be following - if I explicitly set 'pwcheck_method: saslauthd',
yet offer a shared secret mech, that config directive will be ignored and
act as though pwcheck_method: auxprop is set if the shared secret mech is
used?  I guess that makes sense, since such a config would be
contradictory?

Shared secret mechanisms will use your configured auxprop plugin. Shared
secret mechanisms will always disregard your pwcheck_method config.

Another way to get rid of those log entries is to include dummy options for
them:

ldapdb_uri: ldapi:///
sql_select: SELECT %p FROM user_table WHERE username = '%u' and realm = '%r'

using these dummy options does suppress the log messages, but I'd like to
learn what I'm doing wrong if only the slapd plugin is supposed to be in
use to begin with.

I'm not sure that you are. I suppose a better solution is to remove the
ldapdb and sql (and sasldb) shared libraries from your system, in which
case they'll never be loaded in to memory.

--
Dan White
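The identity mapping discussed in this thread, as an added example that is not part of the thread or of OpenLDAP's own code: a small Python model of how slapd builds the SASL pseudo DN after a successful bind and how olcAuthzRegexp rules rewrite it into a real entry (or a search URL). The pseudo-DN form uid=<user>[,cn=<realm>],cn=<mech>,cn=auth is the one slapd documents and matches the ldapwhoami output above; the base dc=example,dc=com, the two rule patterns and the case-insensitive matching are assumptions made for the example. It uses only the standard library.

```python
import re

# Constructed sample rules, in the order they would be listed as olcAuthzRegexp
# values under cn=config (assumption: base dc=example,dc=com).  In LDIF they
# would look like:
#
#   olcAuthzRegexp: {0}uid=([^,]+),cn=[^,]+,cn=digest-md5,cn=auth
#     ldap:///dc=example,dc=com??sub?(uid=$1)
#   olcAuthzRegexp: {1}uid=([^,]+),cn=[^,]+,cn=auth
#     ldap:///dc=example,dc=com??sub?(uid=$1)
AUTHZ_RULES = [
    # DIGEST-MD5 binds that carry a realm: uid=<user>,cn=<realm>,cn=digest-md5,cn=auth
    (r"^uid=([^,]+),cn=[^,]+,cn=digest-md5,cn=auth$",
     r"ldap:///dc=example,dc=com??sub?(uid=$1)"),
    # Any mechanism without a realm component: uid=<user>,cn=<mech>,cn=auth
    (r"^uid=([^,]+),cn=[^,]+,cn=auth$",
     r"ldap:///dc=example,dc=com??sub?(uid=$1)"),
]


def sasl_pseudo_dn(username, mechanism, realm=None):
    """Identity slapd assigns after a successful SASL bind.

    Documented form: uid=<user>[,cn=<realm>],cn=<mech>,cn=auth.  The mechanism
    appears in lower case, as in "dn:uid=flash,cn=plain,cn=auth" above.
    (Assumption: username and realm contain no characters needing DN escaping.)
    """
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts.append(f"cn={mechanism.lower()}")
    parts.append("cn=auth")
    return ",".join(parts)


def apply_authz_regexp(pseudo_dn, rules=AUTHZ_RULES):
    """Rewrite the pseudo DN with the first matching rule, slapd style.

    Rules are tried in order and the first match wins; $1..$9 in the
    replacement refer to the capture groups of the pattern.  If nothing
    matches, the pseudo DN is returned unchanged, which is exactly what
    ldapwhoami reports when no olcAuthzRegexp is configured.
    Case-insensitive matching is an assumption of this model.
    """
    for pattern, replacement in rules:
        m = re.match(pattern, pseudo_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return pseudo_dn


def whoami(username, mechanism, realm=None, rules=AUTHZ_RULES):
    """What ldapwhoami would print after 'dn:' for this bind under these rules."""
    return apply_authz_regexp(sasl_pseudo_dn(username, mechanism, realm), rules)


if __name__ == "__main__":
    # No rules: the bind succeeds but the identity is only the pseudo DN.
    print(whoami("flash", "PLAIN", rules=[]))
    # With rules: PLAIN and DIGEST-MD5 (with or without realm) all map to one search URL.
    print(whoami("flash", "PLAIN"))
    print(whoami("flash", "DIGEST-MD5", realm="example.com"))
    print(whoami("flash", "DIGEST-MD5"))
```

The model makes the point of the thread concrete: a successful ldapwhoami proves only that the SASL layer accepted the password (saslauthd for PLAIN/LOGIN, the auxprop plugin for DIGEST-MD5); whether the resulting identity is a real entry depends entirely on the rewrite rules, and a rule that only matches one mechanism (the first rule here) leaves binds through other mechanisms at the pseudo DN.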