
SASL DIGEST-MD5 works but PLAIN/LOGIN fails



HI!

I'd like to let users authenticate via SASL/PLAIN or SASL/LOGIN so they do not
have to deal with full bind-DNs, my client does not have to search for the user,
and I can avoid slapo-rwm.

Yes, the connection is protected with TLS.
Later it has to work with hashed userPassword values.
It should be feasible. Or not?

Test system:
latest OpenLDAP RE24
cyrus-sasl-2.1.25-28.1.2.x86_64 shipped with openSUSE 13.1

In my test setup everything works with DIGEST-MD5 but not with PLAIN or LOGIN
(clear-text userPassword value for testing).
The log shows that the SASL username gets mapped by authz-regexp to the
correct LDAP user entry:

52f60408 <==slap_sasl2dn: Converted SASL name to uid=user,ou=dept,o=example
52f60408 slap_sasl_getdn: dn:id converted to uid=user,ou=dept,o=example

But SASL does not use "pwcheck_method: slapd" for the mechs PLAIN/LOGIN, while
it works with DIGEST-MD5:

$ ldapwhoami -H ldapi:/// -Y DIGEST-MD5 -U user -w secret
SASL/DIGEST-MD5 authentication started
SASL username: user
SASL SSF: 128
SASL data security layer installed.
dn:uid=user,ou=dept,o=example
$ ldapwhoami -H ldapi:/// -Y LOGIN -U user -w secret
SASL/LOGIN authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available: checkpass failed
$ ldapwhoami -H ldapi:/// -Y PLAIN -U user -w secret
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
	additional info: SASL(-4): no mechanism available: Password verification failed

The trace shows for PLAIN or LOGIN
(running slapd -d config,stats,stats2,acl,args,trace):

SASL [conn=1002] Error: unknown password verifier(s) slapd

My /usr/lib64/sasl.conf contains:
---------------------------- snip ----------------------------
pwcheck_method: slapd
mech_list: plain login digest-md5 external
---------------------------- snip ----------------------------
I've checked that this is the right file by setting "pwcheck_method: foobar"
which appears in the logs then.


My slapd.conf contains:
---------------------------- snip ----------------------------
disallow bind_anon
require bind LDAPv3 strong

# SSF value for ldapi://
localSSF 256
# minimum required SSF value (security strength factor)
security transport=128 sasl=0
# Since we require TLS we can relax this
sasl-secprops none,minssf=0
---------------------------- snip ----------------------------

Any clue?

Ciao, Michael.
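As an added illustration (not from Michael's post or from OpenLDAP's own code) of why the mechanism choice matters once userPassword is hashed: with PLAIN/LOGIN the server receives the cleartext password and can verify it against a salted hash, whereas DIGEST-MD5 (RFC 2831) needs the verifier to hold the cleartext password or its MD5(username:realm:password) value, which no {SSHA} entry can supply. The DIGEST-MD5 inputs are the sample exchange from RFC 2831 section 4; the {SSHA} entry and salt are constructed, and all function names are mine.

```python
import base64
import hashlib
import hmac


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value: base64 of the
    SHA-1 digest with the salt appended (same layout slappasswd -h {SSHA} emits)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_plain_against_ssha(candidate: bytes, stored: str) -> bool:
    """PLAIN/LOGIN path: the client sent the cleartext password, so the
    server can re-hash it with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("expected an {SSHA} userPassword value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password) from RFC 2831: the only secret the DIGEST-MD5
    verifier needs, and one that cannot be derived from an {SSHA} value."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_md5_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                        digest_uri: str) -> str:
    """Client response for qop=auth (RFC 2831 section 2.1.2.1). A server that
    stores HA1 runs the same computation to check the client's value."""
    def h(data: bytes) -> str:
        return hashlib.md5(data).hexdigest()
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    return h(f"{h(a1)}:{nonce}:{nc}:{cnonce}:auth:{h(a2)}".encode("utf-8"))


# Sample exchange from RFC 2831 section 4 (the password there is "secret").
RFC2831_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com",
                       nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk",
                       nc="00000001", digest_uri="imap/elwood.innosoft.com")


def rfc2831_client_response(password: str = "secret") -> str:
    e = RFC2831_EXAMPLE
    ha1 = digest_md5_ha1(e["username"], e["realm"], password)
    return digest_md5_response(ha1, e["nonce"], e["cnonce"], e["nc"], e["digest_uri"])


if __name__ == "__main__":
    stored = ssha_hash(b"secret", b"salt")  # constructed hashed userPassword
    print(stored, verify_plain_against_ssha(b"secret", stored))
    print(rfc2831_client_response())  # d388dad90d4bbd760a152321f2143af7
```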

