
Re: SASL DIGEST-MD5 works but PLAIN/LOGIN fails



Hello Michael,

On Sat, 08 Feb 2014 11:45:52 +0100, Michael Ströder <michael@stroeder.com> wrote:

> Hi!
> 
> I'd like to let users authenticate via SASL/PLAIN or SASL/LOGIN so they
> do not have to deal with full bind DNs, my client does not have to
> search for the user, and I can avoid slapo-rwm.
> 
> Yes, the connection is protected with TLS.
> Later it has to work with hashed userPassword values.
> It should be feasible. Or not?
> 
> Test system:
> latest OpenLDAP RE24
> cyrus-sasl-2.1.25-28.1.2.x86_64 shipped with openSUSE 13.1
> 
> In my test setup everything works with DIGEST-MD5 but not with PLAIN
> or LOGIN (clear-text userPassword value for testing).
> The log shows that the SASL username gets mapped by authz-regexp to
> the correct LDAP user entry:
> 
> 52f60408 <==slap_sasl2dn: Converted SASL name to uid=user,ou=dept,o=example
> 52f60408 slap_sasl_getdn: dn:id converted to uid=user,ou=dept,o=example
> 
> But SASL does not use "pwcheck_method: slapd" for mechs PLAIN/LOGIN
> but works with DIGEST-MD5:
> 
> $ ldapwhoami -H ldapi:/// -Y DIGEST-MD5 -U user -w secret
> SASL/DIGEST-MD5 authentication started
> SASL username: user
> SASL SSF: 128
> SASL data security layer installed.
> dn:uid=user,ou=dept,o=example
> $ ldapwhoami -H ldapi:/// -Y LOGIN -U user -w secret
> SASL/LOGIN authentication started
> ldap_sasl_interactive_bind_s: Authentication method not supported (7)
> 	additional info: SASL(-4): no mechanism available: checkpass failed
> $ ldapwhoami -H ldapi:/// -Y PLAIN -U user -w secret
> SASL/PLAIN authentication started
> ldap_sasl_interactive_bind_s: Authentication method not supported (7)
> 	additional info: SASL(-4): no mechanism available: Password verification failed
> 
> The trace shows for PLAIN or LOGIN
> (running slapd -d config,stats,stats2,acl,args,trace):
> 
> SASL [conn=1002] Error: unknown password verifier(s) slapd
> 
> My /usr/lib64/sasl.conf contains:
> ---------------------------- snip ----------------------------
> pwcheck_method: slapd
> mech_list: plain login digest-md5 external
> ---------------------------- snip ----------------------------
> I've checked that this is the right file by setting "pwcheck_method:
> foobar" which appears in the logs then.


Wrong configuration file. You should configure slapd in /etc/sasl2/slapd.conf:

mech_list: gssapi digest-md5 cram-md5 external plain login
auxprop_plugin: slapd

ldapwhoami -Y LOGIN -U mailadmin -w secret -H ldapi:///
SASL/LOGIN authentication started
SASL username: mailadmin
SASL SSF: 0
dn:cn=mailadmin,o=avci,c=de

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
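The two configurations in this thread (the questioner's pwcheck_method: slapd and the reply's auxprop_plugin: slapd) run through a small audit script. This is an added example, not code from the thread, OpenLDAP or Cyrus SASL. It assumes the pwcheck_method verifier names that Cyrus SASL 2.x accepts (auxprop, auxprop-hashed, saslauthd, pwcheck, alwaystrue, as in the library's checkpw.c) and that auxprop is the default when pwcheck_method is absent; both sample configs are constructed from the messages above.

```python
"""Audit the Cyrus SASL application config that slapd reads (the reply
names /etc/sasl2/slapd.conf) for the settings PLAIN/LOGIN need.
Constructed example; not OpenLDAP or Cyrus SASL code."""

# Password verifiers Cyrus SASL 2.x accepts in pwcheck_method (assumption:
# taken from the library's checkpw.c verifier table, not from the thread).
CYRUS2_VERIFIERS = {"auxprop", "auxprop-hashed", "saslauthd", "pwcheck", "alwaystrue"}

# Mechanisms that hand the server a clear-text password and therefore need
# a password verifier; DIGEST-MD5/CRAM-MD5 instead fetch the stored secret
# through auxprop, which is why they kept working in the question.
CLEARTEXT_MECHS = {"plain", "login"}

# Constructed sample: the questioner's config (SASL 1 style verifier name).
SAMPLE_WRONG = """\
pwcheck_method: slapd
mech_list: plain login digest-md5 external
"""

# Constructed sample: the config from the reply.
SAMPLE_RIGHT = """\
mech_list: gssapi digest-md5 cram-md5 external plain login
auxprop_plugin: slapd
"""


def parse_sasl_conf(text):
    """Parse 'option: value' lines: '#' starts a comment, option names are
    case-insensitive, and a repeated option keeps its last value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        opts[key.strip().lower()] = value.strip()
    return opts


def audit_slapd_sasl(text):
    """Return a list of findings; an empty list means every pwcheck_method
    value is one Cyrus SASL 2 knows and PLAIN/LOGIN have a verifier."""
    opts = parse_sasl_conf(text)
    findings = []
    mechs = set(opts.get("mech_list", "").lower().split())
    # Assumption: Cyrus SASL 2 falls back to auxprop when the option is absent.
    methods = set(opts.get("pwcheck_method", "auxprop").lower().split())
    plugins = set(opts.get("auxprop_plugin", "").lower().split())

    for m in sorted(methods):
        if m not in CYRUS2_VERIFIERS:
            findings.append(
                f"pwcheck_method '{m}' is not a Cyrus SASL 2 verifier; "
                "expect 'unknown password verifier(s)' and failing PLAIN/LOGIN")

    cleartext = mechs & CLEARTEXT_MECHS
    if cleartext:
        names = ", ".join(sorted(cleartext))
        external = bool(methods & {"saslauthd", "pwcheck"})
        auxprop = any(m.startswith("auxprop") for m in methods)
        if not external and not auxprop:
            findings.append(
                f"{names} in mech_list but pwcheck_method names no usable verifier")
        elif auxprop and not external and "slapd" not in plugins:
            current = " ".join(sorted(plugins)) or "unset"
            findings.append(
                f"{names} in mech_list but auxprop_plugin does not pin 'slapd' "
                f"(currently: {current})")
    return findings


if __name__ == "__main__":
    for label, conf in (("question", SAMPLE_WRONG), ("reply", SAMPLE_RIGHT)):
        print(label, audit_slapd_sasl(conf) or ["ok"])
```

The script only sees the SASL config file; it cannot tell whether the listener enforces TLS before PLAIN/LOGIN are offered, so that check still belongs in slapd's own configuration and in a bind test over an unprotected connection.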