[Q] Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??
- To: openldap-technical@openldap.org
- Subject: [Q] Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??
- From: Hiroyuki Sato <hiroysato@gmail.com>
- Date: Mon, 14 Feb 2011 23:47:04 +0900
Dear members,
Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with
a MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly,
and it seems that the LDAP server compares the DN and the input password in LDAP
authentication (see log below).
Thank you for your advice.
Sincerely,
--
Hiroyuki Sato.
My Environment
OS: Ubuntu 10.10
OpenLDAP : 2.4.24 (build myself)
1, slapd.conf
..
sasl-realm mydomain.com
sasl-auxprops sql
sasl-regexp
uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
Note: ``sasl-auxprops sql'' is not well documented.
It is an important config for SQL authentication.
2, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: database.server.add.ress
sql_user: username
sql_passwd: password
sql_database: db_name
sql_select: select password from sasl_test where username = '%u@%r'
3, database entry
mysql> select * from sasl_test \G
*************************** 1. row ***************************
username: ldapuser@mydomain.com
password: ldapuser_password
4, auth
ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
Password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
5, log
......
<= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to
uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth to a DN
daemon: activity on 1 descriptor
==> rewrite_context_apply [depth=1]
string='uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth'
==> rewrite_rule_apply
rule='uid=(.*),cn=mydomain,dc=com,cn=digest-md5,cn=auth'
string='uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth' [1
pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com'}
[rw] authid:
"uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth" ->
"uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com"
slap_parseURI: parsing
uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
ldap_url_parse_ext(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)
>>> dnNormalize:
<uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)=0
<<< dnNormalize:
<uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to
uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
slap_sasl_getdn: dn:id converted to
uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
SASL Canonicalize [conn=1003]:
slapAuthcDN="uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com"
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
SASL Canonicalize [conn=1003]: authzid="ldap_user"
SASL proxy authorize [conn=1003]:
authcid="ldap_user@mydomain,dc=com"
authzid="ldap_user@mydomain,dc=com"
==>slap_sasl_authorized: can
uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
become <INPUT_PASSWORD>?
^^^^^^^^^^^^^^^^^^^^
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1003]: proxy authorization disallowed (48)
SASL [conn=1003] Failure: not authorized
send_ldap_result: conn=1003 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization
failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
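The following is an added worked example, not code from the post, from Cyrus SASL or from slapd. It models the three steps the configuration above chains together: the server fetches the secret keyed by '%u@%r' as the sql_select does (here a constructed in-memory dict standing in for the sasl_test table), recomputes the RFC 2831 DIGEST-MD5 response to check the credentials, and only then runs the separate authorization step that decides whether the authenticated identity may act as the requested authzid. The log above fails at that last step (slap_sasl_authorized, SASL(-14) "not authorized") rather than at the credential check, so the example keeps the two verdicts distinct. It also applies the sasl-regexp from slapd.conf to the uid=...,cn=auth DN the way slapd does. The nonces, digest-uri, PROXY_ALLOWED policy and STORE contents are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the page's sasl_test table: the auxprop store keyed
# by '%u@%r' (username@realm) exactly as the sql_select does, holding the
# plaintext password. DIGEST-MD5 can only be verified from the plaintext (or
# from the precomputed MD5(user:realm:pass)), so this table is as sensitive as
# the passwords themselves, and the DB credentials sit in the sasl2 config file.
STORE = {"ldapuser@mydomain.com": "ldapuser_password"}

# Hypothetical proxy-authorization policy (assumption): which authzids each
# authcid may assume. slapd derives this from its authz-policy configuration.
PROXY_ALLOWED = {"ldapuser": set()}   # ldapuser may not become anyone else

# sasl-regexp taken from the slapd.conf on the page: (pattern, replacement).
SASL_REGEXP = (
    r"uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth",
    "uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com",
)


def _h(s: str) -> bytes:
    """H() from RFC 2831: raw 16-byte MD5."""
    return hashlib.md5(s.encode()).digest()


def _hh(data: bytes) -> str:
    """HEX(H()) from RFC 2831: lowercase hex MD5."""
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None, rspauth=False):
    """RFC 2831 response-value, or the server's rspauth when rspauth=True."""
    a1 = _h(f"{username}:{realm}:{password}") + f":{nonce}:{cnonce}".encode()
    if authzid:                       # authzid is folded into A1 when present
        a1 += f":{authzid}".encode()
    a2 = ("" if rspauth else "AUTHENTICATE") + f":{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = f"{_hh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hh(a2.encode())}"
    return _hh(kd.encode())


def sasl_to_dn(authcid, realm, mech="digest-md5"):
    """slapd forms uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth, normalizes it
    (lowercase, as the dnNormalize lines in the log show) and applies the
    sasl-regexp rules; $1 in the replacement is the first capture group."""
    sasl_dn = f"uid={authcid},cn={realm},cn={mech},cn=auth"
    pattern, repl = SASL_REGEXP
    m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
    if not m:
        return sasl_dn                # no rule matched: the cn=auth DN is kept
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), repl)


def server_verify(username, realm, nonce, cnonce, nc, qop, digest_uri,
                  response, authzid=None):
    """Server side: look the secret up like sql_select '%u@%r', recompute the
    response, then run the authorization step as a separate decision."""
    secret = STORE.get(f"{username}@{realm}")
    if secret is None:
        return ("no such user", None)
    expected = digest_md5_response(username, realm, secret, nonce, cnonce,
                                   nc, qop, digest_uri, authzid)
    if not hmac.compare_digest(expected, response):
        return ("bad password", None)
    # Credentials are good. The authzid defaults to the authcid; any other
    # value must be permitted by proxy-authorization policy, otherwise the
    # bind fails with the "not authorized" shape seen in the page's log.
    authz = authzid or username
    if authz != username and authz not in PROXY_ALLOWED.get(username, ()):
        return ("not authorized", None)
    rsp = digest_md5_response(username, realm, secret, nonce, cnonce, nc, qop,
                              digest_uri, authzid, rspauth=True)
    return ("ok", {"bound_dn": sasl_to_dn(authz, realm), "rspauth": rsp})


def client_bind(username, realm, password, authzid=None):
    """Drive one exchange with constructed nonces; return the server verdict."""
    nonce, cnonce, nc, qop = "srvnonce123", "clinonce456", "00000001", "auth"
    uri = "ldap/server.mydomain.com"   # assumed digest-uri
    resp = digest_md5_response(username, realm, password, nonce, cnonce, nc,
                               qop, uri, authzid)
    verdict, extra = server_verify(username, realm, nonce, cnonce, nc, qop,
                                   uri, resp, authzid)
    if verdict == "ok":               # client verifies rspauth (mutual auth)
        assert extra["rspauth"] == digest_md5_response(
            username, realm, password, nonce, cnonce, nc, qop, uri, authzid,
            rspauth=True)
    return verdict


if __name__ == "__main__":
    print(client_bind("ldapuser", "mydomain.com", "ldapuser_password"))
    print(client_bind("ldapuser", "mydomain.com", "ldapuser_password",
                      authzid="ldapuser_password"))
```

The second call in the usage shows the failure mode worth separating when reading a slapd log: a client that sends something other than its own identity as the authzid passes the password check and is then refused at the proxy-authorization step, which is reported as an authorization failure, not as a credential failure. When debugging the setup above, confirm first that the `%u@%r` key the sql_select builds matches a row in the table, then that the authzid reaching slapd is either empty or the same as the authcid.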