
Re: Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??



On 14/02/11 23:47 +0900, Hiroyuki Sato wrote:
> Has anybody succeeded in setting up SASL (digest-md5) authentication with
> a MySQL database and the latest openldap-server?
>
> I'm not sure why this configuration does not work correctly, and it
> seems that the LDAP server compares the DN and input password in LDAP
> authentication. (see log below)
>
> My Environment
>  OS: Ubuntu 10.10
>  OpenLDAP : 2.4.24 (built myself)
>
> 1, slapd.conf
>
>  sasl-realm mydomain.com
>  sasl-auxprops sql
>
>  sasl-regexp
>    uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
>    uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com

This isn't matching what's showing up in your logs. slapd is internally
canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.

> 2, /usr/lib/sasl2/slapd.conf
>
>  pwcheck_method: auxprop
>  mech_list: DIGEST-MD5
>  log_level: 7
>  auxprop_plugin: sql
>  sql_verbose: yes
>  sql_engine: mysql
>  sql_hostnames: database.server.add.ress
>  sql_user: username
>  sql_passwd: password
>  sql_database: db_name
>  sql_select: select password from sasl_test where username = '%u@%r'
>
>  ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser \
>    -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' \
>    -LLL '(objectclass=*)'
>  Password:
>  ldap_sasl_interactive_bind_s: Insufficient access (50)
>
> 5, log
>
>    <= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
>    slap_sasl_getdn: u:id converted to
>    uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
>
>    slap_sasl_getdn: dn:id converted to
>    uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com

You want the 'uid' part of your rule to be a bit more restrictive, such as
uid=([^,]+) so that it doesn't end up matching a longer string
accidentally.

--
Dan White
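As an added illustration (not part of this thread, and not slapd's own code), the following Python script simulates the sasl-regexp rewriting step on the authentication DN taken from the log quoted above. It runs the poster's original rule and an assumed corrected rule (canonicalized realm, uid capture stopped at the first comma) side by side, and then shows on a constructed identity why a greedy `(.*)` capture can carry an extra RDN into the mapped DN. The matching is simplified: the pattern is anchored to the whole DN and compared case-insensitively; the corrected rule and the `ou=bogus` identity are assumptions built from the reply, not from the poster's configuration or logs.

```python
import re
from typing import Iterable, Optional, Tuple

# Authentication-identity DN copied from the slapd log quoted in the thread.
# Note the realm appears as "cn=mydomain,dc=com", not "cn=mydomain.com".
AUTH_DN = "uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth"

# The sasl-regexp pair from the poster's slapd.conf: (search pattern, replacement).
# The "." in "mydomain.com" is a regex wildcard here, so this pattern can only
# match the literal text "cn=mydomain<one char>com", never "cn=mydomain,dc=com".
ORIGINAL_RULE = (
    r"uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth",
    "uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com",
)

# Assumed corrected rule, built from the two points in the reply: the pattern
# carries the canonicalized realm, and the uid capture stops at a comma.
CORRECTED_RULE = (
    r"uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth",
    "uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com",
)

# Same realm fix but with the greedy capture kept, to show what the reply warns about.
GREEDY_RULE = (
    r"uid=(.*),cn=mydomain,dc=com,cn=digest-md5,cn=auth",
    CORRECTED_RULE[1],
)

# Constructed identity (not from the thread): an extra RDN sits between the
# uid value and the realm.
OVERMATCH_DN = "uid=ldap_user,ou=bogus,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth"


def apply_sasl_regexp(auth_dn: str, rule: Tuple[str, str]) -> Optional[str]:
    """Simulate one sasl-regexp rule against an authentication DN.

    Simplifications (assumptions of this simulation, not slapd's code): the
    pattern is anchored to the whole DN, and matching is case-insensitive,
    which agrees with the log above where "cn=DIGEST-MD5" was meant to match
    a lower-case pattern. Returns the rewritten DN, or None if the rule does
    not apply.
    """
    pattern, replacement = rule
    m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
    if m is None:
        return None
    # slapd's replacement syntax refers to capture groups as $1..$9.
    return re.sub(r"\$([1-9])", lambda ref: m.group(int(ref.group(1))), replacement)


def map_identity(auth_dn: str, rules: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Apply rules in order and return the first rewrite, as a rule list would."""
    for rule in rules:
        mapped = apply_sasl_regexp(auth_dn, rule)
        if mapped is not None:
            return mapped
    return None


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE), ("corrected", CORRECTED_RULE)):
        print(f"{label:9s} rule on log DN   -> {apply_sasl_regexp(AUTH_DN, rule)}")
    for label, rule in (("greedy", GREEDY_RULE), ("corrected", CORRECTED_RULE)):
        print(f"{label:9s} rule on bogus DN -> {apply_sasl_regexp(OVERMATCH_DN, rule)}")
```

Running it shows the original rule returning None for the DN from the log (so the identity is never mapped into the users subtree), the corrected rule producing `uid=ldap_user,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com`, and the greedy variant accepting the constructed identity and emitting a DN with `ou=bogus` spliced into it, whereas `([^,]+)` rejects it outright. When writing real rules, also escape any literal dots in the pattern rather than leaving them as wildcards.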