Re: Did anybody succeed in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?

On 17/02/11 18:51 +0900, Hiroyuki Sato wrote:
However, authentication still failed.

I'm not sure why slap_sasl_authorized compares the input password.

-- from the debug message
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
become password1?

That's pretty strange. Which version of openldap are you running?

Does this command make any difference?:

ldapsearch -h -Y digest-md5  -U ldap_user@mydomain.com \
  -X u:ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'

1, new configuration

 database	bdb
 suffix		"dc=mydomain,dc=com"
 rootdn		"cn=Manager,dc=mydomain,dc=com"
 sasl-auxprops sql

 ldapsearch -h -Y digest-md5  -U ldap_user@mydomain.com
-b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
 SASL/DIGEST-MD5 authentication started
 Please enter your password:
 ldap_sasl_interactive_bind_s: Insufficient access (50)

2, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: host.addre.ss
sql_user: username
sql_passwd: password
sql_database: database
# no realm
sql_select: select password from sasl_test where username = '%u'

3, log

conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=303
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user@mydomain.com"
slap_sasl_getdn: conn 1000 id=ldap_user@mydomain.com [len=22]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to
dnNormalize: <uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
==> rewrite_rule_apply rule='uid=([^@]+)([^,]+),cn=digest-md5,cn=auth'
string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
[rw] authid: "uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth" ->
slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
<<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com
SASL Canonicalize [conn=1000]:
SASL Canonicalize [conn=1000]: authzid="ldap_user@mydomain.com"
SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com"
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
become password1?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
SASL [conn=1000] Failure: not authorized
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization
failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50

In version 2.4.23, the authorization should succeed at (in

/* Check if a bind can SASL authorize to another identity.
* The DNs should not have the dn: prefix

int slap_sasl_authorized( Operation *op,
   struct berval *authcDN, struct berval *authzDN )

   /* User binding as anonymous */
   if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
       rc = LDAP_SUCCESS;
       goto DONE;

   /* User is anonymous */
   if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
       goto DONE;

      "==>slap_sasl_authorized: can %s become %s?\n",
       authcDN->bv_len ? authcDN->bv_val : "(null)",
       authzDN->bv_len ? authzDN->bv_val : "(null)",  0 );

   /* If person is authorizing to self, succeed */
   if ( dn_match( authcDN, authzDN ) ) {
       rc = LDAP_SUCCESS;
       goto DONE;

So I'm not sure why you would be seeing anything other than:

==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com
become uid=ldap_user,ou=users,dc=mydomain,dc=com?

But it's probably related to why your authentication is failing.

I've gotten this to work before with sasldb and digest-md5:


Could you post your slapd config, or at least your ACLs?

Dan White
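As an added illustration (not code from the thread, and not slapd's own source), the Python below re-traces the two steps visible in the quoted debug log: the authz-regexp rewrite of uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth to a directory DN, and the self-authorization test in slap_sasl_authorized() that the reply quotes. The regular expression is the one printed in the log; its replacement template (uid=$1,ou=users,dc=mydomain,dc=com), the simplified dn_normalize, and the sample log lines are assumptions or constructed for the example. A small triage helper then reads "can X become Y?" lines and flags the case from the thread, where Y is a password rather than a DN.

```python
import re

# Added example, not code from the thread. The regexp is the rule shown in
# the quoted slapd log ("rewrite_rule_apply rule='...'"); the right-hand
# template is an ASSUMPTION, since the log only shows the resulting DN.
AUTHZ_REGEXP = [
    (re.compile(r'^uid=([^@]+)([^,]+),cn=digest-md5,cn=auth$'),
     'uid=$1,ou=users,dc=mydomain,dc=com'),
]


def dn_normalize(dn):
    """Rough stand-in for slapd's dnNormalize: lower-case everything and
    strip whitespace around RDN separators. Adequate for the DNs in the
    thread (uid/ou/dc are all case-insensitive attribute types)."""
    return ','.join(rdn.strip().lower() for rdn in dn.split(','))


def sasl_name_to_dn(authcid, mech='DIGEST-MD5'):
    """What slap_sasl_getdn()/slap_sasl2dn() do for a 'u:' identity:
    build uid=<authcid>,cn=<mech>,cn=auth, normalize it, and apply the
    first matching authz-regexp rule ($1, $2, ... are capture groups).
    With no matching rule the identity stays under cn=auth."""
    sasl_dn = dn_normalize(f'uid={authcid},cn={mech},cn=auth')
    for pattern, template in AUTHZ_REGEXP:
        m = pattern.match(sasl_dn)
        if m:
            out = template
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f'${i}', group)
            return dn_normalize(out)
    return sasl_dn


def slap_sasl_authorized(authc_dn, authz_dn):
    """Port of the first checks of slap_sasl_authorized() as quoted in the
    reply. Returns an LDAP result code: 0 (LDAP_SUCCESS) or
    48 (LDAP_INAPPROPRIATE_AUTH, the 'return 48' seen in the log).
    The saslAuthzTo/saslAuthzFrom lookups that follow in the real
    function are not modelled here."""
    if not authz_dn:          # binding as anonymous: always allowed
        return 0
    if not authc_dn:          # anonymous cannot authorize to anyone
        return 48
    if dn_normalize(authc_dn) == dn_normalize(authz_dn):
        return 0              # authorizing to self
    return 48


LOG_RE = re.compile(r'==>slap_sasl_authorized: can (.+?) become (.+?)\?\s*$',
                    re.MULTILINE)


def triage_authz_log(log_text):
    """Pull every 'can X become Y?' line out of slapd debug output and
    classify it. A Y that is not even a DN (no '=' in it) means the
    authorization identity handed to slapd is wrong before any ACL or
    authz-policy is consulted."""
    findings = []
    for m in LOG_RE.finditer(log_text):
        authc, authz = m.group(1), m.group(2)
        if slap_sasl_authorized(authc, authz) == 0:
            verdict = 'ok: self-authorization'
        elif '=' not in authz:
            verdict = 'authz identity is not a DN'
        else:
            verdict = 'proxy authorization to another DN: needs authz-policy/saslAuthzTo'
        findings.append((authc, authz, verdict))
    return findings


# Constructed sample: the check from the thread (re-joined onto one line;
# the mail wrapped "become password1?" onto a second line) plus the line
# the reply says one would expect to see instead.
SAMPLE_LOG = """\
conn=1000 op=1 BIND dn="" method=163
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
<== slap_sasl_authorized: return 48
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become uid=ldap_user,ou=users,dc=mydomain,dc=com?
"""

if __name__ == '__main__':
    print(sasl_name_to_dn('ldap_user@mydomain.com'))
    for authc, authz, verdict in triage_authz_log(SAMPLE_LOG):
        print(f'{authz!r}: {verdict}')
```

Run against the thread's own log line, the triage reports the authorization identity "password1" as not a DN: slap_sasl_authorized() returns 48 at the dn_match comparison, before the directory ACLs the reply asks about would ever be evaluated, so the thing to chase is what the SASL layer passes as the authzid, not the ACLs.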