Re: Got error while enabling SASL

[Gaurav Gugnani <gugnanigaurav@gmail.com>]

Hello,

Thks for replying.

Now, i am proceeding with following steps but still getting an error:

Steps:
1> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

2> cat /etc/openladp/slapd.conf
password-hash  {CLEARTEXT}
sasl-auxprops slapd
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz

Note: ACL are given properly.

3> Then i'm trying to add user: cat add_sasl_accnt21.ldif
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword: sasluser21
objectClass: account
objectClass: simpleSecurityObject

ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif

5> Now, when i do ldapsearch:
ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b 'uid=sasluser12,ou=System,o=xyz'

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

In log file i got some clue: that its trying to use modify dn.

Have a look plz:
slapd[14125]: >>> dnPrettyNormal: <>
slapd[14125]: <<< dnPrettyNormal: <>, <>
slapd[14125]: conn=1228 op=1 BIND dn="" method=163
slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5
slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2
slapd[14125]: slap_sasl_getdn: u:id converted to uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=digest-md5,cn=auth>
slapd[14125]: ==>slap_sasl2dn: converting SASL name uid=uid\3Dsasluser21,cn=digest-md5,cn=auth to a DN
slapd[14125]: ==> rewrite_context_apply [depth=1] string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth'
slapd[14125]: ==> rewrite_rule_apply rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth' string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth' [1 pass(es)]
slapd[14125]: ==> rewrite_context_apply [depth=1] res={0,'uid=uid\3Dsasluser21,ou=System,o=xyz'}
slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=System,o=xyz
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=System,o=xyz>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=system,o=xyz>
slapd[14125]: <==slap_sasl2dn: Converted SASL name to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: slap_sasl_getdn: dn:id converted to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: => bdb_search
slapd[14125]: bdb_dn2entry("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: => bdb_dn2id("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz" "entry" requested
slapd[14125]: => dn: [2] o=xyz
slapd[14125]: => dn: [3] ou=subscribers,o=xyz
slapd[14125]: => acl_get: [4] attr entry
slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry" requested
slapd[14125]: => acl_mask: to all values by "", (=0)
slapd[14125]: <= check a_dn_pat: self
slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[14125]: => slap_access_allowed: disclose access denied by =0
slapd[14125]: => access_allowed: no more rules
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
slapd[14125]: SASL [conn=1228] Failure: no secret in database
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3

In LDAP it storing perfectly fine:
ldapsearch -x -D cn=Manager,o=xyz -W -b 'uid=sasluser21,ou=System,o=xyz'
# sasluser21, System, xyz
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbHVzZXIyMQ==
objectClass: account
objectClass: simpleSecurityObject

Now, Kindly suggest as proceeding in this direction too .... gave me an error :( :(

Thanks and Regards,
Gaurav Gugnani

On Tue, Feb 7, 2012 at 8:37 PM, Dan White <dwhite@olp.net> wrote:

On 02/07/12 11:01 +0530, Gaurav Gugnani wrote:

Hello All,

Thks to all for helping me out. i hope now the destination is not too far
as i achieved the SASL but it is storing using sasldb.
However, i want it to store information in ldap direcotry.

I've installed the corresponding package:
cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm

Steps for SASL in LDAP using sasldb
------------------------------------------------------

1> saslpasswd2 -c sasluser14
2> sasldblistusers2

I can't stress enough that these commands are going to confuse you when
using slapd. There really are only a few advanced uses for using these
commands in your desired environment.

3> service ldap stop

4> vi etc/openldap/slapd.conf
    sasl-auxprops sasldb

This is the wrong thing to do. You should remove this option if you wish to
have slapd use userPassword to authenticate your users. By specifying
sasldb here, you're instructing slapd, by way of libsasl2, to authenticate
your users against /etc/sasldb2.

Also,

sasl-auxprops ldapdb

would also be the wrong thing to do. In addition to 'sasldb' and 'ldapdb',
slapd implements it's own auxprop plugin called 'slapd' which is the
default, and which Does the Right Thing (TM). However, be aware that
'slapd' will not show up in the output of pluginviewer (or at least I'm not
aware of a way to make it do so).

    authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
    - Give proper ACL to sasluser14

5> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: sasldb

Again this is the wrong thing to do. In recent versions of slapd this value
is overridden by 'sasl-auxprops'.

#auxprop_plugin: slapd

You should uncomment this, if using older versions of slapd. Few newer
versions of slapd, 'sasl-auxprops' defaults to slapd.

mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

CRAM-MD5 and DIGEST-MD5 are fine here. If you really want to use PLAIN and
LOGIN, specify a relaxed 'sasl-secprops' within your slapd configuration.

sasldb_path: /etc/sasldb2

Unnecessary.

6> service ldap start

7> ps -eaf | grep -i ldap

8> vi add_sasl_accnt14.ldif
 # TEST Account for SASL:
 dn: uid=sasluser14,ou=System,o=xyz
 uid: sasluser14
 ou: System
 description: Special account for SASL Testing
 userPassword: sasluser14
 objectClass: account
 objectClass: simpleSecurityObject

9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif

10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b
'uid=sasluser7,ou=system,o=xyz'

But now the problem is - it is storing the users in sasldb. and we want to
use ldap directory.
Can any one please suggest - What changes i need to make to achieve it?

See above.

On 02/07/12 16:43 +0530, Gaurav Gugnani wrote:

Hello All,

i was working on this problem and figured out that ldapdb plugin auxprop is
missing.

/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
Installed SASL (server side) mechanisms are:
CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL
...
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,   API version: 4
     supports store: yes

I read that to use such thing, ldapdb auxprop plugin should be enabled.
http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-September/001552.html

ldapdb should only be used from outside of slapd. For instance, if you were
running a mail server that you wish to authenticate against slapd, then
ldapdb would be appropriate.

--
Dan White