
Re: EXTERNAL mech missing



On Thu, Dec 13, 2012 at 11:46:57AM -0600, Dan White wrote:
> Look at your sasl slapd.conf if it exists (e.g. /usr/lib/sasl2/slapd.conf,
> or /etc/sasl/slapd.conf).
> 
> If you have a mech_list listed within that file, then either comment it
> out, or add EXTERNAL to it.

That fixes it. The goal is to let the slapd pseudo-user reconnect to
slapd so that the SASL LDAPDB plugin works. It does connect, but LDAPDB
does not work. Here is the config:

sasl2/slapd.conf:
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: EXTERNAL DIGEST-MD5 PLAIN LOGIN
ldapdb_uri: ldapi:///
ldapdb_id: cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net
ldapdb_mech: EXTERNAL
log_level: 7

in openldap/slapd.conf:
authz-regexp "uidNumber=401,cn=peercred,cn=external,cn=auth"
    "cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net"
authz-regexp "uid=([^,]*),cn=external,cn=auth"
    "ldap:///dc=example,dc=net??sub?(uid=$1)"


in /etc/passwd:
slapd:*:401:1000:openldap-server slapd user:/nonexistent:/sbin/nologin

In LDAP DIT:
dn: cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net
objectClass: organizationalRole
cn: ldap.example.net
ou: pseudo-users
authzTo: {0}dn:*

This works:
# su -m slapd -c 'ldapwhoami -Y EXTERNAL -H ldapi:///' 
SASL/EXTERNAL authentication started
SASL username: gidNumber=1000+uidNumber=401,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net

This also works:
# su -m slapd -c 'ldapwhoami -X u:someone -Y EXTERNAL -H ldapi:///'
SASL/EXTERNAL authentication started
SASL username: u:someone
SASL SSF: 0
dn:uid=someone,dc=example,dc=net
However this does not work:
# su -m someone -c 'ldapwhoami -U uid=someone,dc=example,dc=net \
	-Y PLAIN -H ldaps://ldap.example.com'

logs say:
conn=2455 op=0 BIND dn="uid=someone,dc=example,dc=net" method=163 
SASL [conn=2455] Failure: Password verification failed 
conn=2455 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed 
conn=2455 op=1 UNBIND 

I must be missing how the LDAPDB plugin works. Any hint?

-- 
Emmanuel Dreyfus
manu@netbsd.org
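To see which of the two authz-regexp rules above a given SASL identity falls into, here is a small emulation of slapd's mapping (an added example, not code from the post or from OpenLDAP). It assumes slapd's documented behaviour: rules are tried in order, matched case-insensitively and unanchored (the first rule only matches the gidNumber=...+uidNumber=... peercred identity because of that), first match wins, and a `u:name` authzid is normalized to `uid=name,cn=<mech>,cn=auth` before matching.

```python
import re

# The two authz-regexp rules from the slapd.conf in the post: (pattern, replacement)
AUTHZ_REGEXP = [
    (r"uidNumber=401,cn=peercred,cn=external,cn=auth",
     "cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net"),
    (r"uid=([^,]*),cn=external,cn=auth",
     "ldap:///dc=example,dc=net??sub?(uid=$1)"),
]


def authzid_to_dn(authzid, mech):
    """Assumed normalization of a SASL authzid into slapd's cn=auth DN form:
    'dn:<dn>' is used as-is, 'u:<name>' becomes uid=<name>,cn=<mech>,cn=auth."""
    if authzid.startswith("dn:"):
        return authzid[3:]
    if authzid.startswith("u:"):
        return "uid=%s,cn=%s,cn=auth" % (authzid[2:], mech.lower())
    raise ValueError("unknown authzid form: %r" % authzid)


def map_sasl_identity(sasl_dn, rules=AUTHZ_REGEXP):
    """Emulate authz-regexp: unanchored, case-insensitive ERE match, first rule
    wins, $N in the replacement is filled from capture group N. Returns the
    mapped DN or search URL, or None when no rule matches (slapd then keeps the
    unmapped cn=auth identity, which has no entry in the DIT)."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m is None:
            continue
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


if __name__ == "__main__":
    # Identities taken from the ldapwhoami output in the post, plus a PLAIN-shaped
    # one (constructed) to show that neither rule covers a non-EXTERNAL mech.
    for ident in (
        "gidNumber=1000+uidNumber=401,cn=peercred,cn=external,cn=auth",
        authzid_to_dn("u:someone", "EXTERNAL"),
        "uid=someone,cn=plain,cn=auth",
    ):
        print("%-62s -> %s" % (ident, map_sasl_identity(ident)))
```

Only the cn=external,cn=auth forms are rewritten; any identity ending in a different mechanism is left unmapped by this configuration.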