
Resolved: SASL search-based username mapping succeeds, but auth fails!?
I document the resolution here in the hope it may save others from similar embarrassment.

Short form:

The ldapsearch error termination message:

  user not found: unable to canonify user and get auxprops

meant, at least in this case, that the SASL password database (/etc/ldap/sasl2/sasldb2) did not contain the userid specified by option "-U".

This message is distinct from the message issued on a password error for a userid that is present in the database:

  authentication failure: client response doesn't match what
    we generated (tried bogus)

TLDR:

My perplexity was caused by two reasonable (to me at least) misconceptions that falsely reinforced each other:

1. "unable to canonify user" meant a problem more complex than simply "user not found" in the SASL database itself.

2. Execution of a SASL AuthzRegexp LDAP lookup proved that the SASL user password had been successfully checked (i.e., that a -U userid SASL password is checked PRIOR to AuthzRegexp processing).

The root-cause blunder: omitting the saslpasswd2 option "-f /etc/ldap/sasl2/sasldb2" when creating the SASL userid. This created the ID in /etc/sasldb2 instead. Verifying existence of the ID with sasldblistusers2 (also forgetting option "-f", of course) confirmed that the ID in question was present ... in the wrong place.

I apologize to the list for the mistaken post.

Bill Clay
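The check below is an added example, not part of Bill Clay's post, that turns the lesson of the post into a script: it looks for a SASL userid in slapd's database (/etc/ldap/sasl2/sasldb2, the path given in the post) and in the default database (/etc/sasldb2, where saslpasswd2 writes when "-f" is omitted) and reports when the ID exists only in the wrong one. It assumes the cyrus-sasl tools saslpasswd2 and sasldblistusers2 are installed and that sasldblistusers2 prints one "user@realm: userPassword" line per entry; the two sample listings at the bottom are constructed so the parsing can be exercised without touching a real database.

```shell
#!/bin/sh
# Added example (not from the original post): find out which sasldb actually
# holds a SASL userid, and create it in slapd's database with the "-f" the post
# forgot. Paths are the ones named in the post.

SLAPD_SASLDB=/etc/ldap/sasl2/sasldb2   # database slapd reads (from the post)
DEFAULT_SASLDB=/etc/sasldb2            # where saslpasswd2 writes without -f (from the post)

# Pure parsing helper so the logic can be tested on captured output.
# sasldblistusers2 prints one "user@realm: userPassword" line per entry;
# returns 0 if USER (in any realm) appears in LISTING, 1 otherwise.
listing_has_user() {
    listing="$1"; user="$2"
    printf '%s\n' "$listing" |
        awk -F'[@:]' -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Classify where USER lives given the two listings:
#   0 = present in slapd's db (auth can work)
#   2 = present only in the default db (the blunder described in the post)
#   1 = in neither
classify_listings() {
    slapd_listing="$1"; default_listing="$2"; user="$3"
    if listing_has_user "$slapd_listing" "$user"; then return 0; fi
    if listing_has_user "$default_listing" "$user"; then return 2; fi
    return 1
}

# Live check against the real databases (needs cyrus-sasl tools installed).
check_sasl_user() {
    user="$1"
    command -v sasldblistusers2 >/dev/null 2>&1 || {
        echo "sasldblistusers2 not installed" >&2; return 1; }
    slapd_listing=$(sasldblistusers2 -f "$SLAPD_SASLDB" 2>/dev/null || true)
    default_listing=$(sasldblistusers2 -f "$DEFAULT_SASLDB" 2>/dev/null || true)
    rc=0
    classify_listings "$slapd_listing" "$default_listing" "$user" || rc=$?
    case $rc in
        0) echo "$user: present in $SLAPD_SASLDB" ;;
        2) echo "$user: present ONLY in $DEFAULT_SASLDB; slapd will report" \
                "'unable to canonify user and get auxprops'" ;;
        *) echo "$user: not found in either database" ;;
    esac
    return $rc
}

# The corrected creation step: write the ID into slapd's database, not the default.
create_slapd_sasl_user() {
    user="$1"
    saslpasswd2 -f "$SLAPD_SASLDB" -c "$user"
}

# Constructed sample listings (not real output) used to exercise the parser.
SAMPLE_DEFAULT='bill@ldap.example.org: userPassword
root@ldap.example.org: userPassword'
SAMPLE_SLAPD='admin@ldap.example.org: userPassword'

# Usage: ./sasldb_check.sh <userid>
if [ -n "${1:-}" ]; then
    check_sasl_user "$1"
fi
```

Run it as `./sasldb_check.sh bill` after creating the user; exit status 2 is the case from the post, where sasldblistusers2 without "-f" looks reassuring but slapd never sees the entry. The parsing is kept separate from the live calls so the verdict logic can be checked against captured listings on a machine without the SASL tools.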