Hi,
I'm trying to set up SASL proxy authentication on a test database, but
something that is not obvious to me is leading my test to SASL(-13):
authentication failure: client response doesn't match what we generated.
- test setup: OpenLDAP 2.3.37 (built with sasl2) + Cyrus
SASL 2.1.22 (with plain, digest-md5 and ldapdb auxprop support).
- relevant part of slapd.conf used:
...
authz-policy to
authz-regexp uid=([^,]+),cn=external,cn=auth
ldap:///o=test??sub?(cn=$1)
authz-regexp uid=([^,]+),cn=digest-md5,cn=auth
ldap:///o=test??sub?(cn=$1)
authz-regexp uid=([^,]+),cn=plain,cn=auth
ldap:///o=test??sub?(cn=$1)
password-hash {CLEARTEXT}
database bdb
suffix "o=test"
access to dn.subtree="o=test" attrs=userPassword
by group.base="cn=admins,o=test" =wrscx
by self =wrcx
by * =x
access to dn.subtree="o=test" attrs=authzFrom,authzTo
by group.base="cn=admins,o=test" =wrscx
by * =x
access to dn.subtree="o=test"
by group.base="cn=admins,o=test" =wrscx
by * =rscx
...
- some entries:
dn: cn=proxy,o=test
objectClass: top
objectClass: organizationalPerson
objectClass: simpleSecurityObject
cn: proxy
sn: proxy
userPassword: proxy
authzTo: dn.regex:cn=[^,]+,ou=peoples,o=test

dn: cn=testman,ou=peoples,o=test
objectClass: top
objectClass: inetOrgPerson
objectClass: person
cn: testman
sn: testman
userPassword: testman
SASL authentication seems to work using the digest-md5 mech:
shell$ ldapwhoami -U proxy -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password: [proxy]
SASL username: proxy
SASL SSF: 128
SASL installing layers
dn:cn=proxy,o=test
Result: Success (0)
shell$ ldapwhoami -U testman -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password: [testman]
SASL username: testman
SASL SSF: 128
SASL installing layers
dn:cn=testman,ou=peoples,o=test
Result: Success (0)
but when trying to test proxying, I get:
shell$ ldapwhoami -U proxy -Y DIGEST-MD5 -X u:testman
SASL/DIGEST-MD5 authentication started
Please enter your password: [testman]
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: client
response doesn't match what we generated
I get the same result using the plain mech:
shell$ ldapwhoami -U proxy -Y PLAIN -X u:testman
SASL/PLAIN authentication started
Please enter your password: [testman]
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): authentication failure: Password
verification failed
What can cause these authentication failures?
--
Pierre-Francois Laurand
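The following is an added example, not code from the poster or from OpenLDAP. It is a small Python simulation of the two-step decision slapd makes for a SASL bind with an authorization identity: first the password of the authentication identity (the -U user) is verified, and only then is the -X authzid mapped through authz-regexp and checked against the authenticated entry's authzTo attribute under authz-policy to. The config rules, the two entries and the regex are taken from the post above; the in-memory directory, the extra entry cn=other,o=test, the unanchored regex match for dn.regex and the result strings are constructed assumptions of the simulation, not server behaviour. The simulation is built to show the failure mode where the password supplied at the prompt is the authorization target's rather than the -U identity's: the credential checked is always the authenticating user's, and a wrong password there produces a SASL(-13) authentication failure before the authzid is ever consulted.

```python
import re

# Constructed from the slapd.conf fragment in the post:
# (pattern matched against the SASL authc/authz DN, search base, filter with $1)
AUTHZ_REGEXP = [
    (r"uid=([^,]+),cn=external,cn=auth", "o=test", "cn"),
    (r"uid=([^,]+),cn=digest-md5,cn=auth", "o=test", "cn"),
    (r"uid=([^,]+),cn=plain,cn=auth", "o=test", "cn"),
]

# Constructed in-memory stand-in for the o=test database (entries from the post,
# plus cn=other,o=test, which lies outside ou=peoples and exists only for this demo).
DIRECTORY = {
    "cn=proxy,o=test": {
        "cn": "proxy", "userPassword": "proxy",
        "authzTo": ["dn.regex:cn=[^,]+,ou=peoples,o=test"],
    },
    "cn=testman,ou=peoples,o=test": {
        "cn": "testman", "userPassword": "testman", "authzTo": [],
    },
    "cn=other,o=test": {
        "cn": "other", "userPassword": "other", "authzTo": [],
    },
}


def sasl_identity(username, mech):
    """Form the uid=...,cn=<mech>,cn=auth DN slapd builds for a SASL user."""
    return f"uid={username},cn={mech.lower()},cn=auth"


def map_identity(sasl_dn):
    """Apply authz-regexp: first matching rule wins; the $1 capture is
    substituted into the filter and a subtree search must return exactly one entry."""
    for pattern, base, attr in AUTHZ_REGEXP:
        m = re.fullmatch(pattern, sasl_dn)
        if not m:
            continue
        value = m.group(1).lower()
        hits = [dn for dn, entry in DIRECTORY.items()
                if dn.lower().endswith(base.lower()) and entry[attr].lower() == value]
        return hits[0] if len(hits) == 1 else None  # zero or ambiguous: no mapping
    return None


def parse_authzid(authzid, mech):
    """-X u:<name> goes through authz-regexp like any SASL user; -X dn:<dn> is literal."""
    if authzid.startswith("u:"):
        return map_identity(sasl_identity(authzid[2:], mech))
    if authzid.startswith("dn:"):
        return authzid[3:]
    raise ValueError("authzid must be u:<name> or dn:<dn>")


def authz_to_allows(authc_dn, target_dn):
    """authz-policy to: the authenticated entry's authzTo must cover the target DN.
    Assumption: dn.regex is matched unanchored (re.search); check slapd for the real rule."""
    for rule in DIRECTORY[authc_dn]["authzTo"]:
        if rule.startswith("dn.regex:") and re.search(rule[len("dn.regex:"):], target_dn):
            return True
        if rule.startswith("dn:") and rule[3:].lower() == target_dn.lower():
            return True
    return False


def sasl_bind(authcid, password, mech, authzid=None):
    """Simulate the bind; returns (result, effective_dn).
    The password is compared against the -U identity only, never the -X identity."""
    authc_dn = map_identity(sasl_identity(authcid, mech))
    if authc_dn is None:
        return ("authentication failure: authcid maps to no entry", None)
    if DIRECTORY[authc_dn]["userPassword"] != password:
        return ("SASL(-13): authentication failure", None)
    if authzid is None:
        return ("Success", authc_dn)
    target_dn = parse_authzid(authzid, mech)
    if target_dn is None or target_dn not in DIRECTORY:
        return ("authorization failure: authzid maps to no entry", None)
    if not authz_to_allows(authc_dn, target_dn):
        return ("authorization failure: not permitted by authzTo", None)
    return ("Success", target_dn)


if __name__ == "__main__":
    # Mirrors the four ldapwhoami runs in the post, with proxy's own password in the proxied case.
    print(sasl_bind("proxy", "proxy", "DIGEST-MD5"))
    print(sasl_bind("testman", "testman", "DIGEST-MD5"))
    print(sasl_bind("proxy", "proxy", "DIGEST-MD5", "u:testman"))
    print(sasl_bind("proxy", "testman", "DIGEST-MD5", "u:testman"))
```

Running the module prints the four outcomes; the third call returns testman's DN as the effective identity, while the fourth fails at the password step because "testman" is not proxy's password. The authzTo regex also rejects targets outside ou=peoples, which the test below exercises with the constructed cn=other entry.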