John Burian wrote:
I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and OpenSSL:
OpenLDAP 2.3.27
Cyrus-SASL 2.1.22
OpenSSL 0.9.8b
I've created a CA on the server, used that to sign a cert, and put the appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to trust the CA). If I run ldapwhoami:
$ ldapwhoami
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
and in the logs (appended below) I see text about an undefined attribute type 'cmusaslsecretPLAIN'. I've looked around for that string, and all the fixes I've seen seem to want to patch Cyrus-SASL.
What fixes are you talking about? Since this isn't a bug, it doesn't make sense to fix anything.
I'd like to stick with Red Hat's stock RPMs, if possible. Is there a CMU specific schema I need to include, that defines that attribute? I'd also like to keep my auth information in LDAP, rather than have a separate SASL password database.
No CMU-specific schema is needed. The SASL plugins always look for a generic userPassword attribute first, then the cmusaslsecret* attributes. In practice, no SASL software uses the cmusaslsecret* attributes any more; they're a holdover from early Cyrus SASL 1.x and totally obsolete.
My understanding is that the PLAIN authentication will be secured by the underlying SASL/TLS transport, is that correct?
Thanks,
SASL/PLAIN is, as the name implies, plaintext and as such the SASL layer doesn't provide any security for this mechanism. But yes, if you're using it with TLS then the TLS protections (if any) will apply.
It sounds to me like you haven't read the OpenLDAP Admin Guide yet.
John
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_get: [1] attr userPassword
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: to all values by "", (=0)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: self
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: *
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access granted by auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: err=0 matched="" text=""
Jul 3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password verification failed
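As an added illustration, not part of the thread, here is a small Python triage script run over the slapd debug lines John posted (embedded below as a constructed sample, split one record per line). It separates the benign cmusaslsecret* probes that the reply explains from a real schema or ACL problem, and reports the actual SASL failure.

```python
import re

# Constructed sample: slapd debug lines from the thread, one record per line
# (the original post had them run together).
SLAPD_LOG = """\
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access granted by auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password verification failed
"""

ACL_REQUEST = re.compile(r'acl_mask: access to entry "[^"]+", attr "(\w+)" requested')
ACL_GRANTED = re.compile(r"access_allowed: (\w+) access granted")
UNDEFINED_ATTR = re.compile(r"str2ad\((\w+)\): attribute type undefined")
SASL_FAILURE = re.compile(r"SASL \[conn=(\d+)\] Failure: (.+?)\s*$")
# Cyrus SASL 1.x leftovers slapd probes after userPassword; missing from the schema is normal.
OBSOLETE_SASL_ATTR = re.compile(r"^cmusaslsecret\w+$")

def triage_sasl_bind(log_text):
    """Summarise one failed SASL bind from slapd ACL/stats debug output."""
    r = {"granted": [], "obsolete_probes": [], "undefined_attrs": [],
         "conn": None, "failure": None}
    pending = None  # attribute whose ACL decision has not been logged yet
    for line in log_text.splitlines():
        if m := ACL_REQUEST.search(line):
            pending = m.group(1)
        elif (m := ACL_GRANTED.search(line)) and pending:
            r["granted"].append((pending, m.group(1)))  # e.g. ("userPassword", "auth")
            pending = None
        elif m := UNDEFINED_ATTR.search(line):
            attr = m.group(1)
            bucket = "obsolete_probes" if OBSOLETE_SASL_ATTR.match(attr) else "undefined_attrs"
            r[bucket].append(attr)
        elif m := SASL_FAILURE.search(line):
            r["conn"], r["failure"] = int(m.group(1)), m.group(2)
    r["verdict"] = verdict(r)
    return r

def verdict(r):
    """Turn the parsed facts into the conclusion a reader of the thread would draw."""
    if r["undefined_attrs"]:
        return "schema problem: undefined attribute(s) " + ", ".join(r["undefined_attrs"])
    if ("userPassword", "auth") not in r["granted"]:
        return "ACL did not grant auth access to userPassword; review the slapd.conf access rules"
    if r["failure"]:
        return "slapd read userPassword and rejected the credentials; the cmusaslsecret* lookups are benign"
    return "no SASL failure recorded"
```

Running `triage_sasl_bind(SLAPD_LOG)` on the sample yields conn 5, the benign probe `cmusaslsecretPLAIN`, and the verdict that the password check itself failed, which matches the explanation given in the reply.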