Hi,
I'm trying to set up SASL proxy authorization on a test database, but something that is not obvious to me is making my test fail with: SASL(-13): authentication failure: client response doesn't match what we generated
- test setup: OpenLDAP 2.3.37 (built with sasl2) + Cyrus SASL 2.1.22 (with plain, digest-md5 and ldapdb auxprop support).
- relevant part of slapd.conf used:

  ...
  authz-policy to
  authz-regexp uid=([^,]+),cn=external,cn=auth ldap:///o=test??sub?(cn=$1)
  authz-regexp uid=([^,]+),cn=digest-md5,cn=auth ldap:///o=test??sub?(cn=$1)
  authz-regexp uid=([^,]+),cn=plain,cn=auth ldap:///o=test??sub?(cn=$1)
  password-hash {CLEARTEXT}

  database bdb
  suffix "o=test"
  access to dn.subtree="o=test" attrs=userPassword
      by group.base="cn=admins,o=test" =wrscx
      by self =wrcx
      by * =x
  access to dn.subtree="o=test" attrs=authzFrom,authzTo
      by group.base="cn=admins,o=test" =wrscx
      by * =x
  access to dn.subtree="o=test"
      by group.base="cn=admins,o=test" =wrscx
      by * =rscx
  ...
- some entries:

  dn: cn=proxy,o=test
  objectClass: top
  objectClass: organizationalPerson
  objectClass: simpleSecurityObject
  cn: proxy
  sn: proxy
  userPassword: proxy
  authzTo: dn.regex: cn=[^,]+,ou=peoples,o=test

  dn: cn=testman,ou=peoples,o=test
  objectClass: top
  objectClass: inetOrgPerson
  objectClass: person
  cn: testman
  sn: testman
  userPassword: testman
SASL authentication seems to work using the DIGEST-MD5 mech:

  shell$ ldapwhoami -U proxy -Y DIGEST-MD5
  SASL/DIGEST-MD5 authentication started
  Please enter your password: [proxy]
  SASL username: proxy
  SASL SSF: 128
  SASL installing layers
  dn:cn=proxy,o=test
  Result: Success (0)

  shell$ ldapwhoami -U testman -Y DIGEST-MD5
  SASL/DIGEST-MD5 authentication started
  Please enter your password: [testman]
  SASL username: testman
  SASL SSF: 128
  SASL installing layers
  dn:cn=testman,ou=peoples,o=test
  Result: Success (0)
but when trying to test proxying, I get:

  shell$ ldapwhoami -U proxy -Y DIGEST-MD5 -X u:testman
  SASL/DIGEST-MD5 authentication started
  Please enter your password: [testman]
  ldap_sasl_interactive_bind_s: Invalid credentials (49)
          additional info: SASL(-13): authentication failure: client response doesn't match what we generated
I get the same result using the PLAIN mech:

  shell$ ldapwhoami -U proxy -Y PLAIN -X u:testman
  SASL/PLAIN authentication started
  Please enter your password: [testman]
  ldap_sasl_interactive_bind_s: Invalid credentials (49)
          additional info: SASL(-13): authentication failure: Password verification failed

What can cause these authentication failures?
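As an added example (not part of the original post, and not OpenLDAP or Cyrus SASL code), the following Python model reproduces what the client sends and what the server recomputes for the two binds above, PLAIN (RFC 4616) and DIGEST-MD5 (RFC 2831), when a proxy authzid is supplied. It assumes a directory holding the cleartext passwords from the posted LDIF, a dict standing in for the authz-regexp mapping, and a fixed realm, nonce and cnonce so the run is reproducible (a real server picks the nonce at random). The point it makes: in both mechanisms the password is verified against the authentication identity (-U), never against the authorization identity (-X u:...); the authzid only enters the DIGEST-MD5 A1 hash and the authz-policy/authzTo check, which runs after the password check has succeeded.

```python
import hashlib
import re

# Constructed stand-in for the posted directory: cleartext userPassword values
# (password-hash {CLEARTEXT}), so the server can recompute DIGEST-MD5 itself.
DIRECTORY = {
    "cn=proxy,o=test": {
        "userPassword": "proxy",
        "authzTo": ["dn.regex:cn=[^,]+,ou=peoples,o=test"],
    },
    "cn=testman,ou=peoples,o=test": {"userPassword": "testman", "authzTo": []},
}
# Stand-in for the authz-regexp lines: SASL user name -> entry DN (assumed).
SASL_TO_DN = {"proxy": "cn=proxy,o=test", "testman": "cn=testman,ou=peoples,o=test"}
# Fixed values for reproducibility; a real server generates the nonce randomly.
REALM, NONCE, CNONCE, NC, QOP, URI = (
    "test", "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth", "ldap/ldap.test")


def _md5(data):
    return hashlib.md5(data).digest()


def _lookup(sasl_name):
    """Map a SASL name ("u:testman" or bare "testman") to its entry DN."""
    name = sasl_name[2:] if sasl_name.startswith("u:") else sasl_name
    return SASL_TO_DN.get(name)


def plain_message(authcid, password, authzid=""):
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    return f"{authzid}\0{authcid}\0{password}".encode()


def plain_verify(message):
    """Server side of PLAIN: the password is checked against the authcid only."""
    authzid, authcid, password = message.decode().split("\0")
    entry = DIRECTORY.get(_lookup(authcid))
    if entry is None or entry["userPassword"] != password:
        return None, "Password verification failed"
    return (authcid, authzid), None


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=""):
    """RFC 2831 response-value, computed identically by client and server.
    The authzid is folded into A1, so a proxy bind and a plain bind with the
    same password produce different responses."""
    a1 = _md5(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2).hex()}".encode()
    return _md5(kd).hex()


def digest_md5_verify(resp):
    """Server side of DIGEST-MD5: recompute with the stored password of the
    authcid (resp['username']) and compare with what the client sent."""
    entry = DIRECTORY.get(_lookup(resp["username"]))
    if entry is None:
        return None, "no such user"
    expected = digest_md5_response(
        resp["username"], resp["realm"], entry["userPassword"], resp["nonce"],
        resp["cnonce"], resp["nc"], resp["qop"], resp["digest-uri"], resp["authzid"])
    if expected != resp["response"]:
        return None, "client response doesn't match what we generated"
    return (resp["username"], resp["authzid"]), None


def authorize(authcid, authzid):
    """authz-policy to: an authzTo rule on the authenticated entry must match the
    target DN. Simplified model: dn.regex rules only, matched case-insensitively."""
    auth_dn, target_dn = _lookup(authcid), _lookup(authzid)
    if target_dn is None:
        return None
    for rule in DIRECTORY[auth_dn]["authzTo"]:
        if rule.startswith("dn.regex:") and re.search(rule[len("dn.regex:"):], target_dn, re.I):
            return target_dn
    return None


def proxy_bind(mech, authcid, password, authzid=""):
    """Model of 'ldapwhoami -U authcid -Y mech -X authzid' typed with `password`.
    Returns the whoami result ('dn:...') or an error string."""
    if mech == "PLAIN":
        ids, err = plain_verify(plain_message(authcid, password, authzid))
    else:
        resp = {"username": authcid, "realm": REALM, "nonce": NONCE, "cnonce": CNONCE,
                "nc": NC, "qop": QOP, "digest-uri": URI, "authzid": authzid}
        resp["response"] = digest_md5_response(
            authcid, REALM, password, NONCE, CNONCE, NC, QOP, URI, authzid)
        ids, err = digest_md5_verify(resp)
    if err:
        return f"SASL(-13): authentication failure: {err}"
    if not authzid:
        return f"dn:{_lookup(authcid)}"
    target = authorize(*ids)
    return f"dn:{target}" if target else "SASL(-14): authorization failure"


if __name__ == "__main__":
    for args in [("DIGEST-MD5", "proxy", "proxy", "u:testman"),
                 ("DIGEST-MD5", "proxy", "testman", "u:testman"),
                 ("PLAIN", "proxy", "testman", "u:testman")]:
        print(args, "->", proxy_bind(*args))
```

In this model, a proxy bind that supplies the proxy entry's own password is authorized to cn=testman, while supplying the target user's password yields exactly the two error strings seen in the transcript; whether that is what happened on a given server is something only the slapd debug output of the failing bind can confirm. The digest_md5_response function also reproduces the worked example in RFC 2831 section 4.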