Dieter Kluenter wrote:
From your remarks on CA and certificate I assume that you want to use TLS, while your ldapwhoami seems to indicate that you want to make use of the PLAIN mechanism, which is disabled by default, unless you provide a secure transport method, that is either TLS or local socket. Unless you provide more information on the parameters used, no advice can be given.
-Dieter
Correct, I want to be using SASL/PLAIN over TLS. The following works:
$ ldapwhoami -x -W -D 'uid=burianj,ou=people,dc=cqcb'
Enter LDAP Password:
dn:uid=burianj,ou=People,dc=cqcb
Result: Success (0)
The same command without '-x -W', or ldapwhoami with no args, does not work:
$ ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
All three eventually look up the same DN, according to the logs:
slapd[5028]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Config files and sample logs follow.
John
/etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

TLSCipherSuite HIGH
TLSCACertificateFile /etc/openldap/cacerts/cqcb-ca.pem
TLSCertificateFile /etc/pki/tls/certs/cqcb-cert.pem
TLSCertificateKeyFile /etc/pki/tls/certs/cqcb-key.pem
TLSVerifyClient never

security ssf=128
password-hash {SSHA}
sasl-secprops none
# an attempt to allow PLAIN auth

access to attrs=userPassword
        by self write
        by dn="uid=root,ou=People,dc=cqcb" write
        by * auth
access to *
        by * read

authz-regexp uid=([^,]*),cn=plain,cn=auth uid=$1,ou=People,dc=cqcb

database bdb
suffix "dc=cqcb"
rootdn "cn=admin,dc=cqcb"
rootpw {SSHA}xxxx
directory /var/lib/ldap
/etc/openldap/ldap.conf:
BASE dc=cqcb
URI ldaps://Hodgkin.ccri.net
TLS_CACERT /etc/openldap/cacerts/cqcb-ca.pem
Log of successful lookup:
Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind
Jul 3 12:31:39 Hodgkin slapd[5028]: >>> dnPrettyNormal: <uid=burianj,ou=people,dc=cqcb>
Jul 3 12:31:39 Hodgkin slapd[5028]: <<< dnPrettyNormal: <uid=burianj,ou=people,dc=cqcb>, <uid=burianj,ou=people,dc=cqcb>
Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind: version=3 dn="uid=burianj,ou=people,dc=cqcb" method=128
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=people,dc=cqcb" method=128
Jul 3 12:31:39 Hodgkin slapd[5028]: ==> bdb_bind: dn: uid=burianj,ou=people,dc=cqcb
Jul 3 12:31:39 Hodgkin slapd[5028]: bdb_dn2entry("uid=burianj,ou=people,dc=cqcb")
Jul 3 12:31:39 Hodgkin slapd[5028]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "userPassword" requested
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_get: [1] attr userPassword
Jul 3 12:31:39 Hodgkin slapd[5028]: access_allowed: no res from state (userPassword)
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_mask: to value by "", (=0)
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: self
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: *
Jul 3 12:31:39 Hodgkin slapd[5028]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 12:31:39 Hodgkin slapd[5028]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 12:31:39 Hodgkin slapd[5028]: => access_allowed: auth access granted by auth(=xd)
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=People,dc=cqcb" mech=SIMPLE ssf=0
Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind: v3 bind: "uid=burianj,ou=people,dc=cqcb" to "uid=burianj,ou=People,dc=cqcb"
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: conn=4 op=0 p=3
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: err=0 matched="" text=""
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_response: msgid=1 tag=97 err=0
Log of failed lookup:
Jul 3 14:49:57 Hodgkin slapd[5635]: do_sasl_bind: dn () mech PLAIN
Jul 3 14:49:57 Hodgkin slapd[5635]: conn=0 op=1 BIND dn="" method=163
Jul 3 14:49:57 Hodgkin slapd[5635]: ==> sasl_bind: dn="" mech=PLAIN datalen=23
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: authcid="burianj"
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: conn 0 id=burianj [len=7]
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: u:id converted to uid=burianj,cn=PLAIN,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,cn=PLAIN,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,cn=plain,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: ==>slap_sasl2dn: converting SASL name uid=burianj,cn=plain,cn=auth to a DN
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converting SASL name uid=burianj,cn=plain,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converted SASL name to uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_parseURI: parsing uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,ou=People,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,ou=people,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <==slap_sasl2dn: Converted SASL name to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: dn:id converted to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=burianj,ou=people,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: authcid="burianj"
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: conn 0 id=burianj [len=7]
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: u:id converted to uid=burianj,cn=PLAIN,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,cn=PLAIN,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,cn=plain,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: ==>slap_sasl2dn: converting SASL name uid=burianj,cn=plain,cn=auth to a DN
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converting SASL name uid=burianj,cn=plain,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converted SASL name to uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_parseURI: parsing uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,ou=People,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,ou=people,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <==slap_sasl2dn: Converted SASL name to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: dn:id converted to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=burianj,ou=people,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 3 14:49:57 Hodgkin last message repeated 2 times
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_search
Jul 3 14:49:57 Hodgkin slapd[5635]: bdb_dn2entry("uid=burianj,ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x00000001
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x00000008
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("uid=burianj,ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x0000000d
Jul 3 14:49:57 Hodgkin slapd[5635]: entry_decode: "uid=burianj,ou=People,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: <= entry_decode(uid=burianj,ou=People,dc=cqcb)
Jul 3 14:49:57 Hodgkin slapd[5635]: base_candidates: base: "uid=burianj,ou=people,dc=cqcb" (0x0000000d)
Jul 3 14:49:57 Hodgkin slapd[5635]: => test_filter
Jul 3 14:49:57 Hodgkin slapd[5635]: PRESENT
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "objectClass" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_get: [2] attr objectClass
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "objectClass" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: to all values by "", (=0)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: *
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [1] mask: read(=rscxd)
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access granted by read(=rscxd)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= test_filter 6
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "userPassword" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_get: [1] attr userPassword
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: to all values by "", (=0)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: self
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: *
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access granted by auth(=xd)
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=0 matched="" text=""
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Failure: Password verification failed
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed"
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_response: msgid=2 tag=97 err=49
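Added example (not part of the thread, and not OpenLDAP's own code): a small Python triage script for slapd debug logs like the two above. It pairs each BIND with its mechanism, the DN that authz-regexp mapped the SASL name to, any "SASL [conn=N] Error/Failure" or slap_ap_lookup diagnostics, and the final err/text returned to the client, which makes the difference between the simple bind (mech=SIMPLE, err=0) and the SASL/PLAIN bind (mech=PLAIN, err=49) visible at a glance. The sample lines are excerpted from the logs in this message; the attribution heuristics (context lines without conn/op belong to the most recent BIND logged by the same slapd pid) are this example's own assumption, not a documented slapd guarantee.

```python
import re

# Constructed sample: slapd debug-log lines excerpted from the two logs in the thread above.
SAMPLE_LOG = """\
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=people,dc=cqcb" method=128
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=People,dc=cqcb" mech=SIMPLE ssf=0
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: conn=4 op=0 p=3
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: err=0 matched="" text=""
Jul 3 14:49:57 Hodgkin slapd[5635]: conn=0 op=1 BIND dn="" method=163
Jul 3 14:49:57 Hodgkin slapd[5635]: ==> sasl_bind: dn="" mech=PLAIN datalen=23
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converted SASL name to uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=0 matched="" text=""
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Failure: Password verification failed
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed"
"""

PID_RE = re.compile(r"slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BIND_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
                     r'(?:method=(?P<method>\d+)|mech=(?P<mech>\S+) ssf=(?P<ssf>\d+))$')
SASL_BIND_RE = re.compile(r'^==> sasl_bind: dn="[^"]*" mech=(?P<mech>\S+)')
AUTHZ_RE = re.compile(r"^slap_authz_regexp: converted SASL name to (?P<dn>\S+)$")
SASL_MSG_RE = re.compile(r"^SASL \[conn=(?P<conn>\d+)\] (?:Error|Failure): (?P<msg>.*)$")
AP_LOOKUP_RE = re.compile(r"^slap_ap_lookup: (?P<msg>.*)$")
RESULT_HDR_RE = re.compile(r"^send_ldap_result: conn=(?P<conn>\d+) op=(?P<op>\d+) p=")
RESULT_ERR_RE = re.compile(r'^send_ldap_result: err=(?P<err>\d+) matched="[^"]*" text="(?P<text>[^"]*)"$')

# BindRequest authentication choice tags as slapd logs them in "method=":
# 128 (0x80) is simple, 163 (0xa3) is sasl.
METHOD_NAMES = {128: "simple", 163: "sasl"}


def parse_bind_events(lines):
    """Return {(conn, op): event} for every BIND seen in the log lines.

    Assumption of this example: context lines that carry no conn/op (sasl_bind,
    slap_authz_regexp, slap_ap_lookup) belong to the most recent BIND logged by
    the same slapd pid, and "SASL [conn=N]" messages to the latest BIND on conn N.
    """
    events = {}
    current = {}          # pid  -> (conn, op) of the BIND most recently logged
    latest_on_conn = {}   # conn -> (conn, op)
    pending_result = None  # (conn, op) named by the last send_ldap_result header

    for line in lines:
        m = PID_RE.search(line)
        if not m:
            continue  # e.g. "last message repeated 2 times"
        pid, msg = m.group("pid"), m.group("msg")

        if (b := BIND_RE.match(msg)):
            key = (int(b.group("conn")), int(b.group("op")))
            ev = events.setdefault(key, {"dn": b.group("dn"), "method": None, "mech": None,
                                         "ssf": None, "authz_dn": None, "err": None,
                                         "text": None, "notes": []})
            if b.group("method"):
                ev["method"] = METHOD_NAMES.get(int(b.group("method")), b.group("method"))
            else:  # second BIND line: post-authentication DN, mechanism and SASL ssf
                ev["mech"], ev["ssf"], ev["dn"] = b.group("mech"), int(b.group("ssf")), b.group("dn")
            current[pid] = key
            latest_on_conn[key[0]] = key
        elif (s := SASL_BIND_RE.match(msg)) and pid in current:
            events[current[pid]]["mech"] = s.group("mech")
        elif (a := AUTHZ_RE.match(msg)) and pid in current:
            events[current[pid]]["authz_dn"] = a.group("dn")
        elif (e := SASL_MSG_RE.match(msg)):
            key = latest_on_conn.get(int(e.group("conn")))
            if key:
                events[key]["notes"].append(e.group("msg"))
        elif (p := AP_LOOKUP_RE.match(msg)) and pid in current:
            events[current[pid]]["notes"].append(p.group("msg"))
        elif (h := RESULT_HDR_RE.match(msg)):
            pending_result = (int(h.group("conn")), int(h.group("op")))
        elif (r := RESULT_ERR_RE.match(msg)) and pending_result in events:
            # The failed log shows an err=0 result for conn=0 op=1 before the err=49
            # one; the last err line for an op is what the client received, so it wins.
            ev = events[pending_result]
            ev["err"], ev["text"] = int(r.group("err")), r.group("text")
    return events


def failed_binds(events):
    """(conn, op, mechanism-or-method, diagnostic text) for every bind with err != 0."""
    return [(conn, op, ev["mech"] or ev["method"], ev["text"])
            for (conn, op), ev in sorted(events.items())
            if ev["err"] not in (None, 0)]


if __name__ == "__main__":
    evs = parse_bind_events(SAMPLE_LOG.splitlines())
    for key, ev in sorted(evs.items()):
        print(key, ev["mech"] or ev["method"], "err=%s" % ev["err"], ev["notes"])
    print("failed:", failed_binds(evs))
```

Run against the full logs, the script reduces each bind to one summary line; the notes attached to conn=0 op=1 (the missing /etc/sasldb2 and the undefined cmusaslsecretPLAIN attribute) are the lines a reader would want to correlate with the err=49 result, without asserting which of them is the cause.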