I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and OpenSSL:
OpenLDAP 2.3.27 Cyrus-SASL 2.1.22 OpenSSL 0.9.8b
I've created a CA on the server, used that to sign a cert, and put the appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to trust the CA). If I run 'ldapwhoami':
$ ldapwhoami
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
and in the logs (appended below) I see text about an undefined attribute type 'cmusaslsecretPLAIN'. I've looked around for that string, and all the fixes I've seen seem to want to patch Cyrus-SASL. I'd like to stick with Red Hat's stock RPMs, if possible. Is there a CMU specific schema I need to include, that defines that attribute? I'd also like to keep my auth information in LDAP, rather than have a separate SASL password database. My understanding is that the PLAIN authentication will be secured by the underlying SASL/TLS transport, is that correct? Thanks,
John
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_get: [1] attr userPassword
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: to all values by "", (=0)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: self
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: *
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access granted by auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: err=0 matched="" text=""
Jul 3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password verification failed
John Burian wrote:
I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and OpenSSL:
OpenLDAP 2.3.27 Cyrus-SASL 2.1.22 OpenSSL 0.9.8b
I've created a CA on the server, used that to sign a cert, and put the appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to trust the CA). If I run 'ldapwhoami':
$ ldapwhoami
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
and in the logs (appended below) I see text about an undefined attribute type 'cmusaslsecretPLAIN'. I've looked around for that string, and all the fixes I've seen seem to want to patch Cyrus-SASL.
What fixes are you talking about? Since this isn't a bug, it doesn't make sense to fix anything.
I'd like to stick with Red Hat's stock RPMs, if possible. Is there a CMU specific schema I need to include, that defines that attribute? I'd also like to keep my auth information in LDAP, rather than have a separate SASL password database.
No CMU-specific schema is needed. The SASL plugins always look for a generic userPassword attribute first, then the cmusaslsecret* attributes. In practice, no SASL software uses the cmusaslsecret* attributes any more; they're a holdover from early Cyrus SASL 1.x and totally obsolete.
My understanding is that the PLAIN authentication will be secured by the underlying SASL/TLS transport, is that correct? Thanks,
SASL/PLAIN is, as the name implies, plaintext and as such the SASL layer doesn't provide any security for this mechanism. But yes, if you're using it with TLS then the TLS protections (if any) will apply.
It sounds to me like you haven't read the OpenLDAP Admin Guide yet.
John
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_get: [1] attr userPassword
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: to all values by "", (=0)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: self
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: *
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access granted by auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: err=0 matched="" text=""
Jul 3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password verification failed
You might want to start by supplying some more information to ldapwhoami.
It sounds like you would like to not use SASL (at least for now), using a simple bind instead. Thus, according to 'man ldapwhoami', you want something like this:
$ ldapwhoami -x -W -D <dn> -H <ldap URL>
Where <dn> should be replaced with your DN, and <ldap URL> should be replaced with an LDAP URL.
If you are testing StartTLS, you probably also want -ZZ
Matt
On 7/3/07, John Burian john@burian.org wrote:
I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and OpenSSL:
OpenLDAP 2.3.27 Cyrus-SASL 2.1.22 OpenSSL 0.9.8b
I've created a CA on the server, used that to sign a cert, and put the appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to trust the CA). If I run 'ldapwhoami':
$ ldapwhoami
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
and in the logs (appended below) I see text about an undefined attribute type 'cmusaslsecretPLAIN'. I've looked around for that string, and all the fixes I've seen seem to want to patch Cyrus-SASL. I'd like to stick with Red Hat's stock RPMs, if possible. Is there a CMU specific schema I need to include, that defines that attribute? I'd also like to keep my auth information in LDAP, rather than have a separate SASL password database. My understanding is that the PLAIN authentication will be secured by the underlying SASL/TLS transport, is that correct? Thanks,
John
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_get: [1] attr userPassword
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 07:50:49 Hodgkin slapd[1342]: => acl_mask: to all values by "", (=0)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: self
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 07:50:49 Hodgkin slapd[1342]: <= check a_dn_pat: *
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 07:50:49 Hodgkin slapd[1342]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: => access_allowed: auth access granted by auth(=xd)
Jul 3 07:50:49 Hodgkin slapd[1342]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: conn=5 op=1 p=3
Jul 3 07:50:49 Hodgkin slapd[1342]: send_ldap_result: err=0 matched="" text=""
Jul 3 07:50:49 Hodgkin slapd[1342]: SASL [conn=5] Failure: Password verification failed
John Burian john@burian.org writes:
I'm running RedHat EL 5 with stock RPMs for OpenLDAP, Cyrus SASL and OpenSSL:
OpenLDAP 2.3.27 Cyrus-SASL 2.1.22 OpenSSL 0.9.8b
I've created a CA on the server, used that to sign a cert, and put the appropriate entries in slapd.conf (to use the cert) and in ldap.conf (to trust the CA). If I run 'ldapwhoami':
$ ldapwhoami
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
From your remarks on CA and certificate I assume that you want to use TLS, while your ldapwhoami seems to indicate that you want to make use of the PLAIN mechanism, which is disabled by default unless you provide a secure transport method, that is either TLS or a local socket. Unless you provide more information on the parameters used, no advice can be given.
-Dieter
Dieter Kluenter wrote:
From your remarks on CA and certificate I assume that you want to use TLS, while your ldapwhoami seems to indicate that you want to make use of the PLAIN mechanism, which is disabled by default unless you provide a secure transport method, that is either TLS or a local socket. Unless you provide more information on the parameters used, no advice can be given.
-Dieter
Correct, I want to be using SASL/PLAIN over TLS. The following works:
$ ldapwhoami -x -W -D 'uid=burianj,ou=people,dc=cqcb'
Enter LDAP Password:
dn:uid=burianj,ou=People,dc=cqcb
Result: Success (0)
The same command without '-x -W', or ldapwhoami with no args, does not work:
$ ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
All three eventually lookup the same DN, according to the logs:
slapd[5028]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Config files and sample logs follow.
John
/etc/openldap/slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

TLSCipherSuite HIGH
TLSCACertificateFile /etc/openldap/cacerts/cqcb-ca.pem
TLSCertificateFile /etc/pki/tls/certs/cqcb-cert.pem
TLSCertificateKeyFile /etc/pki/tls/certs/cqcb-key.pem
TLSVerifyClient never

security ssf=128
password-hash {SSHA}
sasl-secprops none
# an attempt to allow PLAIN auth

access to attrs=userPassword
        by self write
        by dn="uid=root,ou=People,dc=cqcb" write
        by * auth
access to *
        by * read

authz-regexp uid=([^,]*),cn=plain,cn=auth uid=$1,ou=People,dc=cqcb

database bdb
suffix "dc=cqcb"
rootdn "cn=admin,dc=cqcb"
rootpw {SSHA}xxxx
directory /var/lib/ldap
/etc/openldap/ldap.conf:
BASE dc=cqcb
URI ldaps://Hodgkin.ccri.net
TLS_CACERT /etc/openldap/cacerts/cqcb-ca.pem
Log of successful lookup:
Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind
Jul 3 12:31:39 Hodgkin slapd[5028]: >>> dnPrettyNormal: <uid=burianj,ou=people,dc=cqcb>
Jul 3 12:31:39 Hodgkin slapd[5028]: <<< dnPrettyNormal: <uid=burianj,ou=people,dc=cqcb>, <uid=burianj,ou=people,dc=cqcb>
Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind: version=3 dn="uid=burianj,ou=people,dc=cqcb" method=128
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=people,dc=cqcb" method=128
Jul 3 12:31:39 Hodgkin slapd[5028]: ==> bdb_bind: dn: uid=burianj,ou=people,dc=cqcb
Jul 3 12:31:39 Hodgkin slapd[5028]: bdb_dn2entry("uid=burianj,ou=people,dc=cqcb")
Jul 3 12:31:39 Hodgkin slapd[5028]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "userPassword" requested
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_get: [1] attr userPassword
Jul 3 12:31:39 Hodgkin slapd[5028]: access_allowed: no res from state (userPassword)
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_mask: to value by "", (=0)
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: self
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: *
Jul 3 12:31:39 Hodgkin slapd[5028]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 12:31:39 Hodgkin slapd[5028]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 12:31:39 Hodgkin slapd[5028]: => access_allowed: auth access granted by auth(=xd)
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=People,dc=cqcb" mech=SIMPLE ssf=0
Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind: v3 bind: "uid=burianj,ou=people,dc=cqcb" to "uid=burianj,ou=People,dc=cqcb"
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: conn=4 op=0 p=3
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: err=0 matched="" text=""
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_response: msgid=1 tag=97 err=0
Log of failed lookup:
Jul 3 14:49:57 Hodgkin slapd[5635]: do_sasl_bind: dn () mech PLAIN
Jul 3 14:49:57 Hodgkin slapd[5635]: conn=0 op=1 BIND dn="" method=163
Jul 3 14:49:57 Hodgkin slapd[5635]: ==> sasl_bind: dn="" mech=PLAIN datalen=23
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: authcid="burianj"
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: conn 0 id=burianj [len=7]
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: u:id converted to uid=burianj,cn=PLAIN,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,cn=PLAIN,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,cn=plain,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: ==>slap_sasl2dn: converting SASL name uid=burianj,cn=plain,cn=auth to a DN
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converting SASL name uid=burianj,cn=plain,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converted SASL name to uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_parseURI: parsing uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,ou=People,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,ou=people,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <==slap_sasl2dn: Converted SASL name to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: dn:id converted to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=burianj,ou=people,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: authcid="burianj"
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: conn 0 id=burianj [len=7]
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: u:id converted to uid=burianj,cn=PLAIN,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,cn=PLAIN,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,cn=plain,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: ==>slap_sasl2dn: converting SASL name uid=burianj,cn=plain,cn=auth to a DN
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converting SASL name uid=burianj,cn=plain,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converted SASL name to uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_parseURI: parsing uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,ou=People,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,ou=people,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <==slap_sasl2dn: Converted SASL name to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: dn:id converted to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=burianj,ou=people,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 3 14:49:57 Hodgkin last message repeated 2 times
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_search
Jul 3 14:49:57 Hodgkin slapd[5635]: bdb_dn2entry("uid=burianj,ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x00000001
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x00000008
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("uid=burianj,ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x0000000d
Jul 3 14:49:57 Hodgkin slapd[5635]: entry_decode: "uid=burianj,ou=People,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: <= entry_decode(uid=burianj,ou=People,dc=cqcb)
Jul 3 14:49:57 Hodgkin slapd[5635]: base_candidates: base: "uid=burianj,ou=people,dc=cqcb" (0x0000000d)
Jul 3 14:49:57 Hodgkin slapd[5635]: => test_filter
Jul 3 14:49:57 Hodgkin slapd[5635]: PRESENT
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "objectClass" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_get: [2] attr objectClass
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "objectClass" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: to all values by "", (=0)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: *
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [1] mask: read(=rscxd)
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access granted by read(=rscxd)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= test_filter 6
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "userPassword" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_get: [1] attr userPassword
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: to all values by "", (=0)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: self
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: *
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access granted by auth(=xd)
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=0 matched="" text=""
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Failure: Password verification failed
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed"
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_response: msgid=2 tag=97 err=49
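The two log excerpts above carry everything needed to tell the binds apart: method=128 is a simple bind and method=163 a SASL bind, the "mech=... ssf=..." line names the mechanism, the "SASL [conn=N]" lines record the sasldb2 fallback and the verification failure, and the final result code for an op is the last err= sent for it (the SASL attempt logs err=0 before the real err=49). The script below is an added example, not code from the thread or from OpenLDAP, that parses such lines and flags any bind that sent a password with neither TLS nor a SASL security layer. Assumptions: the sample log is constructed from the posted lines; the "TLS established tls_ssf=... ssf=..." line for conn=4 is the one slapd writes at stats level and is not in the post; conn=0 is deliberately left without one so the check has something to flag, although John's real connection was over ldaps. Keys include the slapd pid because conn numbers restart with every process.

```python
"""slapd BIND triage from syslog lines. Added example, not OpenLDAP code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample trimmed from the lines posted in the thread. The "TLS established"
# line for conn=4 is assumed (slapd logs one at stats level); conn=0 deliberately has
# none so the cleartext check has something to flag. conn numbers restart per pid.
SAMPLE_LOG = """\
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 fd=12 TLS established tls_ssf=256 ssf=256
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=people,dc=cqcb" method=128
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=People,dc=cqcb" mech=SIMPLE ssf=0
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: conn=4 op=0 p=3
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: err=0 matched="" text=""
Jul 3 14:49:57 Hodgkin slapd[5635]: conn=0 op=1 BIND dn="" method=163
Jul 3 14:49:57 Hodgkin slapd[5635]: ==> sasl_bind: dn="" mech=PLAIN datalen=23
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=0 matched="" text=""
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Failure: Password verification failed
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed"
"""

METHOD_NAMES = {128: "simple", 163: "sasl"}  # BindRequest choice tags: 0x80 = [0] simple, 0xA3 = [3] sasl
PID_RE = re.compile(r"slapd\[(\d+)\]")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established tls_ssf=(\d+) ssf=(\d+)")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
BIND_DONE_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="[^"]*" mech=(\S+) ssf=(\d+)')
SASL_MECH_RE = re.compile(r'==> sasl_bind: dn="[^"]*" mech=(\S+)')
SASL_MSG_RE = re.compile(r"SASL \[conn=(\d+)\] (?:Error|Failure): (.*)")
CMUSASL_RE = re.compile(r"str2ad\(cmusaslsecret\w*\): attribute type undefined")
RESULT_HDR_RE = re.compile(r"send_ldap_result: conn=(\d+) op=(\d+) p=")
RESULT_ERR_RE = re.compile(r'send_ldap_result: err=(\d+) matched="[^"]*" text="([^"]*)"')


@dataclass
class BindAttempt:
    pid: int
    conn: int
    op: int
    dn: str
    method: str                  # "simple" or "sasl" (raw tag if unknown)
    mech: Optional[str] = None   # SIMPLE, PLAIN, EXTERNAL, ...
    sasl_ssf: int = 0            # security layer negotiated by the mechanism itself
    tls_ssf: int = 0             # from the connection's "TLS established" line, 0 if none seen
    err: Optional[int] = None    # last LDAP result code sent for this op
    text: str = ""
    notes: List[str] = field(default_factory=list)

    def credentials_in_clear(self) -> bool:
        """A non-anonymous simple bind or SASL PLAIN sends the password itself; without
        TLS and without a SASL layer it went over the wire unprotected."""
        sends_password = self.dn != "" if self.method == "simple" else (self.mech or "").upper() == "PLAIN"
        return sends_password and self.tls_ssf == 0 and self.sasl_ssf == 0


def parse_binds(log_text: str) -> List[BindAttempt]:
    tls_by_conn: Dict[Tuple[int, int], int] = {}
    binds: Dict[Tuple[int, int, int], BindAttempt] = {}
    latest_on_conn: Dict[Tuple[int, int], BindAttempt] = {}
    latest_for_pid: Dict[int, BindAttempt] = {}   # for debug lines that carry no conn=
    result_target: Optional[BindAttempt] = None
    for line in log_text.splitlines():
        pid_m = PID_RE.search(line)
        if not pid_m:
            continue  # e.g. "last message repeated 2 times"
        pid = int(pid_m.group(1))
        if m := TLS_RE.search(line):
            tls_by_conn[(pid, int(m.group(1)))] = int(m.group(2))
        elif m := BIND_RE.search(line):
            conn, op, tag = int(m.group(1)), int(m.group(2)), int(m.group(4))
            b = BindAttempt(pid, conn, op, m.group(3), METHOD_NAMES.get(tag, str(tag)))
            b.tls_ssf = tls_by_conn.get((pid, conn), 0)
            binds[(pid, conn, op)] = latest_on_conn[(pid, conn)] = latest_for_pid[pid] = b
        elif m := BIND_DONE_RE.search(line):
            if b := binds.get((pid, int(m.group(1)), int(m.group(2)))):
                b.mech, b.sasl_ssf = m.group(3), int(m.group(4))
        elif m := SASL_MECH_RE.search(line):
            if b := latest_for_pid.get(pid):
                b.mech = m.group(1)
        elif m := SASL_MSG_RE.search(line):
            if b := latest_on_conn.get((pid, int(m.group(1)))):
                b.notes.append(m.group(2))
        elif CMUSASL_RE.search(line):
            if b := latest_for_pid.get(pid):
                b.notes.append("lookup of obsolete cmusaslsecret* attribute (noise, not the cause)")
        elif m := RESULT_HDR_RE.search(line):
            result_target = binds.get((pid, int(m.group(1)), int(m.group(2))))
        elif m := RESULT_ERR_RE.search(line):
            if result_target:  # a later result for the same op overrides an earlier err=0
                result_target.err, result_target.text = int(m.group(1)), m.group(2)
    return list(binds.values())


def cleartext_binds(binds: List[BindAttempt]) -> List[BindAttempt]:
    return [b for b in binds if b.credentials_in_clear()]
```

Run `parse_binds(SAMPLE_LOG)` on the sample and the simple bind comes back with mech SIMPLE, err 0 and tls_ssf 256, while the PLAIN attempt ends with err 49, the "SASL(-13): user not found" text, and two notes: the /etc/sasldb2 fallback and the cmusaslsecret lookup. `cleartext_binds` returns only the PLAIN attempt, because the sample has no TLS line for that connection. On a real server, feed it the syslog output with loglevel stats (256) at minimum; the mech/ssf and TLS lines are emitted at that level, the SASL debug lines only at higher levels.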
John Burian john@burian.org writes:
Dieter Kluenter wrote:
From your remarks on CA and certificate I assume that you want to use TLS, while your ldapwhoami seems to indicate that you want to make use of the PLAIN mechanism, which is disabled by default unless you provide a secure transport method, that is either TLS or a local socket. Unless you provide more information on the parameters used, no advice can be given.
Correct, I want to be using SASL/PLAIN over TLS. The following works:
$ ldapwhoami -x -W -D 'uid=burianj,ou=people,dc=cqcb'
Enter LDAP Password:
dn:uid=burianj,ou=People,dc=cqcb
Result: Success (0)
This is *not* a SASL bind
The same command without '-x -W', or ldapwhoami with no args, does not work:
$ ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
if you want a SASL bind with PLAIN mechanism and TLS, the ldapwhoami should look something like
$ ldapwhoami -Y PLAIN -U burianj -ZZ -H ldap://localhost
-Dieter
Dieter Kluenter wrote:
John Burian john@burian.org writes:
Dieter Kluenter wrote:
From your remarks on CA and certificate I assume that you want to use TLS, while your ldapwhoami seems to indicate that you want to make use of the PLAIN mechanism, which is disabled by default unless you provide a secure transport method, that is either TLS or a local socket. Unless you provide more information on the parameters used, no advice can be given.
Correct, I want to be using SASL/PLAIN over TLS. The following works:
$ ldapwhoami -x -W -D 'uid=burianj,ou=people,dc=cqcb'
Enter LDAP Password:
dn:uid=burianj,ou=People,dc=cqcb
Result: Success (0)
This is *not* a SASL bind
I know. That line was included to illustrate that a simple bind works, using my DN and password.
The same command without '-x -W', or ldapwhoami with no args, does not work:
$ ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
if you want a SASL bind with PLAIN mechanism and TLS, the ldapwhoami should look something like
$ ldapwhoami -Y PLAIN -U burianj -ZZ -H ldap://localhost
I'm not having a problem getting TLS to work. ldapwhoami is connecting over port 636, I see correct TLS messages in the log file, and ldapwhoami reports that it is authenticating with SASL/PLAIN. For the record, if I try the above command, forcing the connection over port 389 and using StartTLS, I get the same results as just using "ldapwhoami" or "ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'". The problem is simple authentication works, SASL/PLAIN authentication with the same DN and password fails.
John
On 7/3/07, John Burian john@burian.org wrote: [...]
if you want a SASL bind with PLAIN mechanism and TLS, the ldapwhoami should look something like
$ ldapwhoami -Y PLAIN -U burianj -ZZ -H ldap://localhost
I'm not having a problem getting TLS to work. ldapwhoami is connecting over port 636, I see correct TLS messages in the log file, and ldapwhoami reports that it is authenticating with SASL/PLAIN. For the record, if I try the above command, forcing the connection over port 389 and using StartTLS, I get the same results as just using "ldapwhoami" or "ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'". The problem is simple authentication works, SASL/PLAIN authentication with the same DN and password fails.
I think, though, that you do want to use -U for SASL binding, instead of -D, which is typically used for simple binding.
From the log you sent earlier, it appears that the PLAIN mechanism is being invoked, but it looks like your sasldb2 file is not being accessed:
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Since /etc/sasldb2 typically has strict permissions, this might be a permissions problem... or maybe the file doesn't exist.
Matt
Buchan Milne wrote:
But, SASL authentication does not use a DN, but a username (as provided in the example Dieter gave you above). And you would need to have configured slapd to map a SASL identity to a DN for the bind to succeed.
I have an authz-regexp that maps SASL's 'uid=burianj,cn=plain,cn=auth' to 'uid=burianj,ou=people,dc=cqcb', which is the DN in my LDAP database, which appears to be working, based on my logs.
Dieter Kluenter wrote:
Did you create the password using any hashing method? Or is it plaintext?
The password is stored in LDAP as a {CRYPT}. I loaded the LDAP database using LDIF files created with the Migration Tools scripts (I don't know that those scripts are part of OpenLDAP, but they come packaged in Red Hat's OpenLDAP RPM). The users are stored as, at least, PosixAccount objects.
TechnoSophos wrote:
Since /etc/sasldb2 typically has strict permissions, this might be a permissions problem... or maybe the file doesn't exist.
The Cyrus-SASL docs make it sound like SASL, when built into OpenLDAP, will make the appropriate LDAP calls to read the configured LDAP database (in my case, BDB). Does SASL/PLAIN authentication require some outside agent to work (either a separate sasldb, or to route auth requests through saslauthd)? I'd rather keep all my user information in LDAP, as opposed to maintaining separate databases.
John
"John M. Burian" john@burian.org writes:
Buchan Milne wrote:
But, SASL authentication does not use a DN, but a username (as provided in the example Dieter gave you above). And you would need to have configured slapd to map a SASL identity to a DN for the bind to succeed.
I have an authz-regexp that maps SASL's 'uid=burianj,cn=plain,cn=auth' to 'uid=burianj,ou=people,dc=cqcb', which is the DN in my LDAP database, which appears to be working, based on my logs.
Dieter Kluenter wrote:
Did you create the password using any hashing method? Or is it plaintext?
The password is stored in LDAP as a {CRYPT}. I loaded the LDAP database using LDIF files created with the Migration Tools scripts (I don't know that those scripts are part of OpenLDAP, but they come packaged in Red Hat's OpenLDAP RPM). The users are stored as, at least, PosixAccount objects.
SASL doesn't know anything about crypt, that is, passwords have to be stored as plaintext. Because of transmitting plaintext passwords over the wire, PLAIN mechanism is disabled without any transport security.
-Dieter
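In John's logs the simple bind against a {CRYPT} userPassword succeeds, because for a simple bind slapd itself compares the supplied password against whatever stored value it finds, hashed or not. The block below is an added example, not OpenLDAP code, of that server-side check for the schemes the thread names: {SSHA} (John's password-hash setting), {SHA}, and an unprefixed cleartext value, which is the form a SASL mechanism expects to read from the entry. {CRYPT} is deliberately refused here rather than emulated, because its output depends on the platform's crypt(3). The directory entries, passwords and the fixed salt are constructed for the example; `make_ssha` follows the layout slappasswd produces (base64 of the SHA-1 digest followed by the salt).

```python
"""Server-side userPassword check of a simple bind. Added example, not OpenLDAP code."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64(SHA1(password + salt) + salt); slappasswd uses a 4-byte random salt."""
    if salt is None:
        salt = secrets.token_bytes(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """{SHA} = base64(SHA1(password)), unsalted: equal passwords give equal values."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def split_scheme(stored: str) -> Tuple[str, str]:
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value with no {scheme} prefix is cleartext."""
    if stored.startswith("{"):
        end = stored.find("}")
        if end > 1:
            return stored[1:end].upper(), stored[end + 1:]
    return "", stored


def check_password(stored: str, candidate: str) -> bool:
    """Compare a candidate against one stored userPassword value with constant-time compares."""
    scheme, value = split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "":
        return hmac.compare_digest(value.encode("utf-8"), cand)
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    if scheme == "SSHA":
        if len(raw) <= 20:          # 20-byte digest must be followed by at least one salt byte
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    return False                    # unknown scheme ({CRYPT} and others here): refuse, never guess


# Constructed sample entries (not from the thread); hashes are derived in-process with a
# fixed salt so the example is reproducible. {CRYPT}xxxx is a dummy value, as in the post.
SAMPLE_ENTRIES: Dict[str, str] = {
    "uid=alice,ou=People,dc=example": make_ssha("correct horse", salt=b"\x01\x02\x03\x04"),
    "uid=bob,ou=People,dc=example": make_sha("battery staple"),
    "uid=carol,ou=People,dc=example": "cleartext-as-stored",
    "uid=dave,ou=People,dc=example": "{CRYPT}xxxx",
}


def simple_bind(dn: str, password: str) -> bool:
    """Server half of a simple bind: fetch the entry's userPassword and verify against it."""
    stored = SAMPLE_ENTRIES.get(dn)
    return stored is not None and check_password(stored, password)
```

`simple_bind("uid=alice,ou=People,dc=example", "correct horse")` succeeds and the same DN with any other password fails; the {CRYPT} entry fails for every password because the scheme is not implemented here, which is the safe default for any scheme a verifier does not recognise. The cleartext entry shows the trade-off the thread is circling: it is the only form here that a SASL mechanism could read back as a password, and it is also the only form that leaks every user's password to anyone who can read the attribute.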
John Burian john@burian.org writes:
Dieter Kluenter wrote:
John Burian john@burian.org writes:
[...]
I'm not having a problem getting TLS to work. ldapwhoami is connecting over port 636, I see correct TLS messages in the log file, and ldapwhoami reports that it is authenticating with SASL/PLAIN. For the record, if I try the above command, forcing the connection over port 389 and using StartTLS, I get the same results as just using "ldapwhoami" or "ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'". The problem is simple authentication works, SASL/PLAIN authentication with the same DN and password fails.
Did you create the password using any hashing method? Or is it plaintext?
-Dieter
The same command without '-x -W', or ldapwhoami with no args, does not work:
$ ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed
if you want a SASL bind with PLAIN mechanism and TLS, the ldapwhoami should look something like
$ ldapwhoami -Y PLAIN -U burianj -ZZ -H ldap://localhost
I'm not having a problem getting TLS to work. ldapwhoami is connecting over port 636, I see correct TLS messages in the log file, and ldapwhoami reports that it is authenticating with SASL/PLAIN. For the record, if I try the above command, forcing the connection over port 389 and using StartTLS, I get the same results as just using "ldapwhoami" or "ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'". The problem is simple authentication works, SASL/PLAIN authentication with the same DN and password fails.
But, SASL authentication does not use a DN, but a username (as provided in the example Dieter gave you above). And you would need to have configured slapd to map a SASL identity to a DN for the bind to succeed.
So, please provide the commandline you are using with the SASL bind that is failing.
Regards, Buchan
John Burian john@burian.org writes:
Dieter Kluenter wrote:
From your remarks on CA and certificate I assume that you want to use TLS, while your ldapwhoami seems to indicate that you want to make use of the PLAIN mechanism, which is disabled by default unless you provide a secure transport method, that is either TLS or a local socket. Unless you provide more information on the parameters used, no advice can be given.
-Dieter
Correct, I want to be using SASL/PLAIN over TLS. The following works:
$ ldapwhoami -x -W -D 'uid=burianj,ou=people,dc=cqcb'
Enter LDAP Password:
dn:uid=burianj,ou=People,dc=cqcb
Result: Success (0)
[...]
Just another method to authenticate, while using TLS, is to create a proper user certificate and validate it by
$ ldapwhoami -Y external -ZZ -H ldap://localhost
-Dieter [1]
Footnotes: [1] Yes, I have a correct certificate which is defined in ~/.ldaprc