On 02/08/12 16:22 +0530, Gaurav Gugnani wrote:
Hello,
Thanks for replying.
Now, I am proceeding with the following steps but still getting an error:
Steps:
1> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
2> cat /etc/openladp/slapd.conf
password-hash {CLEARTEXT}
sasl-auxprops slapd
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
*Note:* ACLs are given properly.
3> Then I'm trying to add the user:
cat add_sasl_accnt21.ldif
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword: sasluser21
objectClass: account
objectClass: simpleSecurityObject
ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif
5> Now, when I do ldapsearch:
ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b 'uid=sasluser12,ou=System,o=xyz'
You should be providing just the username with the -U option. I recommend using ldapwhoami to test your authz-regexp rules:
ldapwhoami -Y digest-md5 -U sasluser21
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
In the log file I got some clue: it's trying to use modify dn.
Have a look please:
slapd[14125]: >>> dnPrettyNormal: <>
slapd[14125]: <<< dnPrettyNormal: <>, <>
slapd[14125]: conn=1228 op=1 BIND dn="" method=163
slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5
slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2
slapd[14125]: slap_sasl_getdn: u:id converted to uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=digest-md5,cn=auth>
slapd[14125]: ==>slap_sasl2dn: converting SASL name uid=uid\3Dsasluser21,cn=digest-md5,cn=auth to a DN
slapd[14125]: ==> rewrite_context_apply [depth=1] string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth'
slapd[14125]: ==> rewrite_rule_apply rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth' string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth' [1 pass(es)]
slapd[14125]: ==> rewrite_context_apply [depth=1] res={0,'uid=uid\3Dsasluser21,ou=System,o=xyz'}
slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=System,o=xyz
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=System,o=xyz>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=system,o=xyz>
slapd[14125]: <==slap_sasl2dn: Converted SASL name to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: slap_sasl_getdn: dn:id converted to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: => bdb_search
slapd[14125]: bdb_dn2entry("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: => bdb_dn2id("uid=uid\3Dsasluser21,ou=system,o=xyz")
Notice the uid=uid\3Dsasluser21... here, instead of the desired uid=sasluser21...
slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz" "entry" requested
slapd[14125]: => dn: [2] o=xyz
slapd[14125]: => dn: [3] ou=subscribers,o=xyz
slapd[14125]: => acl_get: [4] attr entry
slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry" requested
slapd[14125]: => acl_mask: to all values by "", (=0)
slapd[14125]: <= check a_dn_pat: self
slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[14125]: => slap_access_allowed: disclose access denied by =0
You might need a more permissive (by anonymous auth) ACL here, for dn.base="ou=System,o=xyz" and "attrs=entry".
See slapd.access(5).
slapd[14125]: => access_allowed: no more rules
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
slapd[14125]: SASL [conn=1228] Failure: no secret in database
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
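As an added illustration of the authz-regexp mapping discussed above (this is not code from the thread or from OpenLDAP), the following Python emulates how slapd builds the uid=...,cn=DIGEST-MD5,cn=auth name and applies the rule shown in the log, so a mapping can be checked offline before touching slapd.conf. The DN escaping and the case-insensitive matching are assumptions that approximate slapd's behaviour; the rule and DNs are copied from the log above.

```python
import re

# RFC 4514 special characters; slapd escapes them inside an RDN value as a
# backslash plus two hex digits, which is how "=" became "\3D" in the log.
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (assumed approximation of slapd)."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\%02X" % ord(ch) if ch in _SPECIAL or leading or trailing else ch)
    return "".join(out)


def sasl_auth_dn(authcid: str, mech: str) -> str:
    """The uid=<authcid>,cn=<mech>,cn=auth name slapd forms before authz-regexp runs."""
    return f"uid={escape_rdn_value(authcid)},cn={mech},cn=auth"


# The rule as printed by rewrite_rule_apply in the log; ([^,]*) stops at the
# first comma of the escaped SASL name.  Constructed copy of that configuration.
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", r"uid=\1,ou=System,o=xyz"),
]


def map_sasl_to_dn(authcid: str, mech: str = "DIGEST-MD5") -> str:
    """Apply the first matching authz-regexp rule; unmatched names keep the cn=auth form.

    The log shows the upper-case rule matching the lower-cased, normalized
    string, so matching is done case-insensitively here as well (assumption).
    """
    sasl_dn = sasl_auth_dn(authcid, mech)
    for pattern, replacement in AUTHZ_REGEXP:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return sasl_dn


if __name__ == "__main__":
    # The two -U values from the thread: the bare username maps to the real
    # entry, the DN-like value is escaped into a uid that does not exist.
    for authcid in ("sasluser21", "uid=sasluser21"):
        print(f"-U {authcid!r:<18} -> {map_sasl_to_dn(authcid)}")
```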