Hi, I added `sasl-auxprops sasldb` to the OpenLDAP slapd.conf, started slapd, and ran /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com. I get the response below:

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
That's because the slapd program stopped for some reason. Here is the slapd log:

slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281422959
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281422959
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=195
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 248 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 326 contents:
op tag 0x60, time 1281422960
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
=> bdb_dn2id("ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x1
entry_decode: "ou=people,dc=example,dc=com"
<= entry_decode(ou=people,dc=example,dc=com)
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
entry_decode: "cn=admin,ou=people,dc=example,dc=com"
<= entry_decode(cn=admin,ou=people,dc=example,dc=com)
=> bdb_dn2id("cn=admin,ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x2
send_ldap_result: conn=0 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
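As an added illustration (not code from this thread or from OpenLDAP), here is the path the log records from SASL authcid to internal search, reproduced in Python: the authz-regexp rule, the SASL name and the resulting URI are taken from the log above; the stricter anchored rule and the RFC 4515 escaping of the captured value are assumptions about how a defender would constrain what the regexp can feed into the filter.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Rule and URI template as logged by rewrite_rule_apply / rewrite_context_apply.
AUTHZ_REGEXP = (r"uid=(.*),cn=DIGEST-MD5,cn=auth",
                "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)")
# Assumed hardened variant: anchored, and the uid may not span an RDN boundary.
AUTHZ_REGEXP_STRICT = (r"^uid=([^,]*),cn=DIGEST-MD5,cn=auth$", AUTHZ_REGEXP[1])

SCOPES = {"": 0, "base": 0, "one": 1, "sub": 2}   # slapd logged scope=1 for "one"

def sasl_authcid_to_dn(authcid: str, mech: str = "DIGEST-MD5") -> str:
    """slap_sasl_getdn: 'u:admin' becomes 'uid=admin,cn=DIGEST-MD5,cn=auth'."""
    return f"uid={authcid},cn={mech},cn=auth"

def dn_normalize(dn: str) -> str:
    """Simplified dnNormalize for caseIgnore attributes: lowercase each RDN,
    as the log shows for cn=DIGEST-MD5 -> cn=digest-md5."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a captured uid is always a literal filter value."""
    return "".join(f"\\{ord(c):02x}" if c in '*()\\\x00' else c for c in value)

def rewrite(sasl_dn: str, rule) -> Optional[str]:
    """rewrite_rule_apply: POSIX-style unanchored, case-insensitive match, then
    $1..$9 substituted into the URI template; None when the rule does not match."""
    pattern, uri_template = rule
    m = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)",
                  lambda g: escape_filter_value(m.group(int(g.group(1)))),
                  uri_template)

def parse_ldap_uri(uri: str) -> Tuple[str, int, str]:
    """slap_parseURI / ldap_url_parse_ext: ldap:///base?attrs?scope?filter."""
    if not uri.startswith("ldap:///"):
        raise ValueError(f"unsupported URI: {uri}")
    parts = uri[len("ldap:///"):].split("?", 3) + [""] * 3
    base, _attrs, scope, filt = parts[:4]
    return unquote(base), SCOPES[scope], unquote(filt) or "(objectClass=*)"

def sasl_to_search(authcid: str, rule=AUTHZ_REGEXP):
    """Whole pipeline: (base, scope, filter) for the internal search, or None."""
    uri = rewrite(dn_normalize(sasl_authcid_to_dn(authcid)), rule)
    return None if uri is None else parse_ldap_uri(uri)

if __name__ == "__main__":
    print(sasl_to_search("admin"))  # ('ou=people,dc=example,dc=com', 1, '(cn=admin)')
```

Run with the strict rule, an authcid containing a comma is rejected instead of being carried into the filter, which is the behaviour to check for when reviewing an authz-regexp.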
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
> On 09/08/10 14:52 -0700, Howard Chu wrote:
>> Dan White wrote:
>>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>>> Hi, my problem is that I expect slapd to authenticate with the
>>>> password stored in sasldb. But it doesn't; it uses the password stored
>>>> in the userPassword attribute of this user, which is an item in OpenLDAP.
>>>> So I want to know how slapd can use the password stored in sasldb
>>>> to do the SASL authentication.
>>>
>>> I attempted to do this as well and failed. Setting auxprop_plugin to
>>> sasldb did not provide the expected response. Regardless of whether I
>>> set it to slapd or sasldb, the server authenticates my digest-md5 SASL
>>> bind using the internal slapd plugin.
>>>
>>> I recommend you file a bug report.
>>
>> File the bug with the correct people. OpenLDAP doesn't do anything in
>> particular with SASL configuration. If you can't get the desired behavior
>> by setting the SASL config file, then file a bug against Cyrus SASL.
>
> It does! For auxprop_plugin, and auxprop_plugin only. After some digging
> I found the insertion of a SASL_CB_GETOPT function which replaces whatever
> auxprop_plugin value is found in the SASL config file with the
> sasl-auxprops OpenLDAP config option, or defaults to 'slapd' if no
> sasl-auxprops is defined.
>
> It's perfectly documented in the slapd.conf man page... it just never
> occurred to me to look.
>
> LI,
>
> setting:
>
> sasl-auxprops sasldb
>
> within the OpenLDAP slapd.conf works for me.

My mistake. This was added last year.

http://www.openldap.org/its/index.cgi/Software Bugs?id=6147