Hi,
I added sasl-auxprops sasldb to the OpenLDAP slapd.conf, started slapd, and ran /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com. I get the response below:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
That's because the slapd program stopped for some reason; here is the slapd log:
slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281422959
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281422959
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=195
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 248 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 326 contents:
op tag 0x60, time 1281422960
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
=> bdb_dn2id("ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x1
entry_decode: "ou=people,dc=example,dc=com"
<= entry_decode(ou=people,dc=example,dc=com)
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
entry_decode: "cn=admin,ou=people,dc=example,dc=com"
<= entry_decode(cn=admin,ou=people,dc=example,dc=com)
=> bdb_dn2id("cn=admin,ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x2
send_ldap_result: conn=0 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
> On 09/08/10 14:52 -0700, Howard Chu wrote:
>> Dan White wrote:
>>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>>> Hi,
>>>> My problem is that I expect slapd to authenticate with the password stored in sasldb. But it doesn't; it uses the password stored in the userpassword attribute of this user, which is an item in OpenLDAP.
>>>> So I want to know: how can slapd use the password stored in sasldb to do the SASL authentication?
>>>
>>> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
>>> did not provide the expected response. Regardless of whether I set it to
>>> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
>>> internal slapd plugin.
>>>
>>> I recommend you file a bug report.
>>
>> File the bug with the correct people. OpenLDAP doesn't do anything in
>> particular with SASL configuration. If you can't get the desired behavior
>> by setting the SASL config file, then file a bug against Cyrus SASL.
>
> It does! For auxprop_plugin, and auxprop_plugin only. After some digging I
> found the insertion of a SASL_CB_GETOPT function which replaces whatever
> auxprop_plugin value is found in the sasl config file with the
> sasl-auxprops openldap config option, or defaults to 'slapd' if no
> sasl-auxprops is defined.
>
> It's perfectly documented in the slapd.conf man page... just never occurred
> to me to look.
>
> LI,
>
> setting:
>
> sasl-auxprops sasldb
>
> within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
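Added example, not part of this thread: a small triage script for a slapd debug trace like the one in the report above. It walks the conn/op lines, tracks which operations were answered (send_ldap_result, or a completed SASL bind step) and reports the operation still in flight when the trace ends at "Segmentation fault", together with the mechanism, the SASL step reached and the authorization DN that slap_sasl_getdn had already mapped. The trace excerpt is constructed from the lines quoted above; the line patterns are assumptions based on that excerpt, not an official log format.

```python
import re

# Constructed excerpt modelled on the slapd debug trace quoted in the report above.
SAMPLE_TRACE = """\
conn=0 op=0 do_search
send_ldap_result: conn=0 op=0 p=3
conn=0 op=1 do_bind
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
<== slap_sasl_bind: rc=14
conn=0 op=2 do_bind
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
"""

# Patterns are assumptions derived from the excerpt, not a documented format.
OP_START = re.compile(r"^conn=(\d+) op=(\d+) (do_\w+)$")
OP_RESULT = re.compile(r"^send_ldap_result: conn=(\d+) op=(\d+)")
SASL_BIND_DONE = re.compile(r"^<== slap_sasl_bind: rc=(\d+)$")   # rc=14: bind continues
SASL_STEP = re.compile(r"^SASL \[conn=\d+\] Debug: (\S+) server step (\d+)$")
AUTHZ_DN = re.compile(r"^slap_sasl_getdn: dn:id converted to (.+)$")


def triage(trace):
    """Describe the operations left unanswered when the trace ends."""
    pending = {}       # (conn, op) -> details of operations not yet answered
    current = None     # operation whose lines are currently being logged
    crashed = False
    for line in trace.splitlines():
        line = line.strip()
        if line == "Segmentation fault":
            crashed = True
            break
        if m := OP_START.match(line):
            key = (int(m[1]), int(m[2]))
            current = pending[key] = {"conn": key[0], "op": key[1], "kind": m[3],
                                      "mech": None, "sasl_step": None, "authz_dn": None}
        elif m := OP_RESULT.match(line):
            pending.pop((int(m[1]), int(m[2])), None)          # normal LDAP result sent
        elif SASL_BIND_DONE.match(line) and current is not None:
            pending.pop((current["conn"], current["op"]), None)  # SASL challenge/answer sent
        elif (m := SASL_STEP.match(line)) and current is not None:
            current["mech"], current["sasl_step"] = m[1], int(m[2])
        elif (m := AUTHZ_DN.match(line)) and current is not None:
            current["authz_dn"] = m[1]                         # DN mapping already succeeded
    unfinished = sorted(pending.values(), key=lambda d: (d["conn"], d["op"]))
    return {"crashed": crashed, "unfinished": unfinished}


if __name__ == "__main__":
    for op in triage(SAMPLE_TRACE)["unfinished"]:
        print(f"conn={op['conn']} op={op['op']} {op['kind']} mech={op['mech']} "
              f"step={op['sasl_step']} authz_dn={op['authz_dn']}")
```

For the trace above it reports op=2 (the second DIGEST-MD5 bind step) as the unfinished operation with the authorization DN already resolved, which shows the crash occurred after SASL-to-DN mapping rather than during it.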