Hi, I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com to test SASL authentication; slapd's log is below:
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281064438
ber_get_next
conn=2 op=0 do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 2 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 2 exit.
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281064438
ber_get_next
conn=2 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1281064441
ber_get_next
conn=2 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
send_ldap_result: conn=2 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
=> bdb_search
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
ber_flush2: 64 bytes to sd 12
<== slap_sasl_bind: rc=0
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ldap_pvt_sasl_generic_install
ber_get_next
ber_get_next: tag 0x30 len 72 contents:
op tag 0x63, time 1281064441
ber_get_next
conn=2 op=3 do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <ou=people,dc=example,dc=com>
<<< dnPrettyNormal: <ou=people,dc=example,dc=com>, <ou=people,dc=example,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=2
=> bdb_dn2idl("ou=people,dc=example,dc=com")
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=-1 first=1 last=2
=> send_search_entry: conn 2 dn="ou=people,dc=example,dc=com"
ber_flush2: 172 bytes to sd 12
<= send_search_entry: conn 2 exit.
=> send_search_entry: conn 2 dn="cn=admin,ou=people,dc=example,dc=com"
ber_flush2: 452 bytes to sd 12
<= send_search_entry: conn 2 exit.
send_ldap_result: conn=2 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1281064441
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
conn=2 op=4 do_unbind
connection_close: conn=2 sd=12
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Friday, August 06, 2010 10:35 AM
To: LI Ji D
Cc: Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 05/08/10 16:35 +0800, LI Ji D wrote:
Hi Klünter, now I can use SASL to authenticate, but OpenLDAP seems to be using the password attribute stored in the user entry in OpenLDAP to do the SASL authentication. I expect OpenLDAP to use sasldb as an external source for the authentication.
- My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self

database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
- and I also created slapd.conf at /usr/local/sasl2/lib/sasl2/slapd.conf. Its content is:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
You may have hit the same issue that Brent did. Most likely you will need to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.
Alternatively, you can set the environment variable SASL_CONF_PATH to instruct the sasl glue library where to search for config files. See the man page for sasl_getconfpath_t for details.
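Two things in this thread can be checked mechanically: where libsasl will actually look for slapd.conf (the point of the reply above), and how the authz-regexp in the quoted slapd.conf rewrites the SASL authentication DN into the LDAP URL that the log's rewrite_rule_apply line shows. This is an added example, not code from the thread, OpenLDAP or Cyrus SASL; it assumes the default directories named in the reply, treats SASL_CONF_PATH as a colon-separated list, and uses a constructed in-memory stand-in for the filesystem.

```python
import re

# Directories libsasl searches for slapd.conf when SASL_CONF_PATH is
# unset, per the reply above; the poster's /usr/local/sasl2/lib/sasl2
# is not among them.
DEFAULT_SASL_CONF_DIRS = ("/usr/lib/sasl2", "/etc/sasl2")

# Constructed stand-in for the filesystem (path -> contents): only the
# file the poster says they created exists.
CONSTRUCTED_FILES = {
    "/usr/local/sasl2/lib/sasl2/slapd.conf":
        "pwcheck_method: auxprop\nauxprop_plugin: sasldb\nmech_list: digest-md5\n",
}

def sasl_conf_search_path(env):
    """Directories searched for <app>.conf. SASL_CONF_PATH is assumed to
    be a colon-separated list (as for sasl_getconfpath_t) that replaces
    the default search path when it is set."""
    override = env.get("SASL_CONF_PATH")
    if override:
        return tuple(d for d in override.split(":") if d)
    return DEFAULT_SASL_CONF_DIRS

def find_sasl_conf(env, files, app="slapd"):
    """First <dir>/<app>.conf on the search path that exists, else None."""
    for d in sasl_conf_search_path(env):
        path = d.rstrip("/") + "/" + app + ".conf"
        if path in files:
            return path
    return None

def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL application config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def authz_regexp_map(rule, replacement, sasl_dn):
    """Apply one authz-regexp as the log shows slapd doing it: the
    normalized (lower-cased) SASL DN still matches a rule written with
    DIGEST-MD5 in upper case, so match case-insensitively, then put the
    captured groups into the $1.. slots of the LDAP URL. None on no match."""
    m = re.fullmatch(rule, sasl_dn, re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
```

With the default search path find_sasl_conf returns None for the poster's layout, which is consistent with the log's slap_ap_lookup line: slapd's own auxprop was consulted for the secret because the sasldb configuration was never read.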