Without seeing any output from your SASL/PLAIN bind, I suspect that saslauthd may not be working with your slapd installation.
If that's the case, double check the permissions on your saslauthd mux, and specify a saslauthd_path parameter within your sasl slapd.conf config if necessary.
On 10/03/11 15:42 -0700, Zach Schimke wrote:
Okay, I get nothing from saslauthd. The relevent logging slapd gives me: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL daemon: epoll: listen=9 active_threads=0 tvp=NULL daemon: epoll: listen=10 active_threads=0 tvp=NULL do_bind
dnPrettyNormal: <cn=zach schimke - test,ou=people,o=mars>
<<< dnPrettyNormal: <cn=zach schimke - test,ou=people,o=mars>, <cn=zach schimke - test,ou=people,o=mars> do_bind: version=3 dn="cn=zach schimke - test,ou=people,o=mars" method=128 ==> hdb_bind: dn: cn=zach schimke - test,ou=people,o=mars bdb_dn2entry("cn=zach schimke - test,ou=people,o=mars") => access_allowed: auth access to "cn=Zach Schimke - TEST,ou=people,o=mars" "userPassword" requested => dn: [1] o=new => dn: [2] ou=rooms,o=mars => dn: [3] ou=acl,o=mars => dn: [4] ou=groups,o=mars => dn: [5] ou=people,o=mars => acl_get: [5] matched => acl_get: [5] attr userPassword access_allowed: no res from state (userPassword) => acl_mask: access to entry "cn=Zach Schimke - TEST,ou=people,o=mars", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: ou=admins,ou=people,o=mars <= check a_dn_pat: cn=mars admin,ou=role,ou=people,o=mars <= check a_dn_pat: * <= acl_mask: [3] applying read(=rscxd) (stop) <= acl_mask: [3] mask: read(=rscxd) => access_allowed: auth access granted by read(=rscxd) send_ldap_result: conn=4 op=0 p=3 send_ldap_result: err=49 matched="" text="" send_ldap_response: msgid=1 tag=97 err=49 daemon: activity on 1 descriptor daemon: activity on: 15r
So, I do not see anything looking at SASL. Is there something special I need to put in slapd.access to make the pass-through bit work? It seems to be an ACL problem at this point (but regular password binds work properly with other users).
Zach Schimke Mars Space Flight Facility
On 3/4/2011 2:09 PM, Dan White wrote:
On 04/03/11 13:59 -0700, Zach Schimke wrote:
I'm using openldap-2.3.32, loglevel = -1 (log grows at 2MB/minute), and neither of those tests work. I've even tried with and without the @REALM.
Can you run your slapd in debug mode (-d -1), and your saslauthd in debug mode (-d)?
Try performing your SASL PLAIN bind, and then your non-sasl pass-through bind, and let us have a look at any relevant output you're seeing from either daemon. It might help to have a look at both to compare.