Dear members,

Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?

I'm not sure why this configuration does not work correctly, and it seems that the LDAP server compares the DN and the input password in LDAP authentication (see the log below).

Thank you for your advice.

Sincerely,
-- Hiroyuki Sato.
My Environment
OS: Ubuntu 10.10
OpenLDAP: 2.4.24 (built myself)
1, slapd.conf

..
sasl-realm mydomain.com
sasl-auxprops sql
sasl-regexp
  uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
  uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
Note: ``sasl-auxprops sql'' is not well documented. It is an important config for SQL authentication.
2, /usr/lib/sasl2/slapd.conf

pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: database.server.add.ress
sql_user: username
sql_passwd: password
sql_database: db_name
sql_select: select password from sasl_test where username = '%u@%r'
3, database entry

mysql> select * from sasl_test \G
*************************** 1. row ***************************
username: ldapuser@mydomain.com
password: ldapuser_password
4, auth

ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
Password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
5, log

......
<= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth to a DN
daemon: activity on 1 descriptor
==> rewrite_context_apply [depth=1] string='uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=mydomain,dc=com,cn=digest-md5,cn=auth' string='uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com'}
[rw] authid: "uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com"
slap_parseURI: parsing uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
ldap_url_parse_ext(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)
>>> dnNormalize: <uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)=0
<<< dnNormalize: <uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
SASL Canonicalize [conn=1003]: slapAuthcDN="uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com"
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
SASL Canonicalize [conn=1003]: authzid="ldap_user"
SASL proxy authorize [conn=1003]: authcid="ldap_user@mydomain,dc=com" authzid="ldap_user@mydomain,dc=com"
==>slap_sasl_authorized: can uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com become <INPUT_PASSWORD>?
                                                                                                 ^^^^^^^^^^^^^^^^^^^^
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1003]: proxy authorization disallowed (48)
SASL [conn=1003] Failure: not authorized
send_ldap_result: conn=1003 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
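Added example, not part of the original post: a small Python checker that walks the slapd debug lines quoted above and summarises the SASL bind decision, i.e. which authid the sasl-regexp rewrote to which DN, what authorization target slap_sasl_authorized was asked to approve, and its return code. The sample log is constructed from the poster's own lines with whitespace restored; the regexes assume the message formats shown there.

```python
import re

# Constructed sample: the slapd trace lines quoted in the post above, with
# line breaks restored. <INPUT_PASSWORD> is the poster's own redaction marker.
SAMPLE_LOG = """\
[rw] authid: "uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com"
SASL Canonicalize [conn=1003]: authzid="ldap_user"
SASL proxy authorize [conn=1003]: authcid="ldap_user@mydomain,dc=com" authzid="ldap_user@mydomain,dc=com"
==>slap_sasl_authorized: can uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com become <INPUT_PASSWORD>?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1003]: proxy authorization disallowed (48)
"""

AUTHID_RE = re.compile(r'\[rw\] authid: "([^"]*)" -> "([^"]*)"')
ASK_RE = re.compile(r'==>slap_sasl_authorized: can (.+) become (.+)\?$')
RC_RE = re.compile(r'<== slap_sasl_authorized: return (\d+)')

# LDAP result codes that occur in this exchange (RFC 4511 names).
LDAP_RC = {0: "success", 48: "inappropriateAuthentication",
           50: "insufficientAccessRights"}


def analyze_sasl_bind(log_text):
    """Summarise one SASL bind from slapd -d trace output."""
    out = {"authid": None, "authc_dn": None, "authz_target": None,
           "rc": None, "findings": []}
    for line in log_text.splitlines():
        m = AUTHID_RE.search(line)
        if m:  # sasl-regexp result: SASL authid -> directory DN
            out["authid"], out["authc_dn"] = m.groups()
            continue
        m = ASK_RE.search(line)
        if m:  # slapd asks whether the authenticated DN may act as the target
            dn, target = m.groups()
            out["authz_target"] = target
            if target != dn:
                out["findings"].append("authz identity differs from authc DN")
            # Both sides of this check should be DNs; a target without any
            # attribute=value means something other than an identity got here.
            if "=" not in target:
                out["findings"].append("authz target is not a DN: %r" % target)
            continue
        m = RC_RE.search(line)
        if m:
            out["rc"] = int(m.group(1))
            if out["rc"] != 0:
                out["findings"].append("slap_sasl_authorized returned %d (%s)"
                                       % (out["rc"], LDAP_RC.get(out["rc"], "?")))
    return out


if __name__ == "__main__":
    for key, value in analyze_sasl_bind(SAMPLE_LOG).items():
        print(key, "=", value)
```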