On 10/02/13 09:08 -0400, btb wrote:
i've enabled the plain sasl mech, and testing with ldapwhoami works, but only if the userpassword is left as plaintext. if hashing [ssha] is used, it fails. a simple bind succeeds. what am i doing wrong?
ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx'
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: Password verification failed
524b7989 ==>slap_sasl2dn: converting SASL name uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1] string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1] res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" -> "uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to uid=flash,ou=people,ou=accounts,dc=example,dc=com
libsasl2, with default configuration, requires that the password be stored in cleartext, even for PLAIN.
To support {ssha} in this scenario, I recommend you configure your SASL slapd.conf file to authenticate against saslauthd, which in turn should be configured to perform ldap simple (non-sasl) authentication against slapd. Think of it as a two-level deep recursive authentication.
Create a slapd.conf SASL file (e.g. /usr/lib/sasl2/slapd.conf) with these contents:
pwcheck_method: saslauthd
# Disallow shared secret mechanisms
mech_list: PLAIN LOGIN GSSAPI EXTERNAL
Run saslauthd with the ldap backend. Run in debug mode to troubleshoot. If slapd is running non-root, modify the permissions of the saslauthd mux (e.g. /var/run/saslauthd/mux) to allow slapd to access it.
See:
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/components.php
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/options.php
The saslauthd manpage
saslauthd/LDAP_SASLAUTHD (in the cyrus sasl source)
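As a worked example of the two-level setup described in the reply above (an added illustration, not part of the reply and not taken from the OpenLDAP or Cyrus SASL documentation): the slapd-side libsasl2 config hands password checks to saslauthd, and saslauthd's ldap backend does a simple bind back into slapd as the user, which is where the {SSHA} userPassword is actually verified. The host name, base DN and bind DN follow the poster's log; the file paths, the search credentials and the CA file are assumptions.

```conf
# /usr/lib/sasl2/slapd.conf  (libsasl2 config that slapd reads; the path is
# an assumption, it is <appname>.conf under libsasl2's config directory)
pwcheck_method: saslauthd
# saslauthd can only check a password it is handed in full, so keep the
# shared-secret mechs (DIGEST-MD5, CRAM-MD5) off the list: offering them
# would require a cleartext userPassword in the directory
mech_list: PLAIN LOGIN GSSAPI EXTERNAL
# optional, only if saslauthd's mux is not at the built-in default (assumed path)
saslauthd_path: /var/run/saslauthd/mux

# /etc/saslauthd.conf  (read by "saslauthd -a ldap"; path and values assumed)
ldap_servers: ldap://dsa4.example.com/
ldap_version: 3
ldap_search_base: ou=people,ou=accounts,dc=example,dc=com
ldap_filter: (uid=%u)
# "bind": look up the user's DN, then do a simple bind as that DN with the
# supplied password. slapd compares it against the {SSHA} hash itself, so
# saslauthd never needs to read userPassword. Do not set ldap_use_sasl here:
# a SASL bind back into slapd would loop straight back to saslauthd.
ldap_auth_method: bind
# identity used for the initial search (assumed; anonymous works if the ACLs
# allow an anonymous search on uid)
ldap_bind_dn: cn=saslauthd,ou=services,dc=example,dc=com
ldap_password: secret
# the user's password travels from saslauthd to slapd in the clear inside
# the simple bind, so protect that leg with STARTTLS
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/example-ca.pem
```

Start the daemon in the foreground while testing, `saslauthd -a ldap -d -O /etc/saslauthd.conf -m /var/run/saslauthd`, and check the backend on its own with `testsaslauthd -u flash -p 'xxxxxxxx' -f /var/run/saslauthd/mux` before involving slapd; a failure here is a saslauthd/ldap_* problem, a success here followed by the original SASL(-13) error points at the mux permissions or the slapd.conf lookup. If slapd runs as an unprivileged user, give that user access to the mux directory (for example, make /var/run/saslauthd group-owned by a group the slapd user belongs to, with mode 750; the group name is whatever your distribution uses). Note that the client side of PLAIN also sends the password in the clear, so the ldapwhoami test above should be run over ldaps:// or with -ZZ once it works.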