Thank you Dan.
I simplified the test environment (see below).
* Problem summary
Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly, and it seems that the LDAP server compares the DN and the input password in LDAP authentication (see log below).
To: Dan
>> sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
> This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
Is this true? I tested again. It seems that c=<realm> will set the 'sasl-realm' value.
> You want the 'uid' part of your rule to be a bit more restrictive, such as uid=([^,]+) so that it doesn't end up matching a longer string accidentally.
I changed it to uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth
case1
config
# sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=DIGEST-MD5,cn=auth>
note: realm is not set.
case2
config
# sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
note: realm is not set.
case3
config
sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=282
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth>
note: realm set to 'cn=mydomain.com'.
case4
config
# sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldap_user,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=ldap_user,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+),cn=mydomain.cn=com,cn=digest-md5,cn=auth' string='uid=ldap_user,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,cn=digest-md5,cn=auth'}
[rw] authid: "uid=ldap_user,cn=digest-md5,cn=auth" -> "uid=ldap_user,cn=digest-md5,cn=auth"
slap_parseURI: parsing uid=ldap_user,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=ldap_user,cn=digest-md5,cn=auth)
>>> dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=digest-md5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=digest-md5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=ldap_user,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=ldap_user,cn=digest-md5,cn=auth
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ldap_user,cn=digest-md5,cn=auth"
SASL Canonicalize [conn=1000]: authzid="ldap_user"
-- Hiroyuki Sato
0, Environment
OS: ubuntu 10.10
OpenLDAP: 2.4.24
1, slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
loglevel -1
####################################################
#
# SASL config
#
####################################################
sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
sasl-auxprops sql
2, ldif
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
o: mydomain
dc: mydomain

dn: ou=users,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=ldap_user,ou=users,dc=mydomain,dc=com
uid: ldap_user
cn: ldap_user
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
gecos: ldap_user
homeDirectory: /home/ldap_user
userPassword:: KioqKioqKio=
3, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: host.addre.ss
sql_user: username
sql_passwd: password
sql_database: database
sql_select: select password from sasl_test where username = '%u@%r'
4, mysql
Create Table: CREATE TABLE `sasl_test` (
  `username` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8

mysql> select * from sasl_test \G
*************************** 1. row ***************************
username: ldap_user@mydomain.com
password: password1
5, client request
ldapsearch -R mydomain.com -h 192.168.10.36 -Y digest-md5 -U ldap_user -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
6, complete log
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=NULL
slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: listen=7, new connection on 12
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: added 12r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 fd=12 ACCEPT from IP=192.168.10.53:53531 (IP=0.0.0.0:389)
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
  0000:  30 18 02 01 01 60 13 02                            0....`..
ldap_read: want=18, got=18
  0000:  01 03 04 00 a3 0c 04 0a 44 49 47 45 53 54 2d 4d   ........DIGEST-M
  0010:  44 35                                              D5
ber_get_next: tag 0x30 len 24 contents:
ber_dump: buf=0xa1e2798 ptr=0xa1e2798 end=0xa1e27b0 len=24
  0000:  02 01 01 60 13 02 01 03 04 00 a3 0c 04 0a 44 49   ...`..........DI
  0010:  47 45 53 54 2d 4d 44 35                            GEST-MD5
op tag 0x60, time 1297854079
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e279b end=0xa1e27b0 len=21
  0000:  60 13 02 01 03 04 00 a3 0c 04 0a 44 49 47 45 53   `..........DIGES
  0010:  54 2d 4d 44 35                                     T-MD5
ber_scanf fmt ({m) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e27a2 end=0xa1e27b0 len=14
  0000:  00 0c 04 0a 44 49 47 45 53 54 2d 4d 44 35         ....DIGEST-MD5
ber_scanf fmt (}}) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e27b0 end=0xa1e27b0 len=0
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> conn=1000 op=0 BIND dn="" method=163 do_bind: dn () SASL mech DIGEST-MD5 ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0 SASL [conn=1000] Debug: DIGEST-MD5 server step 1 send_ldap_sasl: err=14 len=176 send_ldap_response: msgid=1 tag=97 err=14 ber_flush2: 223 bytes to sd 12 0000: 30 81 dc 02 01 01 61 81 d6 0a 01 0e 04 00 04 1c 0.....a......... 0010: 53 41 53 4c 28 30 29 3a 20 73 75 63 63 65 73 73 SASL(0): success 0020: 66 75 6c 20 72 65 73 75 6c 74 3a 20 87 81 b0 6e ful result: ...n 0030: 6f 6e 63 65 3d 22 68 4b 50 75 45 6f 79 69 6d 4b once="hKPuEoyimK 0040: 2f 64 6c 42 49 56 6a 2f 54 35 59 78 54 49 36 6d /dlBIVj/T5YxTI6m 0050: 2f 4e 54 75 77 71 63 77 44 73 36 65 71 2f 6d 57 /NTuwqcwDs6eq/mW 0060: 49 3d 22 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f 6d I=",realm="mydom 0070: 61 69 6e 2e 63 6f 6d 22 2c 71 6f 70 3d 22 61 75 ain.com",qop="au 0080: 74 68 2c 61 75 74 68 2d 69 6e 74 2c 61 75 74 68 th,auth-int,auth 0090: 2d 63 6f 6e 66 22 2c 63 69 70 68 65 72 3d 22 72 -conf",cipher="r 00a0: 63 34 2d 34 30 2c 72 63 34 2d 35 36 2c 72 63 34 c4-40,rc4-56,rc4 00b0: 22 2c 6d 61 78 62 75 66 3d 36 35 35 33 36 2c 63 ",maxbuf=65536,c 00c0: 68 61 72 73 65 74 3d 75 74 66 2d 38 2c 61 6c 67 harset=utf-8,alg 00d0: 6f 72 69 74 68 6d 3d 6d 64 35 2d 73 65 73 73 orithm=md5-sess ldap_write: want=223, written=223 0000: 30 81 dc 02 01 01 61 81 d6 0a 01 0e 04 00 04 1c 0.....a......... 
0010: 53 41 53 4c 28 30 29 3a 20 73 75 63 63 65 73 73 SASL(0): success 0020: 66 75 6c 20 72 65 73 75 6c 74 3a 20 87 81 b0 6e ful result: ...n 0030: 6f 6e 63 65 3d 22 68 4b 50 75 45 6f 79 69 6d 4b once="hKPuEoyimK 0040: 2f 64 6c 42 49 56 6a 2f 54 35 59 78 54 49 36 6d /dlBIVj/T5YxTI6m 0050: 2f 4e 54 75 77 71 63 77 44 73 36 65 71 2f 6d 57 /NTuwqcwDs6eq/mW 0060: 49 3d 22 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f 6d I=",realm="mydom 0070: 61 69 6e 2e 63 6f 6d 22 2c 71 6f 70 3d 22 61 75 ain.com",qop="au 0080: 74 68 2c 61 75 74 68 2d 69 6e 74 2c 61 75 74 68 th,auth-int,auth 0090: 2d 63 6f 6e 66 22 2c 63 69 70 68 65 72 3d 22 72 -conf",cipher="r 00a0: 63 34 2d 34 30 2c 72 63 34 2d 35 36 2c 72 63 34 c4-40,rc4-56,rc4 00b0: 22 2c 6d 61 78 62 75 66 3d 36 35 35 33 36 2c 63 ",maxbuf=65536,c 00c0: 68 61 72 73 65 74 3d 75 74 66 2d 38 2c 61 6c 67 harset=utf-8,alg 00d0: 6f 72 69 74 68 6d 3d 6d 64 35 2d 73 65 73 73 orithm=md5-sess conn=1000 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: <== slap_sasl_bind: rc=14 daemon: activity on 1 descriptor daemon: activity on: 12r daemon: read active on 12 daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL connection_get(12) connection_get(12): got connid=1000 connection_read(12): checking for input on id=1000 ber_get_next ldap_read: want=8, got=8 0000: 30 82 01 3a 02 01 02 60 0..:...` ldap_read: want=310, got=310 0000: 82 01 33 02 01 03 04 00 a3 82 01 2a 04 0a 44 49 ..3........*..DI 0010: 47 45 53 54 2d 4d 44 35 04 82 01 1a 75 73 65 72 GEST-MD5....user 0020: 6e 61 6d 65 3d 22 6c 64 61 70 5f 75 73 65 72 22 name="ldap_user" 0030: 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f 6d 61 69 6e ,realm="mydomain 0040: 2e 63 6f 6d 22 2c 6e 6f 6e 63 65 3d 22 68 4b 50 .com",nonce="hKP 0050: 75 45 6f 79 69 6d 4b 2f 64 6c 42 49 56 6a 2f 54 uEoyimK/dlBIVj/T 0060: 35 59 78 54 49 36 6d 2f 4e 54 75 77 71 63 77 44 5YxTI6m/NTuwqcwD 0070: 73 36 65 71 2f 6d 57 49 3d 22 2c 63 6e 6f 6e 63 s6eq/mWI=",cnonc 0080: 65 3d 22 30 71 
62 32 35 50 4b 31 4c 30 65 33 68 e="0qb25PK1L0e3h 0090: 78 79 37 35 34 41 35 44 5a 70 32 52 56 72 69 57 xy754A5DZp2RVriW 00a0: 4d 52 46 41 46 72 6c 67 32 65 56 73 74 41 3d 22 MRFAFrlg2eVstA=" 00b0: 2c 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 6f 70 ,nc=00000001,qop 00c0: 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 68 65 =auth-conf,ciphe 00d0: 72 3d 72 63 34 2c 6d 61 78 62 75 66 3d 31 36 37 r=rc4,maxbuf=167 00e0: 37 37 32 31 35 2c 64 69 67 65 73 74 2d 75 72 69 77215,digest-uri 00f0: 3d 22 6c 64 61 70 2f 70 78 65 30 31 2e 61 72 63 ="ldap/pxe01.arc 0100: 68 73 79 73 74 65 6d 2e 63 6f 6d 22 2c 72 65 73 hsystem.com",res 0110: 70 6f 6e 73 65 3d 30 35 65 63 64 32 66 32 31 37 ponse=05ecd2f217 0120: 35 38 34 30 35 61 30 64 34 34 62 37 65 38 37 35 58405a0d44b7e875 0130: 66 63 35 39 32 63 fc592c ber_get_next: tag 0x30 len 314 contents: ber_dump: buf=0xa1e4780 ptr=0xa1e4780 end=0xa1e48ba len=314 0000: 02 01 02 60 82 01 33 02 01 03 04 00 a3 82 01 2a ...`..3........* 0010: 04 0a 44 49 47 45 53 54 2d 4d 44 35 04 82 01 1a ..DIGEST-MD5.... 
0020: 75 73 65 72 6e 61 6d 65 3d 22 6c 64 61 70 5f 75 username="ldap_u 0030: 73 65 72 22 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f ser",realm="mydo 0040: 6d 61 69 6e 2e 63 6f 6d 22 2c 6e 6f 6e 63 65 3d main.com",nonce= 0050: 22 68 4b 50 75 45 6f 79 69 6d 4b 2f 64 6c 42 49 "hKPuEoyimK/dlBI 0060: 56 6a 2f 54 35 59 78 54 49 36 6d 2f 4e 54 75 77 Vj/T5YxTI6m/NTuw 0070: 71 63 77 44 73 36 65 71 2f 6d 57 49 3d 22 2c 63 qcwDs6eq/mWI=",c 0080: 6e 6f 6e 63 65 3d 22 30 71 62 32 35 50 4b 31 4c nonce="0qb25PK1L 0090: 30 65 33 68 78 79 37 35 34 41 35 44 5a 70 32 52 0e3hxy754A5DZp2R 00a0: 56 72 69 57 4d 52 46 41 46 72 6c 67 32 65 56 73 VriWMRFAFrlg2eVs 00b0: 74 41 3d 22 2c 6e 63 3d 30 30 30 30 30 30 30 31 tA=",nc=00000001 00c0: 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 ,qop=auth-conf,c 00d0: 69 70 68 65 72 3d 72 63 34 2c 6d 61 78 62 75 66 ipher=rc4,maxbuf 00e0: 3d 31 36 37 37 37 32 31 35 2c 64 69 67 65 73 74 =16777215,digest 00f0: 2d 75 72 69 3d 22 6c 64 61 70 2f 70 78 65 30 31 -uri="ldap/pxe01 0100: 2e 61 72 63 68 73 79 73 74 65 6d 2e 63 6f 6d 22 .archsystem.com" 0110: 2c 72 65 73 70 6f 6e 73 65 3d 30 35 65 63 64 32 ,response=05ecd2 0120: 66 32 31 37 35 38 34 30 35 61 30 64 34 34 62 37 f21758405a0d44b7 0130: 65 38 37 35 66 63 35 39 32 63 e875fc592c op tag 0x60, time 1297854089 ber_get_next ldap_read: want=8 error=Resource temporarily unavailable daemon: activity on 1 descriptor daemon: activity on: daemon: epoll: listen=7 active_threads=0 tvp=NULL daemon: epoll: listen=8 active_threads=0 tvp=NULL conn=1000 op=1 do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0xa1e4780 ptr=0xa1e4783 end=0xa1e48ba len=311 0000: 60 82 01 33 02 01 03 04 00 a3 82 01 2a 04 0a 44 `..3........*..D 0010: 49 47 45 53 54 2d 4d 44 35 04 82 01 1a 75 73 65 IGEST-MD5....use 0020: 72 6e 61 6d 65 3d 22 6c 64 61 70 5f 75 73 65 72 rname="ldap_user 0030: 22 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f 6d 61 69 ",realm="mydomai 0040: 6e 2e 63 6f 6d 22 2c 6e 6f 6e 63 65 3d 22 68 4b n.com",nonce="hK 0050: 50 75 45 6f 79 69 6d 
4b 2f 64 6c 42 49 56 6a 2f PuEoyimK/dlBIVj/ 0060: 54 35 59 78 54 49 36 6d 2f 4e 54 75 77 71 63 77 T5YxTI6m/NTuwqcw 0070: 44 73 36 65 71 2f 6d 57 49 3d 22 2c 63 6e 6f 6e Ds6eq/mWI=",cnon 0080: 63 65 3d 22 30 71 62 32 35 50 4b 31 4c 30 65 33 ce="0qb25PK1L0e3 0090: 68 78 79 37 35 34 41 35 44 5a 70 32 52 56 72 69 hxy754A5DZp2RVri 00a0: 57 4d 52 46 41 46 72 6c 67 32 65 56 73 74 41 3d WMRFAFrlg2eVstA= 00b0: 22 2c 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 6f ",nc=00000001,qo 00c0: 70 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 68 p=auth-conf,ciph 00d0: 65 72 3d 72 63 34 2c 6d 61 78 62 75 66 3d 31 36 er=rc4,maxbuf=16 00e0: 37 37 37 32 31 35 2c 64 69 67 65 73 74 2d 75 72 777215,digest-ur 00f0: 69 3d 22 6c 64 61 70 2f 70 78 65 30 31 2e 61 72 i="ldap/pxe01.ar 0100: 63 68 73 79 73 74 65 6d 2e 63 6f 6d 22 2c 72 65 chsystem.com",re 0110: 73 70 6f 6e 73 65 3d 30 35 65 63 64 32 66 32 31 sponse=05ecd2f21 0120: 37 35 38 34 30 35 61 30 64 34 34 62 37 65 38 37 758405a0d44b7e87 0130: 35 66 63 35 39 32 63 5fc592c ber_scanf fmt ({m) ber: ber_dump: buf=0xa1e4780 ptr=0xa1e478c end=0xa1e48ba len=302 0000: 00 82 01 2a 04 0a 44 49 47 45 53 54 2d 4d 44 35 ...*..DIGEST-MD5 0010: 04 82 01 1a 75 73 65 72 6e 61 6d 65 3d 22 6c 64 ....username="ld 0020: 61 70 5f 75 73 65 72 22 2c 72 65 61 6c 6d 3d 22 ap_user",realm=" 0030: 6d 79 64 6f 6d 61 69 6e 2e 63 6f 6d 22 2c 6e 6f mydomain.com",no 0040: 6e 63 65 3d 22 68 4b 50 75 45 6f 79 69 6d 4b 2f nce="hKPuEoyimK/ 0050: 64 6c 42 49 56 6a 2f 54 35 59 78 54 49 36 6d 2f dlBIVj/T5YxTI6m/ 0060: 4e 54 75 77 71 63 77 44 73 36 65 71 2f 6d 57 49 NTuwqcwDs6eq/mWI 0070: 3d 22 2c 63 6e 6f 6e 63 65 3d 22 30 71 62 32 35 =",cnonce="0qb25 0080: 50 4b 31 4c 30 65 33 68 78 79 37 35 34 41 35 44 PK1L0e3hxy754A5D 0090: 5a 70 32 52 56 72 69 57 4d 52 46 41 46 72 6c 67 Zp2RVriWMRFAFrlg 00a0: 32 65 56 73 74 41 3d 22 2c 6e 63 3d 30 30 30 30 2eVstA=",nc=0000 00b0: 30 30 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 0001,qop=auth-co 00c0: 6e 66 2c 63 69 70 68 65 72 3d 72 63 34 2c 6d 61 
nf,cipher=rc4,ma 00d0: 78 62 75 66 3d 31 36 37 37 37 32 31 35 2c 64 69 xbuf=16777215,di 00e0: 67 65 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 70 gest-uri="ldap/p 00f0: 78 65 30 31 2e 61 72 63 68 73 79 73 74 65 6d 2e xe01.archsystem. 0100: 63 6f 6d 22 2c 72 65 73 70 6f 6e 73 65 3d 30 35 com",response=05 0110: 65 63 64 32 66 32 31 37 35 38 34 30 35 61 30 64 ecd2f21758405a0d 0120: 34 34 62 37 65 38 37 35 66 63 35 39 32 63 44b7e875fc592c ber_scanf fmt (m) ber: ber_dump: buf=0xa1e4780 ptr=0xa1e479c end=0xa1e48ba len=286 0000: 00 82 01 1a 75 73 65 72 6e 61 6d 65 3d 22 6c 64 ....username="ld 0010: 61 70 5f 75 73 65 72 22 2c 72 65 61 6c 6d 3d 22 ap_user",realm=" 0020: 6d 79 64 6f 6d 61 69 6e 2e 63 6f 6d 22 2c 6e 6f mydomain.com",no 0030: 6e 63 65 3d 22 68 4b 50 75 45 6f 79 69 6d 4b 2f nce="hKPuEoyimK/ 0040: 64 6c 42 49 56 6a 2f 54 35 59 78 54 49 36 6d 2f dlBIVj/T5YxTI6m/ 0050: 4e 54 75 77 71 63 77 44 73 36 65 71 2f 6d 57 49 NTuwqcwDs6eq/mWI 0060: 3d 22 2c 63 6e 6f 6e 63 65 3d 22 30 71 62 32 35 =",cnonce="0qb25 0070: 50 4b 31 4c 30 65 33 68 78 79 37 35 34 41 35 44 PK1L0e3hxy754A5D 0080: 5a 70 32 52 56 72 69 57 4d 52 46 41 46 72 6c 67 Zp2RVriWMRFAFrlg 0090: 32 65 56 73 74 41 3d 22 2c 6e 63 3d 30 30 30 30 2eVstA=",nc=0000 00a0: 30 30 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 0001,qop=auth-co 00b0: 6e 66 2c 63 69 70 68 65 72 3d 72 63 34 2c 6d 61 nf,cipher=rc4,ma 00c0: 78 62 75 66 3d 31 36 37 37 37 32 31 35 2c 64 69 xbuf=16777215,di 00d0: 67 65 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 70 gest-uri="ldap/p 00e0: 78 65 30 31 2e 61 72 63 68 73 79 73 74 65 6d 2e xe01.archsystem. 00f0: 63 6f 6d 22 2c 72 65 73 70 6f 6e 73 65 3d 30 35 com",response=05 0100: 65 63 64 32 66 32 31 37 35 38 34 30 35 61 30 64 ecd2f21758405a0d 0110: 34 34 62 37 65 38 37 35 66 63 35 39 32 63 44b7e875fc592c ber_scanf fmt (}}) ber: ber_dump: buf=0xa1e4780 ptr=0xa1e48ba end=0xa1e48ba len=0
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=282
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth' string='uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'}
[rw] authid: "uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,dc=mydomain,dc=com"
slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
>>> dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
<<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=ldap_user,ou=users,dc=mydomain,dc=com
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com"
SASL Canonicalize [conn=1000]: authzid="ldap_user"
SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com" authzid="ldap_user@mydomain.com"
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
SASL [conn=1000] Failure: not authorized
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
ber_flush2: 62 bytes to sd 12
  0000:  30 3c 02 01 02 61 37 0a 01 32 04 00 04 30 53 41   0<...a7..2...0SA
  0010:  53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69   SL(-14): authori
  0020:  7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20   zation failure: 
  0030:  6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64         not authorized
ldap_write: want=62, written=62
  0000:  30 3c 02 01 02 61 37 0a 01 32 04 00 04 30 53 41   0<...a7..2...0SA
  0010:  53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69   SL(-14): authori
  0020:  7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20   zation failure: 
  0030:  6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64         not authorized
conn=1000 op=1 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized
<== slap_sasl_bind: rc=50
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=12 for close
connection_close: conn=1000 sd=12
daemon: removing 12
conn=1000 fd=12 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
2011/2/15 Dan White dwhite@olp.net:
> On 14/02/11 23:47 +0900, Hiroyuki Sato wrote:
>> Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?
>> I'm not sure why this configuration does not work correctly, and it seems that the LDAP server compares the DN and the input password in LDAP authentication (see log below).
>> My Environment
>> OS: Ubuntu 10.10
>> OpenLDAP: 2.4.24 (built myself)
>> 1, slapd.conf
>> sasl-realm mydomain.com
>> sasl-auxprops sql
>> sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
> This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
>> 2, /usr/lib/sasl2/slapd.conf
>> pwcheck_method: auxprop
>> mech_list: DIGEST-MD5
>> log_level: 7
>> auxprop_plugin: sql
>> sql_verbose: yes
>> sql_engine: mysql
>> sql_hostnames: database.server.add.ress
>> sql_user: username
>> sql_passwd: password
>> sql_database: db_name
>> sql_select: select password from sasl_test where username = '%u@%r'
>> ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
>> Password:
>> ldap_sasl_interactive_bind_s: Insufficient access (50)
>> 5, log
>> <= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
>> slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
>> slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
> You want the 'uid' part of your rule to be a bit more restrictive, such as uid=([^,]+) so that it doesn't end up matching a longer string accidentally.
I changed slap
> -- Dan White
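The four "case" logs above and Dan's remark about uid=([^,]+) can be reproduced offline with a small model of what slapd does between "u:id converted to ..." and "[rw] authid: ... -> ...". The Python below is an added example written for this thread, not OpenLDAP code: it builds the internal uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth name, runs the slapd.conf sasl-regexp rules over it, and returns the first rewrite. Assumptions: the pattern is matched regexec-style (anywhere in the string, case-insensitively, unanchored unless the pattern anchors itself), $1..$9 in the replacement refer to capture groups as in slapd.conf(5), and the identity containing a comma that is used to contrast uid=(.*) with uid=([^,]+) is constructed for the demonstration.

```python
import re

# Added example, not OpenLDAP code: a model of slapd's SASL-identity-to-DN
# mapping so the thread's cases can be checked without a running slapd.

MECH = "DIGEST-MD5"

# The two rule shapes from the thread's slapd.conf. Note the unescaped '.'
# in mydomain.com is a regex wildcard here, exactly as in the posted config.
RULE_GREEDY = (r"uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth",
               "uid=$1,ou=users,dc=mydomain,dc=com")
RULE_RESTRICTIVE = (r"uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth",
                    "uid=$1,ou=users,dc=mydomain,dc=com")


def sasl_authc_dn(authcid, realm=None, mech=MECH):
    """Build the name slapd logs as 'u:id converted to ...'.

    The cn=<realm> RDN is present only when the SASL layer reports a realm
    for the bind; in the thread that happens only with sasl-realm set
    (case3), not when it is commented out (case1/2/4). The mechanism RDN is
    lowercased the way dnNormalize does in the log.
    """
    rdns = [f"uid={authcid}"]
    if realm:
        rdns.append(f"cn={realm}")
    rdns += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(rdns)


def _expand(match, replacement):
    """Substitute $N in a slapd.conf-style replacement with capture groups."""
    return re.sub(r"\$(\d)",
                  lambda g: match.group(int(g.group(1))) or "",
                  replacement)


def apply_sasl_regexp(sasl_dn, rules):
    """Return the DN produced by the first matching (pattern, replacement).

    Assumption: regexec-style search, case-insensitive. When no rule matches,
    slapd keeps the SASL name unchanged, which is what the case4 log shows
    ('[rw] authid' rewritten to itself) and why no real entry is found.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return _expand(m, replacement)
    return sasl_dn


def map_identity(authcid, realm, rules):
    """Authentication identity -> authorization DN, as slap_sasl2dn would."""
    return apply_sasl_regexp(sasl_authc_dn(authcid, realm), rules)


def has_rdn_separator(authcid):
    """Defensive check: an authcid carrying ',' should never be rewritten
    into a directory DN; uid=([^,]+) guarantees that by refusing to match."""
    return "," in authcid


if __name__ == "__main__":
    # case3: sasl-realm set, restrictive rule -> the real user entry
    print(map_identity("ldap_user", "mydomain.com", [RULE_RESTRICTIVE]))
    # case1/2/4: sasl-realm commented out -> no cn=realm RDN, rule never matches
    print(map_identity("ldap_user", None, [RULE_RESTRICTIVE]))
    # constructed authcid with a comma: the greedy rule produces a DN with an
    # extra RDN, the restrictive rule leaves the name unmapped
    for rule in (RULE_GREEDY, RULE_RESTRICTIVE):
        print(map_identity("a,cn=b", "mydomain.com", [rule]))
```

Running the file prints the four mappings: the first reproduces the "[rw] authid" line of the complete log (uid=ldap_user,ou=users,dc=mydomain,dc=com), the second reproduces case4, where the rule with cn=mydomain.com cannot match a name that has no realm RDN, and the last two show why Dan's [^,]+ matters: the greedy form hands a comma-bearing identity an unintended DN, the restrictive form simply declines to map it.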