On 12/17/12 16:40 +0000, Emmanuel Dreyfus wrote:
On Thu, Dec 13, 2012 at 11:46:57AM -0600, Dan White wrote:
Look at your sasl slapd.conf if it exists (e.g. /usr/lib/sasl2/slapd.conf, or /etc/sasl/slapd.conf).
If you have a mech_list listed within that file, then either comment it out, or add EXTERNAL to it.
That fixes it. The goal is to let the slapd pseudo-user reconnect to slapd so that SASL LDAPDB plugin works. It does connect but LDAPDB does not work. here is the config:
sasl2/slapd.conf: pwcheck_method: auxprop auxprop_plugin: ldapdb mech_list: EXTERNAL DIGEST-MD5 PLAIN LOGIN ldapdb_uri: ldapi:/// ldapdb_id: cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net ldapdb_mech: EXTERNAL log_level: 7
You should not use the ldapdb auxprop plugin within slapd's sasl config. You should be using 'slapd' instead, which is the default (it's an internal auxprop plugin distributed with OpenLDAP).
If you are running version 2.4.17 or newer, the 'auxprop_plugin' option is ignored anyway, and you must configure olcSaslAuxprops if you really wish to use a different auxprop plugin.
in openldap/dlapd.conf: authz-regexp "uidNumber=401,cn=peercred,cn=external,cn=auth" "cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net" authz-regexp uid=([^,]*),cn=external,cn=auth "ldap:///dc=example,dc=net??sub?(uid=$1)
in /etc/passwd: slapd:*:401:1000:openldap-server slapd user:/nonexistent:/sbin/nologin
In LDAP DIT: dn: cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net objectClass: organizationalRole cn: ldap.example.net ou: pseudo-users authzTo: {0}dn:*
This works: # su -m slapd -c 'ldapwhoami -Y EXTERNAL -H ldapi:///' SASL/EXTERNAL authentication started SASL username: gidNumber=1000+uidNumber=401,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn:cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net
This also works: # su -m slapd -c 'ldapwhoami -X u:someone -Y EXTERNAL -H ldapi:///' SASL/EXTERNAL authentication started SASL username: u:someone SASL SSF: 0 dn:uid=someone,dc=example,dc=net
However this does not work: # su -m someone -c 'ldapwhoami -U uid=someone,dc=example,dc=net \ -Y PLAIN -H ldaps://ldap.example.com'
logs say: conn=2455 op=0 BIND dn="uid=someone,dc=example,dc=net" method=163 SASL [conn=2455] Failure: Password verification failed conn=2455 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed conn=2455 op=1 UNBIND
I must be missing how the LDAPDB plugin works. Any hint?
That command doesn't make sense. '-U uid=someone,dc=example,dc=net' should be '-U someone' instead, and you should create new authz-regexp rules to map a sasl PLAIN identity of 'someone' to uid=someone,dc=example,dc=net.
You could also do:
su -m someone -c 'ldapwhoami -Y EXTERNAL -H ldapi:///'
with an appropriately written authz-regexp rule. 'someone' would need unix file permissions to access your ldapi unix socket.