On Thu, Dec 13, 2012 at 11:46:57AM -0600, Dan White wrote:
> Look at your sasl slapd.conf if it exists (e.g. /usr/lib/sasl2/slapd.conf, or /etc/sasl/slapd.conf).
> If you have a mech_list listed within that file, then either comment it out, or add EXTERNAL to it.
That fixes it. The goal is to let the slapd pseudo-user reconnect to slapd so that the SASL LDAPDB plugin works. It does connect, but LDAPDB does not work. Here is the config:
sasl2/slapd.conf:

    pwcheck_method: auxprop
    auxprop_plugin: ldapdb
    mech_list: EXTERNAL DIGEST-MD5 PLAIN LOGIN
    ldapdb_uri: ldapi:///
    ldapdb_id: cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net
    ldapdb_mech: EXTERNAL
    log_level: 7
in openldap/slapd.conf:

    authz-regexp "uidNumber=401,cn=peercred,cn=external,cn=auth"
        "cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net"
    authz-regexp uid=([^,]*),cn=external,cn=auth
        "ldap:///dc=example,dc=net??sub?(uid=$1)"
in /etc/passwd:

    slapd:*:401:1000:openldap-server slapd user:/nonexistent:/sbin/nologin

In the LDAP DIT:

    dn: cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net
    objectClass: organizationalRole
    cn: ldap.example.net
    ou: pseudo-users
    authzTo: {0}dn:*

This works:

    # su -m slapd -c 'ldapwhoami -Y EXTERNAL -H ldapi:///'
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=1000+uidNumber=401,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    dn:cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net

This also works:

    # su -m slapd -c 'ldapwhoami -X u:someone -Y EXTERNAL -H ldapi:///'
    SASL/EXTERNAL authentication started
    SASL username: u:someone
    SASL SSF: 0
    dn:uid=someone,dc=example,dc=net

However, this does not work:

    # su -m someone -c 'ldapwhoami -U uid=someone,dc=example,dc=net \
        -Y PLAIN -H ldaps://ldap.example.com'

The logs say:

    conn=2455 op=0 BIND dn="uid=someone,dc=example,dc=net" method=163
    SASL [conn=2455] Failure: Password verification failed
    conn=2455 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed
    conn=2455 op=1 UNBIND
I must be missing how the LDAPDB plugin works. Any hint?
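The slapd "stats" log lines quoted in this message (BIND, SASL [conn=N] failure, RESULT with err=49) are exactly what an operator watches to spot failing SASL binds, whether caused by a misconfigured auxprop plugin as here or by someone guessing passwords. The following Python parser is an added example and is not part of this thread or of OpenLDAP; it assumes slapd's default stats log format as shown above, and its sample input is constructed: the four lines from the message plus a hypothetical successful bind on conn=2456 so the parser has something to pass over.

```python
import re
from collections import defaultdict

# Constructed sample input: the log lines from the post, plus a made-up
# successful SASL bind (conn=2456) that must NOT be reported.
SAMPLE_LOG = """\
conn=2455 op=0 BIND dn="uid=someone,dc=example,dc=net" method=163
SASL [conn=2455] Failure: Password verification failed
conn=2455 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed
conn=2455 op=1 UNBIND
conn=2456 op=0 BIND dn="cn=ldap.example.net,ou=pseudo-users,dc=example,dc=net" method=163
conn=2456 op=0 RESULT tag=97 err=0 text=
"""

# slapd stats-level log line shapes (BIND request, SASL library message,
# operation RESULT). Anything else is ignored.
BIND_RE = re.compile(
    r'^conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
SASL_RE = re.compile(r'^SASL \[conn=(?P<conn>\d+)\] (?P<msg>.*)$')
RESULT_RE = re.compile(
    r'^conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)$')

METHOD_SASL = 163             # BIND method value slapd logs for SASL binds (simple is 128)
TAG_BIND_RESPONSE = 97        # LDAP BindResponse tag (0x61)
LDAP_INVALID_CREDENTIALS = 49 # LDAP result code invalidCredentials


def parse_bind_failures(log_text):
    """Return one dict per failed BIND, correlating the BIND request, any
    SASL [conn=N] messages on that connection, and the BindResponse RESULT
    by (conn, op)."""
    pending = {}                  # (conn, op) -> {'dn', 'method'} awaiting a RESULT
    sasl_msgs = defaultdict(list) # conn -> SASL library messages seen so far
    failures = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            pending[(m['conn'], m['op'])] = {'dn': m['dn'], 'method': int(m['method'])}
            continue
        m = SASL_RE.match(line)
        if m:
            sasl_msgs[m['conn']].append(m['msg'])
            continue
        m = RESULT_RE.match(line)
        if not m or int(m['tag']) != TAG_BIND_RESPONSE:
            continue
        bind = pending.pop((m['conn'], m['op']), None)
        msgs = sasl_msgs.pop(m['conn'], [])
        if bind is None or int(m['err']) == 0:
            continue  # no matching request, or the bind succeeded
        failures.append({
            'conn': int(m['conn']),
            'op': int(m['op']),
            'dn': bind['dn'],
            'sasl': bind['method'] == METHOD_SASL,
            'err': int(m['err']),
            'invalid_credentials': int(m['err']) == LDAP_INVALID_CREDENTIALS,
            'text': m['text'],
            'sasl_messages': msgs,
        })
    return failures


def failures_by_dn(failures):
    """Count failed binds per bind DN, the number an alert threshold would key on."""
    counts = defaultdict(int)
    for f in failures:
        counts[f['dn']] += 1
    return dict(counts)


if __name__ == '__main__':
    for f in parse_bind_failures(SAMPLE_LOG):
        kind = 'SASL' if f['sasl'] else 'simple'
        print(f"conn={f['conn']} op={f['op']} {kind} bind as {f['dn']!r} failed "
              f"err={f['err']}: {f['text']}")
        for msg in f['sasl_messages']:
            print(f"    SASL: {msg}")
    print(failures_by_dn(parse_bind_failures(SAMPLE_LOG)))
```

The point of keying on (conn, op) is that slapd logs the BIND request, the SASL library message and the RESULT as separate lines, so a reliable report has to join them rather than grep for err=49 alone; a DN with a rising failure count is the signal worth alerting on, while a single err=49 carrying "user not found" from the auxprop layer points at the server-side plugin configuration rather than at the client.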