Hello,
Thanks for replying.
Now, I am proceeding with the following steps but am still getting an error:
Steps:
1> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
2> cat /etc/openldap/slapd.conf
password-hash {CLEARTEXT}
sasl-auxprops slapd
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
*Note:* ACLs are given properly.
3> Then I'm trying to add the user:
cat add_sasl_accnt21.ldif
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword: sasluser21
objectClass: account
objectClass: simpleSecurityObject
4> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif
5> Now, when I do ldapsearch:
ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b 'uid=sasluser12,ou=System,o=xyz'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
In the log file I got a clue: it's trying to use modify dn.
Have a look please:
slapd[14125]: >>> dnPrettyNormal: <>
slapd[14125]: <<< dnPrettyNormal: <>, <>
slapd[14125]: conn=1228 op=1 BIND dn="" method=163
slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5
slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2
slapd[14125]: slap_sasl_getdn: u:id converted to uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=digest-md5,cn=auth>
slapd[14125]: ==>slap_sasl2dn: converting SASL name uid=uid\3Dsasluser21,cn=digest-md5,cn=auth to a DN
slapd[14125]: ==> rewrite_context_apply [depth=1] string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth'
slapd[14125]: ==> rewrite_rule_apply rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth' string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth' [1 pass(es)]
slapd[14125]: ==> rewrite_context_apply [depth=1] res={0,'uid=uid\3Dsasluser21,ou=System,o=xyz'}
slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=System,o=xyz
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=System,o=xyz>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=system,o=xyz>
slapd[14125]: <==slap_sasl2dn: Converted SASL name to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: slap_sasl_getdn: dn:id converted to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: => bdb_search
slapd[14125]: bdb_dn2entry("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: => bdb_dn2id("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz" "entry" requested
slapd[14125]: => dn: [2] o=xyz
slapd[14125]: => dn: [3] ou=subscribers,o=xyz
slapd[14125]: => acl_get: [4] attr entry
slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry" requested
slapd[14125]: => acl_mask: to all values by "", (=0)
slapd[14125]: <= check a_dn_pat: self
slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[14125]: => slap_access_allowed: disclose access denied by =0
slapd[14125]: => access_allowed: no more rules
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
slapd[14125]: SASL [conn=1228] Failure: no secret in database
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
In LDAP it is storing perfectly fine:
ldapsearch -x -D cn=Manager,o=xyz -W -b 'uid=sasluser21,ou=System,o=xyz'
# sasluser21, System, xyz
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbHVzZXIyMQ==
objectClass: account
objectClass: simpleSecurityObject
Now, kindly suggest, as proceeding in this direction too gave me an error :( :(
Thanks and Regards, Gaurav Gugnani
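The slapd log above shows the whole chain: slap_sasl_getdn builds `uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth` from the authcid that was passed with `-U uid=sasluser21` (the `=` is hex-escaped to `\3D`), the authz-regexp rewrites that into `uid=uid\3Dsasluser21,ou=System,o=xyz`, and the backend lookup for that DN fails, which is what slapd reports as "no secret in database". The Python below is an added model of those two steps, written by the editor and not part of this thread or of OpenLDAP itself. The RFC 4514 escaping, the case-insensitive authz-regexp matching and the in-memory directory are the editor's approximations; the entry, the rule and the function names are assumptions chosen to mirror the log.

```python
"""Model of how slapd turns a SASL authentication id into a directory DN.

Added illustration, not OpenLDAP source code. It mimics the two steps that
appear in the slapd log above: slap_sasl_getdn() building
uid=<authcid>,cn=<mech>,cn=auth with RFC 4514 escaping of the authcid, and
authz-regexp rewriting that into a DN which is then looked up in the
backend. The directory is a constructed in-memory dict, not a real bdb.
"""
import re

# Characters that RFC 4514 requires to be escaped inside an RDN value.
# slapd hex-escapes them, so '=' becomes '\3D' exactly as in the log.
_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 style)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _SPECIAL or (ch == '#' and i == 0)
                or (ch == ' ' and i in (0, last))):
            out.append('\\%02X' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def sasl_authcid_to_auth_dn(authcid, mech):
    """What slap_sasl_getdn() logs as 'u:id converted to ...'."""
    return 'uid=%s,cn=%s,cn=auth' % (escape_rdn_value(authcid), mech)


def normalize_dn(dn):
    """Approximation of dnNormalize: case-fold everything except hex escapes."""
    return re.sub(r'\\[0-9A-Fa-f]{2}|[^\\]+',
                  lambda m: m.group(0) if m.group(0).startswith('\\')
                  else m.group(0).lower(), dn)


def apply_authz_regexp(auth_dn, rules):
    """First matching authz-regexp wins; $N is replaced by capture N.

    slapd compiles these patterns case-insensitively, which is why a rule
    written with cn=DIGEST-MD5 matches the normalized cn=digest-md5 string
    in the log above.
    """
    for pattern, template in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m:
            dn = template
            for n, group in enumerate(m.groups(), start=1):
                dn = dn.replace('$%d' % n, group)
            return dn
    return auth_dn  # no rule matched: identity stays under cn=auth


# Constructed sample directory keyed by normalized DN (stands in for bdb).
DIRECTORY = {
    'uid=sasluser21,ou=system,o=xyz': {'userPassword': 'sasluser21'},
}

# The authz-regexp that appears in the thread.
RULES = [(r'uid=([^,]*),cn=DIGEST-MD5,cn=auth', 'uid=$1,ou=System,o=xyz')]


def lookup_secret(authcid, mech, rules, directory=DIRECTORY):
    """Return (normalized DN, userPassword or None).

    None is the condition slapd reports as 'no secret in database':
    the DN produced by the rewrite has no entry (or no userPassword).
    """
    auth_dn = normalize_dn(sasl_authcid_to_auth_dn(authcid, mech))
    dn = normalize_dn(apply_authz_regexp(auth_dn, rules))
    entry = directory.get(dn)
    if entry is None or 'userPassword' not in entry:
        return dn, None
    return dn, entry['userPassword']


if __name__ == '__main__':
    # Bare authcid: the rewrite lands on the real entry.
    print(lookup_secret('sasluser21', 'DIGEST-MD5', RULES))
    # Authcid given as 'uid=sasluser21': the '=' is escaped and the
    # resulting DN does not exist, reproducing the failure in the log.
    print(lookup_secret('uid=sasluser21', 'DIGEST-MD5', RULES))
```

Running it prints the successful mapping for the bare authcid first and then the `uid=uid\3Dsasluser21,ou=system,o=xyz` DN with no secret, the same DN the `bdb_dn2id` line in the log fails on. The model also lets one try a different authz-regexp (for example the `(.*)` form from the first config) or a different mechanism without restarting slapd.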
On Tue, Feb 7, 2012 at 8:37 PM, Dan White dwhite@olp.net wrote:
On 02/07/12 11:01 +0530, Gaurav Gugnani wrote:
Hello All,
Thanks to all for helping me out. I hope now the destination is not too far, as I achieved the SASL but it is storing using sasldb. However, I want it to store the information in the LDAP directory.
I've installed the corresponding package: cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
Steps for SASL in LDAP using sasldb
------------------------------------------------------
1> saslpasswd2 -c sasluser14
2> sasldblistusers2
I can't stress enough that these commands are going to confuse you when using slapd. There really are only a few advanced uses for using these commands in your desired environment.
3> service ldap stop
4> vi etc/openldap/slapd.conf
sasl-auxprops sasldb
This is the wrong thing to do. You should remove this option if you wish to have slapd use userPassword to authenticate your users. By specifying sasldb here, you're instructing slapd, by way of libsasl2, to authenticate your users against /etc/sasldb2.
Also,
sasl-auxprops ldapdb
would also be the wrong thing to do. In addition to 'sasldb' and 'ldapdb', slapd implements its own auxprop plugin called 'slapd', which is the default and which Does the Right Thing (TM). However, be aware that 'slapd' will not show up in the output of pluginviewer (or at least I'm not aware of a way to make it do so).
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
- Give proper ACL to sasluser14
5> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: sasldb
Again this is the wrong thing to do. In recent versions of slapd this value is overridden by 'sasl-auxprops'.
#auxprop_plugin: slapd
You should uncomment this if using older versions of slapd. For newer versions of slapd, 'sasl-auxprops' defaults to slapd.
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
CRAM-MD5 and DIGEST-MD5 are fine here. If you really want to use PLAIN and LOGIN, specify a relaxed 'sasl-secprops' within your slapd configuration.
sasldb_path: /etc/sasldb2
Unnecessary.
6> service ldap start
7> ps -eaf | grep -i ldap
8> vi add_sasl_accnt14.ldif
# TEST Account for SASL:
dn: uid=sasluser14,ou=System,o=xyz
uid: sasluser14
ou: System
description: Special account for SASL Testing
userPassword: sasluser14
objectClass: account
objectClass: simpleSecurityObject
9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b 'uid=sasluser7,ou=system,o=xyz'
But now the problem is that it is storing the users in sasldb, and we want to use the LDAP directory. Can anyone please suggest what changes I need to make to achieve it?
See above.
On 02/07/12 16:43 +0530, Gaurav Gugnani wrote:
Hello All,
I was working on this problem and figured out that the ldapdb auxprop plugin is missing.
/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
Installed SASL (server side) mechanisms are: CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL ...
Installed auxprop mechanisms are: sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
supports store: yes
I read that to use such a thing, the ldapdb auxprop plugin should be enabled. http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-September/001552.html
ldapdb should only be used from outside of slapd. For instance, if you were running a mail server that you wish to authenticate against slapd, then ldapdb would be appropriate.
-- Dan White