Hi Dan
Thank you for your information. I also succeeded in authenticating with DIGEST-MD5 using sasldb.
-- Hiroyuki Sato
Here is my test environment
OpenLDAP
1, Environment
OS: ubuntu 10.10 OpenLDAP: 2.4.24 built from source for gdb debugging. The stock Ubuntu slapd does not work correctly either.
2, slapd.conf
This is the complete slapd.conf (no ACLs)
include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/nis.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args database bdb suffix "dc=mydomain,dc=com" rootdn "cn=Manager,dc=mydomain,dc=com" rootpw secret directory /usr/local/var/openldap-data index objectClass eq loglevel -1 sasl-regexp uid=([^@]+)([^,]+),cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
sasl-auxprops sql
3, gdb trace
This is the trace:
ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)' Password: password1
(gdb) attach 10590 (gdb) b slap_sasl_authorized (gdb) continue
Breakpoint 1, slap_sasl_authorized (op=0x9658e28, authcDN=0xb710ae98, authzDN=0xb710ae90) at ../../../servers/slapd/saslauthz.c:2041 2041 if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
(gdb) print * op $1 = {o_hdr = 0x9658f00, o_tag = 96, o_time = 1298003868, o_tincr = 0, o_bd = 0x81db680, o_req_dn = {bv_len = 0, bv_val = 0xb6809010 ""}, o_req_ndn = {bv_len = 0, bv_val = 0xb6809020 ""}, o_request = {oq_add = { rs_modlist = 0xa3, rs_e = 0x12f}, oq_bind = {rb_method = 163, rb_cred = { bv_len = 303, bv_val = 0x9659460 "username="ldap_user@mydomain.com",realm="pxe01.archsystem.com",nonce="9FBkp4LRSgftC5+z7Kh6CofOvvuSvNgpgU756AIC2rI=",cnonce="nqR7oxRAZWWufPf9ZIqj0WPL99kcFatcZSfAGrOTbVM=",nc=00000001,qop=auth-conf,ciph"...}, rb_edn = {bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_mech = {bv_len = 10, bv_val = 0x9659452 "DIGEST-MD5"}}, oq_compare = {rs_ava = 0xa3}, oq_modify = {rs_mods = {rs_modlist = 0xa3, rs_no_opattrs = 47 '/'}, rs_increment = 157652064}, oq_modrdn = {rs_mods = {rs_modlist = 0xa3, rs_no_opattrs = 47 '/'}, rs_deleteoldrdn = 157652064, rs_newrdn = { bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0, bv_val = 0xa <Address 0xa out of bounds>}, rs_newSup = 0x9659452, rs_nnewSup = 0x0}, oq_search = {rs_scope = 163, rs_deref = 303, rs_slimit = 157652064, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly = 0, rs_attrs = 0xa, rs_filter = 0x9659452, rs_filterstr = {bv_len = 0, bv_val = 0x0}}, oq_abandon = {rs_msgid = 163}, oq_cancel = { rs_msgid = 163}, oq_extended = {rs_reqoid = {bv_len = 163, bv_val = 0x12f <Address 0x12f out of bounds>}, rs_flags = 157652064, rs_reqdata = 0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = { bv_len = 163, bv_val = 0x12f <Address 0x12f out of bounds>}, rs_flags = 157652064, rs_reqdata = 0x0}, rs_old = {bv_len = 0, bv_val = 0x0}, rs_new = {bv_len = 10, bv_val = 0x9659452 "DIGEST-MD5"}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000', o_is_auth_check = 0 '\000', o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0 '\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31 
times>, o_controls = 0x9659028, o_authz = {sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = { bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 0}, o_ber = 0x96590b0, o_res_ber = 0x0, o_callback = 0x9658698, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0, o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}} (gdb) print authcDN $2 = (struct berval *) 0xb710ae98 (gdb) print * authcDN $3 = {bv_len = 41, bv_val = 0x965a0ec "uid=ldap_user,ou=users,dc=mydomain,dc=com"} (gdb) print * authzDN $4 = {bv_len = 1936941424, bv_val = 0x965a0c4 "password1"}
(gdb) n 2047 if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) { (gdb) n 2051 Debug( LDAP_DEBUG_TRACE, (gdb) n 2057 if ( dn_match( authcDN, authzDN ) ) { (gdb) n 2063 if( op->o_conn->c_authz_backend && (gdb) n 2064 be_isroot_dn( op->o_conn->c_authz_backend, authcDN )) (gdb) n 2063 if( op->o_conn->c_authz_backend && (gdb) n 2071 if( authz_policy & SASL_AUTHZ_TO ) { (gdb) n 2080 if( authz_policy & SASL_AUTHZ_FROM ) { (gdb) n 2092 Debug( LDAP_DEBUG_TRACE, (gdb) n 2083 if( rc == LDAP_SUCCESS ) { (gdb) n 2092 Debug( LDAP_DEBUG_TRACE, (gdb) n 2096 } (gdb) print rc $5 = 48
2011/2/18 Dan White dwhite@olp.net:
On 17/02/11 18:51 +0900, Hiroyuki Sato wrote:
However authentication still failed.
I'm not sure why slap_sasl_authorized compares the input password.
-- from debug message ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
That's pretty strange. Which version of openldap are you running?
Does this command make any difference?:
ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com \ -X u:ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
1, new configuration
database bdb suffix "dc=mydomain,dc=com" rootdn "cn=Manager,dc=mydomain,dc=com" sasl-regexp uid=([^@]+)([^,]+),cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com sasl-auxprops sql
ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)' SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Insufficient access (50)
2, /usr/lib/sasl2/slapd.conf pwcheck_method: auxprop mech_list: DIGEST-MD5 log_level: 7 auxprop_plugin: sql sql_verbose: yes sql_engine: mysql sql_hostnames: host.addre.ss sql_user: username sql_passwd: password sql_database: database # # no realm # sql_select: select password from sasl_test where username = '%u'
2, log
conn=1000 op=1 BIND dn="" method=163 do_bind: dn () SASL mech DIGEST-MD5 ==> sasl_bind: dn="" mech=<continuing> datalen=303 SASL [conn=1000] Debug: DIGEST-MD5 server step 2 SASL Canonicalize [conn=1000]: authcid="ldap_user@mydomain.com" slap_sasl_getdn: conn 1000 id=ldap_user@mydomain.com [len=22] => ldap_dn2bv(16) <= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0 slap_sasl_getdn: u:id converted to uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth,0) <= ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth)=0 <<< dnNormalize: <uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth> ==>slap_sasl2dn: converting SASL name uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth to a DN ==> rewrite_context_apply [depth=1] string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth' ==> rewrite_rule_apply rule='uid=([^@]+)([^,]+),cn=digest-md5,cn=auth' string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth' [1 pass(es)] ==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'} [rw] authid: "uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,dc=mydomain,dc=com" slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0) <= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0 => ldap_dn2bv(272) <= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0 <<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com> <==slap_sasl2dn: Converted SASL name to uid=ldap_user,ou=users,dc=mydomain,dc=com slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com" SASL Canonicalize [conn=1000]: authzid="ldap_user@mydomain.com" SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com" authzid="ldap_user@mydomain.com" ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1? <== slap_sasl_authorized: return 48 SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48) SASL [conn=1000] Failure: not authorized send_ldap_result: conn=1000 op=1 p=3 send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized" send_ldap_response: msgid=2 tag=97 err=50
In version 2.4.23, the authorization should succeed at (in servers/slapd/saslauthz.c):
/* Check if a bind can SASL authorize to another identity.
- The DNs should not have the dn: prefix
*/
int slap_sasl_authorized( Operation *op, struct berval *authcDN, struct berval *authzDN ) { int rc = LDAP_INAPPROPRIATE_AUTH;
/* User binding as anonymous */ if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) { rc = LDAP_SUCCESS; goto DONE; }
/* User is anonymous */ if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) { goto DONE; }
Debug( LDAP_DEBUG_TRACE, "==>slap_sasl_authorized: can %s become %s?\n", authcDN->bv_len ? authcDN->bv_val : "(null)", authzDN->bv_len ? authzDN->bv_val : "(null)", 0 );
/* If person is authorizing to self, succeed */ if ( dn_match( authcDN, authzDN ) ) { rc = LDAP_SUCCESS; goto DONE; } ... }
So I'm not sure why you would be seeing anything other than:
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become uid=ldap_user,ou=users,dc=mydomain,dc=com?
But it's probably related to why your authentication is failing.
I've gotten this to work before with sasldb and digest-md5:
http://web.olp.net/dwhite/openldap/sasldb-notes.txt
Could you post your slapd config? or at least your ACLs?
-- Dan White