Hi White, 1. I expect user credentials of liji1 to be retrieved from sasldb, I create user liji1 with command: saslpasswd2 -c liji1, and follow administrator guide, The DIGEST-MD5 mechanism produces authentication IDs of the form: uid=<username>,cn=<realm>,cn=digest-md5,cn=auth so I think ldap would use uid=liji1,cn=digest-md5,cn=auth to retrieve from sasldb.
2. I have added auth.debug and log_level: 7, and rerun the test, got some logs as below: Syslog: Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 fd=12 ACCEPT from IP=127.0.0.1:59928 (IP=0.0.0.0:389) Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SRCH attr=supportedSASLMechanisms Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text= Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 BIND dn="" method=163 Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required Jun 22 10:17:17 bjims31 ldapwhoami: DIGEST-MD5 client step 2 Jun 22 10:17:20 bjims31 ldapwhoami: DIGEST-MD5 client step 2 Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 BIND dn="" method=163 Jun 22 10:17:20 bjims31 slapd[19846]: SASL [conn=0] Failure: no secret in database Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 fd=12 closed (connection lost)
Slapd log : slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=0 connection_read(12): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 70 contents: op tag 0x63, time 1277173037 ber_get_next conn=0 op=0 do_search ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> ber_scanf fmt (m) ber: ber_scanf fmt ({M}}) ber: => send_search_entry: conn 0 dn="" ber_flush2: 82 bytes to sd 12 <= send_search_entry: conn 0 exit. send_ldap_result: conn=0 op=0 p=3 send_ldap_response: msgid=1 tag=101 err=0 ber_flush2: 22 bytes to sd 12 connection_get(12): got connid=0 connection_read(12): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 32 contents: op tag 0x60, time 1277173037 ber_get_next conn=0 op=1 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> do_bind: dn () SASL mech DIGEST-MD5 SASL [conn=0] Debug: DIGEST-MD5 server step 1 send_ldap_sasl: err=14 len=180 send_ldap_response: msgid=2 tag=97 err=14 ber_flush2: 269 bytes to sd 12 <== slap_sasl_bind: rc=14 connection_get(12): got connid=0 connection_read(12): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 296 contents: op tag 0x60, time 1277173040 ber_get_next conn=0 op=2 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> do_bind: dn () SASL mech DIGEST-MD5 SASL [conn=0] Debug: DIGEST-MD5 server step 2 slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth> ==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN ==> rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth' ==> rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)] ==> rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'} slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth> <==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth SASL [conn=0] Failure: no secret in database send_ldap_result: conn=0 op=2 p=3 send_ldap_response: msgid=3 tag=97 err=49 ber_flush2: 70 bytes to sd 12 <== slap_sasl_bind: rc=49 connection_get(12): got connid=0 connection_read(12): checking for input on id=0 ber_get_next ber_get_next on fd 12 failed errno=0 (Success) connection_close: conn=0 sd=12
-----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Tuesday, June 22, 2010 1:06 AM To: LI Ji D Cc: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 21/06/10 09:52 +0800, LI Ji D wrote:
- Then I configure the slapd.conf to be like this:
authz-policy to sasl-regexp "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth" database bdb suffix "dc=example,dc=com" rootdn "uid=111,cn=digest-md5,cn=auth"
Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop auxprop_plugin: sasldb mech_list: plain login ntlm cram-md5 digest-md5
Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389', but fails with reason: user not found: no secret in database. The log of slapd is:
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
It's not clear which user credentials are being retrieved from sasldb. Is it uid=liji1,cn=digest-md5,cn=auth or liji1?
You could increase your cyrus debugging to get more information out of syslog: Add an:
auth.debug...
to your syslog configuration, and add this to your /usr/lib/sasl2/slapd.conf:
log_level: 7