On a redhat 6, openldap 2.4 and cyrus-sasl 2.1.23.
I create a sasldb syncuser user, in my slapd.d configuration I add:
OlcAuthzRegexp: {0} " uid=syncuser, cn=DIGEST-MD5, cn=auth " " cn=syncuser, dc=xxx, dc=fr "
I give the right of reading has the utisilsateur ldap on sasldb.
PB during a ldapsearch:
# ldapsearch -Y DIGEST-MD5-U syncuser
ldap_sasl_interactive_bind_s: Invalid credentials ( 49 ) additional information: SASL ( 13 ): use(wear out) not found: no secret in database
Slapd in debug mode(fashion) sends back(dismisses) to me:
slapd[2608]: do_bind: dn () SASL mech DIGEST-MD5
slapd[2608]:slapd[2608]: ==> sasl_bind: dn="" mech=<continuing> datalen=277
slapd[2608]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2
slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser"
slapd[2608]: slap_sasl_getdn: conn 1002 id=syncuser [len=8]
slapd[2608]: slap_sasl_getdn: u:id converted to uid=syncuser,cn=DIGEST-MD5,cn=auth
slapd[2608]: >>> dnNormalize: <uid=syncuser,cn=DIGEST-MD5,cn=auth>
slapd[2608]: <<< dnNormalize: <uid=syncuser,cn=digest-md5,cn=auth>
slapd[2608]: ==>slap_sasl2dn: converting SASL name uid=syncuser,cn=digest-md5,cn=auth to a DN
slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" -> "cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: slap_parseURI: parsing cn=syncuser,dc=xxx,dc=fr
slapd[2608]: >>> dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <<< dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <==slap_sasl2dn: Converted SASL name to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: slap_sasl_getdn: dn:id converted to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: SASL Canonicalize [conn=1002]: slapAuthcDN="cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: => hdb_search
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]:
slapd[2608]: daemon: epoll: listen=7 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=8 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=9 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=10 active_threads=1 tvp=zero
slapd[2608]: bdb_dn2entry("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: => hdb_dn2id("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[2608]: => access_allowed: disclose access to "dc=xxx,dc=fr" "entry" requested
slapd[2608]: => dnpat: [5] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [6] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dn: [7] ou=people,dc=xxx,dc=fr
slapd[2608]: => dn: [8] ou=admin,dc=xxx,dc=fr
slapd[2608]: => dn: [9] ou=services,dc=xxx,dc=fr
slapd[2608]: => dnpat: [10] ou=groups,ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [11] ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => acl_get: [12] attr entry
slapd[2608]: => acl_mask: access to entry "dc=xxx,dc=fr", attr "entry" requested
slapd[2608]: => acl_mask: to all values by "", (=0)
slapd[2608]: <= check a_dn_pat: *
slapd[2608]: <= acl_mask: [2] applying read(=rscxd) (stop)
slapd[2608]: <= acl_mask: [2] mask: read(=rscxd)
slapd[2608]: => slap_access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: => access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text=""
slapd[2608]: SASL Canonicalize [conn=1002]: authzid="syncuser"
slapd[2608]: SASL [conn=1002] Failure: no secret in database
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
slapd[2608]: send_ldap_response: msgid=2 tag=97 err=49
slapd[2608]: conn=1002 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
slapd[2608]: <== slap_sasl_bind: rc=49
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]: 31r
Thank you for your suggestions.
B Chataigne