On 14/02/11 23:47 +0900, Hiroyuki Sato wrote:
> Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?
> I'm not sure why this configuration does not work correctly, and it seems that the LDAP server compares the DN and the input password in LDAP authentication (see log below).
> My environment: OS: Ubuntu 10.10, OpenLDAP: 2.4.24 (built myself)
> 1, slapd.conf
> sasl-realm mydomain.com
> sasl-auxprops sql
> sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
> 2, /usr/lib/sasl2/slapd.conf
> pwcheck_method: auxprop
> mech_list: DIGEST-MD5
> log_level: 7
> auxprop_plugin: sql
> sql_verbose: yes
> sql_engine: mysql
> sql_hostnames: database.server.add.ress
> sql_user: username
> sql_passwd: password
> sql_database: db_name
> sql_select: select password from sasl_test where username = '%u@%r'
>
> ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
> Password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>
> 5, log
> <= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
> slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
> slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
You want the 'uid' part of your rule to be a bit more restrictive, such as uid=([^,]+) so that it doesn't end up matching a longer string accidentally.
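The two points in the reply, worked through as an added example (not code from the thread or from OpenLDAP): a small model of how sasl-regexp rewrites the SASL authorization DN, run against the DN that appears in the posted log. It assumes slapd matches the rule anywhere in the string, case-insensitively, and substitutes $1 with the first capture group; the extra-RDN input is constructed here to show why `[^,]+` is safer than `.*`.

```python
import re

# Constructed model of slapd's sasl-regexp rewriting (assumption: the
# pattern is searched case-insensitively, not anchored, and $1 is the
# first capture group). Returns the mapped DN or None if no match.
def sasl_regexp(pattern: str, replacement: str, auth_dn: str):
    m = re.search(pattern, auth_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    return replacement.replace("$1", m.group(1))

# The authorization DN slapd built according to the posted log: the realm
# "mydomain.com" has already been canonicalized to cn=mydomain,dc=com.
LOGGED_AUTH_DN = "uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth"
TARGET = "uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com"

# Rule as posted: realm written as cn=mydomain.com (where the unescaped
# '.' is a regex wildcard, not a literal dot) and a greedy (.*) capture.
POSTED_RULE = r"uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth"
# Realm corrected to the canonicalized form, capture still greedy.
GREEDY_RULE = r"uid=(.*),cn=mydomain,dc=com,cn=digest-md5,cn=auth"
# Both corrections from the reply: canonical realm and one-RDN capture.
FIXED_RULE = r"uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth"

# Constructed input with an unexpected extra RDN between uid and realm.
EXTRA_RDN_DN = "uid=ldap_user,cn=extra,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth"

def map_logged_dn():
    """Posted rule never matches the logged DN; the fixed rule maps it."""
    return {"posted": sasl_regexp(POSTED_RULE, TARGET, LOGGED_AUTH_DN),
            "fixed": sasl_regexp(FIXED_RULE, TARGET, LOGGED_AUTH_DN)}

def map_extra_rdn_dn():
    """Greedy (.*) swallows the extra RDN into $1; [^,]+ refuses to map."""
    return {"greedy": sasl_regexp(GREEDY_RULE, TARGET, EXTRA_RDN_DN),
            "fixed": sasl_regexp(FIXED_RULE, TARGET, EXTRA_RDN_DN)}

if __name__ == "__main__":
    print(map_logged_dn())
    print(map_extra_rdn_dn())
```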