On 17/02/11 18:51 +0900, Hiroyuki Sato wrote:
> However authentication still failed.
> I'm not sure why slap_sasl_authorized compares the input password.
> -- from debug message
> ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
That's pretty strange. Which version of openldap are you running?
Does this command make any difference?:
ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com \
    -X u:ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
> 1, new configuration
>
> database bdb
> suffix "dc=mydomain,dc=com"
> rootdn "cn=Manager,dc=mydomain,dc=com"
> sasl-regexp
>     uid=([^@]+)([^,]+),cn=digest-md5,cn=auth
>     uid=$1,ou=users,dc=mydomain,dc=com
> sasl-auxprops sql
>
> ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>
> 2, /usr/lib/sasl2/slapd.conf
>
> pwcheck_method: auxprop
> mech_list: DIGEST-MD5
> log_level: 7
> auxprop_plugin: sql
> sql_verbose: yes
> sql_engine: mysql
> sql_hostnames: host.addre.ss
> sql_user: username
> sql_passwd: password
> sql_database: database
> #
> # no realm
> #
> sql_select: select password from sasl_test where username = '%u'
>
> 2, log
>
> conn=1000 op=1 BIND dn="" method=163
> do_bind: dn () SASL mech DIGEST-MD5
> ==> sasl_bind: dn="" mech=<continuing> datalen=303
> SASL [conn=1000] Debug: DIGEST-MD5 server step 2
> SASL Canonicalize [conn=1000]: authcid="ldap_user@mydomain.com"
> slap_sasl_getdn: conn 1000 id=ldap_user@mydomain.com [len=22]
> => ldap_dn2bv(16)
> <= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
> slap_sasl_getdn: u:id converted to uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth
> >>> dnNormalize: <uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth>
> => ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth,0)
> <= ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth)=0
> <<< dnNormalize: <uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth to a DN
> ==> rewrite_context_apply [depth=1] string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth'
> ==> rewrite_rule_apply rule='uid=([^@]+)([^,]+),cn=digest-md5,cn=auth' string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth' [1 pass(es)]
> ==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'}
> [rw] authid: "uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,dc=mydomain,dc=com"
> slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
> ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
> >>> dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
> => ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
> <= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
> <<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
> <==slap_sasl2dn: Converted SASL name to uid=ldap_user,ou=users,dc=mydomain,dc=com
> slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com
> SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com"
> SASL Canonicalize [conn=1000]: authzid="ldap_user@mydomain.com"
> SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com" authzid="ldap_user@mydomain.com"
> ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
> <== slap_sasl_authorized: return 48
> SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
> SASL [conn=1000] Failure: not authorized
> send_ldap_result: conn=1000 op=1 p=3
> send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
> send_ldap_response: msgid=2 tag=97 err=50
In version 2.4.23, the authorization should succeed at (in servers/slapd/saslauthz.c):
/* Check if a bind can SASL authorize to another identity.
 * The DNs should not have the dn: prefix
 */
int slap_sasl_authorized( Operation *op,
    struct berval *authcDN, struct berval *authzDN )
{
    int rc = LDAP_INAPPROPRIATE_AUTH;

    /* User binding as anonymous */
    if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
        rc = LDAP_SUCCESS;
        goto DONE;
    }

    /* User is anonymous */
    if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
        goto DONE;
    }

    Debug( LDAP_DEBUG_TRACE,
        "==>slap_sasl_authorized: can %s become %s?\n",
        authcDN->bv_len ? authcDN->bv_val : "(null)",
        authzDN->bv_len ? authzDN->bv_val : "(null)", 0 );

    /* If person is authorizing to self, succeed */
    if ( dn_match( authcDN, authzDN ) ) {
        rc = LDAP_SUCCESS;
        goto DONE;
    }
    ...
}
So I'm not sure why you would be seeing anything other than:
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become uid=ldap_user,ou=users,dc=mydomain,dc=com?
But it's probably related to why your authentication is failing.
I've gotten this to work before with sasldb and digest-md5:
http://web.olp.net/dwhite/openldap/sasldb-notes.txt
Could you post your slapd config, or at least your ACLs?
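As an added illustration (not code from this thread or from OpenLDAP), the following Python models the two steps the log above walks through: the sasl-regexp mapping of the SASL authcid to a directory DN, and the early checks of slap_sasl_authorized() quoted from saslauthz.c. The regex application and dn_match() are simplified assumptions about slapd's behaviour; the return value 48 is LDAP_INAPPROPRIATE_AUTH, which is the "return 48" in the log.

```python
import re

# Result codes from <ldap.h>: LDAP_SUCCESS = 0, LDAP_INAPPROPRIATE_AUTH = 0x30 (48).
LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48

# Constructed copy of the sasl-regexp rule from the slapd.conf in this thread:
# (POSIX pattern, replacement template with $1..$9 back-references).
SASL_REGEXP_RULES = [
    (r"uid=([^@]+)([^,]+),cn=digest-md5,cn=auth",
     "uid=$1,ou=users,dc=mydomain,dc=com"),
]


def sasl_id_to_dn(sasl_id, mech="digest-md5", rules=SASL_REGEXP_RULES):
    """Form the uid=...,cn=<mech>,cn=auth DN slapd builds for a u: identity and
    apply the first matching sasl-regexp. Assumption: the pattern is matched from
    the start of the string, as a simplification of slapd's regexec() use."""
    sasl_dn = f"uid={sasl_id},cn={mech.lower()},cn=auth"
    for pattern, template in rules:
        m = re.match(pattern, sasl_dn)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    return sasl_dn  # no rule matched: slapd keeps the cn=auth form


def dn_match(a, b):
    """Simplified dn_match(): compare after lower-casing and stripping blanks
    around ',' and '='. Real slapd normalizes per attribute syntax."""
    norm = lambda dn: re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()
    return norm(a) == norm(b)


def slap_sasl_authorized(authc_dn, authz_dn):
    """Mirror of the checks quoted above; the authzTo/authzFrom evaluation
    that follows in the real function is not modelled."""
    if not authz_dn:                   # user binding as anonymous
        return LDAP_SUCCESS
    if not authc_dn:                   # user is anonymous
        return LDAP_INAPPROPRIATE_AUTH
    if dn_match(authc_dn, authz_dn):   # authorizing to self
        return LDAP_SUCCESS
    return LDAP_INAPPROPRIATE_AUTH


def proxy_authorize(authcid, authzid):
    """Map both SASL identities through the regexp, then run the authz check."""
    authc_dn = sasl_id_to_dn(authcid)
    authz_dn = sasl_id_to_dn(authzid) if authzid else ""
    return slap_sasl_authorized(authc_dn, authz_dn)
```

With the identities from the log, proxy_authorize("ldap_user@mydomain.com", "ldap_user@mydomain.com") takes the self-match branch and returns 0, whereas an authzDN of "password1" as in the log returns 48.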