On 02/06/12 11:40 +0530, Gaurav Gugnani wrote:
Hello All,
Thanks for helping me out; however, I'm still stuck in the middle of it and the issue has not yet been resolved.
You should run your server in debug mode to determine what's going awry.
*Error:*

/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y DIGEST-MD5 -U sasluser7 -b 'o=xyz'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
I checked the ACLs, and now I'm also using authz with the following lines:
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
access to attrs="userpassword"
    by self write
    by anonymous auth
    by dn="uid=sasluser7,ou=System,o=xyz" read

access to dn.base="o=xyz"
    by dn="uid=sasluser7,ou=System,o=xyz" read
    by users read

access to dn.subtree="ou=Subscribers,o=xyz"
    by dn="uid=sasluser7,ou=System,o=xyz" read

access to *
    by self write
    by dn="uid=sasluser7,ou=System,o=xyz" read
I hope it is fine.
I have 'by anonymous auth' on the following:
access to dn.base="ou=people,dc=example,dc=net"
access to attrs=userPassword
access to attrs=authzTo
access to attrs=objectClass
access to attrs=entry,uidNumber
You could determine piecemeal whether that's sufficient for you, but, again, use debug output to figure it out. For example:
slapd -d -1 -h ldap:/// -u openldap -g openldap
See the manpage for slapd for details.
Moreover, we can say that the user is created:

/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D 'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=sasluser7,ou=System,o=xyz> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sasluser7, System, xyz
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbVHzZXI3
Be aware that the above is a simple uuencoding of your password. It should now be considered publicly known.
objectClass: account
objectClass: simpleSecurityObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Also, I would like to highlight one thing:

When I check for the SASL db list of users, it throws me an error. Can that be an issue point?

/u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
-bash: sasldblistusers: command not found
Any of the cyrus sasl* commands are most likely doing the wrong thing, which default to using the sasldb auxprop store (which uses /etc/sasldb2) rather than slapd or ldapdb. I would not use them at this point as they're bound to confuse the matter.
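As an added example (not from this thread or from OpenLDAP itself), the Python below simulates the authz-regexp rule quoted above against the SASL DN that slapd forms for a DIGEST-MD5 bind, with and without a realm, and reads a constructed LDIF entry to decode the base64 `userPassword::` value and check that the secret is stored in cleartext, which DIGEST-MD5 needs. Case-insensitive matching is an assumption standing in for slapd's DN normalisation, and the sample password is made up.

```python
import base64
import re

# Constructed sample in the shape of the thread's rule and LDIF output
# (not the poster's data); the password value is a made-up one.
AUTHZ_REGEXP = (r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")
SAMPLE_LDIF = """\
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
userPassword:: ZXhhbXBsZS1zZWNyZXQ=
objectClass: account
objectClass: simpleSecurityObject
"""


def sasl_dn(authcid, mech="DIGEST-MD5", realm=None):
    """SASL authentication DN slapd builds before applying authz-regexp.
    A realm (client -R or the server's sasl-realm) inserts a cn=<realm> RDN."""
    realm_rdn = f"cn={realm}," if realm else ""
    return f"uid={authcid},{realm_rdn}cn={mech},cn=auth"


def map_authz(sasl_dn_str, rule=AUTHZ_REGEXP):
    """Apply one authz-regexp pair: an ERE whose $N groups fill the replacement.
    Returns the mapped DN, or None when the rule does not match (bind stays unmapped).
    Assumption: case-insensitive match approximates slapd's DN normalisation."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, sasl_dn_str, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def parse_ldif(text):
    """Minimal LDIF reader: 'attr:: value' is base64, 'attr: value' is literal."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":: ")
        if sep:
            entry.setdefault(attr, []).append(base64.b64decode(value))
        else:
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value.encode())
    return entry


def secret_is_cleartext(entry):
    """DIGEST-MD5 needs the cleartext secret; a {SCHEME} hash cannot serve it."""
    pw = entry.get("userPassword", [b""])[0]
    return not pw.startswith(b"{")
```

A rule that does not match (for instance because a realm RDN is present) leaves the bind identity unmapped, so the ACLs written for `uid=sasluser7,ou=System,o=xyz` never apply to that session.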