I've enabled the PLAIN SASL mech, and testing with ldapwhoami works, but only if the userPassword is left as plaintext. If hashing [SSHA] is used, it fails. A simple bind succeeds. What am I doing wrong?
ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx'
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password verification failed

524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 slap_listener_activate(7):
524b7989 daemon: epoll: listen=7 busy
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 >>> slap_listener(ldap:///)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 daemon: listen=7, new connection on 16
524b7989 daemon: added 16r (active) listener=(nil)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 conn=1014 fd=16 ACCEPT from IP=192.168.1.81:35171 (IP=0.0.0.0:389)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989 16r524b7989
524b7989 daemon: read active on 16
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 connection_get(16)
524b7989 connection_get(16): got connid=1014
524b7989 connection_read(16): checking for input on id=1014
ber_get_next
ldap_read: want=8, got=8
  0000:  30 22 02 01 01 60 1d 02                            0"...`..
ldap_read: want=28, got=28
  0000:  01 03 04 00 a3 16 04 05 50 4c 41 49 4e 04 0d 00    ........PLAIN...
  0010:  66 6c 61 73 68 00 74 69 67 67 65 72                flash.xxxxxxx
ber_get_next: tag 0x30 len 34 contents:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103750 end=0x7f1580103772 len=34
  0000:  02 01 01 60 1d 02 01 03 04 00 a3 16 04 05 50 4c    ...`..........PL
  0010:  41 49 4e 04 0d 00 66 6c 61 73 68 00 74 69 67 67    AIN...flash.xxxx
  0020:  65 72                                              xxxxxx
524b7989 op tag 0x60, time 1380678025
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
524b7989 conn=1014 op=0 do_bind
524b7989 daemon: activity on 1 descriptor
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103753 end=0x7f1580103772 len=31
  0000:  60 1d 02 01 03 04 00 a3 16 04 05 50 4c 41 49 4e    `..........PLAIN
  0010:  04 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72       ...flash.xxxxxxxx
ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f158010375a end=0x7f1580103772 len=24
  0000:  00 16 04 05 50 4c 41 49 4e 04 0d 00 66 6c 61 73    ....PLAIN...flas
  0010:  68 00 74 69 67 67 65 72                            h.xxxxxxxxx
ber_scanf fmt (m) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103763 end=0x7f1580103772 len=15
  0000:  00 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72       ...flash.xxxxxxx
ber_scanf fmt (}}) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103772 end=0x7f1580103772 len=0
524b7989 >>> dnPrettyNormal: <>
524b7989 <<< dnPrettyNormal: <>, <>
524b7989 conn=1014 op=0 BIND dn="" method=163
524b7989 do_bind: dn () SASL mech PLAIN
524b7989 ==> sasl_bind: dn="" mech=PLAIN datalen=13
524b7989 SASL Canonicalize [conn=1014]: authcid="flash"
524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0
524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth
524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0
524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth>
524b7989 ==>slap_sasl2dn: converting SASL name uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1] string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1] res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" -> "uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 slap_sasl_getdn: dn:id converted to uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 SASL Canonicalize [conn=1014]: slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 SASL Canonicalize [conn=1014]: authcid="flash"
524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0
524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth
524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0
524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth>
524b7989 ==>slap_sasl2dn: converting SASL name uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1] string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth' string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1] res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" -> "uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize: <uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 slap_sasl_getdn: dn:id converted to uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 SASL Canonicalize [conn=1014]: slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 => mdb_search
524b7989 mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=com")
524b7989 => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=com")
524b7989 <= mdb_dn2id: got id=0x2c
524b7989 => mdb_entry_decode:
524b7989 <= mdb_entry_decode
524b7989 => access_allowed: auth access to "uid=flash,ou=people,ou=accounts,dc=example,dc=com" "entry" requested
524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 => acl_get: [2] matched
524b7989 => acl_get: [2] attr entry
524b7989 => acl_mask: access to entry "uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "entry" requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: self
524b7989 <= check a_dn_pat: users
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [3] applying auth(=xd) (stop)
524b7989 <= acl_mask: [3] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 base_candidates: base: "uid=flash,ou=people,ou=accounts,dc=example,dc=com" (0x0000002c)
524b7989 => test_filter
524b7989 daemon: activity on:524b7989 PRESENT
524b7989 => access_allowed: auth access to "uid=flash,ou=people,ou=accounts,dc=example,dc=com" "objectClass" requested
524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 => acl_get: [2] matched
524b7989 => acl_get: [2] attr objectClass
524b7989 => acl_mask: access to entry "uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "objectClass" requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: self
524b7989 <= check a_dn_pat: users
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [3] applying auth(=xd) (stop)
524b7989 <= acl_mask: [3] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 <= test_filter 6
524b7989 => access_allowed: auth access to "uid=flash,ou=people,ou=accounts,dc=example,dc=com" "userPassword" requested
524b7989 => acl_get: [1] attr userPassword
524b7989 => acl_mask: access to entry "uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "userPassword" requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [1] applying auth(=xd) (stop)
524b7989 <= acl_mask: [1] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
524b7989 send_ldap_result: conn=1014 op=0 p=3
524b7989 send_ldap_result: err=0 matched="" text=""
524b7989 SASL [conn=1014] Failure: Password verification failed
524b7989 send_ldap_result: conn=1014 op=0 p=3
524b7989 send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed"
524b7989 send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 69 bytes to sd 16
  0000:  30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 41    0C...a>..1...7SA
  0010:  53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f    SL(-13): user no
  0020:  74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72    t found: Passwor
  0030:  64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66    d verification f
  0040:  61 69 6c 65 64                                     ailed
ldap_write: want=69, written=69
  0000:  30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 41    0C...a>..1...7SA
  0010:  53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f    SL(-13): user no
  0020:  74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72    t found: Passwor
  0030:  64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66    d verification f
  0040:  61 69 6c 65 64                                     ailed
524b7989 conn=1014 op=0 RESULT tag=97 err=49 text=SASL(-13): user not found: Password verification failed
524b7989 <== slap_sasl_bind: rc=49
524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989 16r524b7989
524b7989 daemon: read active on 16
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 connection_get(16)
524b7989 connection_get(16): got connid=1014
524b7989 connection_read(16): checking for input on id=1014
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 02 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f1584117620 ptr=0x7f1584117620 end=0x7f1584117625 len=5
  0000:  02 01 02 42 00                                     ...B.
524b7989 op tag 0x42, time 1380678025
ber_get_next
ldap_read: want=8, got=0
524b7989 ber_get_next on fd 16 failed errno=0 (Success)
524b7989 connection_read(16): input error=-2 id=1014, closing.
524b7989 connection_closing: readying conn=1014 sd=16 for close
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 connection_close: deferring conn=1014 sd=16
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 conn=1014 op=1 do_unbind
524b7989 conn=1014 op=1 UNBIND
524b7989 connection_resched: attempting closing conn=1014 sd=16
524b7989 connection_close: conn=1014 sd=16
524b7989 daemon: removing 16
524b7989 conn=1014 fd=16 closed
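As an added illustration (not part of the original post, and not OpenLDAP code), the following Python decodes the two messages whose bytes appear in the trace above: the SASL PLAIN BindRequest slapd read from the client and the resultCode 49 BindResponse it flushed back. The rewrite step mirrors the two authz-regexp rules slapd logged; the replacement side of those rules is inferred from the logged rewrite result, since the slapd.conf itself is not on the page. Two things it makes visible: the PLAIN credential blob (authzid NUL authcid NUL password, RFC 4616) travels in the clear over the port 389 connection the trace shows, and the hex column of a -d -1 dump carries it verbatim even where the ASCII column has been masked, so PLAIN belongs behind TLS and debug traces need scrubbing before they are posted. The sample bytes are constructed from the hex dump in the trace.

```python
"""Decode the SASL PLAIN BindRequest and the err=49 BindResponse seen in the
slapd -d -1 trace, and replay the authz-regexp mapping slapd logged."""
import re
from dataclasses import dataclass

# Constructed from the hex columns of the trace (ldap_read / ber_flush2 rows).
BIND_REQUEST = bytes.fromhex(
    "30 22 02 01 01 60 1d 02 01 03 04 00 a3 16 04 05 50 4c 41 49 4e "
    "04 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72"
)
BIND_RESPONSE = bytes.fromhex("30 43 02 01 01 61 3e 0a 01 31 04 00 04 37") + (
    b"SASL(-13): user not found: Password verification failed"
)

# authz-regexp rules as slapd logged them, in order. The replacement side is
# inferred from the rewrite result in the trace (assumption: slapd.conf not shown).
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=digest-md5,cn=auth", r"uid=\1,ou=people,ou=accounts,dc=example,dc=com"),
    (r"uid=([^,]*),cn=plain,cn=auth", r"uid=\1,ou=people,ou=accounts,dc=example,dc=com"),
]


def ber_tlv(buf: bytes, pos: int = 0):
    """Read one BER TLV (single-byte tag, short or long-form length) at pos.
    Returns (tag, contents, position just past the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


@dataclass
class PlainBind:
    message_id: int
    version: int
    bind_dn: str
    mechanism: str
    authzid: str
    authcid: str
    password: str


def decode_bind_request(msg: bytes) -> PlainBind:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name,
    SaslCredentials [3] { mechanism, credentials } } } per RFC 4511."""
    tag, body, end = ber_tlv(msg)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    _, mid, pos = ber_tlv(body)
    tag, op, _ = ber_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = ber_tlv(op)
    _, dn, pos = ber_tlv(op, pos)
    tag, sasl, _ = ber_tlv(op, pos)
    if tag != 0xA3:
        raise ValueError("not a SASL bind (a simple bind carries [0] instead)")
    _, mech, pos = ber_tlv(sasl)
    _, creds, _ = ber_tlv(sasl, pos)
    # RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd, nothing encrypted.
    authzid, authcid, passwd = creds.split(b"\0", 2)
    return PlainBind(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                     dn.decode(), mech.decode(), authzid.decode(),
                     authcid.decode(), passwd.decode())


def sasl_authid_to_dn(authcid: str, mechanism: str) -> str:
    """Replay the trace: slapd builds uid=<authcid>,cn=<mech>,cn=auth, normalises
    it to lower case, then applies the authz-regexp rules in order."""
    authid = f"uid={authcid},cn={mechanism.lower()},cn=auth"
    for pattern, repl in AUTHZ_REGEXP:
        if re.search(pattern, authid):
            return re.sub(pattern, repl, authid)
    return authid  # no rule matched: the cn=auth placeholder DN stays as-is


def decode_bind_response(msg: bytes):
    """BindResponse [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }.
    Returns (messageID, resultCode, matchedDN, diagnosticMessage)."""
    _, body, _ = ber_tlv(msg)
    _, mid, pos = ber_tlv(body)
    tag, op, _ = ber_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = ber_tlv(op)
    _, matched, pos = ber_tlv(op, pos)
    _, diag, _ = ber_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), matched.decode(), diag.decode()


if __name__ == "__main__":
    req = decode_bind_request(BIND_REQUEST)
    print(f"msgid={req.message_id} v{req.version} mech={req.mechanism} "
          f"authcid={req.authcid!r} password={'*' * len(req.password)} (cleartext on the wire)")
    print("authz-regexp ->", sasl_authid_to_dn(req.authcid, req.mechanism))
    print("server reply ->", decode_bind_response(BIND_RESPONSE))
```

Reading the trace alongside the decoder: the `slap_ap_lookup: str2ad(cmusaslsecretPLAIN)` line is slapd's auxprop lookup being asked for the attributes the SASL library wants and finding that one of them is not in the schema; the bind is then refused only after `userPassword` has been fetched with `auth` access, which is the SASL layer comparing the presented password against the stored value rather than slapd performing a simple bind. Anyone reproducing this should also note that the six password bytes are recoverable from the hex rows of the dump despite the `xxxxxxx` in the ASCII column.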