Hi, I tried again with following steps: 1. saslpasswd2 -c admin
2. configure slapd.conf: sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever database bdb suffix "ou=people,o=Ever" rootdn "uid=admin,ou=People,o=Ever"
3. I use the following LDIF file dn: o=Ever o: Ever description: Organization Root objectClass: top objectClass: organization
dn: ou=Staff, o=Ever ou: Staff description: These are privileged users that can interact with Organization products objectClass: top objectClass: organizationalUnit
dn: ou=People, o=Ever ou: People objectClass: top objectClass: organizationalUnit
dn: uid=admin, ou=Staff, o=Ever uid: admin cn: LDAP Adminstrator sn: admin userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= objectClass: Top objectClass: Person objectClass: Organizationalperson objectClass: Inetorgperson
dn: uid=admin,ou=People,o=Ever objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= displayName: admin mail: admin@eversystems.com.br uid: admin cn: Administrator sn: admin
4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
5. ./ldapsearch -U admin -Y DIGEST-MD5 Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database
6.slapd log is : slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=0 connection_read(12): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 32 contents: op tag 0x60, time 1277198750 ber_get_next conn=0 op=0 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> do_bind: dn () SASL mech DIGEST-MD5 SASL [conn=0] Debug: DIGEST-MD5 server step 1 send_ldap_sasl: err=14 len=180 send_ldap_response: msgid=1 tag=97 err=14 ber_flush2: 233 bytes to sd 12 <== slap_sasl_bind: rc=14 connection_get(12): got connid=0 connection_read(12): checking for input on id=0 ber_get_next ber_get_next: tag 0x30 len 296 contents: op tag 0x60, time 1277198752 ber_get_next conn=0 op=1 do_bind ber_scanf fmt ({imt) ber: ber_scanf fmt ({m) ber: ber_scanf fmt (m) ber: ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <> do_bind: dn () SASL mech DIGEST-MD5 SASL [conn=0] Debug: DIGEST-MD5 server step 2 slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth> ==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN ==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth' ==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)] ==> rewrite_context_apply [depth=1] res={0,'uid=admin,ou=People,o=Ever'} slap_parseURI: parsing uid=admin,ou=People,o=Ever ldap_url_parse_ext(uid=admin,ou=People,o=Ever)
dnNormalize: <uid=admin,ou=People,o=Ever>
<<< dnNormalize: <uid=admin,ou=people,o=ever> <==slap_sasl2dn: Converted SASL name to uid=admin,ou=people,o=ever slap_sasl_getdn: dn:id converted to uid=admin,ou=people,o=ever => bdb_search bdb_dn2entry("uid=admin,ou=people,o=ever") => bdb_dn2id("ou=people,o=ever") <= bdb_dn2id: got id=0x1 => bdb_dn2id("uid=admin,ou=people,o=ever") <= bdb_dn2id: got id=0x2 entry_decode: "uid=admin,ou=People,o=Ever" <= entry_decode(uid=admin,ou=People,o=Ever) slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined send_ldap_result: conn=0 op=1 p=3 SASL [conn=0] Failure: no secret in database send_ldap_result: conn=0 op=1 p=3 send_ldap_response: msgid=2 tag=97 err=49 ber_flush2: 70 bytes to sd 12 <== slap_sasl_bind: rc=49 connection_get(12): got connid=0 connection_read(12): checking for input on id=0 ber_get_next ber_get_next on fd 12 failed errno=0 (Success) connection_close: conn=0 sd=12
why would this happen?
-----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Tuesday, June 22, 2010 1:06 AM To: LI Ji D Cc: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 21/06/10 09:52 +0800, LI Ji D wrote:
- Then I configure the slapd.conf to be like this:
authz-policy to sasl-regexp "^uid=([^,]+),.*"
"uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
database bdb suffix "dc=example,dc=com" rootdn "uid=111,cn=digest-md5,cn=auth"
- Then I use 'saslpasswd2 -c liji1' to add a user and create
/usr/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop auxprop_plugin: sasldb mech_list: plain login ntlm cram-md5 digest-md5
- Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5
-p
389', but fails with reason: user not found: no secret in database. The log of slapd is:
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth
to
a DN
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
It's not clear which user credentials are being retrieved from sasldb. Is it uid=liji1,cn=digest-md5,cn=auth or liji1?
You could increase your cyrus debugging to get more information out of syslog: Add an:
auth.debug...
to your syslog configuration, and add this to your /usr/lib/sasl2/slapd.conf:
log_level: 7