On 10/09/13 22:20 -0400, btb@bitrate.net wrote:
On Oct 8, 2013, at 09.56, Dan White dwhite@olp.net wrote:
Without olcauthzregexp, a test with ldapwhoami fails, as expected:
ldapwhoami -H 'ldap://aurora.example.com/' -Y 'digest-md5' -U 'flash' -w 'xxxxxxxx'
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
You're comparing apples to oranges here. You should be performing PLAIN authentication for a closer comparison. Of course, you'll need a clear text password in your entry for that to succeed.
But when using 'pwcheck_method: saslauthd' [and 'mech_list: plain'], a test with ldapwhoami succeeds, even without olcauthzregexp:
ldapsearch -xLLLH 'ldap://aurora.example.com/' -D 'cn=admin,dc=example,dc=com' -w 'xxxxxxxx' -b 'cn=config' -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /opt/openldap/var/run/slapd.args
olcLogLevel: any
olcPidFile: /opt/openldap/var/run/slapd.pid
olcSaslSecProps: noanonymous
ldapwhoami -H 'ldap://aurora.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx'
SASL/PLAIN authentication started
SASL username: flash
SASL SSF: 0
dn:uid=flash,cn=plain,cn=auth
slapd internally assigns an identity after SASL authentication is successful. ldapwhoami will still succeed without an olcauthzregexp, but will simply point to the generated "pseudo" dn, rather than an actual entry in your tree (unless you have actually created a cn=auth database).
Be aware that even if you have 'pwcheck_method: saslauthd' configured, that configuration only affects PLAIN/LOGIN. Auxprop is still used for shared secret mechanisms such as DIGEST-MD5.
I may not be following - if I explicitly set 'pwcheck_method: saslauthd', yet offer a shared secret mech, that config directive will be ignored and act as though pwcheck_method: auxprop is set if the shared secret mech is used? I guess that makes sense, since such a config would be contradictory?
Shared secret mechanisms will use your configured auxprop plugin. Shared secret mechanisms will always disregard your pwcheck_method config.
Another way to get rid of those log entries is to include dummy options for them:
ldapdb_uri: ldapi:///
sql_select: SELECT %p FROM user_table WHERE username = '%u' and realm = '%r'
Using these dummy options does suppress the log messages, but I'd like to learn what I'm doing wrong if only the slapd plugin is supposed to be in use to begin with.
I'm not sure that you are. I suppose a better solution is to remove the ldapdb and sql (and sasldb) shared libraries from your system, in which case they'll never be loaded in to memory.
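As an added illustration of the two points made in this thread (not code from either poster), the Python below models how slapd derives the uid=...,cn=<mech>,cn=auth pseudo-DN from a SASL authcid, how an olcAuthzRegexp rule rewrites it (and that an unmatched DN stays the pseudo-DN), and which Cyrus SASL password path each mechanism takes. The ou=people suffix, the two rule patterns and the example.com realm are assumed example values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Identity slapd assigns after a successful SASL bind:
#   uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth
def sasl_pseudo_dn(authcid: str, mech: str, realm: Optional[str] = None) -> str:
    """Build the pseudo-DN that ldapwhoami reports when no olcAuthzRegexp matches."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(parts)

@dataclass
class AuthzRegexp:
    """One olcAuthzRegexp line: a match pattern and a replacement using $1..$9."""
    pattern: str
    replacement: str

def apply_authz_regexp(rules: List[AuthzRegexp], dn: str) -> str:
    """Apply the first matching rule, as slapd does; an unmatched DN is returned unchanged."""
    for rule in rules:
        m = re.search(rule.pattern, dn, re.IGNORECASE)
        if m:
            # expand $1..$9 from the captured groups of the matching rule
            return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), rule.replacement)
    return dn

# pwcheck_method governs only the plaintext mechanisms; shared-secret mechanisms
# (DIGEST-MD5, CRAM-MD5, ...) always go through the configured auxprop plugin.
PLAINTEXT_MECHS = {"plain", "login"}

def password_backend(mech: str, pwcheck_method: str) -> str:
    """Return which backend verifies the password for a given mechanism."""
    return pwcheck_method if mech.lower() in PLAINTEXT_MECHS else "auxprop"

# Assumed example rules: map the authcid onto an entry under ou=people; the second
# rule covers the form that carries a realm component (e.g. DIGEST-MD5).
RULES = [
    AuthzRegexp(r"^uid=([^,]*),cn=[^,]*,cn=auth$", "uid=$1,ou=people,dc=example,dc=com"),
    AuthzRegexp(r"^uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth$", "uid=$1,ou=people,dc=example,dc=com"),
]

if __name__ == "__main__":
    plain = sasl_pseudo_dn("flash", "PLAIN")
    print(apply_authz_regexp([], plain))      # no rules: pseudo-DN comes back unchanged
    print(apply_authz_regexp(RULES, plain))   # mapped onto the real entry
    print(apply_authz_regexp(RULES, sasl_pseudo_dn("flash", "DIGEST-MD5", "example.com")))
    print(password_backend("DIGEST-MD5", "saslauthd"))  # auxprop, regardless of pwcheck_method
```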