Dear members.
Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly. It seems that the LDAP server compares the DN and the input password during LDAP authentication (see the log below).
Thank you for your advice.
Sincerely.
-- Hiroyuki Sato.
My environment:
OS: Ubuntu 10.10
OpenLDAP: 2.4.24 (built myself)
1, slapd.conf
..
sasl-realm mydomain.com
sasl-auxprops sql
sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
Note: ``sasl-auxprops sql'' is not well documented. It is an important setting for SQL authentication.
2, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: database.server.add.ress
sql_user: username
sql_passwd: password
sql_database: db_name
sql_select: select password from sasl_test where username = '%u@%r'
3, database entry
mysql> select * from sasl_test \G
*************************** 1. row ***************************
username: ldapuser@mydomain.com
password: ldapuser_password
4, auth
ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
Password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
5, log
......
<= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth to a DN
daemon: activity on 1 descriptor
==> rewrite_context_apply [depth=1] string='uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=mydomain,dc=com,cn=digest-md5,cn=auth' string='uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com'}
[rw] authid: "uid=ldap_user,cn=mydomain,dc=com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com"
slap_parseURI: parsing uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
ldap_url_parse_ext(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)
>>> dnNormalize: <uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com)=0
<<< dnNormalize: <uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
SASL Canonicalize [conn=1003]: slapAuthcDN="uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com"
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
SASL Canonicalize [conn=1003]: authzid="ldap_user"
SASL proxy authorize [conn=1003]: authcid="ldap_user@mydomain,dc=com" authzid="ldap_user@mydomain,dc=com"
==>slap_sasl_authorized: can uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com become <INPUT_PASSWORD>?
^^^^^^^^^^^^^^^^^^^^
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1003]: proxy authorization disallowed (48)
SASL [conn=1003] Failure: not authorized
send_ldap_result: conn=1003 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
On 14/02/11 23:47 +0900, Hiroyuki Sato wrote:
Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly. It seems that the LDAP server compares the DN and the input password during LDAP authentication (see the log below).
My environment:
OS: Ubuntu 10.10
OpenLDAP: 2.4.24 (built myself)
1, slapd.conf
sasl-realm mydomain.com
sasl-auxprops sql
sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
2, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: database.server.add.ress
sql_user: username
sql_passwd: password
sql_database: db_name
sql_select: select password from sasl_test where username = '%u@%r'
ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
Password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
5, log
<= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
You want the 'uid' part of your rule to be a bit more restrictive, such as uid=([^,]+), so that it doesn't end up matching a longer string accidentally.
Thank you Dan.
I simplified the test environment (see below).
* Problem summary
Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly. It seems that the LDAP server compares the DN and the input password during LDAP authentication (see the log below).
To: Dan
sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
Is this true? I tested again. It seems that c=<realm> is set from the ``sasl-realm'' value.
You want the 'uid' part of your rule to be a bit more restrictive, such as uid=([^,]+), so that it doesn't end up matching a longer string accidentally.
I changed it to uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth
case1
config
# sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=DIGEST-MD5,cn=auth>
note: realm is not set.
case2
config
# sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
note: realm is not set.
case3
config
sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=282
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth>
note: realm is set to 'cn=mydomain.com'.
case4
config
# sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldap_user,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=ldap_user,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+),cn=mydomain.cn=com,cn=digest-md5,cn=auth' string='uid=ldap_user,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,cn=digest-md5,cn=auth'}
[rw] authid: "uid=ldap_user,cn=digest-md5,cn=auth" -> "uid=ldap_user,cn=digest-md5,cn=auth"
slap_parseURI: parsing uid=ldap_user,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=ldap_user,cn=digest-md5,cn=auth)
>>> dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=digest-md5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=digest-md5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=ldap_user,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=ldap_user,cn=digest-md5,cn=auth
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ldap_user,cn=digest-md5,cn=auth"
SASL Canonicalize [conn=1000]: authzid="ldap_user"
-- Hiroyuki Sato
0, Environment
OS: Ubuntu 10.10
OpenLDAP: 2.4.24
1, slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
loglevel -1
####################################################
#
# SASL config
#
####################################################
sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
sasl-auxprops sql
2, ldif
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
o: mydomain
dc: mydomain

dn: ou=users,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=ldap_user,ou=users,dc=mydomain,dc=com
uid: ldap_user
cn: ldap_user
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
gecos: ldap_user
homeDirectory: /home/ldap_user
userPassword:: KioqKioqKio=
3, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: host.addre.ss
sql_user: username
sql_passwd: password
sql_database: database
sql_select: select password from sasl_test where username = '%u@%r'
4, mysql
Create Table: CREATE TABLE `sasl_test` (
  `username` varchar(255) NOT NULL,
  `password` varchar(255) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8
mysql> select * from sasl_test \G
*************************** 1. row ***************************
username: ldap_user@mydomain.com
password: password1
5, client request
ldapsearch -R mydomain.com -h 192.168.10.36 -Y digest-md5 -U ldap_user -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
6, complete log
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=NULL
slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: listen=7, new connection on 12
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: added 12r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 fd=12 ACCEPT from IP=192.168.10.53:53531 (IP=0.0.0.0:389)
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
(hex bytes omitted)
ldap_read: want=18, got=18
(hex bytes omitted)
ber_get_next: tag 0x30 len 24 contents:
ber_dump: buf=0xa1e2798 ptr=0xa1e2798 end=0xa1e27b0 len=24
(hex bytes of the 24-byte BIND request omitted)
op tag 0x60, time 1297854079
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e279b end=0xa1e27b0 len=21
(hex bytes omitted)
ber_scanf fmt ({m) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e27a2 end=0xa1e27b0 len=14
(hex bytes omitted)
ber_scanf fmt (}}) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e27b0 end=0xa1e27b0 len=0
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=0 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
SASL [conn=1000] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=176
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 223 bytes to sd 12
(hex bytes of the 223-byte result omitted; the ASCII column shows the DIGEST-MD5 challenge with realm="mydomain.com", qop="auth,auth-int,auth-conf", cipher="rc4-40,rc4-56,rc4", maxbuf=65536, charset=utf-8, algorithm=md5-sess)
ldap_write: want=223, written=223
(same hex bytes repeated, omitted)
conn=1000 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
<== slap_sasl_bind: rc=14
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
(hex bytes omitted)
ldap_read: want=310, got=310
(hex bytes of the 310-byte client response omitted; the ASCII column shows username="ldap_user", realm="mydomain.com", nc=00000001, qop=auth-conf, cipher=rc4, maxbuf=16777215, digest-uri="ldap/pxe01.archsystem.com" and the nonce, cnonce and response values)
ber_get_next: tag 0x30 len 314 contents:
ber_dump: buf=0xa1e4780 ptr=0xa1e4780 end=0xa1e48ba len=314
(same hex bytes repeated, omitted)
op tag 0x60, time 1297854089
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0xa1e4780 ptr=0xa1e4783 end=0xa1e48ba len=311
(hex bytes omitted)
ber_scanf fmt ({m) ber:
ber_dump: buf=0xa1e4780 ptr=0xa1e478c end=0xa1e48ba len=302
(hex bytes omitted)
ber_scanf fmt (m) ber:
ber_dump: buf=0xa1e4780 ptr=0xa1e479c end=0xa1e48ba len=286
(hex bytes omitted)
ber_scanf fmt (}}) ber:
ber_dump: buf=0xa1e4780 ptr=0xa1e48ba end=0xa1e48ba len=0
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=282
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth' string='uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'}
[rw] authid: "uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,dc=mydomain,dc=com"
slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
>>> dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
<<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=ldap_user,ou=users,dc=mydomain,dc=com
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com"
SASL Canonicalize [conn=1000]: authzid="ldap_user"
SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com" authzid="ldap_user@mydomain.com"
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
SASL [conn=1000] Failure: not authorized
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
ber_flush2: 62 bytes to sd 12
(hex bytes of the 62-byte result omitted; the ASCII column reads "SASL(-14): authorization failure: not authorized")
ldap_write: want=62, written=62
(same hex bytes repeated, omitted)
conn=1000 op=1 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized
<== slap_sasl_bind: rc=50
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=12 for close
connection_close: conn=1000 sd=12
daemon: removing 12
conn=1000 fd=12 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
2011/2/15 Dan White dwhite@olp.net:
On 14/02/11 23:47 +0900, Hiroyuki Sato wrote:
Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly. It seems that the LDAP server compares the DN and the input password during LDAP authentication (see the log below).
My environment:
OS: Ubuntu 10.10
OpenLDAP: 2.4.24 (built myself)
1, slapd.conf
sasl-realm mydomain.com
sasl-auxprops sql
sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
2, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: database.server.add.ress
sql_user: username
sql_passwd: password
sql_database: db_name
sql_select: select password from sasl_test where username = '%u@%r'
ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
Password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
5, log
<= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
You want the 'uid' part of your rule to be a bit more restrictive, such as uid=([^,]+), so that it doesn't end up matching a longer string accidentally.
I changed slap
-- Dan White
On 16/02/11 20:32 +0900, Hiroyuki Sato wrote:
Thank you Dan.
I simplified the test environment (see below).
- Problem summary
Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly. It seems that the LDAP server compares the DN and the input password during LDAP authentication (see the log below).
To: Dan
sasl-regexp uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
This isn't matching what's showing up in your logs. slapd is internally canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
Is this true? I tested again. It seems that c=<realm> is set from the ``sasl-realm'' value.
In your original post, you specified this command:
ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com' -LLL '(objectclass=*)'
Did you specify '-R mydomain.com' in all the other examples?
I'm getting a little confused with which realm value we're talking about.
See the sasl_server_new(3) man page for a discussion of what sasl-host (serverFQDN) and sasl-realm (user_realm) will do if set in your slapd config. I don't know what effect, if any, setting either value will have when using the digest-md5 mechanism.
In fact, it might simplify things to drop the SASL realm (-R) altogether and capture the domain in the authentication identity (-U ldapuser@mydomain.com), if your environment supports it.
case1
# sasl-realm mydomain.com
sasl-regexp uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
Another way to approach this (without using realms):
sasl-regexp uid=([^@]+)@([^.]+).([^,]+),cn=.*,cn=auth uid=$1,ou=users,dc=$2,dc=$3
(and yes, I just broke my own rule about .*)
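To see what these rules actually produce, here is an added Python model (not code from this thread or from OpenLDAP) that applies sasl-regexp rules the way slapd does, first matching rule wins with $N substitution, to the normalized SASL names that appear in the logs above plus a few constructed names. The lower-casing stands in for dnNormalize and is an approximation; the greedy and no-'@' cases show why the restrictive patterns matter.

```python
"""Model of slapd's sasl-regexp mapping (added example, not OpenLDAP code).

Assumptions (not from the thread): rules are tried in configuration order
and the first match wins; patterns match unanchored and case-insensitively;
$N in the replacement is the N-th capture group; lower-casing the SASL
name approximates dnNormalize (the log shows cn=DIGEST-MD5 -> cn=digest-md5).
"""
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (match pattern, replacement using $N)

# Dan's "case1" rule: the realm is part of the name, uid may not contain a comma.
RULES_REALM: List[Rule] = [
    (r"uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth",
     r"uid=$1,ou=users,dc=mydomain,dc=com"),
]

# Dan's realm-free rule: the domain is taken from user@domain.tld.
RULES_NO_REALM: List[Rule] = [
    (r"uid=([^@]+)@([^.]+).([^,]+),cn=.*,cn=auth",
     r"uid=$1,ou=users,dc=$2,dc=$3"),
]

# The rule from Hiroyuki's later slapd.conf (note: no literal '@' in it).
RULES_HIROYUKI: List[Rule] = [
    (r"uid=([^@]+)([^,]+),cn=digest-md5,cn=auth",
     r"uid=$1,ou=users,dc=mydomain,dc=com"),
]

# The permissive form Dan warned about: (.*) also swallows commas.
RULES_GREEDY: List[Rule] = [
    (r"uid=(.*),cn=mydomain,dc=com,cn=digest-md5,cn=auth",
     r"uid=$1,ou=users,dc=mydomain,dc=com"),
]


def expand(replacement: str, m: "re.Match[str]") -> str:
    """Substitute $1..$9 in the replacement with the capture groups."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", replacement)


def sasl_to_dn(sasl_name: str, rules: List[Rule]) -> Optional[str]:
    """Return the DN produced by the first matching rule, or None if none matches."""
    normalized = sasl_name.lower()  # stand-in for dnNormalize (approximation)
    for pattern, replacement in rules:
        m = re.search(pattern, normalized, re.IGNORECASE)
        if m:
            return expand(replacement, m)
    return None


if __name__ == "__main__":
    # SASL names copied from the debug logs in this thread.
    with_realm = "uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth"
    no_realm = "uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth"
    print(sasl_to_dn(with_realm, RULES_REALM))
    print(sasl_to_dn(no_realm, RULES_NO_REALM))
    # Constructed names that expose the edge cases of the looser patterns:
    # a uid containing a comma is absorbed by (.*), and a uid with no '@'
    # is silently shortened by ([^@]+)([^,]+).
    print(sasl_to_dn("uid=a,ou=x,cn=mydomain,dc=com,cn=digest-md5,cn=auth", RULES_GREEDY))
    print(sasl_to_dn("uid=a,ou=x,cn=mydomain,dc=com,cn=digest-md5,cn=auth", RULES_REALM))
    print(sasl_to_dn("uid=ldapuser,cn=digest-md5,cn=auth", RULES_HIROYUKI))
```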
Hi Dan.
Thank you for your information.
First of all, it is not important to use a realm if the LDAP server can identify ldap_user@company_a.com and ldap_user@company_b.net.
Your idea looks good. I'll check it later.
And I'll report back later.
1, My goal is to build ldap server like the following.
* Store multiple companies' information in one LDAP server.
* Secure authentication (SASL/Kerberos, or SASL/Digest-MD5).
* High availability SASL database. sasldb is just a file; I would like to share user info among multiple machines.
2, My Plan
* LDAP DIT
ou=users,ou=company_a.com,dc=mydomain,dc=com # user DIT in company a
ou=users,ou=company_b.net,dc=mydomain,dc=com # user DIT in company B
* Secure Auth
Plan1) SASL (Digest-MD5 authentication); user info stored in a MySQL database.
Identify company_a users and company_b users by realm.
Plan2) SASL (GSSAPI authentication); not tested yet.
Thank you for your advice.
-- Hiroyuki Sato
Hi Dan
I simplified the ldap configuration as far as I can.
This is the no-realm configuration (Dan's idea).
However, authentication still fails.
I'm not sure why slap_sasl_authorized compares against the input password.
-- from debug message
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
-- Hiroyuki Sato
1, new configuration
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
sasl-regexp uid=([^@]+)([^,]+),cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
sasl-auxprops sql
ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
2, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: host.addre.ss
sql_user: username
sql_passwd: password
sql_database: database
#
# no realm
#
sql_select: select password from sasl_test where username = '%u'
2, log
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=303
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user@mydomain.com"
slap_sasl_getdn: conn 1000 id=ldap_user@mydomain.com [len=22]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^@]+)([^,]+),cn=digest-md5,cn=auth' string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'}
[rw] authid: "uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,dc=mydomain,dc=com"
slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
>>> dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
<<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=ldap_user,ou=users,dc=mydomain,dc=com
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com"
SASL Canonicalize [conn=1000]: authzid="ldap_user@mydomain.com"
SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com" authzid="ldap_user@mydomain.com"
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
SASL [conn=1000] Failure: not authorized
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
ber_flush2: 62 bytes to sd 12
0000: 30 3c 02 01 02 61 37 0a 01 32 04 00 04 30 53 41 0<...a7..2...0SA
0010: 53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69 SL(-14): authori
0020: 7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 zation failure:
0030: 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 not authorized
ldap_write: want=62, written=62
0000: 30 3c 02 01 02 61 37 0a 01 32 04 00 04 30 53 41 0<...a7..2...0SA
0010: 53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69 SL(-14): authori
0020: 7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 zation failure:
0030: 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 not authorized
conn=1000 op=1 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized
<== slap_sasl_bind: rc=50
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=12 for close
connection_close: conn=1000 sd=12
daemon: removing 12
conn=1000 fd=12 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
On 17/02/11 18:51 +0900, Hiroyuki Sato wrote:
However authentication still failed.
I'm not sure why slap_sasl_authorized compares against the input password.
-- from debug message
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
That's pretty strange. Which version of openldap are you running?
Does this command make any difference?:
ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com \
  -X u:ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
In version 2.4.23, the authorization should succeed at (in servers/slapd/saslauthz.c):
/* Check if a bind can SASL authorize to another identity.
 * The DNs should not have the dn: prefix */

int slap_sasl_authorized( Operation *op,
	struct berval *authcDN, struct berval *authzDN )
{
	int rc = LDAP_INAPPROPRIATE_AUTH;

	/* User binding as anonymous */
	if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
		rc = LDAP_SUCCESS;
		goto DONE;
	}

	/* User is anonymous */
	if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
		goto DONE;
	}

	Debug( LDAP_DEBUG_TRACE,
	   "==>slap_sasl_authorized: can %s become %s?\n",
		authcDN->bv_len ? authcDN->bv_val : "(null)",
		authzDN->bv_len ? authzDN->bv_val : "(null)", 0 );

	/* If person is authorizing to self, succeed */
	if ( dn_match( authcDN, authzDN ) ) {
		rc = LDAP_SUCCESS;
		goto DONE;
	}
	...
}
So I'm not sure why you would be seeing anything other than:
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become uid=ldap_user,ou=users,dc=mydomain,dc=com?
But it's probably related to why your authentication is failing.
I've gotten this to work before with sasldb and digest-md5:
http://web.olp.net/dwhite/openldap/sasldb-notes.txt
Could you post your slapd config? or at least your ACLs?
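The decision path Dan quotes can be reproduced with the two DNs from the "can X become Y?" debug line. The following is an added Python model (not OpenLDAP code) of those checks; it omits the authzTo/authzFrom policy branch, so any two DNs that are not the same identity are refused, and it approximates dn_match by comparing DNs after trimming whitespace and lower-casing attribute types and values.

```python
"""Model of the slap_sasl_authorized() checks quoted above (added example).

Assumptions: the authzTo/authzFrom policy branch is not modelled; DN
matching is approximated by a normalising string comparison; a value that
is not a DN at all (like the stray "password1") is compared as-is and so
never matches a real DN.
"""
import re
from typing import Optional

LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48   # the "return 48" seen in the trace


def normalize_dn(dn: str) -> str:
    """Approximate dnNormalize: split on unescaped commas, strip whitespace,
    lower-case attribute types and values (uid, ou, dc are caseIgnore)."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if sep:
            parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
        else:  # not an RDN (e.g. a password that leaked into authzDN): keep as-is
            parts.append(rdn.strip().lower())
    return ",".join(parts)


def dn_match(a: str, b: str) -> bool:
    return normalize_dn(a) == normalize_dn(b)


def slap_sasl_authorized(authc_dn: Optional[str], authz_dn: Optional[str]) -> int:
    """Mirror the C excerpt: empty authzDN -> success (binding as anonymous),
    empty authcDN -> refused, same identity -> success, otherwise refused."""
    if not authz_dn:
        return LDAP_SUCCESS
    if not authc_dn:
        return LDAP_INAPPROPRIATE_AUTH
    print(f"==>slap_sasl_authorized: can {authc_dn} become {authz_dn}?")
    if dn_match(authc_dn, authz_dn):
        return LDAP_SUCCESS
    return LDAP_INAPPROPRIATE_AUTH


if __name__ == "__main__":
    authc = "uid=ldap_user,ou=users,dc=mydomain,dc=com"   # slapAuthcDN from the log
    # The values the gdb trace shows: authzDN holds the password, not a DN.
    print("rc =", slap_sasl_authorized(authc, "password1"))
    # The expected pair once authzid maps to the same DN as authcid.
    print("rc =", slap_sasl_authorized(authc, "UID=ldap_user, OU=users, DC=mydomain, DC=com"))
```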
Hi Dan
Thank you for your information. I also succeeded in authenticating with digest-md5 and sasldb.
-- Hiroyuki Sato
Here is my test environment
OpenLDAP
1, Environment
OS: Ubuntu 10.10
OpenLDAP: 2.4.24, built from source for gdb debugging. The original Ubuntu slapd does not work correctly either.
2, slapd.conf
This is the complete slapd.conf (no ACLs):
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
loglevel -1
sasl-regexp uid=([^@]+)([^,]+),cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
sasl-auxprops sql
3, gdb trace
This is the trace:
ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
Password: password1
(gdb) attach 10590
(gdb) b slap_sasl_authorized
(gdb) continue
Breakpoint 1, slap_sasl_authorized (op=0x9658e28, authcDN=0xb710ae98, authzDN=0xb710ae90) at ../../../servers/slapd/saslauthz.c:2041
2041        if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
(gdb) print * op $1 = {o_hdr = 0x9658f00, o_tag = 96, o_time = 1298003868, o_tincr = 0, o_bd = 0x81db680, o_req_dn = {bv_len = 0, bv_val = 0xb6809010 ""}, o_req_ndn = {bv_len = 0, bv_val = 0xb6809020 ""}, o_request = {oq_add = { rs_modlist = 0xa3, rs_e = 0x12f}, oq_bind = {rb_method = 163, rb_cred = { bv_len = 303, bv_val = 0x9659460 "username="ldap_user@mydomain.com",realm="pxe01.archsystem.com",nonce="9FBkp4LRSgftC5+z7Kh6CofOvvuSvNgpgU756AIC2rI=",cnonce="nqR7oxRAZWWufPf9ZIqj0WPL99kcFatcZSfAGrOTbVM=",nc=00000001,qop=auth-conf,ciph"...}, rb_edn = {bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_mech = {bv_len = 10, bv_val = 0x9659452 "DIGEST-MD5"}}, oq_compare = {rs_ava = 0xa3}, oq_modify = {rs_mods = {rs_modlist = 0xa3, rs_no_opattrs = 47 '/'}, rs_increment = 157652064}, oq_modrdn = {rs_mods = {rs_modlist = 0xa3, rs_no_opattrs = 47 '/'}, rs_deleteoldrdn = 157652064, rs_newrdn = { bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0, bv_val = 0xa <Address 0xa out of bounds>}, rs_newSup = 0x9659452, rs_nnewSup = 0x0}, oq_search = {rs_scope = 163, rs_deref = 303, rs_slimit = 157652064, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly = 0, rs_attrs = 0xa, rs_filter = 0x9659452, rs_filterstr = {bv_len = 0, bv_val = 0x0}}, oq_abandon = {rs_msgid = 163}, oq_cancel = { rs_msgid = 163}, oq_extended = {rs_reqoid = {bv_len = 163, bv_val = 0x12f <Address 0x12f out of bounds>}, rs_flags = 157652064, rs_reqdata = 0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = { bv_len = 163, bv_val = 0x12f <Address 0x12f out of bounds>}, rs_flags = 157652064, rs_reqdata = 0x0}, rs_old = {bv_len = 0, bv_val = 0x0}, rs_new = {bv_len = 10, bv_val = 0x9659452 "DIGEST-MD5"}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000', o_is_auth_check = 0 '\000', o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0 '\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31 
times>, o_controls = 0x9659028, o_authz = {sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = { bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 0}, o_ber = 0x96590b0, o_res_ber = 0x0, o_callback = 0x9658698, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0, o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}} (gdb) print authcDN $2 = (struct berval *) 0xb710ae98 (gdb) print * authcDN $3 = {bv_len = 41, bv_val = 0x965a0ec "uid=ldap_user,ou=users,dc=mydomain,dc=com"} (gdb) print * authzDN $4 = {bv_len = 1936941424, bv_val = 0x965a0c4 "password1"}
(gdb) n
2047        if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
(gdb) n
2051        Debug( LDAP_DEBUG_TRACE,
(gdb) n
2057        if ( dn_match( authcDN, authzDN ) ) {
(gdb) n
2063        if( op->o_conn->c_authz_backend &&
(gdb) n
2064            be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
(gdb) n
2063        if( op->o_conn->c_authz_backend &&
(gdb) n
2071        if( authz_policy & SASL_AUTHZ_TO ) {
(gdb) n
2080        if( authz_policy & SASL_AUTHZ_FROM ) {
(gdb) n
2092        Debug( LDAP_DEBUG_TRACE,
(gdb) n
2083        if( rc == LDAP_SUCCESS ) {
(gdb) n
2092        Debug( LDAP_DEBUG_TRACE,
(gdb) n
2096    }
(gdb) print rc
$5 = 48
2011/2/18 Dan White dwhite@olp.net:
On 17/02/11 18:51 +0900, Hiroyuki Sato wrote:
However authentication still failed.
I'm not sure why slap_sasl_authorized compare input? password.
-- from debug message ==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
That's pretty strange. Which version of openldap are you running?
Does this command make any difference?:
ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com \
  -X u:ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
1, new configuration
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
sasl-regexp uid=([^@]+)([^,]+),cn=digest-md5,cn=auth uid=$1,ou=users,dc=mydomain,dc=com
sasl-auxprops sql

ldapsearch -h 192.168.10.36 -Y digest-md5 -U ldap_user@mydomain.com -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)

2, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: host.addre.ss
sql_user: username
sql_passwd: password
sql_database: database
#
# no realm
#
sql_select: select password from sasl_test where username = '%u'
3, log
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=303
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user@mydomain.com"
slap_sasl_getdn: conn 1000 id=ldap_user@mydomain.com [len=22]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user@mydomain.com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^@]+)([^,]+),cn=digest-md5,cn=auth' string='uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'}
[rw] authid: "uid=ldap_user@mydomain.com,cn=digest-md5,cn=auth" -> "uid=ldap_user,ou=users,dc=mydomain,dc=com"
slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
>>> dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
<<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to uid=ldap_user,ou=users,dc=mydomain,dc=com
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com"
SASL Canonicalize [conn=1000]: authzid="ldap_user@mydomain.com"
SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com" authzid="ldap_user@mydomain.com"
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
SASL [conn=1000] Failure: not authorized
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
In version 2.4.23, the authorization should succeed at (in servers/slapd/saslauthz.c):
/* Check if a bind can SASL authorize to another identity.
 * The DNs should not have the dn: prefix
 */
int slap_sasl_authorized( Operation *op,
	struct berval *authcDN, struct berval *authzDN )
{
	int rc = LDAP_INAPPROPRIATE_AUTH;

	/* User binding as anonymous */
	if ( !authzDN || !authzDN->bv_len || !authzDN->bv_val ) {
		rc = LDAP_SUCCESS;
		goto DONE;
	}

	/* User is anonymous */
	if ( !authcDN || !authcDN->bv_len || !authcDN->bv_val ) {
		goto DONE;
	}

	Debug( LDAP_DEBUG_TRACE,
	   "==>slap_sasl_authorized: can %s become %s?\n",
		authcDN->bv_len ? authcDN->bv_val : "(null)",
		authzDN->bv_len ? authzDN->bv_val : "(null)", 0 );

	/* If person is authorizing to self, succeed */
	if ( dn_match( authcDN, authzDN ) ) {
		rc = LDAP_SUCCESS;
		goto DONE;
	}
	...
}
So I'm not sure why you would be seeing anything other than:
==>slap_sasl_authorized: can uid=ldap_user,ou=users,dc=mydomain,dc=com become uid=ldap_user,ou=users,dc=mydomain,dc=com?
But it's probably related to why your authentication is failing.
I've gotten this to work before with sasldb and digest-md5:
http://web.olp.net/dwhite/openldap/sasldb-notes.txt
Could you post your slapd config, or at least your ACLs?
-- Dan White
openldap-technical@openldap.org
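An added diagnostic, not part of the thread: the gdb session above prints authcDN with bv_len 41 (the length of its DN) but authzDN with bv_len 1936941424 and a bv_val pointing at "password1". This script, written here as an illustration, parses such berval prints and flags a berval whose bv_len does not match its string; when the four bytes of bv_len are printable ASCII, the "berval" is really a pointer into some other string buffer rather than a DN, which is why dn_match can never succeed. The gdb lines are copied from the session above; the name check_bervals is my own.

```python
import re
import struct

# Copy of the berval prints from the gdb session in this thread (not a live session).
GDB_OUTPUT = """\
(gdb) print authcDN
$2 = (struct berval *) 0xb710ae98
(gdb) print * authcDN
$3 = {bv_len = 41, bv_val = 0x965a0ec "uid=ldap_user,ou=users,dc=mydomain,dc=com"}
(gdb) print * authzDN
$4 = {bv_len = 1936941424, bv_val = 0x965a0c4 "password1"}
"""

# Matches "print * NAME" followed by gdb's rendering of a struct berval.
# "print NAME" (no dereference) prints only a pointer and is skipped.
BERVAL_RE = re.compile(
    r'print \* (?P<name>\w+)\s+\$\d+ = \{bv_len = (?P<len>\d+), '
    r'bv_val = (?P<ptr>0x[0-9a-f]+) "(?P<val>[^"]*)"\}'
)


def check_bervals(text):
    """Return {name: verdict} for each dereferenced struct berval in gdb output.

    A consistent berval has bv_len equal to the length of the string gdb shows.
    If it does not, bv_len is re-read as four little-endian bytes: when those
    are printable ASCII the value is string data, not a length, i.e. the
    pointer passed as this berval lands inside some other buffer.
    """
    results = {}
    for m in BERVAL_RE.finditer(text):
        name, bv_len, val = m.group('name'), int(m.group('len')), m.group('val')
        if bv_len == len(val):
            results[name] = 'ok'
            continue
        raw = struct.pack('<I', bv_len & 0xFFFFFFFF)  # 32-bit slapd build
        if all(0x20 <= b < 0x7F for b in raw):
            results[name] = 'corrupt: bv_len is ASCII %r, not a length' % raw.decode('ascii')
        else:
            results[name] = 'corrupt: bv_len %d != strlen %d' % (bv_len, len(val))
    return results


if __name__ == '__main__':
    for name, verdict in check_bervals(GDB_OUTPUT).items():
        print('%s: %s' % (name, verdict))
```

For the session above this reports authcDN as ok and authzDN as corrupt, with bv_len decoding to the bytes "pass", the start of the password string sitting just below the DN in the same heap area.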