Hi all! I have performed some tests with the comp match module (yes it runs if you work around ITS 6556 ;-)).
The result is that the comp match module only works with very simple X509 certs that use old algorithms!
For example if you use X509 certificates with long serial numbers the snacc generated asn.1 parser (contained in file certificate.c) fails decoding the serial number.
Another drawback: the attributes in the Name components subject and issuer (cn, c, o, ou) have to be PrintableStrings; if, for example, there is a UTF8String present in the issuer, the asn.1 parser fails decoding the issuer.
All modern algorithms (sha256WithRSA, sha512WithRSA) are not recognized by the parser; if your X509 certificate is signed with sha256WithRSA the asn.1 parser fails decoding the AlgorithmIdentifier.
In modern times these drawbacks aren't acceptable. Another appropriate asn.1 module for the X509 certificate structure has to be compiled with the openldap esnacc compiler. I would have done this but the openldap esnacc fails parsing its own modules!!!
See something like this:
openldap@ocsp-openldap24:~/Certificate> ~/openldap-snacc-2.3.6/compiler/esnacc -E BER_COMP -E GSER -t -d -f -I /home/openldap/openldap-snacc-2.3.6/asn1specs -I . Certificate.asn1
/home/openldap/openldap-snacc-2.3.6/asn1specs/asn1module.asn1(91) : parse error at symbol ""OID""
Parsing errors---cannot proceed
The code in the asn.1 module:
88 ModuleId ::= SEQUENCE
89 {
90 name MyString,
91 oid OBJECT IDENTIFIER OPTIONAL --snacc cTypeName:"OID" isPtr:"TRUE"
92 }
93
Does anybody know how the esnacc error can be avoided?
Regards,
Hartmut
Lehnert, Hartmut wrote:
Hi all! I have performed some tests with the comp match module (yes it runs if you work around ITS 6556 ;-)).
Does anybody know how the esnacc error can be avoided?
The people who wrote the component matching code left the Project long ago, and no one has stepped in to take over its maintenance since. At this point you probably know more about the component matching code than anyone else on this list. The only thing I remember from looking at it is that the indexing support they wrote for back-bdb/hdb didn't take any thread safety into account and I had to rip it all out because otherwise it would simply crash.
If you can make this code do anything useful please follow up to the ITS with any further patches.
Hi,
I'm using openldap 2.4.19 to set up an ldap server with sasl, but I get some problems.
I followed the instruction in http://www.openldap.org/doc/admin24/sasl.html to do the installation.
1. I install cyrus-sasl-2.1.22 successfully, and use the Cyrus SASL sample_client and sample_server to test my SASL installation before attempting to make use of it with OpenLDAP Software.
2. Then I install openldap with commands:
#export CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include -I/usr/local/sasl2/include"
#export LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib -L/usr/local/sasl2/lib -L/usr/local/sasl2/lib/sasl2"
# export LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.8/lib"
#./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes
#make depend
#make
#make test
#make install
#cp /usr/local/openldap/var/openldap-data/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG
There was no error during the install.
3. Then I configure the slapd.conf to be like this:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
authz-policy to
sasl-regexp "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
database bdb
suffix "dc=example,dc=com"
rootdn "uid=111,cn=digest-md5,cn=auth"
4. Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login ntlm cram-md5 digest-md5
5. Then I start slapd with command 'slapd -d 1', and run ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389', but fails with reason: user not found: no secret in database. The log of slapd is:
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1276849696
ber_get_next
conn=1 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1276849697
ber_get_next
conn=1 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=1 sd=12
What am I doing wrong?
Thanks
liji
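To make the slap_sasl2dn / rewrite_rule_apply lines in the log above concrete, here is an added example (written for this page, not slapd's own code) of the mapping slapd performs for sasl-regexp / authz-regexp. The identity handed to the rules has the form uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth, with the cn=<realm> component omitted when the mechanism negotiated no realm (the log shows uid=liji1,cn=digest-md5,cn=auth); slapd normalizes it to lower case before matching (the dnNormalize lines) and compiles the pattern case-insensitively, which is why the thread's later rule written with cn=DIGEST-MD5 still matched. A replacement that is an LDAP URL makes slapd run an internal search that must return exactly one entry. The in-memory directory, the entries and the extra realm/scope cases are constructed for the example and go beyond what the thread shows; the example returns None for a failed mapping and does not model what slapd does with the unmapped identity afterwards.

```python
"""How slapd turns a SASL authentication identity into a DN via authz-regexp.
Added example, not slapd code; the directory and entries below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sasl_auth_dn(authcid: str, mech: str, realm: Optional[str] = None) -> str:
    """The name slapd builds before mapping: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth.
    cn=<realm> appears only when the mechanism negotiated a realm. The result is
    lower-cased here to mirror the dnNormalize lines in the log."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts).lower()


@dataclass
class Rule:
    pattern: "re.Pattern"
    replacement: str


def compile_rules(pairs: List[Tuple[str, str]]) -> List[Rule]:
    # slapd compiles the match side case-insensitively. There is no implicit
    # anchoring: write ^ and $ yourself when you mean them.
    return [Rule(re.compile(p, re.IGNORECASE), r) for p, r in pairs]


def _expand(template: str, m: "re.Match") -> str:
    """Substitute $1..$9 from the match into the replacement."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


LDAP_URL = re.compile(r"^ldap:///(?P<base>[^?]*)\?(?P<attrs>[^?]*)\?(?P<scope>[^?]*)\?(?P<filter>.*)$")
EQ_FILTER = re.compile(r"^\(([\w-]+)=([^)]*)\)$")


def _parent(dn: str) -> str:
    return dn.split(",", 1)[1] if "," in dn else ""


def search(directory: Dict[str, Dict[str, List[str]]], base: str, scope: str, flt: str) -> List[str]:
    """Stand-in for the internal search slapd runs for URL-form rules.
    Only a single equality filter (attr=value) or (attr=*) is supported here."""
    m = EQ_FILTER.match(flt)
    if not m:
        raise ValueError(f"unsupported filter in this example: {flt}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    base = base.lower()
    hits = []
    for dn, attrs in directory.items():
        d = dn.lower()
        if scope == "base":
            in_scope = d == base
        elif scope == "one":
            in_scope = _parent(d) == base
        else:  # sub / subtree
            in_scope = d == base or d.endswith("," + base)
        values = attrs.get(attr, [])
        matched = bool(values) if value == "*" else any(v.lower() == value for v in values)
        if in_scope and matched:
            hits.append(dn)
    return hits


def map_identity(sasl_dn: str, rules: List[Rule], directory: Dict[str, Dict[str, List[str]]]) -> Optional[str]:
    """First matching rule wins. A plain-DN replacement is used as-is; an LDAP URL
    replacement is searched and must yield exactly one entry, else the mapping fails."""
    for rule in rules:
        m = rule.pattern.search(sasl_dn)
        if not m:
            continue
        target = _expand(rule.replacement, m)
        url = LDAP_URL.match(target)
        if url is None:
            return target
        hits = search(directory, url["base"], url["scope"] or "base", url["filter"] or "(objectClass=*)")
        return hits[0] if len(hits) == 1 else None
    return None


# Constructed directory, not the thread's data.
DIRECTORY = {
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "cn=liji1,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["liji1"], "uid": ["liji1"]},
    "cn=liji1,ou=staff,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "cn": ["liji1"]},
}
```

The two rule styles from the thread are both exercised: the DN-form rule rewrites uid=liji1,cn=digest-md5,cn=auth to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth without touching the directory, and the URL-form rule resolves the same identity to an entry under ou=people; a subtree search that finds two cn=liji1 entries fails the mapping.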
On 21/06/10 09:52 +0800, LI Ji D wrote:
- Then I configure the slapd.conf to be like this:
authz-policy to
sasl-regexp "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
database bdb
suffix "dc=example,dc=com"
rootdn "uid=111,cn=digest-md5,cn=auth"
Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login ntlm cram-md5 digest-md5
Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389', but fails with reason: user not found: no secret in database. The log of slapd is:
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
It's not clear which user credentials are being retrieved from sasldb. Is it uid=liji1,cn=digest-md5,cn=auth or liji1?
You could increase your cyrus debugging to get more information out of syslog: Add an:
auth.debug...
to your syslog configuration, and add this to your /usr/lib/sasl2/slapd.conf:
log_level: 7
Hi White,
1. I expect the user credentials of liji1 to be retrieved from sasldb. I create user liji1 with the command saslpasswd2 -c liji1, and follow the administrator guide: the DIGEST-MD5 mechanism produces authentication IDs of the form uid=<username>,cn=<realm>,cn=digest-md5,cn=auth, so I think ldap would use uid=liji1,cn=digest-md5,cn=auth to retrieve from sasldb.
2. I have added auth.debug and log_level: 7, reran the test, and got the logs below:
Syslog:
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 fd=12 ACCEPT from IP=127.0.0.1:59928 (IP=0.0.0.0:389)
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SRCH attr=supportedSASLMechanisms
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 BIND dn="" method=163
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
Jun 22 10:17:17 bjims31 ldapwhoami: DIGEST-MD5 client step 2
Jun 22 10:17:20 bjims31 ldapwhoami: DIGEST-MD5 client step 2
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 BIND dn="" method=163
Jun 22 10:17:20 bjims31 slapd[19846]: SASL [conn=0] Failure: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 fd=12 closed (connection lost)
Slapd log:
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1277173037
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=""
ber_flush2: 82 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1277173037
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 269 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1277173040
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=0 sd=12
-----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Tuesday, June 22, 2010 1:06 AM To: LI Ji D Cc: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
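An added example (not slapd code) that pulls SASL bind outcomes out of slapd syslog output of the kind quoted above: it remembers the client address from each ACCEPT line, pairs every BIND op with its RESULT on the same connection, drops err=14 (saslBindInProgress, the server sending its challenge) as the intermediate step it is, and reports the final verdict with the SASL text. method=163 is 0xa3, the BER tag of the sasl choice in a BindRequest, which is how a SASL bind is told apart from a simple one before any mech= line appears. The sample lines are constructed after the excerpt above; the lines for the successful bind on conn=1 (the BIND authcid= and BIND dn=... mech=DIGEST-MD5 lines) are an assumption about slapd's stats-level format and not taken from the thread.

```python
"""Extract SASL bind outcomes from slapd syslog (stats loglevel) lines.
Added example, not slapd code. The log below is constructed, modelled on the
thread's excerpt; the conn=1 success lines are assumed, not copied from it."""
import re
from typing import Dict, List

SAMPLE_LOG = """\
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 fd=12 ACCEPT from IP=127.0.0.1:59928 (IP=0.0.0.0:389)
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 BIND dn="" method=163
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 BIND dn="" method=163
Jun 22 10:17:20 bjims31 slapd[19846]: SASL [conn=0] Failure: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 fd=12 closed (connection lost)
Jun 22 10:18:02 bjims31 slapd[19846]: conn=1 fd=13 ACCEPT from IP=10.0.0.7:41022 (IP=0.0.0.0:389)
Jun 22 10:18:02 bjims31 slapd[19846]: conn=1 op=0 BIND dn="" method=163
Jun 22 10:18:02 bjims31 slapd[19846]: conn=1 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
Jun 22 10:18:03 bjims31 slapd[19846]: conn=1 op=1 BIND dn="" method=163
Jun 22 10:18:03 bjims31 slapd[19846]: conn=1 op=1 BIND authcid="liji1" authzid="liji1"
Jun 22 10:18:03 bjims31 slapd[19846]: conn=1 op=1 BIND dn="uid=liji1,cn=bjims31,cn=digest-md5,cn=auth" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
Jun 22 10:18:03 bjims31 slapd[19846]: conn=1 op=1 RESULT tag=97 err=0 text=
""".splitlines()

# Only lines of the form "slapd[pid]: conn=N ..." carry per-operation records;
# the "SASL [conn=0] Failure" line deliberately does not match and is skipped.
LINE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT = re.compile(r"fd=\d+ ACCEPT from IP=(?P<ip>[^:]+):\d+")
BIND = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"(?: method=(?P<method>\d+))?(?: mech=(?P<mech>\S+))?')
RESULT = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+) text=(?P<text>.*)$")

SASL_BIND_IN_PROGRESS = 14   # challenge sent; verdict comes with a later op
SASL_METHOD = "163"          # 0xa3: the [3] sasl choice in BindRequest


def bind_outcomes(lines: List[str]) -> List[Dict]:
    """One record per completed bind: conn, op, client ip, err, text, and for
    SASL binds the flag plus mech/dn once slapd logs them."""
    conn_ip: Dict[str, str] = {}
    pending: Dict[tuple, Dict] = {}
    outcomes: List[Dict] = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        a = ACCEPT.match(rest)
        if a:
            conn_ip[conn] = a["ip"]
            continue
        b = BIND.match(rest)
        if b:
            info = pending.setdefault((conn, b["op"]),
                                      {"conn": conn, "op": b["op"], "ip": conn_ip.get(conn), "sasl": False})
            if b["method"] == SASL_METHOD:
                info["sasl"] = True
            if b["mech"]:
                info["mech"] = b["mech"]
            if b["dn"]:
                info["dn"] = b["dn"]
            continue
        r = RESULT.match(rest)
        if r:
            info = pending.pop((conn, r["op"]),
                               {"conn": conn, "op": r["op"], "ip": conn_ip.get(conn), "sasl": False})
            err = int(r["err"])
            if err == SASL_BIND_IN_PROGRESS:
                continue
            info["err"] = err
            info["text"] = r["text"]
            outcomes.append(info)
    return outcomes


def failed_sasl_binds(lines: List[str]) -> List[Dict]:
    """The records worth alerting on: SASL binds whose final result is non-zero."""
    return [o for o in bind_outcomes(lines) if o["sasl"] and o["err"] != 0]
```

Run over the constructed log this yields two completed binds: conn=0 op=2 from 127.0.0.1 ending in err=49 with the "no secret in database" text, and conn=1 op=1 from 10.0.0.7 succeeding as DIGEST-MD5 with the mapped DN; only the first is returned by failed_sasl_binds.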
Hi,
I tried again with the following steps:
1. saslpasswd2 -c admin
2. configure slapd.conf:
sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth uid=$1,ou=People,o=Ever
database bdb
suffix "ou=people,o=Ever"
rootdn "uid=admin,ou=People,o=Ever"
3. I use the following LDIF file:
dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization

dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with Organization products
objectClass: top
objectClass: organizationalUnit

dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit

dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Adminstrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson

dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: admin@eversystems.com.br
uid: admin
cn: Administrator
sn: admin
4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
5. ./ldapsearch -U admin -Y DIGEST-MD5
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
6. slapd log is:
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1277198750
ber_get_next
conn=0 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1277198752
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=admin,ou=People,o=Ever'}
slap_parseURI: parsing uid=admin,ou=People,o=Ever
ldap_url_parse_ext(uid=admin,ou=People,o=Ever)
dnNormalize: <uid=admin,ou=People,o=Ever>
<<< dnNormalize: <uid=admin,ou=people,o=ever>
<==slap_sasl2dn: Converted SASL name to uid=admin,ou=people,o=ever
slap_sasl_getdn: dn:id converted to uid=admin,ou=people,o=ever
=> bdb_search
bdb_dn2entry("uid=admin,ou=people,o=ever")
=> bdb_dn2id("ou=people,o=ever")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("uid=admin,ou=people,o=ever")
<= bdb_dn2id: got id=0x2
entry_decode: "uid=admin,ou=People,o=Ever"
<= entry_decode(uid=admin,ou=People,o=Ever)
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=0 op=1 p=3
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=0 sd=12
why would this happen?
-----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Tuesday, June 22, 2010 1:06 AM To: LI Ji D Cc: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi,
I tried again with following steps:
dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
[...]
slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
./ldapsearch -U admin -Y DIGEST-MD5
[...]
You have the attribute value for userPassword hashed with SHA, that is, the password hash has a length of 32 bit. SASL requires a plain text password in order to create a challenge; a challenge based on a 32-bit string is different from a challenge based on a plain text password string.
-Dieter
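As an added illustration of the point about hashed passwords (example code written for this page, not Cyrus SASL or slapd code): DIGEST-MD5 as specified in RFC 2831 derives the client's response and the server's rspauth from MD5(username:realm:password), so the verifying side needs either the plaintext password or that 16-byte value, which is what a pre-computed cmusaslsecretDIGEST-MD5 value holds (the attribute slapd is seen looking up in the log earlier in this thread). A one-way {SHA} hash of the bare password cannot be turned into it, so a server holding only that has no usable secret. Both sides of the exchange are implemented below; the username, realm, digest-uri, nonces and passwords are constructed, and the lookup callable stands in for whatever auxprop store (sasldb or a directory entry) the server consults.

```python
"""DIGEST-MD5 (RFC 2831) bind, both sides, to show what secret the server needs.
Added example, not Cyrus SASL or slapd code; all values are constructed."""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Callable, Optional, Tuple


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ha1_secret(username: str, realm: str, password: str) -> bytes:
    """MD5(username:realm:password): the only derivative of the password that
    DIGEST-MD5 can be computed from. A stored cmusaslsecretDIGEST-MD5 value is
    exactly this; a {SHA} hash of the bare password cannot be converted into it."""
    return _md5(f"{username}:{realm}:{password}".encode())


def digest_value(ha1: bytes, nonce: str, cnonce: str, nc: str, qop: str,
                 digest_uri: str, method: str) -> str:
    """response-value (method="AUTHENTICATE") or rspauth (method="") per RFC 2831 2.1.2.1."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode()
    a2 = f"{method}:{digest_uri}".encode()
    return _md5hex(f"{_md5hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5hex(a2)}".encode())


_DIRECTIVE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')


def parse_directives(msg: str) -> dict:
    """Parse the comma-separated key=value / key="value" directives of a challenge or response."""
    return {k: (q or b) for k, q, b in _DIRECTIVE.findall(msg)}


def server_challenge(realm: str) -> str:
    return f'realm="{realm}",nonce="{secrets.token_hex(16)}",qop="auth",charset=utf-8,algorithm=md5-sess'


def client_response(challenge: str, username: str, password: str, digest_uri: str) -> Tuple[str, str]:
    """Returns the response message and the rspauth the client will expect back."""
    c = parse_directives(challenge)
    cnonce, nc = secrets.token_hex(16), "00000001"
    ha1 = ha1_secret(username, c["realm"], password)
    resp = digest_value(ha1, c["nonce"], cnonce, nc, c["qop"], digest_uri, "AUTHENTICATE")
    expect = digest_value(ha1, c["nonce"], cnonce, nc, c["qop"], digest_uri, "")
    msg = (f'username="{username}",realm="{c["realm"]}",nonce="{c["nonce"]}",cnonce="{cnonce}",'
           f'nc={nc},qop={c["qop"]},digest-uri="{digest_uri}",response={resp},charset=utf-8')
    return msg, expect


Secret = Tuple[str, object]   # ("plain", password) | ("ha1", 16 bytes) | ("sha", base64 text)


def server_verify(response: str, nonce: str, lookup: Callable[[str, str], Optional[Secret]]) -> Optional[str]:
    """Returns rspauth on success, None on failure. lookup(username, realm) plays
    the auxprop store; None from it is the 'no secret in database' case."""
    r = parse_directives(response)
    if r.get("nonce") != nonce:
        return None                                   # replayed or foreign challenge
    stored = lookup(r["username"], r["realm"])
    if stored is None:
        return None
    kind, secret = stored
    if kind == "plain":
        ha1 = ha1_secret(r["username"], r["realm"], secret)
    elif kind == "ha1":
        ha1 = secret
    else:
        return None                                   # one-way hash of the bare password: unusable
    expected = digest_value(ha1, nonce, r["cnonce"], r["nc"], r["qop"], r["digest-uri"], "AUTHENTICATE")
    if not hmac.compare_digest(expected, r["response"]):
        return None
    return digest_value(ha1, nonce, r["cnonce"], r["nc"], r["qop"], r["digest-uri"], "")


def exchange(stored_as: str, typed_password: str, real_password: str = "s3cr3t",
             username: str = "liji1", realm: str = "bjims31") -> bool:
    """Run one bind against a store holding the password as plain, ha1 or sha.
    True only if the server accepts the client and the client accepts rspauth."""
    if stored_as == "plain":
        secret: Secret = ("plain", real_password)
    elif stored_as == "ha1":
        secret = ("ha1", ha1_secret(username, realm, real_password))
    else:   # what a userPassword: {SHA}... value gives the server
        secret = ("sha", base64.b64encode(hashlib.sha1(real_password.encode()).digest()).decode())
    challenge = server_challenge(realm)
    nonce = parse_directives(challenge)["nonce"]
    msg, expected_rspauth = client_response(challenge, username, typed_password, "ldap/localhost")
    rspauth = server_verify(msg, nonce, lambda u, r: secret if (u, r) == (username, realm) else None)
    return rspauth is not None and hmac.compare_digest(rspauth, expected_rspauth)
```

Storing the HA1 form rather than the plaintext is the usual compromise: it is not reversible to the password, but it is realm-bound and is itself a password-equivalent for DIGEST-MD5, so it needs the same access protection as the plaintext would.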
Hi,
This is my comprehension:
1. The client connects to SLAPD requesting a SASL bind.
2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for settings) to tell the client how to authenticate. In this case, it tells the client to use DIGEST-MD5.
3. The client sends the authentication information to SLAPD.
4. SLAPD performs the translation specified in authz-regexp.
5. SLAPD then checks the client's response (using the SASL subsystem) against the information in /etc/sasldb2.
6. When the client authentication succeeds, OpenLDAP runs the search and returns the results to the client.
So SLAPD just compares the password received from the client with the one stored in sasldb2; how could it relate to the one stored in ldap like "userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="?
-----Original Message----- From: openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org [mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org] On Behalf Of Dieter Kluenter Sent: Wednesday, June 23, 2010 3:33 AM To: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, This is my comprehension:
- The client is connecting to SLAPD requesting an SASL bind.
- SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for settings) to tell the client how to authenticate. In this case, it tells the client to use DIGEST-MD5.
- The client sends the authentication information to SLAPD.
- SLAPD performs the translation specified in authz-regexp.
- SLAPD then checks the client's response (using the SASL subsystem) against the information in /etc/sasldb2.
- When the client authentication succeeds, OpenLDAP runs the search and returns the results to the client.
So SLAPD just compares the password received form client and the one stored in sasldb2, how could it relate to the one stored in ldap like "userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= " ?
Sorry, my bad. I forgot that you use sasldb as an external authentication source. My remarks were based on an internal sasl authentication. Try to raise the debug level in sasl/slapd.conf, something like 'loglevel: 7'. If you use syslog, allow sasl to log to auth.
-Dieter
Hi Klünter,
Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
1. My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1) binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
2. I also create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
3. I use saslpasswd2 to create the user and password.
Can you help to check this?
-----Original Message----- From: openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org [mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org] On Behalf Of Dieter Kluenter Sent: Thursday, June 24, 2010 1:07 AM To: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi Klünter,
Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
- My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1) binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
- I also create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
- I use saslpasswd2 to create the user and password.
Can you help to check this?
Two questions:
1. Has slapd been compiled with spasswd? The default setting is no.
2. Does the identity that runs slapd have read access to sasldb? On most systems slapd runs as user ldap and sasldb is owned by root.
-Dieter
Hi,
1. How do I compile slapd with spasswd? I think I haven't done that.
2. I run slapd as root, so that should not be a problem.
-----Original Message----- From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter Sent: Thursday, August 05, 2010 5:12 PM To: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi,
- How to compile slapd with spasswd. I think I haven't done that
- I run slapd as root. So it should not be problem.
Get the sources, run ./configure --help | less
-Dieter
Hi, I checked my install steps and found that I'm using ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes. So slapd should have been compiled with spasswd, but it's still not working.
-----Original Message----- From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter Sent: Thursday, August 05, 2010 6:50 PM To: openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 05/08/10 16:35 +0800, LI Ji D wrote:
Hi, Klünter Now I can use sasl to authenticate, but openldap seems using the password attribute stored in user in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
- My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1) binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
- and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
You may have hit the same issue that Brent did. Most likely you will need to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.
Alternatively, you can set the environment variable SASL_CONF_PATH to instruct the sasl glue library where to search for config files. See the man page for sasl_getconfpath_t for details.
Hi, I have linked /usr/lib/sasl2 to /usr/local/sasl2/lib/sasl2/, so I think that will not be the problem.
-----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Friday, August 06, 2010 10:35 AM To: LI Ji D Cc: Dieter Kluenter; openldap-technical@openldap.org Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 05/08/10 16:35 +0800, LI Ji D wrote:
Hi, Klünter Now I can use sasl to authenticate, but openldap seems using the password attribute stored in user in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
- My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
- and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
You may have hit the same issue that Brent did. Most likely you will need to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.
Alternatively, you can set the environment variable SASL_CONF_PATH to instruct the sasl glue library where to search for config files. See the man page for sasl_getconfpath_t for details.
Hi, I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com to test SASL authentication; slapd's log is below:
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281064438
ber_get_next
conn=2 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 2 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 2 exit.
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281064438
ber_get_next
conn=2 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1281064441
ber_get_next
conn=2 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
send_ldap_result: conn=2 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
=> bdb_search
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
ber_flush2: 64 bytes to sd 12
<== slap_sasl_bind: rc=0
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ldap_pvt_sasl_generic_install
ber_get_next
ber_get_next: tag 0x30 len 72 contents:
op tag 0x63, time 1281064441
ber_get_next
conn=2 op=3 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <ou=people,dc=example,dc=com>
<<< dnPrettyNormal: <ou=people,dc=example,dc=com>, <ou=people,dc=example,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=2
=> bdb_dn2idl("ou=people,dc=example,dc=com")
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=-1 first=1 last=2
=> send_search_entry: conn 2 dn="ou=people,dc=example,dc=com"
ber_flush2: 172 bytes to sd 12
<= send_search_entry: conn 2 exit.
=> send_search_entry: conn 2 dn="cn=admin,ou=people,dc=example,dc=com"
ber_flush2: 452 bytes to sd 12
<= send_search_entry: conn 2 exit.
send_ldap_result: conn=2 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1281064441
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
conn=2 op=4 do_unbind
connection_close: conn=2 sd=12
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Friday, August 06, 2010 10:35 AM
To: LI Ji D
Cc: Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 05/08/10 16:35 +0800, LI Ji D wrote:
Hi, Klünter. Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
- My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
- and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
You may have hit the same issue that Brent did. Most likely you will need to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.
Alternatively, you can set the environment variable SASL_CONF_PATH to instruct the sasl glue library where to search for config files. See the man page for sasl_getconfpath_t for details.
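The slapd trace LI posted shows the step that turns a SASL authentication identity into a directory entry: slap_sasl_getdn builds uid=admin,cn=DIGEST-MD5,cn=auth, the authz-regexp rule rewrites it to an ldap:/// URL, and slap_sasl2dn runs that URL as an internal one-level search under ou=people. The Python below is an added example (not code from this thread, OpenLDAP or Cyrus SASL) that models exactly that mapping: the rule from the posted slapd.conf, case-insensitive matching as the trace shows (the normalized cn=digest-md5 still matched the rule written as cn=DIGEST-MD5), $1 expansion, and RFC 4516 URL parsing into base, scope and filter. As a design choice of this model, and not a statement about what slapd's rewrite engine does, the captured group is escaped per RFC 4515 before it lands in a filter (or per RFC 4514 when a rule maps straight to a DN), so a username containing * or ) cannot widen the search. The function names are mine; the DN-form rule in the test is constructed.

```python
import re
from urllib.parse import unquote

# authz-regexp rules as (regex, replacement) pairs; this one is the rule
# from the slapd.conf posted in the thread.
AUTHZ_REGEXP_RULES = [
    (r"uid=(.*),cn=DIGEST-MD5,cn=auth",
     "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)"),
]

# Escaping applied to captured groups before substitution (a choice of
# this model; see the lead-in). RFC 4515 for filter values, RFC 4514 for
# DN values.
_FILTER_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_DN_SPECIAL = set('\\,+"<>;')


def escape_filter_value(value):
    return "".join(_FILTER_ESC.get(c, c) for c in value)


def escape_dn_value(value):
    return "".join("\\" + c if c in _DN_SPECIAL else c for c in value)


def rewrite_sasl_name(sasl_name, rules=AUTHZ_REGEXP_RULES):
    """Return the first matching rule's replacement with $N expanded, or None.

    Matching is case-insensitive, as the slapd trace in the thread shows.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_name, flags=re.IGNORECASE)
        if m is None:
            continue
        is_url = replacement.lower().startswith("ldap://")
        escape = escape_filter_value if is_url else escape_dn_value
        return re.sub(r"\$(\d)", lambda g: escape(m.group(int(g.group(1)))), replacement)
    return None


_SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub", "subtree": "sub"}


def parse_ldap_url(url):
    """Split ldap://host/base?attrs?scope?filter into its parts (RFC 4516)."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    host, _, path = url[len("ldap://"):].partition("/")
    base, attrs, scope, filt = (unquote(p) for p in (path.split("?") + [""] * 4)[:4])
    if scope.lower() not in _SCOPES:
        raise ValueError("bad scope %r in %r" % (scope, url))
    return {
        "host": host or None,
        "base": base,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": _SCOPES[scope.lower()],
        "filter": filt or "(objectClass=*)",
    }


def sasl_name_to_lookup(sasl_name, rules=AUTHZ_REGEXP_RULES):
    """What happens next for this SASL name: an internal search, a fixed DN, or nothing."""
    target = rewrite_sasl_name(sasl_name, rules)
    if target is None:
        return None
    if target.lower().startswith("ldap://"):
        return {"kind": "search", **parse_ldap_url(target)}
    return {"kind": "dn", "dn": target}


if __name__ == "__main__":
    for name in ("uid=admin,cn=digest-md5,cn=auth", "uid=bob,cn=GSSAPI,cn=auth"):
        print(name, "->", sasl_name_to_lookup(name))
```

Running it on the name from the trace yields a one-level search under ou=people,dc=example,dc=com with filter (cn=admin), which is what slap_sasl2dn reports performing; a name no rule matches yields None, and slapd would then have no DN to bind as.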
Hi,
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com to test SASL authentication, slapd's log is below:
[...]
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
[...]
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
[...]
According to the logs and slapd.conf you are initiating a proxy authorization, but you have not defined such in slapd.conf. Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo attribute types.
-Dieter
Hi, Could you tell me how to read man slapd.conf(5)? I tried man slapd.conf(5), man slapd.conf in command line, but no entry found.
-----Original Message-----
From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com to test SASL authentication, slapd's log is below:
[...]
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
[...]
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
[...]
According to the logs and slapd.conf you are initiating a proxy authorization, but you have not defined such in slapd.conf. Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo attribute types.
-Dieter
Hi, I have read slapd.conf(5) on authz-policy, and I'm confused now. And I find that I gave you the incorrect slapd.conf; the correct one is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
#binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
There is no proxy.
-----Original Message-----
From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com to test SASL authentication, slapd's log is below:
[...]
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com" sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
[...]
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
[...]
According to the logs and slapd.conf you are initiating a proxy authorization, but you have not defined such in slapd.conf. Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo attribute types.
-Dieter
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, Klünter. Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
Enable debugging of the sasl library. Set debug 7 in sasl2/slapd.conf and enable syslog to log auth.
-Dieter
Hi,
1. I add an "auth.debug ..." line to my syslog configuration, and add this to my /usr/lib/sasl2/slapd.conf: log_level: 7
So slapd.conf is:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
log_level: 7
and syslog.conf is:
*.debug;mail.none;;cron.none /var/log/messages
auth.debug /var/log/secure
2. Then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
Log in /var/log/secure is:
Aug 9 14:53:54 bjims31 last message repeated 2 times
Aug 9 14:54:04 bjims31 last message repeated 3 times
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
And log in /var/log/messages is:
Aug 9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn="" method=163
Aug 9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="" method=163
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid="admin" authzid="admin"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="cn=admin,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=2 text=
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=4 UNBIND
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 fd=12 closed
-----Original Message-----
From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 6:37 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, Klünter. Now I can use sasl to authenticate, but openldap seems to be using the password attribute stored in the user in openldap to do the sasl. I expect openldap to use sasldb as an external source to do the authentication.
Enable debugging of the sasl library. Set debug 7 in sasl2/slapd.conf and enable syslog to log auth.
-Dieter
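Dieter's advice is to read the outcome off the stats log, and the /var/log/messages excerpt above is enough to do that mechanically. The following is an added example (not code from this thread, OpenLDAP or Cyrus SASL): a small Python parser that reconstructs the bind sequence per connection from slapd's syslog stats lines, using the lines LI posted as its sample input. It skips the ldapsearch client lines and the back-bdb "not indexed" lines, treats err=14 (SASL bind in progress) as a continuation rather than a failure, takes the first IP= on the ACCEPT line so the peer address is recorded rather than the listener's, and reports which connections ended with a successful bind, under which DN, mechanism and SSF. That last report is what a defender wants when confirming that a SASL mechanism with integrity/confidentiality was in fact negotiated. The field names (conn, op, BIND, RESULT, ACCEPT, mech, ssf, authcid) are those of the posted log; the function names are mine.

```python
import re

# Sample input: the /var/log/messages lines posted in the thread, verbatim.
SAMPLE_LOG = """\
Aug 9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn="" method=163
Aug 9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="" method=163
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid="admin" authzid="admin"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="cn=admin,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=2 text=
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=4 UNBIND
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 fd=12 closed
"""

# Only slapd's own lines carry conn=/op= fields; everything else is skipped.
_SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# key=value, where a value may be a double-quoted string containing spaces or commas.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(msg):
    """key=value pairs of one stats line; the first value of a repeated key wins,
    so ACCEPT yields the peer address (IP=127.0.0.1:46747), not the listener's."""
    fields = {}
    for key, value in _KV_RE.findall(msg):
        fields.setdefault(key, value.strip('"'))
    return fields


def summarize_binds(lines):
    """Per connection: peer address, every bind op with its fields and status, and whether it closed."""
    sessions = {}
    for line in lines:
        m = _SYSLOG_RE.match(line)
        if m is None:
            continue  # client-side lines, "last message repeated", etc.
        msg = m.group("msg")
        f = parse_fields(msg)
        if "conn" not in f:
            continue  # backend debug lines such as "<= bdb_equality_candidates ..."
        s = sessions.setdefault(f["conn"], {"peer": None, "binds": {}, "closed": False})
        if " ACCEPT " in msg:
            s["peer"] = f.get("IP")
        elif " BIND " in msg:
            # A SASL bind is logged over several lines for the same op; merge them.
            b = s["binds"].setdefault(f["op"], {})
            for key in ("dn", "mech", "authcid", "authzid", "sasl_ssf", "ssf"):
                if key in f:
                    b[key] = f[key]
        elif " RESULT " in msg and f.get("op") in s["binds"]:
            err = int(f["err"])
            # err=14 is saslBindInProgress: the exchange continues on a later op.
            b = s["binds"][f["op"]]
            b["status"] = {0: "success", 14: "in-progress"}.get(err, "failed err=%d" % err)
        elif " closed" in msg:
            s["closed"] = True
    return sessions


def successful_binds(sessions):
    """(conn, dn, mech, ssf) for every bind that completed with err=0."""
    out = []
    for conn, s in sessions.items():
        for b in s["binds"].values():
            if b.get("status") == "success":
                out.append((conn, b.get("dn"), b.get("mech", "simple"), b.get("ssf")))
    return out


if __name__ == "__main__":
    for conn, dn, mech, ssf in successful_binds(summarize_binds(SAMPLE_LOG.splitlines())):
        print("conn=%s bound as %s via %s ssf=%s" % (conn, dn, mech, ssf))
```

On the posted lines this reports one successful bind on conn=2 as cn=admin,ou=people,dc=example,dc=com via DIGEST-MD5 with ssf=128, with op=1 recorded as the in-progress first round trip; conn=1 appears only as a closed connection with no bind at all.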
Hi,
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi,
- I add an "auth.debug ..." line to my syslog configuration, and add this to my /usr/lib/sasl2/slapd.conf: log_level: 7
So slapd.conf is:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
log_level: 7
and syslog.conf is:
*.debug;mail.none;;cron.none /var/log/messages
auth.debug /var/log/secure
- Then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
Log in /var/log/secure is:
Aug 9 14:53:54 bjims31 last message repeated 2 times
Aug 9 14:54:04 bjims31 last message repeated 3 times
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
And log in /var/log/messages is:
Aug 9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn="" method=163
Aug 9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="" method=163
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid="admin" authzid="admin"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="cn=admin,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
This is a successful bind, what is your problem here?
-Dieter
Hi, My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not; it uses the password stored in the userpassword attribute of this user, which is an item of openldap. So I want to know, how can slapd use the password stored in sasldb to do the sasl authentication?
Thanks
-----Original Message-----
From: openldap-technical-bounces@openldap.org [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Monday, August 09, 2010 4:48 PM
To: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi,
- I add an "auth.debug ..." line to my syslog configuration, and add this to my /usr/lib/sasl2/slapd.conf: log_level: 7
So slapd.conf is:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
log_level: 7
and syslog.conf is:
*.debug;mail.none;;cron.none /var/log/messages
auth.debug /var/log/secure
- Then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
Log in /var/log/secure is:
Aug 9 14:53:54 bjims31 last message repeated 2 times
Aug 9 14:54:04 bjims31 last message repeated 3 times
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
And log in /var/log/messages is:
Aug 9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747 (IP=0.0.0.0:389)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn="" method=163
Aug 9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="" method=163
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid="admin" authzid="admin"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="cn=admin,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
This is a successful bind, what is your problem here?
-Dieter
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not; it uses the password stored in the userpassword attribute of this user, which is an item of openldap. So I want to know, how can slapd use the password stored in sasldb to do the sasl authentication?
Why do you store a password in the directory if you don't make use of it? To delegate authentication to an external framework, you should tell slapd to do so. Please read the admin guide, in particular section 14.5 Pass-Through authentication.
-Dieter
On 09/08/10 16:56 +0800, LI Ji D wrote:
Hi, My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not; it uses the password stored in the userpassword attribute of this user, which is an item of openldap. So I want to know, how can slapd use the password stored in sasldb to do the sasl authentication?
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb did not provide the expected response. Regardless of whether I set it to slapd or sasldb, the server authenticates my digest-md5 sasl bind using the internal slapd plugin.
I recommend you file a bug report.
Dan White wrote:
On 09/08/10 16:56 +0800, LI Ji D wrote:
Hi, My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not; it uses the password stored in the userpassword attribute of this user, which is an item of openldap. So I want to know, how can slapd use the password stored in sasldb to do the sasl authentication?
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb did not provide the expected response. Regardless of whether I set it to slapd or sasldb, the server authenticates my digest-md5 sasl bind using the internal slapd plugin.
I recommend you file a bug report.
File the bug with the correct people. OpenLDAP doesn't do anything in particular with SASL configuration. If you can't get the desired behavior by setting the SASL config file, then file a bug against Cyrus SASL.
On 09/08/10 14:52 -0700, Howard Chu wrote:
Dan White wrote:
On 09/08/10 16:56 +0800, LI Ji D wrote:
Hi, My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not; it uses the password stored in the userpassword attribute of this user, which is an item of openldap. So I want to know, how can slapd use the password stored in sasldb to do the sasl authentication?
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb did not provide the expected response. Regardless of whether I set it to slapd or sasldb, the server authenticates my digest-md5 sasl bind using the internal slapd plugin.
I recommend you file a bug report.
File the bug with the correct people. OpenLDAP doesn't do anything in particular with SASL configuration. If you can't get the desired behavior by setting the SASL config file, then file a bug against Cyrus SASL.
It does! For auxprop_plugin, and auxprop_plugin only. After some digging I found the insertion of a SASL_CB_GETOPT function which replaces whatever auxprop_plugin value is found in the sasl config file with the sasl-auxprops openldap config option, or defaults to 'slapd' if no sasl-auxprops is defined.
It's perfectly documented in the slapd.conf man page... just never occurred to me to look.
LI,
setting:
sasl-auxprops sasldb
within the openldap slapd.conf works for me.
Dan White wrote:
On 09/08/10 14:52 -0700, Howard Chu wrote:
Dan White wrote:
On 09/08/10 16:56 +0800, LI Ji D wrote:
Hi, My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not; it uses the password stored in the userpassword attribute of this user, which is an item of openldap. So I want to know, how can slapd use the password stored in sasldb to do the sasl authentication?
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb did not provide the expected response. Regardless of whether I set it to slapd or sasldb, the server authenticates my digest-md5 sasl bind using the internal slapd plugin.
I recommend you file a bug report.
File the bug with the correct people. OpenLDAP doesn't do anything in particular with SASL configuration. If you can't get the desired behavior by setting the SASL config file, then file a bug against Cyrus SASL.
It does! For auxprop_plugin, and auxprop_plugin only. After some digging I found the insertion of a SASL_CB_GETOPT function which replaces whatever auxprop_plugin value is found in the sasl config file with the sasl-auxprops openldap config option, or defaults to 'slapd' if no sasl-auxprops is defined.
It's perfectly documented in the slapd.conf man page... just never occurred to me to look.
LI,
setting:
sasl-auxprops sasldb
within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
Hi, I add sasl-auxprops sasldb in the openldap slapd.conf, start slapd, and run /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com. I get the response below:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
That's because the slapd program is stopped for some reason; here is the log of slapd:
slap_listener_activate(7):
slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281422959
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281422959
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=195
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 248 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 326 contents:
op tag 0x60, time 1281422960
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
=> bdb_dn2id("ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x1
entry_decode: "ou=people,dc=example,dc=com"
<= entry_decode(ou=people,dc=example,dc=com)
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
entry_decode: "cn=admin,ou=people,dc=example,dc=com"
<= entry_decode(cn=admin,ou=people,dc=example,dc=com)
=> bdb_dn2id("cn=admin,ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x2
send_ldap_result: conn=0 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
On 09/08/10 14:52 -0700, Howard Chu wrote:
Dan White wrote:
On 09/08/10 16:56 +0800, LI Ji D wrote:
Hi, My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not; it uses the password stored in the userpassword attribute of this user, which is an item of openldap. So I want to know, how can slapd use the password stored in sasldb to do the sasl authentication?
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb did not provide the expected response. Regardless of whether I set it to slapd or sasldb, the server authenticates my digest-md5 sasl bind using the internal slapd plugin.
I recommend you file a bug report.
File the bug with the correct people. OpenLDAP doesn't do anything in particular with SASL configuration. If you can't get the desired behavior by setting the SASL config file, then file a bug against Cyrus SASL.
It does! For auxprop_plugin, and auxprop_plugin only. After some digging I found the insertion of a SASL_CB_GETOPT function which replaces whatever auxprop_plugin value is found in the sasl config file with the sasl-auxprops openldap config option, or defaults to 'slapd' if no sasl-auxprops is defined.
It's perfectly documented in the slapd.conf man page... just never occurred to me to look.
LI,
setting:
sasl-auxprops sasldb
within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
LI Ji D wrote:
Hi,
I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd, run /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com. Gets the response as below:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
that's because slapd program is stopped for some reason, here is the log of slapd:
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
Most likely your sasldb was compiled against a different version of BerkeleyDB than slapd.
In general, using sasldb is a mistake. You cannot administer it remotely, and it has no provisions for re-entrancy / thread-safety.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
On 09/08/10 14:52 -0700, Howard Chu wrote:
Dan White wrote:
On 09/08/10 16:56 +0800, LI Ji D wrote:
Hi,
My problem is that I expect slapd to authenticate with the password stored in sasldb. But it's not; it uses the password stored in the userpassword attribute of this user, which is an item of openldap.
So I want to know, how can slapd use the password stored in sasldb to do the sasl authentication?
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb did not provide the expected response. Regardless of whether I set it to slapd or sasldb, the server authenticates my digest-md5 sasl bind using the internal slapd plugin.
I recommend you file a bug report.
File the bug with the correct people. OpenLDAP doesn't do anything in particular with SASL configuration. If you can't get the desired behavior by setting the SASL config file, then file a bug against Cyrus SASL.
It does! for auxprop_plugin, and auxprop_plugin only. After some digging I found the insertion of a SASL_CB_GETOPT function which replaces whatever auxprop_plugin value is found in the sasl config file with the sasl-auxprops openldap config option, or defaults to 'slapd' if no sasl-auxprops is defined.
It's perfectly documented in the slapd.conf man page... just never occurred to me to look.
LI,
setting:
sasl-auxprops sasldb
within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Hi, I can understand the disadvantage of using sasldb; I just want to test SASL with sasldb. Is there any way I can solve this issue? I can't find out which version of db sasldb is using. Thanks for your response, it helps me a lot.
"LI Ji D" Ji.d.Li@alcatel-lucent.com writes:
Hi, I can understand the disadvantage of using sasldb; I just want to test SASL with sasldb. Is there any way I can solve this issue? I can't find out which version of db sasldb is using.
[...]
ldd /usr/lib/sasl2/libsasldb.so
-Dieter
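As an added example that is not part of the thread or of OpenLDAP itself, the shell functions below apply Dieter's ldd check to both libsasldb.so and slapd, pull out the Berkeley DB soname each one links against, and report the mismatch case Howard diagnosed as the likely cause of the segfault. The file paths are assumptions for a typical install, and the ldd output the block runs on is constructed sample text, so it works offline; the live command is shown in a comment.

```shell
#!/bin/sh
# Added example (not from the thread): compare which Berkeley DB library
# libsasldb.so and slapd each link against. Paths are assumptions.

# Read ldd output on stdin and print the first Berkeley DB soname it
# references (e.g. libdb-4.8.so), or nothing if no libdb-X.Y.so is listed.
bdb_soname_from_ldd() {
    sed -n 's/.*\(libdb-[0-9][0-9.]*\.so\).*/\1/p' | head -n 1
}

# Compare two ldd outputs passed as strings. Prints one of:
#   "match <soname>"            both link the same Berkeley DB version
#   "mismatch <sasldb> <slapd>" different versions: the crash scenario above
#   "unknown"                   one side lists no libdb at all (for instance a
#                               slapd built without back-bdb/hdb)
bdb_link_check() {
    sasldb_so=$(printf '%s\n' "$1" | bdb_soname_from_ldd)
    slapd_so=$(printf '%s\n' "$2" | bdb_soname_from_ldd)
    if [ -z "$sasldb_so" ] || [ -z "$slapd_so" ]; then
        echo unknown
    elif [ "$sasldb_so" = "$slapd_so" ]; then
        echo "match $sasldb_so"
    else
        echo "mismatch $sasldb_so $slapd_so"
    fi
}

# Constructed sample ldd output standing in for the real commands.
SAMPLE_SASLDB_LDD='linux-vdso.so.1 =>  (0x00007fff0b5ff000)
    libdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007f2c1a000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f2c19c00000)'
SAMPLE_SLAPD_LDD='linux-vdso.so.1 =>  (0x00007fff0b7ff000)
    libdb-4.8.so => /usr/local/BerkeleyDB.4.8/lib/libdb-4.8.so (0x00007f8e30000000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f8e2fc00000)
    libc.so.6 => /lib/libc.so.6 (0x00007f8e2f800000)'

# Run against the constructed samples.
bdb_link_check "$SAMPLE_SASLDB_LDD" "$SAMPLE_SLAPD_LDD"

# Live check on a real host (assumed install paths):
#   bdb_link_check "$(ldd /usr/lib/sasl2/libsasldb.so)" \
#                  "$(ldd /usr/local/openldap/libexec/slapd)"
```

A "mismatch" result means the two components would load two different libdb shared objects into the same slapd process, which is the situation Howard's reply points at; rebuilding Cyrus SASL's sasldb plugin against the same Berkeley DB as slapd (or using a different auxprop backend, as the thread recommends) removes it.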
On 10/08/10 14:45 +0800, LI Ji D wrote:
Hi, I can understand the disadvantage of using sasldb; I just want to test SASL with sasldb. Is there any way I can solve this issue? I can't find out which version of db sasldb is using. Thanks for your response, it helps me a lot.
If you have a Debian system, the following should get you a testing environment:
http://web.olp.net/dwhite/openldap/sasldb-notes.txt
openldap-technical@openldap.org