11:26 a.m.
Hi all!
I have performed some tests with the comp match module (yes it runs if
you work around ITS 6556 ;-)).
The result is that the comp match module only works with very simple
X509 certs that use old algorithms!
For example if you use X509 certificates with long serial numbers the
snacc generated asn.1 parser (contained in file certificate.c) fails
decoding the serial number.
Another drawback: The attributes in Name components subject and issuer
(cn, c, o, ou) have to be PrintableStrings; if for example there is an
UTF8String present in the issuer the asn.1 parser fails decoding the
issuer.
All modern algorithms (sha256WithRSA, sha512WithRSA) are not recognized
by the parser; if your X509 certificate is signed with sha256WithRSA the
asn.1 parser fails decoding the AlgorithmIdentifier.
In modern times these drawbacks aren't acceptable. Another appropriate
asn.1 module for the X509 certificate structure has to be compiled with
the openldap esnacc compiler. I would have done this but the openldap
esnacc fails parsing its own modules!!!
See something like this:
openldap@ocsp-openldap24:~/Certificate>
~/openldap-snacc-2.3.6/compiler/esnacc -E BER_COMP -E GSER -t -d -f -I
/home/openldap/openldap-snacc-2.3.6/asn1specs -I . Certificate.asn1
/home/openldap/openldap-snacc-2.3.6/asn1specs/asn1module.asn1(91) :
parse error at symbol ""OID""
Parsing errors---cannot proceed
The code in the asn.1 module:
88 ModuleId ::= SEQUENCE
89 {
90 name MyString,
91 oid OBJECT IDENTIFIER OPTIONAL --snacc cTypeName:"OID"
isPtr:"TRUE"
92 }
93
Does anybody know how the esnacc error can be avoided?
Regards,
Hartmut
5:11 a.m.
Lehnert, Hartmut wrote:
Hi all!
I have performed some tests with the comp match module (yes it runs if you
work around ITS 6556 ;-)).
Does anybody know how the esnacc error can be avoided?
The people who wrote the component matching code left the Project long ago,
and no one has stepped in to take over its maintenance since. At this point
you probably know more about the component matching code than anyone else on
this list. The only thing I remember from looking at it is that the indexing
support they wrote for back-bdb/hdb didn't take any thread safety into account
and I had to rip it all out because otherwise it would simply crash.
If you can make this code do anything useful please followup to the ITS with
any further patches.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
10:52 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
I'm using openldap 2.4.19 to set up an ldap server with sasl, but I
get some problems.
I followed the instruction in
http://www.openldap.org/doc/admin24/sasl.html to do the installation.
1. I install cyrus-sasl-2.1.22 successfully, and use the Cyrus SASL
sample_client and sample_server to test my SASL installation before
attempting to make use of it with OpenLDAP Software.
2. Then I install openldap with commands:
#export CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include
-I/usr/local/sasl2/include"
#export
LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib -L/usr/local/sasl2/lib
-L/usr/local/sasl2/lib/sasl2"
# export
LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.8/lib"
#./configure --prefix=/usr/local/openldap
--sysconfdir=/etc/openldap --enable-passwd --enable-wrappers
--disable-ipv6 --enable-spasswd --enable-crypt --enable-modules
--enable-accesslog=yes
#make depend
#make
#make test
#make install
#cp
/usr/local/openldap/var/openldap-data/DB_CONFIG.example
/usr/local/openldap/var/openldap-data/DB_CONFIG
there is no error while install.
3. Then I configure the slapd.conf to be like this:
include
/usr/local/openldap/schema/core.schema
include
/usr/local/openldap/schema/cosine.schema
include
/usr/local/openldap/schema/inetorgperson.schema
include
/usr/local/openldap/schema/openldap.schema
include
/usr/local/openldap/schema/nis.schema
pidfile
/usr/local/openldap/slapd.1.pid
argsfile
/usr/local/openldap/slapd.1.args
authz-policy to
sasl-regexp "^uid=([^,]+),.*"
"uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
database bdb
suffix "dc=example,dc=com"
rootdn
"uid=111,cn=digest-md5,cn=auth"
4. Then I use 'saslpasswd2 -c liji1' to add a user and create
/usr/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login ntlm cram-md5
digest-md5
5. Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5
-p 389', but fails with reason: user not found: no secret in database.
The log of slapd is:
slap_listener_activate(7):
>> slap_listener(ldap:///)
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1276849696
ber_get_next
conn=1 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1276849697
ber_get_next
conn=1 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to
a DN
==> rewrite_context_apply [depth=1]
string='uid=liji1,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='^uid=([^,]+),.*'
string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
>> dnNormalize:
<uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to
uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to
uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=1 sd=12
What am I doing wrong?
Thanks
liji
2:05 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
On 21/06/10 09:52 +0800, LI Ji D wrote:
3. Then I configure the slapd.conf to be like this:
authz-policy to
sasl-regexp "^uid=([^,]+),.*"
"uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
database bdb
suffix "dc=example,dc=com"
rootdn "uid=111,cn=digest-md5,cn=auth"
4. Then I use 'saslpasswd2 -c liji1' to add a user and create
/usr/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login ntlm cram-md5 digest-md5
5. Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p
389', but fails with reason: user not found: no secret in database.
The log of slapd is:
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to
a DN
slap_sasl_getdn: dn:id converted to
uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
It's not clear which user credentials are being retrieved from sasldb. Is
it uid=liji1,cn=digest-md5,cn=auth or liji1?
You could increase your cyrus debugging to get more information out of
syslog: Add an:
auth.debug...
to your syslog configuration, and add this to your
/usr/lib/sasl2/slapd.conf:
log_level: 7
--
Dan White
11:27 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi White,
1. I expect user credentials of liji1 to be retrieved from sasldb, I create user liji1
with command: saslpasswd2 -c liji1, and follow administrator guide, The DIGEST-MD5
mechanism produces authentication IDs of the form:
uid=<username>,cn=<realm>,cn=digest-md5,cn=auth
so I think ldap would use uid=liji1,cn=digest-md5,cn=auth to retrieve from sasldb.
2. I have added auth.debug and log_level: 7, and rerun the test, got some logs as below:
Syslog:
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 fd=12 ACCEPT from IP=127.0.0.1:59928
(IP=0.0.0.0:389)
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SRCH attr=supportedSASLMechanisms
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1
text=
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 BIND dn="" method=163
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 RESULT tag=97 err=14 text=SASL(0):
successful result: security flags do not match required
Jun 22 10:17:17 bjims31 ldapwhoami: DIGEST-MD5 client step 2
Jun 22 10:17:20 bjims31 ldapwhoami: DIGEST-MD5 client step 2
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 BIND dn="" method=163
Jun 22 10:17:20 bjims31 slapd[19846]: SASL [conn=0] Failure: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 RESULT tag=97 err=49 text=SASL(-13):
user not found: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 fd=12 closed (connection lost)
Slapd log :
slap_listener_activate(7):
>> slap_listener(ldap:///)
connection_get(12): got
connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1277173037
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=""
ber_flush2: 82 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1277173037
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 269 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1277173040
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='^uid=([^,]+),.*'
string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
>> dnNormalize:
<uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<<< dnNormalize:
<uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=0 sd=12
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Tuesday, June 22, 2010 1:06 AM
To: LI Ji D
Cc: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 21/06/10 09:52 +0800, LI Ji D wrote:
3. Then I configure the slapd.conf to be like this:
> authz-policy to
> sasl-regexp "^uid=([^,]+),.*"
"uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
> database bdb
> suffix "dc=example,dc=com"
> rootdn "uid=111,cn=digest-md5,cn=auth"
>
> 4. Then I use 'saslpasswd2 -c liji1' to add a user and create
/usr/lib/sasl2/slapd.conf with content:
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: plain login ntlm cram-md5 digest-md5
>
> 5. Then I start slapd with command 'slapd -d 1', and run
>ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p
>389', but fails with reason: user not found: no secret in database.
> The log of slapd is:
>
>slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>
>>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
>
><<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
>
>==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to
>a DN
slap_sasl_getdn: dn:id converted to
uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
It's not clear which user credentials are being retrieved from sasldb. Is
it uid=liji1,cn=digest-md5,cn=auth or liji1?
You could increase your cyrus debugging to get more information out of
syslog: Add an:
auth.debug...
to your syslog configuration, and add this to your
/usr/lib/sasl2/slapd.conf:
log_level: 7
--
Dan White
6:28 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
I tried again with following steps:
1. saslpasswd2 -c admin
2. configure slapd.conf:
sasl-regexp uid=(.*),cn=rdnt03,cn=DIGEST-MD5,cn=auth
uid=$1,ou=People,o=Ever
database bdb
suffix "ou=people,o=Ever"
rootdn "uid=admin,ou=People,o=Ever"
3. I use the following LDIF file
dn: o=Ever
o: Ever
description: Organization Root
objectClass: top
objectClass: organization
dn: ou=Staff, o=Ever
ou: Staff
description: These are privileged users that can interact with
Organization products
objectClass: top
objectClass: organizationalUnit
dn: ou=People, o=Ever
ou: People
objectClass: top
objectClass: organizationalUnit
dn: uid=admin, ou=Staff, o=Ever
uid: admin
cn: LDAP Adminstrator
sn: admin
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
objectClass: Top
objectClass: Person
objectClass: Organizationalperson
objectClass: Inetorgperson
dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
displayName: admin
mail: admin(a)eversystems.com.br
uid: admin
cn: Administrator
sn: admin
4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
5. ./ldapsearch -U admin -Y DIGEST-MD5
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in
database
6.slapd log is :
slap_listener_activate(7):
>> slap_listener(ldap:///)
connection_get(12): got
connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1277198750
ber_get_next
conn=0 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1277198752
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to
a DN
==> rewrite_context_apply [depth=1]
string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=admin,ou=People,o=Ever'}
slap_parseURI: parsing uid=admin,ou=People,o=Ever
ldap_url_parse_ext(uid=admin,ou=People,o=Ever)
>> dnNormalize: <uid=admin,ou=People,o=Ever>
<<< dnNormalize: <uid=admin,ou=people,o=ever>
<==slap_sasl2dn: Converted SASL name to uid=admin,ou=people,o=ever
slap_sasl_getdn: dn:id converted to uid=admin,ou=people,o=ever
=> bdb_search
bdb_dn2entry("uid=admin,ou=people,o=ever")
=> bdb_dn2id("ou=people,o=ever")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("uid=admin,ou=people,o=ever")
<= bdb_dn2id: got id=0x2
entry_decode: "uid=admin,ou=People,o=Ever"
<= entry_decode(uid=admin,ou=People,o=Ever)
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type
undefined
send_ldap_result: conn=0 op=1 p=3
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=0 sd=12
why would this happen?
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Tuesday, June 22, 2010 1:06 AM
To: LI Ji D
Cc: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 21/06/10 09:52 +0800, LI Ji D wrote:
3. Then I configure the slapd.conf to be like this:
authz-policy to
sasl-regexp "^uid=([^,]+),.*"
"uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
database bdb
suffix "dc=example,dc=com"
rootdn "uid=111,cn=digest-md5,cn=auth"
4. Then I use 'saslpasswd2 -c liji1' to add a user and create
/usr/lib/sasl2/slapd.conf with content:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login ntlm cram-md5 digest-md5
5. Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5
-p
389', but fails with reason: user not found: no secret in
database.
The log of slapd is:
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth
to
a DN
slap_sasl_getdn: dn:id converted to
uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
It's not clear which user credentials are being retrieved from sasldb.
Is
it uid=liji1,cn=digest-md5,cn=auth or liji1?
You could increase your cyrus debugging to get more information out of
syslog: Add an:
auth.debug...
to your syslog configuration, and add this to your
/usr/lib/sasl2/slapd.conf:
log_level: 7
--
Dan White
4:32 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
I tried again with following steps:
dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
[...]
4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
5. ./ldapsearch -U admin -Y DIGEST-MD5
[...]
You have the attribute value for userPassword hashed with SHA, that is
the password hash has a length of 32bit,
SASL requires plain text password in order to create a challange, a
challange based on a 32bit string is different from a challange based
on a plain text password string.
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
6:17 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
This is my comprehension:
1. The client is connecting to SLAPD requesting an SASL bind.
2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for
settings) to tell the client how to authenticate. In this case, it tells the client to use
DIGEST-MD5.
3. The client sends the authentication information to SLAPD.
4. SLAPD performs the translation specified in authz-regexp.
5. SLAPD then checks the client's response (using the SASL subsystem) against the
information in /etc/sasldb2.
6. When the client authentication succeeds, OpenLDAP runs the search and returns the
results to the client.
So SLAPD just compares the password received form client and the one stored in sasldb2,
how could it relate to the one stored in ldap like "userPassword:
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= " ?
-----Original Message-----
From: openldap-technical-bounces+ji.d.li=alcatel-lucent.com(a)openldap.org
[mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org] On Behalf Of
Dieter Kluenter
Sent: Wednesday, June 23, 2010 3:33 AM
To: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
I tried again with following steps:
dn: uid=admin,ou=People,o=Ever
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
[...]
4. slapadd -c -l Ever.ldif -f slapd.conf -v -d 256
5. ./ldapsearch -U admin -Y DIGEST-MD5
[...]
You have the attribute value for userPassword hashed with SHA, that is
the password hash has a length of 32bit,
SASL requires plain text password in order to create a challange, a
challange based on a 32bit string is different from a challange based
on a plain text password string.
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
2:07 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
This is my comprehension:
1. The client is connecting to SLAPD requesting an SASL bind.
2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for
settings) to tell the client how to authenticate. In this case, it tells the client to use
DIGEST-MD5.
3. The client sends the authentication information to SLAPD.
4. SLAPD performs the translation specified in authz-regexp.
5. SLAPD then checks the client's response (using the SASL subsystem) against the
information in /etc/sasldb2.
6. When the client authentication succeeds, OpenLDAP runs the search and returns the
results to the client.
So SLAPD just compares the password received form client and the one stored in sasldb2,
how could it relate to the one stored in ldap like "userPassword:
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= " ?
Sorry, my bad. I forgot that you use sasldb as an external
authentication source. My remarks where based on an internal sasl
authentication. Try to raise the debug level in sasl/slapd.conf,
something like 'loglevel: 7'. If you use syslog, allow sasl to log to
auth.
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
5:35 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems using the password attribute
stored in user in openldap to do the sasl. I expect openldap to use sasldb as an external
source to do the authentication.
1. My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
3. I use saslpasswd2 to create use and password.
Can you help to check this?
-----Original Message-----
From: openldap-technical-bounces+ji.d.li=alcatel-lucent.com(a)openldap.org
[mailto:openldap-technical-bounces+ji.d.li=alcatel-lucent.com@openldap.org] On Behalf Of
Dieter Kluenter
Sent: Thursday, June 24, 2010 1:07 AM
To: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
This is my comprehension:
1. The client is connecting to SLAPD requesting an SASL bind.
2. SLAPD uses the SASL subsystem (which checks the /usr/lib/sasl/slapd.conf file for
settings) to tell the client how to authenticate. In this case, it tells the client to use
DIGEST-MD5.
3. The client sends the authentication information to SLAPD.
4. SLAPD performs the translation specified in authz-regexp.
5. SLAPD then checks the client's response (using the SASL subsystem) against the
information in /etc/sasldb2.
6. When the client authentication succeeds, OpenLDAP runs the search and returns the
results to the client.
So SLAPD just compares the password received form client and the one stored in sasldb2,
how could it relate to the one stored in ldap like "userPassword:
{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ= " ?
Sorry, my bad. I forgot that you use sasldb as an external
authentication source. My remarks where based on an internal sasl
authentication. Try to raise the debug level in sasl/slapd.conf,
something like 'loglevel: 7'. If you use syslog, allow sasl to log to
auth.
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
6:12 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems using
the password attribute stored in user in openldap to do the sasl. I
expect openldap to use sasldb as an external source to do the
authentication.
1. My slapd.conf is below: include
/usr/local/openldap/schema/core.schema include
/usr/local/openldap/schema/cosine.schema include
/usr/local/openldap/schema/inetorgperson.schema include
/usr/local/openldap/schema/openldap.schema include
/usr/local/openldap/schema/nis.schema pidfile
/usr/local/openldap/slapd.1.pid argsfile
/usr/local/openldap/slapd.1.args password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy
mode=self
database bdb suffix "ou=people,dc=example,dc=com" rootdn
"cn=admin,ou=people,dc=example,dc=com"
2. and also I create slapd.conf in
/usr/local/sasl2/lib/sasl2/slapd.conf content is : pwcheck_method:
auxprop auxprop_plugin: sasldb mech_list: digest-md5
3. I use saslpasswd2 to create use and password.
Can you help to check this?
Two questions:
1. has slapd been compiled with spasswd? The default setting is no.
2. has the identity that runs slapd read access to sasldb? On most
systems slapd runs as user ldap and sasldb is owned by root.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
6:19 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
1. How to compile slapd with spasswd. I think I haven't done that
2. I run slapd as root. So it should not be problem.
-----Original Message-----
From: openldap-technical-bounces(a)openldap.org
[mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, August 05, 2010 5:12 PM
To: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems using
the password attribute stored in user in openldap to do the sasl. I
expect openldap to use sasldb as an external source to do the
authentication.
1. My slapd.conf is below: include
/usr/local/openldap/schema/core.schema include
/usr/local/openldap/schema/cosine.schema include
/usr/local/openldap/schema/inetorgperson.schema include
/usr/local/openldap/schema/openldap.schema include
/usr/local/openldap/schema/nis.schema pidfile
/usr/local/openldap/slapd.1.pid argsfile
/usr/local/openldap/slapd.1.args password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy
mode=self
database bdb suffix "ou=people,dc=example,dc=com" rootdn
"cn=admin,ou=people,dc=example,dc=com"
2. and also I create slapd.conf in
/usr/local/sasl2/lib/sasl2/slapd.conf content is : pwcheck_method:
auxprop auxprop_plugin: sasldb mech_list: digest-md5
3. I use saslpasswd2 to create use and password.
Can you help to check this?
Two questions:
1. has slapd been compiled with spasswd? The default setting is no.
2. has the identity that runs slapd read access to sasldb? On most
systems slapd runs as user ldap and sasldb is owned by root.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
7:49 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
1. How to compile slapd with spasswd. I think I haven't done that
2. I run slapd as root. So it should not be problem.
Get the sources, run ./configure --help | less
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
11:08 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
I checked my install steps, find that I'm using ./configure
--prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers
--disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes.
So slapd should have been compiled with spasswd, but it's still not working.
-----Original Message-----
From: openldap-technical-bounces(a)openldap.org
[mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Thursday, August 05, 2010 6:50 PM
To: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
1. How to compile slapd with spasswd. I think I haven't done that
2. I run slapd as root. So it should not be problem.
Get the sources, run ./configure --help | less
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
11:35 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
On 05/08/10 16:35 +0800, LI Ji D wrote:
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems using the password attribute
stored in user in openldap to do the sasl. I expect openldap to use sasldb as an external
source to do the authentication.
1. My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
You may have hit the same issue that Brent did. Most likely you will need
to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.
Alternatively, you can set the environment variable SASL_CONF_PATH to
instruct the sasl glue library where to search for config files. See the
man page for sasl_getconfpath_t for details.
--
Dan White
12:07 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
I have link /usr/lib/sasl2 to /usr/local/sasl2/lib/sasl2/, so I think it will not be
problem.
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Friday, August 06, 2010 10:35 AM
To: LI Ji D
Cc: Dieter Kluenter; openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 05/08/10 16:35 +0800, LI Ji D wrote:
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems using the password attribute
stored in user in openldap to do the sasl. I expect openldap to use sasldb as an external
source to do the authentication.
1. My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
You may have hit the same issue that Brent did. Most likely you will need
to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.
Alternatively, you can set the environment variable SASL_CONF_PATH to
instruct the sasl glue library where to search for config files. See the
man page for sasl_getconfpath_t for details.
--
Dan White
12:09 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
to test SASL authentication, slapd's log is below:
slap_listener_activate(7):
>> slap_listener(ldap:///)
connection_get(12): got
connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281064438
ber_get_next
conn=2 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 2 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 2 exit.
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281064438
ber_get_next
conn=2 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1281064441
ber_get_next
conn=2 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=2] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
send_ldap_result: conn=2 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
=> bdb_search
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com"
sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
ber_flush2: 64 bytes to sd 12
<== slap_sasl_bind: rc=0
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ldap_pvt_sasl_generic_install
ber_get_next
ber_get_next: tag 0x30 len 72 contents:
op tag 0x63, time 1281064441
ber_get_next
conn=2 op=3 do_search
ber_scanf fmt ({miiiib) ber:
>> dnPrettyNormal: <ou=people,dc=example,dc=com>
<<< dnPrettyNormal: <ou=people,dc=example,dc=com>,
<ou=people,dc=example,dc=com>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=2
=> bdb_dn2idl("ou=people,dc=example,dc=com")
=> bdb_presence_candidates (objectClass)
bdb_search_candidates: id=-1 first=1 last=2
=> send_search_entry: conn 2 dn="ou=people,dc=example,dc=com"
ber_flush2: 172 bytes to sd 12
<= send_search_entry: conn 2 exit.
=> send_search_entry: conn 2 dn="cn=admin,ou=people,dc=example,dc=com"
ber_flush2: 452 bytes to sd 12
<= send_search_entry: conn 2 exit.
send_ldap_result: conn=2 op=3 p=3
send_ldap_response: msgid=4 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=2
connection_read(12): checking for input on id=2
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
op tag 0x42, time 1281064441
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
conn=2 op=4 do_unbind
connection_close: conn=2 sd=12
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Friday, August 06, 2010 10:35 AM
To: LI Ji D
Cc: Dieter Kluenter; openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
On 05/08/10 16:35 +0800, LI Ji D wrote:
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems using the password attribute
stored in user in openldap to do the sasl. I expect openldap to use sasldb as an external
source to do the authentication.
1. My slapd.conf is below:
include /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
2. and also I create slapd.conf in /usr/local/sasl2/lib/sasl2/slapd.conf
content is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
You may have hit the same issue that Brent did. Most likely you will need
to create this file within /usr/lib/sasl2 or /etc/sasl2 instead.
Alternatively, you can set the environment variable SASL_CONF_PATH to
instruct the sasl glue library where to search for config files. See the
man page for sasl_getconfpath_t for details.
--
Dan White
4:55 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
to test SASL authentication, slapd's log is below:
[...]
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com"
sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
[...]
>include /usr/local/openldap/schema/core.schema
>include /usr/local/openldap/schema/cosine.schema
>include /usr/local/openldap/schema/inetorgperson.schema
>include /usr/local/openldap/schema/openldap.schema
>include /usr/local/openldap/schema/nis.schema
>pidfile /usr/local/openldap/slapd.1.pid
>argsfile /usr/local/openldap/slapd.1.args
>password-hash {CLEARTEXT}
>authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
[...]
According to the logs and slapd.conf you are initiating a proxy
authorization, but you have not defined such in slapd.conf.
Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo
attribute types.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
5:23 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
Could you tell me how to read man slapd.conf(5)?
I tried man slapd.conf(5), man slapd.conf in command line, but no entry found.
-----Original Message-----
From: openldap-technical-bounces(a)openldap.org
[mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
to test SASL authentication, slapd's log is below:
[...]
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com"
sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
[...]
>include /usr/local/openldap/schema/core.schema
>include /usr/local/openldap/schema/cosine.schema
>include /usr/local/openldap/schema/inetorgperson.schema
>include /usr/local/openldap/schema/openldap.schema
>include /usr/local/openldap/schema/nis.schema
>pidfile /usr/local/openldap/slapd.1.pid
>argsfile /usr/local/openldap/slapd.1.args
>password-hash {CLEARTEXT}
>authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
[...]
According to the logs and slapd.conf you are initiating a proxy
authorization, but you have not defined such in slapd.conf.
Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo
attribute types.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
6:03 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
I have read slapd.conf(5) on authz-policy, and I'm confusing now.
And I find that I give you the incorrect slapd.conf, now the correct one is below:
nclude /usr/local/openldap/schema/core.schema
include /usr/local/openldap/schema/cosine.schema
include /usr/local/openldap/schema/inetorgperson.schema
include /usr/local/openldap/schema/openldap.schema
include /usr/local/openldap/schema/nis.schema
pidfile /usr/local/openldap/slapd.1.pid
argsfile /usr/local/openldap/slapd.1.args
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
#binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
database bdb
suffix "ou=people,dc=example,dc=com"
rootdn "cn=admin,ou=people,dc=example,dc=com"
there is no proxy.
-----Original Message-----
From: openldap-technical-bounces(a)openldap.org
[mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 3:55 PM
To: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
I'm using /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
to test SASL authentication, slapd's log is below:
[...]
bdb_dn2entry("cn=admin,ou=people,dc=example,dc=com")
slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=2 op=2 p=3
SASL Authorize [conn=2]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=40
do_bind: SASL/DIGEST-MD5 bind: dn="cn=admin,ou=people,dc=example,dc=com"
sasl_ssf=128
send_ldap_response: msgid=3 tag=97 err=0
[...]
>include /usr/local/openldap/schema/core.schema
>include /usr/local/openldap/schema/cosine.schema
>include /usr/local/openldap/schema/inetorgperson.schema
>include /usr/local/openldap/schema/openldap.schema
>include /usr/local/openldap/schema/nis.schema
>pidfile /usr/local/openldap/slapd.1.pid
>argsfile /usr/local/openldap/slapd.1.args
>password-hash {CLEARTEXT}
>authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??one?(cn=$1)
binddn="uid=proxy,ou=People,dc=example,dc=com" credentials=proxy mode=self
[...]
According to the logs and slapd.conf you are initiating a proxy
authorization, but you have not defined such in slapd.conf.
Read man slapd.conf(5) on authz-policy and the authzFrom and authzTo
attribute types.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
7:37 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems using the password attribute
stored in user in openldap to do the sasl. I expect openldap to use sasldb as an external
source to do the authentication.
enable debugging of the sasl library. Set debug 7 in sasl2/slapd.conf
and enable syslog to log auth.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
3:49 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
1. I add an: auth.debug... to my syslog configuration, and add this to my
/usr/lib/sasl2/slapd.conf: log_level: 7
So slapd.conf is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
log_level: 7
and syslog.conf is :
*.debug;mail.none;;cron.none /var/log/messages
auth.debug /var/log/secure
2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
Log in /var/log/secure is:
Aug 9 14:53:54 bjims31 last message repeated 2 times
Aug 9 14:54:04 bjims31 last message repeated 3 times
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
And log in /var/log/messages is:
Aug 9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747
(IP=0.0.0.0:389)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1
text=
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn="" method=163
Aug 9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0):
successful result:
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="" method=163
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not
indexed
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid="admin"
authzid="admin"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND
dn="cn=admin,ou=people,dc=example,dc=com" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 RESULT tag=97 err=0 text=
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SRCH
base="ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=3 SEARCH RESULT tag=101 err=0 nentries=2
text=
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=4 UNBIND
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 fd=12 closed
-----Original Message-----
From: openldap-technical-bounces(a)openldap.org
[mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Friday, August 06, 2010 6:37 PM
To: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi, Klünter
Now I can use sasl to authenticate, but openldap seems using the password attribute
stored in user in openldap to do the sasl. I expect openldap to use sasldb as an external
source to do the authentication.
enable debugging of the sasl library. Set debug 7 in sasl2/slapd.conf
and enable syslog to log auth.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
5:47 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
1. I add an: auth.debug... to my syslog configuration, and add this to my
/usr/lib/sasl2/slapd.conf: log_level: 7
So slapd.conf is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
log_level: 7
and syslog.conf is :
*.debug;mail.none;;cron.none /var/log/messages
auth.debug /var/log/secure
2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
Log in /var/log/secure is:
Aug 9 14:53:54 bjims31 last message repeated 2 times
Aug 9 14:54:04 bjims31 last message repeated 3 times
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
And log in /var/log/messages is:
Aug 9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747
(IP=0.0.0.0:389)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1
text=
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn="" method=163
Aug 9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0):
successful result:
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="" method=163
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not
indexed
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid="admin"
authzid="admin"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND
dn="cn=admin,ou=people,dc=example,dc=com" mech=DIGEST-MD5
sasl_ssf=128 ssf=128
This is a successful bind, what is your problem here?
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
5:56 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
My problem is that I expect slapd to authenticate with the password stored in sasldb. But
it's not, it uses the password stored in userpassword attribute of this user which is
a item of openldap.
So I want to know, how can slapd use password stored in sasldb to do the sasl
authentication.
Thanks
-----Original Message-----
From: openldap-technical-bounces(a)openldap.org
[mailto:openldap-technical-bounces@openldap.org] On Behalf Of Dieter Kluenter
Sent: Monday, August 09, 2010 4:48 PM
To: openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Hi,
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
1. I add an: auth.debug... to my syslog configuration, and add this to my
/usr/lib/sasl2/slapd.conf: log_level: 7
So slapd.conf is :
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: digest-md5
log_level: 7
and syslog.conf is :
*.debug;mail.none;;cron.none /var/log/messages
auth.debug /var/log/secure
2. then I do /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
Log in /var/log/secure is:
Aug 9 14:53:54 bjims31 last message repeated 2 times
Aug 9 14:54:04 bjims31 last message repeated 3 times
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 3
And log in /var/log/messages is:
Aug 9 14:53:56 bjims31 slapd[28549]: conn=1 fd=12 closed (connection lost)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SRCH attr=supportedSASLMechanisms
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 fd=12 ACCEPT from IP=127.0.0.1:46747
(IP=0.0.0.0:389)
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=1
text=
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 BIND dn="" method=163
Aug 9 14:54:02 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:02 bjims31 slapd[28549]: conn=2 op=1 RESULT tag=97 err=14 text=SASL(0):
successful result:
Aug 9 14:54:04 bjims31 ldapsearch: DIGEST-MD5 client step 2
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND dn="" method=163
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (objectClass) not
indexed
Aug 9 14:54:04 bjims31 slapd[28549]: <= bdb_equality_candidates: (cn) not indexed
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND authcid="admin"
authzid="admin"
Aug 9 14:54:04 bjims31 slapd[28549]: conn=2 op=2 BIND
dn="cn=admin,ou=people,dc=example,dc=com" mech=DIGEST-MD5
sasl_ssf=128 ssf=128
This is a successful bind, what is your problem here?
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
8:11 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
My problem is that I expect slapd to authenticate with the
password stored in sasldb. But it's not, it uses the password stored
in userpassword attribute of this user which is a item of openldap.
So I want to know, how can slapd use password stored in sasldb
to do the sasl authentication.
Why do you store a password in the directory if you don't make use of
it? To delegate authentication to an external frame work, you should
tell slapd to do so. Please read the admin guide, in particular
section 14.5 Pass-Through authentication.
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
6:30 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
On 09/08/10 16:56 +0800, LI Ji D wrote:
Hi,
My problem is that I expect slapd to authenticate with the password stored in sasldb. But
it's not, it uses the password stored in userpassword attribute of this user which is
a item of openldap.
So I want to know, how can slapd use password stored in sasldb to do the sasl
authentication.
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
did not provide the expected response. Regardless of whether I set it to
slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
internal slapd plugin.
I recommend you file a bug report.
--
Dan White
6:52 p.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
On 09/08/10 16:56 +0800, LI Ji D wrote:
> Hi,
> My problem is that I expect slapd to authenticate with the password stored in
sasldb. But it's not, it uses the password stored in userpassword attribute of this
user which is a item of openldap.
> So I want to know, how can slapd use password stored in sasldb to do the sasl
authentication.
I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
did not provide the expected response. Regardless of whether I set it to
slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
internal slapd plugin.
I recommend you file a bug report.
File the bug with the correct people. OpenLDAP doesn't do anything in
particular with SASL configuration. If you can't get the desired behavior by
setting the SASL config file, then file a bug against Cyrus SASL.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
2:32 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
On 09/08/10 14:52 -0700, Howard Chu wrote:
Dan White wrote:
> On 09/08/10 16:56 +0800, LI Ji D wrote:
>> Hi,
>> My problem is that I expect slapd to authenticate with the password stored in
sasldb. But it's not, it uses the password stored in userpassword attribute of this
user which is a item of openldap.
>> So I want to know, how can slapd use password stored in sasldb to do the sasl
authentication.
>
> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
> did not provide the expected response. Regardless of whether I set it to
> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
> internal slapd plugin.
>
> I recommend you file a bug report.
File the bug with the correct people. OpenLDAP doesn't do anything in
particular with SASL configuration. If you can't get the desired behavior
by setting the SASL config file, then file a bug against Cyrus SASL.
It does! for auxprop_plugin, and auxprop_plugin only. After some digging I
found the insertion of a SASL_CB_GETOPT function which replaces whatever
auxprop_plugin value is found in the sasl config file with the
sasl-auxprops openldap config option, or defaults to 'slapd' if no
sasl-auxprops is defined.
It's perfectly documented in the slapd.conf man page... just never occurred
to me to look.
LI,
setting:
sasl-auxprops sasldb
within the openldap slapd.conf works for me.
--
Dan White
2:53 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
On 09/08/10 14:52 -0700, Howard Chu wrote:
> Dan White wrote:
>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>> Hi,
>>> My problem is that I expect slapd to authenticate with the password stored
in sasldb. But it's not, it uses the password stored in userpassword attribute of
this user which is a item of openldap.
>>> So I want to know, how can slapd use password stored in sasldb to do the
sasl authentication.
>>
>> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
>> did not provide the expected response. Regardless of whether I set it to
>> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
>> internal slapd plugin.
>>
>> I recommend you file a bug report.
>
> File the bug with the correct people. OpenLDAP doesn't do anything in
> particular with SASL configuration. If you can't get the desired behavior
> by setting the SASL config file, then file a bug against Cyrus SASL.
It does! for auxprop_plugin, and auxprop_plugin only. After some digging I
found the insertion of a SASL_CB_GETOPT function which replaces whatever
auxprop_plugin value is found in the sasl config file with the
sasl-auxprops openldap config option, or defaults to 'slapd' if no
sasl-auxprops is defined.
It's perfectly documented in the slapd.conf man page... just never occurred
to me to look.
LI,
setting:
sasl-auxprops sasldb
within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:16 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd, run
/usr/local/openldap/bin/ldapsearch -U admin -b
ou=people,dc=example,dc=com. Gets the response as below:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
that's because slapd program is stopped for some reason, here is the log
of slapd:
slap_listener_activate(7):
>> slap_listener(ldap:///)
connection_get(12): got
connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281422959
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281422959
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=195
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 248 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 326 contents:
op tag 0x60, time 1281422960
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal:
<>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to
a DN
==> rewrite_context_apply [depth=1]
string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing
ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search
(base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
=> bdb_dn2id("ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x1
entry_decode: "ou=people,dc=example,dc=com"
<= entry_decode(ou=people,dc=example,dc=com)
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001)
scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
entry_decode: "cn=admin,ou=people,dc=example,dc=com"
<= entry_decode(cn=admin,ou=people,dc=example,dc=com)
=> bdb_dn2id("cn=admin,ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x2
send_ldap_result: conn=0 op=2 p=3
<==slap_sasl2dn: Converted SASL name to
cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
On 09/08/10 14:52 -0700, Howard Chu wrote:
> Dan White wrote:
>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>> Hi,
>>> My problem is that I expect slapd to authenticate with the
password
stored in sasldb. But it's not, it uses the password stored in
userpassword attribute of this user which is a item of openldap.
>>> So I want to know, how can slapd use password stored in
sasldb
to do the sasl authentication.
>>
>> I attempted to do this as well and failed. Setting auxprop_plugin to
sasldb
>> did not provide the expected response. Regardless of whether
I set
it to
>> slapd or sasldb, the server authenticates my digest-md5 sasl
bind
using the
>> internal slapd plugin.
>>
>> I recommend you file a bug report.
>
> File the bug with the correct people. OpenLDAP doesn't do anything in
> particular with SASL configuration. If you can't get the desired
behavior
> by setting the SASL config file, then file a bug against Cyrus
SASL.
It does! for auxprop_plugin, and auxprop_plugin only. After some
digging I
found the insertion of a SASL_CB_GETOPT function which replaces
whatever
auxprop_plugin value is found in the sasl config file with the
sasl-auxprops openldap config option, or defaults to 'slapd' if no
sasl-auxprops is defined.
It's perfectly documented in the slapd.conf man page... just never
occurred
to me to look.
LI,
setting:
sasl-auxprops sasldb
within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:25 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
LI Ji D wrote:
Hi,
I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd, run
/usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com.
Gets the response as below:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
that's because slapd program is stopped for some reason, here is the log of slapd:
<==slap_sasl2dn: Converted SASL name to
cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
Most likely your sasldb was compiled against a different version of BerkeleyDB
than slapd.
In general, using sasldb is a mistake. You cannot administer it remotely, and
it has no provisions for re-entrancy / thread-safety.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
> On 09/08/10 14:52 -0700, Howard Chu wrote:
> > Dan White wrote:
> >> On 09/08/10 16:56 +0800, LI Ji D wrote:
> >>> Hi,
> >>> My problem is that I expect slapd to authenticate with the password
stored in sasldb. But it's not, it uses the password stored in userpassword
attribute of this user which is a item of openldap.
> >>> So I want to know, how can slapd use password stored in sasldb to do
the
sasl authentication.
> >>
> >> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
> >> did not provide the expected response. Regardless of whether I set it to
> >> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
> >> internal slapd plugin.
> >>
> >> I recommend you file a bug report.
> >
> > File the bug with the correct people. OpenLDAP doesn't do anything in
> > particular with SASL configuration. If you can't get the desired behavior
> > by setting the SASL config file, then file a bug against Cyrus SASL.
>
> It does! for auxprop_plugin, and auxprop_plugin only. After some digging I
> found the insertion of a SASL_CB_GETOPT function which replaces whatever
> auxprop_plugin value is found in the sasl config file with the
> sasl-auxprops openldap config option, or defaults to 'slapd' if no
> sasl-auxprops is defined.
>
> It's perfectly documented in the slapd.conf man page... just never occurred
> to me to look.
>
> LI,
>
> setting:
>
> sasl-auxprops sasldb
>
> within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:45 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
Hi,
I can understand the disadvantage of using sasldb, I just want to test
SASL with sasldb.
Is there anyway I can solve this issue? I can't find out which version
of db that sasldb is using.
Thanks for your response, It helps me a lot.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 2:26 PM
To: LI Ji D
Cc: Dan White; Dieter Kluenter; openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
LI Ji D wrote:
Hi,
I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd,
run
/usr/local/openldap/bin/ldapsearch -U admin -b
ou=people,dc=example,dc=com.
Gets the response as below:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
that's because slapd program is stopped for some reason, here is the
log of
slapd:
<==slap_sasl2dn: Converted SASL name to
cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to
cn=admin,ou=people,dc=example,dc=com
Segmentation fault
Most likely your sasldb was compiled against a different version of
BerkeleyDB
than slapd.
In general, using sasldb is a mistake. You cannot administer it
remotely, and
it has no provisions for re-entrancy / thread-safety.
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
> On 09/08/10 14:52 -0700, Howard Chu wrote:
> > Dan White wrote:
> >> On 09/08/10 16:56 +0800, LI Ji D wrote:
> >>> Hi,
> >>> My problem is that I expect slapd to authenticate with the
password
stored in sasldb. But it's not, it uses the password stored in
userpassword
attribute of this user which is a item of openldap.
> >>> So I want to know, how can slapd use password stored in sasldb to
do the
sasl authentication.
> >>
> >> I attempted to do this as well and failed. Setting auxprop_plugin
to
sasldb
> >> did not provide the expected response. Regardless of whether I set
it
to
> >> slapd or sasldb, the server authenticates my digest-md5 sasl bind
using the
> >> internal slapd plugin.
> >>
> >> I recommend you file a bug report.
> >
> > File the bug with the correct people. OpenLDAP doesn't do anything
in
> > particular with SASL configuration. If you can't get the desired
behavior
> > by setting the SASL config file, then file a bug against Cyrus
SASL.
>
> It does! for auxprop_plugin, and auxprop_plugin only. After some
digging I
> found the insertion of a SASL_CB_GETOPT function which replaces
whatever
> auxprop_plugin value is found in the sasl config file with the
> sasl-auxprops openldap config option, or defaults to 'slapd' if no
> sasl-auxprops is defined.
>
> It's perfectly documented in the slapd.conf man page... just never
occurred
> to me to look.
>
> LI,
>
> setting:
>
> sasl-auxprops sasldb
>
> within the openldap slapd.conf works for me.
My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:37 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
"LI Ji D" <Ji.d.Li(a)alcatel-lucent.com> writes:
Hi,
I can understand the disadvantage of using sasldb, I just want to test
SASL with sasldb.
Is there anyway I can solve this issue? I can't find out which version
of db that sasldb is using.
[...]
ldd /usr/lib/sasl2/libsasldb.so
-Dieter
--
Dieter Klünter | Systemberatung
sip: 7770535(a)sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
10:36 a.m.
New subject: PROBLEM: can't use SASL to authentication openldap client
On 10/08/10 14:45 +0800, LI Ji D wrote:
Hi,
I can understand the disadvantage of using sasldb, I just want to test
SASL with sasldb. Is there anyway I can solve this issue? I can't find
out which version of db that sasldb is using. Thanks for your response,
It helps me a lot.
If you have a Debian system, the following should get you a testing
environment:
http://web.olp.net/dwhite/openldap/sasldb-notes.txt
--
Dan White
3901
days inactive
3954
days old
openldap-technical@openldap.org
33 comments
5 participants
participants (5)
-
Dan White -
Dieter Kluenter -
Howard Chu -
Lehnert, Hartmut -
LI Ji D