Hi,
I added sasl-auxprops sasldb to the OpenLDAP slapd.conf, started slapd, and ran
/usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com
I get the response below:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: SASL(0): successful result
That's because the slapd program stopped for some reason; here is the slapd log:
slap_listener_activate(7):
>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1281422959
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=""
ber_flush2: 72 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1281422959
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=195
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 248 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 326 contents:
op tag 0x60, time 1281422960
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=admin,cn=DIGEST-MD5,cn=auth
>> dnNormalize: <uid=admin,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=admin,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=admin,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
string='uid=admin,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
string='uid=admin,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=people,dc=example,dc=com??one?(cn=admin)'}
slap_parseURI: parsing ldap:///ou=people,dc=example,dc=com??one?(cn=admin)
ldap_url_parse_ext(ldap:///ou=people,dc=example,dc=com??one?(cn=admin))
put_filter: "(cn=admin)"
put_filter: simple
put_simple_filter: "cn=admin"
ber_scanf fmt ({mm}) ber:
>> dnNormalize: <ou=people,dc=example,dc=com>
<<< dnNormalize: <ou=people,dc=example,dc=com>
slap_sasl2dn: performing internal search (base=ou=people,dc=example,dc=com, scope=1)
=> bdb_search
bdb_dn2entry("ou=people,dc=example,dc=com")
=> bdb_dn2id("ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x1
entry_decode: "ou=people,dc=example,dc=com"
<= entry_decode(ou=people,dc=example,dc=com)
search_candidates: base="ou=people,dc=example,dc=com" (0x00000001) scope=1
=> bdb_dn2idl("ou=people,dc=example,dc=com")
<= bdb_dn2idl: id=1 first=2 last=2
=> bdb_equality_candidates (objectClass)
<= bdb_equality_candidates: (objectClass) not indexed
=> bdb_equality_candidates (cn)
<= bdb_equality_candidates: (cn) not indexed
bdb_search_candidates: id=1 first=2 last=2
entry_decode: "cn=admin,ou=people,dc=example,dc=com"
<= entry_decode(cn=admin,ou=people,dc=example,dc=com)
=> bdb_dn2id("cn=admin,ou=people,dc=example,dc=com")
<= bdb_dn2id: got id=0x2
send_ldap_result: conn=0 op=2 p=3
<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault
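As an added example (not part of this thread or of OpenLDAP), the Python below models the authz-regexp mapping the log above shows: the SASL authentication DN is normalized, matched case-insensitively against the rule, rewritten to an LDAP URL, and that URL's base, scope and filter are resolved against a small constructed directory, with the mapping accepted only when exactly one entry matches, as slapd requires. The rule string comes from the log; the URL template with $1, the directory entries and the function names are assumptions.

```python
import re

# authz-regexp pair reconstructed from the log: rule (left) and the LDAP URL it rewrites to (right).
AUTHZ_REGEXP = (r"uid=(.*),cn=DIGEST-MD5,cn=auth",
                "ldap:///ou=people,dc=example,dc=com??one?(cn=$1)")

# Constructed in-memory directory standing in for the bdb backend in the log: DN -> attributes.
DIRECTORY = {
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "cn=admin,ou=people,dc=example,dc=com": {"objectClass": ["person"], "cn": ["admin"]},
    "cn=guest,ou=people,dc=example,dc=com": {"objectClass": ["person"], "cn": ["guest"]},
}

def normalize_dn(dn):
    # Lower-case and trim each RDN, mirroring what dnNormalize did to cn=DIGEST-MD5 in the log.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldap_url(url):
    # ldap:///<base>?<attrs>?<scope>?<filter>; an empty scope means 'base' as in RFC 4516.
    fields = url[len("ldap:///"):].split("?") + ["", "", "", ""]
    base, _attrs, scope, filt = fields[:4]
    return normalize_dn(base), (scope or "base"), filt

def in_scope(dn, base, scope):
    parent = dn.split(",", 1)[1] if "," in dn else ""
    return {"base": dn == base, "one": parent == base,
            "sub": dn == base or dn.endswith("," + base)}[scope]

def matches(attrs, filt):
    # The log only shows a simple equality filter (put_simple_filter "cn=admin"), so that is all we model.
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if not m:
        raise ValueError("only simple equality filters are modelled: " + filt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(k.lower() == attr and value in [v.lower() for v in vs] for k, vs in attrs.items())

def sasl2dn(sasl_dn):
    """Map a SASL authentication DN (uid=...,cn=DIGEST-MD5,cn=auth) to the entry it names, or None."""
    pattern, template = AUTHZ_REGEXP
    m = re.fullmatch(pattern, normalize_dn(sasl_dn), re.IGNORECASE)
    if not m:
        return None                       # no rule matched: the identity stays unmapped
    url = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)
    base, scope, filt = parse_ldap_url(url)
    hits = [dn for dn, attrs in DIRECTORY.items() if in_scope(dn, base, scope) and matches(attrs, filt)]
    # slapd accepts the mapping only when the internal search yields exactly one entry.
    return hits[0] if len(hits) == 1 else None
```

A rule whose search can match zero or several entries leaves the bind unmapped, so keep the regexp and the URL filter narrow enough that each authentication identity selects exactly one entry.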
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical(a)openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client
Dan White wrote:
> On 09/08/10 14:52 -0700, Howard Chu wrote:
>> Dan White wrote:
>>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>>> Hi,
>>>> My problem is that I expect slapd to authenticate with the password
>>>> stored in sasldb. But it's not, it uses the password stored in the
>>>> userpassword attribute of this user which is an item of openldap.
>>>> So I want to know, how can slapd use the password stored in sasldb
>>>> to do the sasl authentication.
>>>
>>> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
>>> did not provide the expected response. Regardless of whether I set it to
>>> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
>>> internal slapd plugin.
>>>
>>> I recommend you file a bug report.
>>
>> File the bug with the correct people. OpenLDAP doesn't do anything in
>> particular with SASL configuration. If you can't get the desired behavior
>> by setting the SASL config file, then file a bug against Cyrus SASL.
>
> It does! For auxprop_plugin, and auxprop_plugin only. After some digging I
> found the insertion of a SASL_CB_GETOPT function which replaces whatever
> auxprop_plugin value is found in the sasl config file with the
> sasl-auxprops openldap config option, or defaults to 'slapd' if no
> sasl-auxprops is defined.
>
> It's perfectly documented in the slapd.conf man page... just never occurred
> to me to look.
>
> LI,
>
> setting:
>
> sasl-auxprops sasldb
>
> within the openldap slapd.conf works for me.

My mistake. This was added last year.
http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/