Hi all Thanks for all your suggestions
I tried the suggested command (thanks Moorthi): ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I with no success. I got this error:
firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I SASL/DIGEST-MD5 authentication started SASL Interaction Default: u:test Please enter your authorization name: test Default: proxyuser Please enter your authentication name: proxyuser Please enter your password: ldap_sasl_interactive_bind_s: Insufficient access (50) additional info: SASL(-14): authorization failure: unable authorization ID
(Logs are at the bottom of this mail for details)
I also realized that the logs changed almost nothing either the command below is running or not:
saslauthd -d -V -a ldap -r -O /etc/saslauthd.conf
so I can say that unfortunately there's no comunication between SASLAUTHD and LDAP.
Now I will try the suggestion to separate saslauthd and ldapdb (thanks Dieter)
But I'm still wondering if there's a way to work ldap server and cyrus-sasl together. Let's be more accuratte
1.- Connect to ldap server throught cyrus-sasl (let's say authenticated/authorized proxyuser connected to ldap server) 2.- Once connected to the ldap server, authenticate/authorize other user (or any object ) saved on ldap server using previous connection done in step 1
Is that posible? Or, Am I driving crazy for nothing?
Thanks in advance
Fernando Torrez
LDAP LOGS Nov 17 10:10:44 firewall slapd[2901]: daemon: activity on 1 descriptor Nov 17 10:10:44 firewall slapd[2901]: daemon: activity on: Nov 17 10:10:44 firewall slapd[2901]: Nov 17 10:10:44 firewall slapd[2901]: slap_listener_activate(8): Nov 17 10:10:44 firewall slapd[2901]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 17 10:10:44 firewall slapd[2901]: daemon: epoll: listen=8 busy Nov 17 10:10:44 firewall slapd[2901]: >>> slap_listener(ldap://) Nov 17 10:10:44 firewall slapd[2901]: daemon: listen=8, new connection on 13 Nov 17 10:10:44 firewall slapd[2901]: daemon: added 13r (active) listener=(nil) Nov 17 10:10:44 firewall slapd[2901]: conn=1002 fd=13 ACCEPT from IP=[::1]:39399 (IP=[::]:389) Nov 17 10:10:44 firewall slapd[2901]: daemon: activity on 1 descriptor Nov 17 10:10:44 firewall slapd[2901]: daemon: activity on: Nov 17 10:10:44 firewall slapd[2901]: Nov 17 10:10:44 firewall slapd[2901]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 17 10:10:44 firewall slapd[2901]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 17 10:10:44 firewall slapd[2901]: daemon: activity on 1 descriptor Nov 17 10:10:44 firewall slapd[2901]: daemon: activity on: Nov 17 10:10:44 firewall slapd[2901]: 13r Nov 17 10:10:44 firewall slapd[2901]: Nov 17 10:10:44 firewall slapd[2901]: daemon: read active on 13 Nov 17 10:10:44 firewall slapd[2901]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 17 10:10:44 firewall slapd[2901]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 17 10:10:44 firewall slapd[2901]: connection_get(13) Nov 17 10:10:44 firewall slapd[2901]: connection_get(13): got connid=1002 Nov 17 10:10:44 firewall slapd[2901]: connection_read(13): checking for input on id=1002 Nov 17 10:10:44 firewall slapd[2901]: op tag 0x60, time 1290003044 Nov 17 10:10:44 firewall slapd[2901]: conn=1002 op=0 do_bind Nov 17 10:10:44 firewall slapd[2901]: >>> dnPrettyNormal: <> Nov 17 10:10:44 firewall slapd[2901]: <<< dnPrettyNormal: <>, <> Nov 17 10:10:44 firewall slapd[2901]: conn=1002 op=0 BIND dn="" method=163 Nov 17 10:10:44 firewall slapd[2901]: do_bind: dn () SASL mech DIGEST-MD5 Nov 17 10:10:44 firewall slapd[2901]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0 Nov 17 10:10:44 firewall slapd[2901]: SASL [conn=1002] Debug: DIGEST-MD5 server step 1 Nov 17 10:10:44 firewall slapd[2901]: send_ldap_sasl: err=14 len=182 Nov 17 10:10:44 firewall slapd[2901]: send_ldap_response: msgid=1 tag=97 err=14 Nov 17 10:10:44 firewall slapd[2901]: conn=1002 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: Nov 17 10:10:44 firewall slapd[2901]: <== slap_sasl_bind: rc=14 Nov 17 10:10:44 firewall slapd[2901]: daemon: activity on 1 descriptor Nov 17 10:10:44 firewall slapd[2901]: daemon: activity on: Nov 17 10:10:44 firewall slapd[2901]: Nov 17 10:10:44 firewall slapd[2901]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 17 10:10:44 firewall slapd[2901]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 17 10:10:44 firewall ldapwhoami: DIGEST-MD5 client step 2 Nov 17 10:11:02 firewall ldapwhoami: DIGEST-MD5 client step 2 Nov 17 10:11:02 firewall slapd[2901]: daemon: activity on 1 descriptor Nov 17 10:11:02 firewall slapd[2901]: daemon: activity on: Nov 17 10:11:02 firewall slapd[2901]: 13r Nov 17 10:11:02 firewall slapd[2901]: Nov 17 10:11:02 firewall slapd[2901]: daemon: read active on 13 Nov 17 10:11:02 firewall slapd[2901]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 17 10:11:02 firewall slapd[2901]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 17 10:11:02 firewall slapd[2901]: connection_get(13) Nov 17 10:11:02 firewall slapd[2901]: connection_get(13): got connid=1002 Nov 17 10:11:02 firewall slapd[2901]: connection_read(13): checking for input on id=1002 Nov 17 10:11:02 firewall slapd[2901]: op tag 0x60, time 1290003062 Nov 17 10:11:02 firewall slapd[2901]: conn=1002 op=1 do_bind Nov 17 10:11:02 firewall slapd[2901]: >>> dnPrettyNormal: <> Nov 17 10:11:02 firewall slapd[2901]: <<< dnPrettyNormal: <>, <> Nov 17 10:11:02 firewall slapd[2901]: conn=1002 op=1 BIND dn="" method=163 Nov 17 10:11:02 firewall slapd[2901]: do_bind: dn () SASL mech DIGEST-MD5 Nov 17 10:11:02 firewall slapd[2901]: ==> sasl_bind: dn="" mech=<continuing> datalen=294 Nov 17 10:11:02 firewall slapd[2901]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2 Nov 17 10:11:02 firewall slapd[2901]: SASL Canonicalize [conn=1002]: authcid="proxyuser" Nov 17 10:11:02 firewall slapd[2901]: slap_sasl_getdn: conn 1002 id=proxyuser [len=9] Nov 17 10:11:02 firewall slapd[2901]: slap_sasl_getdn: u:id converted to uid=proxyuser,cn=DIGEST-MD5,cn=auth Nov 17 10:11:02 firewall slapd[2901]: >>> dnNormalize: <uid=proxyuser,cn=DIGEST-MD5,cn=auth> Nov 17 10:11:02 firewall slapd[2901]: <<< dnNormalize: <uid=proxyuser,cn=digest-md5,cn=auth> Nov 17 10:11:02 firewall slapd[2901]: ==>slap_sasl2dn: converting SASL name uid=proxyuser,cn=digest-md5,cn=auth to a DN Nov 17 10:11:02 firewall slapd[2901]: [rw] authid: "uid=proxyuser,cn=digest-md5,cn=auth" -> "uid=proxyuser,ou=people,dc=plainjoe,dc=org" Nov 17 10:11:02 firewall slapd[2901]: slap_parseURI: parsing uid=proxyuser,ou=people,dc=plainjoe,dc=org Nov 17 10:11:02 firewall slapd[2901]: >>> dnNormalize: <uid=proxyuser,ou=people,dc=plainjoe,dc=org> Nov 17 10:11:02 firewall slapd[2901]: <<< dnNormalize: <uid=proxyuser,ou=people,dc=plainjoe,dc=org> Nov 17 10:11:02 firewall slapd[2901]: <==slap_sasl2dn: Converted SASL name to uid=proxyuser,ou=people,dc=plainjoe,dc=org Nov 17 10:11:02 firewall slapd[2901]: slap_sasl_getdn: dn:id converted to uid=proxyuser,ou=people,dc=plainjoe,dc=org Nov 17 10:11:02 firewall slapd[2901]: SASL Canonicalize [conn=1002]: slapAuthcDN="uid=proxyuser,ou=people,dc=plainjoe,dc=org" Nov 17 10:11:02 firewall slapd[2901]: => bdb_search Nov 17 10:11:02 firewall slapd[2901]: bdb_dn2entry("uid=proxyuser,ou=people,dc=plainjoe,dc=org") Nov 17 10:11:02 firewall slapd[2901]: => access_allowed: auth access to "uid=proxyuser,ou=people,dc=plainjoe,dc=org" "entry" requested Nov 17 10:11:02 firewall slapd[2901]: daemon: activity on 1 descriptor Nov 17 10:11:02 firewall slapd[2901]: daemon: activity on: Nov 17 10:11:02 firewall slapd[2901]: Nov 17 10:11:02 firewall slapd[2901]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 17 10:11:02 firewall slapd[2901]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 17 10:11:02 firewall slapd[2901]: => acl_get: [2] attr entry Nov 17 10:11:02 firewall slapd[2901]: => acl_mask: access to entry "uid=proxyuser,ou=people,dc=plainjoe,dc=org", attr "entry" requested Nov 17 10:11:02 firewall slapd[2901]: => acl_mask: to all values by "", (=0) Nov 17 10:11:02 firewall slapd[2901]: <= check a_dn_pat: * Nov 17 10:11:02 firewall slapd[2901]: <= acl_mask: [1] applying read(=rscxd) (stop) Nov 17 10:11:02 firewall slapd[2901]: <= acl_mask: [1] mask: read(=rscxd) Nov 17 10:11:02 firewall slapd[2901]: => slap_access_allowed: auth access granted by read(=rscxd) Nov 17 10:11:02 firewall slapd[2901]: => access_allowed: auth access granted by read(=rscxd) Nov 17 10:11:02 firewall slapd[2901]: base_candidates: base: "uid=proxyuser,ou=people,dc=plainjoe,dc=org" (0x00000011) Nov 17 10:11:02 firewall slapd[2901]: => test_filter Nov 17 10:11:02 firewall slapd[2901]: PRESENT Nov 17 10:11:02 firewall slapd[2901]: => access_allowed: auth access to "uid=proxyuser,ou=people,dc=plainjoe,dc=org" "objectClass" requested Nov 17 10:11:02 firewall slapd[2901]: => acl_get: [2] attr objectClass Nov 17 10:11:02 firewall slapd[2901]: => acl_mask: access to entry "uid=proxyuser,ou=people,dc=plainjoe,dc=org", attr "objectClass" requested Nov 17 10:11:02 firewall slapd[2901]: => acl_mask: to all values by "", (=0) Nov 17 10:11:02 firewall slapd[2901]: <= check a_dn_pat: * Nov 17 10:11:02 firewall slapd[2901]: <= acl_mask: [1] applying read(=rscxd) (stop) Nov 17 10:11:02 firewall slapd[2901]: <= acl_mask: [1] mask: read(=rscxd) Nov 17 10:11:02 firewall slapd[2901]: => slap_access_allowed: auth access granted by read(=rscxd) Nov 17 10:11:02 firewall slapd[2901]: => access_allowed: auth access granted by read(=rscxd) Nov 17 10:11:02 firewall slapd[2901]: <= test_filter 6 Nov 17 10:11:02 firewall slapd[2901]: => access_allowed: auth access to "uid=proxyuser,ou=people,dc=plainjoe,dc=org" "userPassword" requested Nov 17 10:11:02 firewall slapd[2901]: => acl_get: [1] attr userPassword Nov 17 10:11:02 firewall slapd[2901]: => acl_mask: access to entry "uid=proxyuser,ou=people,dc=plainjoe,dc=org", attr "userPassword" requested Nov 17 10:11:02 firewall slapd[2901]: => acl_mask: to all values by "", (=0) Nov 17 10:11:02 firewall slapd[2901]: <= check a_dn_pat: self Nov 17 10:11:02 firewall slapd[2901]: <= check a_dn_pat: anonymous Nov 17 10:11:02 firewall slapd[2901]: <= acl_mask: [2] applying auth(=xd) (stop) Nov 17 10:11:02 firewall slapd[2901]: <= acl_mask: [2] mask: auth(=xd) Nov 17 10:11:02 firewall slapd[2901]: => slap_access_allowed: auth access granted by auth(=xd) Nov 17 10:11:02 firewall slapd[2901]: => access_allowed: auth access granted by auth(=xd) Nov 17 10:11:02 firewall slapd[2901]: slap_ap_lookup: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined Nov 17 10:11:02 firewall slapd[2901]: send_ldap_result: conn=1002 op=1 p=3 Nov 17 10:11:02 firewall slapd[2901]: send_ldap_result: err=0 matched="" text="" Nov 17 10:11:02 firewall slapd[2901]: SASL Canonicalize [conn=1002]: authzid="test" Nov 17 10:11:02 firewall slapd[2901]: slap_sasl_getdn: conn 1002 id=test [len=4] Nov 17 10:11:02 firewall slapd[2901]: SASL [conn=1002] Failure: Inappropriate authentication Nov 17 10:11:02 firewall slapd[2901]: SASL [conn=1002] Failure: unable authorization ID Nov 17 10:11:02 firewall slapd[2901]: send_ldap_result: conn=1002 op=1 p=3 Nov 17 10:11:02 firewall slapd[2901]: send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: unable authorization ID" Nov 17 10:11:02 firewall slapd[2901]: send_ldap_response: msgid=2 tag=97 err=50 Nov 17 10:11:02 firewall slapd[2901]: daemon: activity on 1 descriptor Nov 17 10:11:02 firewall slapd[2901]: daemon: activity on: Nov 17 10:11:02 firewall slapd[2901]: 13r Nov 17 10:11:02 firewall slapd[2901]: Nov 17 10:11:02 firewall slapd[2901]: daemon: read active on 13 Nov 17 10:11:02 firewall slapd[2901]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 17 10:11:02 firewall slapd[2901]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 17 10:11:02 firewall slapd[2901]: connection_get(13) Nov 17 10:11:02 firewall slapd[2901]: connection_get(13): got connid=1002 Nov 17 10:11:02 firewall slapd[2901]: connection_read(13): checking for input on id=1002 Nov 17 10:11:02 firewall slapd[2901]: ber_get_next on fd 13 failed errno=0 (Success) Nov 17 10:11:02 firewall slapd[2901]: connection_read(13): input error=-2 id=1002, closing. Nov 17 10:11:02 firewall slapd[2901]: connection_closing: readying conn=1002 sd=13 for close Nov 17 10:11:02 firewall slapd[2901]: connection_close: deferring conn=1002 sd=13 Nov 17 10:11:02 firewall slapd[2901]: daemon: activity on 1 descriptor Nov 17 10:11:02 firewall slapd[2901]: daemon: activity on: Nov 17 10:11:02 firewall slapd[2901]: Nov 17 10:11:02 firewall slapd[2901]: daemon: epoll: listen=7 active_threads=0 tvp=zero Nov 17 10:11:02 firewall slapd[2901]: daemon: epoll: listen=8 active_threads=0 tvp=zero Nov 17 10:11:02 firewall slapd[2901]: conn=1002 op=1 RESULT tag=97 err=50 text=SASL(-14): authorization failure: unable authorization ID Nov 17 10:11:02 firewall slapd[2901]: <== slap_sasl_bind: rc=50 Nov 17 10:11:02 firewall slapd[2901]: connection_resched: attempting closing conn=1002 sd=13 Nov 17 10:11:02 firewall slapd[2901]: connection_close: conn=1002 sd=13 Nov 17 10:11:02 firewall slapd[2901]: daemon: removing 13 Nov 17 10:11:02 firewall slapd[2901]: conn=1002 fd=13 closed (connection lost) Nov 17 10:11:13 firewall sshd[2983]: Accepted keyboard-interactive/pam for root from 192.168.0.2 port 1622 ssh2 Nov 17 10:11:13 firewall sshd[2983]: subsystem request for sftp
Fernando Torrez fernando_torrez@hotmail.com writes:
Hi all Thanks for all your suggestions
I tried the suggested command (thanks Moorthi): ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I with no success. I got this error:
firewall:~ # ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I SASL/DIGEST-MD5 authentication started SASL Interaction Default: u:test Please enter your authorization name: test Default: proxyuser Please enter your authentication name: proxyuser Please enter your password: ldap_sasl_interactive_bind_s: Insufficient access (50) additional info: SASL(-14): authorization failure: unable authorization ID
(Logs are at the bottom of this mail for details)
I also realized that the logs changed almost nothing either the command below is running or not:
saslauthd -d -V -a ldap -r -O /etc/saslauthd.conf
so I can say that unfortunately there's no comunication between SASLAUTHD and LDAP.
Now I will try the suggestion to separate saslauthd and ldapdb (thanks Dieter)
But I'm still wondering if there's a way to work ldap server and cyrus-sasl together. Let's be more accuratte
1.- Connect to ldap server throught cyrus-sasl (let's say authenticated/ authorized proxyuser connected to ldap server) 2.- Once connected to the ldap server, authenticate/authorize other user (or any object ) saved on ldap server using previous connection done in step 1
Is that posible? Or, Am I driving crazy for nothing?
[...]
Is there any particular reason to include an external identiy provider deamon like saslauthd? Why don't you just use build in sasl functions? As I already mentioned:
1. create plaintext userPasswords, 2. configure authz-regexp to map sasl authentication string to an entry, (man slapd.conf(5)) 3. add to /etc/sasl2/slapd.conf 'auxprop_plugin: slapd' 4. test whith ldapwhoami
If you want additonal proxy authentication 1. add a auth-policy to slapd.conf 2. add authzTo attribute and appropriate value to a proxy user entry, 3. test with ldapwhoami -X u:<proxy-user> -U <user> -Y <mechanism>
-Dieter
On 17/11/10 11:09 -0400, Fernando Torrez wrote:
I tried the suggested command (thanks Moorthi): ldapwhoami -U proxyuser -X u:test -Y digest-md5 -I with no success. I got this error:
saslauthd -d -V -a ldap -r -O /etc/saslauthd.conf
digest-md5 and saslauthd are incompatible. The cyrus library requires the use of an auxprop store to retrieve the shared secret that the digest-md5 mechanism uses.
You could use the 'plain' or 'login' mechanisms to authenticate against saslauthd, but you'd need to set:
sasl-secprops none
(or some other setting which allows plain authentication)
However, that's a potential security risk unless you have some other network security layer in place.
so I can say that unfortunately there's no comunication between SASLAUTHD and LDAP.
Now I will try the suggestion to separate saslauthd and ldapdb (thanks Dieter)
But I'm still wondering if there's a way to work ldap server and cyrus-sasl together. Let's be more accuratte
1.- Connect to ldap server throught cyrus-sasl (let's say authenticated/authorized proxyuser connected to ldap server)
If you're looking to do digest-md5 authentication directly to slapd, then you'll probably want to look at using the internal slapd auxprop plugin.
See chapter 15 of the OpenLDAP Administrator's Guide for documentation.
2.- Once connected to the ldap server, authenticate/authorize other user (or any object ) saved on ldap server using previous connection done in step 1
I'm not sure I understand what you're trying to do in step 2. Are you attempting to authenticate some other service other than slapd?
openldap-technical@openldap.org