Hello list,
this is my first time trying to set up SASL, I'm probably doing something wrong. Anyhow:
- I'm on OpenSolaris snv_127. Using SUNWopenldap from IPS (which links with bdb 4.7.25) I got strange slapd (and slapcat) hangs (probably in bdb). This forced me to set it all up from source.
- I've compiled latest bdb 4.8 from source.
- I've compiled latest OpenLDAP 2.4.21 from source with these configure args:

    $ cat myconfigure
    export CFLAGS="-I/usr/local/BerkeleyDB.4.8/include" \
      CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include" \
      LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib \
        -R/usr/local/BerkeleyDB.4.8/lib"
    ./configure -C \
      --prefix=/usr/local/openldap \
      --enable-spasswd \
      --with-cyrus-sasl \
      --enable-syslog

- I've got my slapd.conf [1] in place and initialized my directory.
- simple bind always works
- I want SASL with DIGEST-MD5 auth.
- when starting slapd with -d XXX (-d 256) SASL auth. works !!
$ ldapsearch -v -h localhost -p 10389 -LLL -U ldapadmin \
    -D "cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" \
    -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" '*'
ldap_initialize( ldap://localhost:10389 )
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: ldapadmin
SASL SSF: 128
SASL installing layers
filter: cn=ldapadmin
requesting: *
dn: cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de
cn: ldapadmin
gidNumber: 5000
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: person
objectClass: top
sn: Admin
uid: ldapadmin
uidNumber: 5000
homeDirectory: /tmp
userPassword:: ********
- when starting slapd without -d I get:
$ ldapsearch -v -h localhost -LLL -U ldapadmin \
    -D "cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" \
    -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin"
ldap_initialize( ldap://localhost:10389 )
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-1): generic failure:
There's an additional problem in that slapd is not logging to syslogd. Cf. below: I configured "loglevel 8191", and my syslog.conf contains:
local4.debug /var/log/openldap.log
Upon slapd startup I get two entries in the log, but nothing else, no debugging:
Mar 4 12:48:10 os slapd[8083]: [ID 702911 local4.debug] @(#) $OpenLDAP: slapd 2.4.21 (Mar 4 2010 12:12:43) $
Mar 4 12:48:10 os         ralph@os:/export/home/ralph/openldap-2.4.21/servers/slapd
Can anybody point me in the right direction? Thanks!
Cheers, Ralph
[1] slapd.conf:

    include         /usr/local/openldap/etc/openldap/schema/core.schema
    include         /usr/local/openldap/etc/openldap/schema/cosine.schema
    include         /usr/local/openldap/etc/openldap/schema/nis.schema
    include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema

    pidfile         /var/run/slapd.pid
    argsfile        /var/run/slapd.args
    loglevel        8191

    moduleload      back_hdb.la

    ##############
    # I've added these in sick attempts
    security        ssf=0 sasl=0
    sasl-secprops   none
    ############

    authz-regexp    uid=(.*),cn=DIGEST-MD5,cn=auth
                    cn=$1,ou=Users,dc=hh,dc=supported,dc=de

    access to dn.base="" by * read
    access to dn.base="cn=Subschema" by * read
    access to attrs=userPassword,shadowLastChange
            by dn="cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" write
            by anonymous auth
            by self write
            by * none
    access to *
            by dn="cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" write
            by self write
            by users read
            by anonymous auth

    rootdn          "cn=root,ou=Users,dc=hh,dc=supported,dc=de"
    rootpw          ******

    database        hdb
    suffix          "dc=hh,dc=supported,dc=de"
    directory       /var/openldap
    index           objectClass eq
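Added example (not from the thread and not OpenLDAP's own code): a small Python simulation of the authz-regexp line in the slapd.conf above, showing how the SASL identity slapd builds from a DIGEST-MD5 bind (uid=<authcid>,cn=<mech>,cn=auth, with a cn=<realm> RDN inserted when a realm is in play) is mapped to the DN the ACLs refer to, and why the greedy `(.*)` capture yields a bogus DN as soon as a realm appears while the `([^,]*)` form from the OpenLDAP Admin Guide simply stops matching. It assumes slapd's case-insensitive POSIX extended-regex match and `$1` substitution; the realm value is constructed.

```python
import re

# Constructed reproduction of the authz-regexp line from the slapd.conf in the thread:
# (pattern, replacement) pairs; slapd tries them in order and uses the first match.
THREAD_RULES = [
    (r"uid=(.*),cn=DIGEST-MD5,cn=auth",
     r"cn=$1,ou=Users,dc=hh,dc=supported,dc=de"),
]

# Same mapping with the capture limited to a single RDN value, as in the OpenLDAP
# Admin Guide examples, so a realm component can never be swallowed into $1.
STRICT_RULES = [
    (r"uid=([^,]*),cn=DIGEST-MD5,cn=auth",
     r"cn=$1,ou=Users,dc=hh,dc=supported,dc=de"),
]


def sasl_authc_identity(authcid, mech, realm=None):
    """Build the string slapd derives from a SASL bind before authz-regexp runs:
    uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth; the cn=<realm> RDN is present
    only when the mechanism negotiated a realm."""
    rdns = [f"uid={authcid}"]
    if realm:
        rdns.append(f"cn={realm}")
    rdns += [f"cn={mech}", "cn=auth"]
    return ",".join(rdns)


def map_identity(identity, rules):
    """Apply authz-regexp rules in order. Assumption: slapd compiles each pattern as
    a case-insensitive POSIX extended regex (unanchored search) and substitutes
    $1..$9 from the match. Returns the mapped DN, or None when no rule matches
    (slapd then keeps the raw SASL identity, which none of the dn="..." ACL
    clauses in the slapd.conf above refer to, so the bind is effectively unprivileged)."""
    for pattern, replacement in rules:
        m = re.search(pattern, identity, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)
    return None


if __name__ == "__main__":
    ident = sasl_authc_identity("ldapadmin", "DIGEST-MD5")
    print(ident, "->", map_identity(ident, THREAD_RULES))
    # Constructed realm: the thread's greedy (.*) now produces a DN that does not
    # exist in the directory, while the stricter pattern fails to match at all.
    with_realm = sasl_authc_identity("ldapadmin", "DIGEST-MD5", realm="hh.supported.de")
    print(with_realm, "->", map_identity(with_realm, THREAD_RULES))
    print(with_realm, "->", map_identity(with_realm, STRICT_RULES))
```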
lists@supported.de writes:
> Hello list,
> this is my first time trying to set up SASL, I'm probably doing something wrong. Anyhow:
> [...]
> - when starting slapd without -d I get:
>
> $ ldapsearch -v -h localhost -LLL -U ldapadmin \
>     -D "cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" \
>     -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin"
> ldap_initialize( ldap://localhost:10389 )
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
>         additional info: SASL(-1): generic failure:
try ldapsearch -Y DIGEST-MD5 -U ldapadmin -w password -b ...
-Dieter
On Fri, 05 Mar 2010 09:21:06 +0100, "Dieter Kluenter" dieter@dkluenter.de wrote:
> lists@supported.de writes:
>
> > Hello list,
> > this is my first time trying to set up SASL, I'm probably doing something wrong. Anyhow:
> > [...]
> > - when starting slapd without -d I get:
> >
> > $ ldapsearch -v -h localhost -LLL -U ldapadmin \
> >     -D "cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de" \
> >     -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin"
> > ldap_initialize( ldap://localhost:10389 )
> > SASL/DIGEST-MD5 authentication started
> > Please enter your password:
> > ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
> >         additional info: SASL(-1): generic failure:
>
> try ldapsearch -Y DIGEST-MD5 -U ldapadmin -w password -b ...
I did try without -D before; it doesn't help:

$ ldapsearch -v -h localhost -LLL -Y DIGEST-MD5 -U ldapadmin -w ***** \
    -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" '*'
ldap_initialize( ldap://localhost:389 )
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-1): generic failure:
Again: the strange point being that when starting slapd from the CLI with -d XXX everything works. I only get the error when letting slapd disassociate (i.e. without -d):

# /etc/init.d/openldap stop
Stopping OpenLDAP ...[ok]
# /usr/local/openldap/libexec/slapd -f /usr/local/openldap/etc/openldap/slapd.conf -d 64
...
slapd starting

$ ldapsearch -v -h localhost -LLL -Y DIGEST-MD5 -U ldapadmin -w **** \
    -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" '*'
ldap_initialize( ldap://localhost:389 )
SASL/DIGEST-MD5 authentication started
SASL username: ldapadmin
SASL SSF: 128
SASL installing layers
filter: cn=ldapadmin
requesting: *
dn: cn=ldapadmin,ou=Users,dc=hh,dc=supported,dc=de
cn: ldapadmin
gidNumber: 5000
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: person
objectClass: top
sn: Admin
uid: ldapadmin
uidNumber: 5000
homeDirectory: /tmp
userPassword:: ****

...back to root shell, stop slapd and restart without -d...

# ^c
...
slapd stopped.
# /usr/local/openldap/libexec/slapd -f /usr/local/openldap/etc/openldap/slapd.conf

$ ldapsearch -v -h localhost -LLL -Y DIGEST-MD5 -U ldapadmin -w *** \
    -b "ou=Users,dc=hh,dc=supported,dc=de" -s sub "cn=ldapadmin" '*'
ldap_initialize( ldap://localhost:10389 )
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-1): generic failure:
Any idea? Thanks!
Btw: I've duplicated this setup on a Debian box. On that one everything works...
Cheers, Ralph
openldap-technical@openldap.org