On Red Hat 6, with OpenLDAP 2.4 and Cyrus SASL 2.1.23.
I create a syncuser user in sasldb, and in my slapd.d configuration I add:
olcAuthzRegexp: {0}"uid=syncuser,cn=DIGEST-MD5,cn=auth" "cn=syncuser,dc=xxx,dc=fr"
I give the ldap user read access to sasldb.
Problem during an ldapsearch:
# ldapsearch -Y DIGEST-MD5 -U syncuser
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
slapd in debug mode returns:
slapd[2608]: do_bind: dn () SASL mech DIGEST-MD5
slapd[2608]: ==> sasl_bind: dn="" mech=<continuing> datalen=277
slapd[2608]: SASL [conn=1002] Debug: DIGEST-MD5 server step 2
slapd[2608]: SASL Canonicalize [conn=1002]: authcid="syncuser"
slapd[2608]: slap_sasl_getdn: conn 1002 id=syncuser [len=8]
slapd[2608]: slap_sasl_getdn: u:id converted to uid=syncuser,cn=DIGEST-MD5,cn=auth
slapd[2608]: >>> dnNormalize: <uid=syncuser,cn=DIGEST-MD5,cn=auth>
slapd[2608]: <<< dnNormalize: <uid=syncuser,cn=digest-md5,cn=auth>
slapd[2608]: ==>slap_sasl2dn: converting SASL name uid=syncuser,cn=digest-md5,cn=auth to a DN
slapd[2608]: [rw] authid: "uid=syncuser,cn=digest-md5,cn=auth" -> "cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: slap_parseURI: parsing cn=syncuser,dc=xxx,dc=fr
slapd[2608]: >>> dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <<< dnNormalize: <cn=syncuser,dc=xxx,dc=fr>
slapd[2608]: <==slap_sasl2dn: Converted SASL name to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: slap_sasl_getdn: dn:id converted to cn=syncuser,dc=xxx,dc=fr
slapd[2608]: SASL Canonicalize [conn=1002]: slapAuthcDN="cn=syncuser,dc=xxx,dc=fr"
slapd[2608]: => hdb_search
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
slapd[2608]: daemon: epoll: listen=7 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=8 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=9 active_threads=1 tvp=zero
slapd[2608]: daemon: epoll: listen=10 active_threads=1 tvp=zero
slapd[2608]: bdb_dn2entry("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: => hdb_dn2id("cn=syncuser,dc=xxx,dc=fr")
slapd[2608]: <= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[2608]: => access_allowed: disclose access to "dc=xxx,dc=fr" "entry" requested
slapd[2608]: => dnpat: [5] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [6] uid=([^,].*),ou=People,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dn: [7] ou=people,dc=xxx,dc=fr
slapd[2608]: => dn: [8] ou=admin,dc=xxx,dc=fr
slapd[2608]: => dn: [9] ou=services,dc=xxx,dc=fr
slapd[2608]: => dnpat: [10] ou=groups,ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => dnpat: [11] ou=(.*),ou=web,dc=xxx,dc=fr nsub: 1
slapd[2608]: => acl_get: [12] attr entry
slapd[2608]: => acl_mask: access to entry "dc=xxx,dc=fr", attr "entry" requested
slapd[2608]: => acl_mask: to all values by "", (=0)
slapd[2608]: <= check a_dn_pat: *
slapd[2608]: <= acl_mask: [2] applying read(=rscxd) (stop)
slapd[2608]: <= acl_mask: [2] mask: read(=rscxd)
slapd[2608]: => slap_access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: => access_allowed: disclose access granted by read(=rscxd)
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=10 matched="dc=xxx,dc=fr" text=""
slapd[2608]: SASL Canonicalize [conn=1002]: authzid="syncuser"
slapd[2608]: SASL [conn=1002] Failure: no secret in database
slapd[2608]: send_ldap_result: conn=1002 op=1 p=3
slapd[2608]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: no secret in database"
slapd[2608]: send_ldap_response: msgid=2 tag=97 err=49
slapd[2608]: conn=1002 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
slapd[2608]: <== slap_sasl_bind: rc=49
slapd[2608]: daemon: activity on 1 descriptor
slapd[2608]: daemon: activity on:
Thank you for your suggestions.
B Chataigne
bea chataigne wrote:
# ldapsearch -Y DIGEST-MD5 -U syncuser
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
Does the userPassword attribute of entry cn=syncuser,dc=xxx,dc=fr have a clear-text value? SASL DIGEST-MD5 does not work with hashed passwords.
Ciao, Michael.
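To make the clear-text requirement concrete, here is an added worked example; it is not code from this thread, from OpenLDAP or from Cyrus SASL. It implements the RFC 2831 DIGEST-MD5 response computation in plain Python and checks a client response on the server side against a sasldb-style secret store. The store is a constructed dict keyed user@realm standing in for /etc/sasldb2, and the realm (ldap.xxx.fr), password, nonce, cnonce and digest-uri values are made up for the example. Two things it shows: the clear-text password goes straight into H(username:realm:passwd), so a hashed userPassword can never be used to verify a DIGEST-MD5 bind; and because sasldb records are keyed by user@realm, a secret that was set with saslpasswd2 under one realm is a lookup miss ("user not found: no secret in database") under another, which is a different failure from a wrong password and is worth confirming with sasldblistusers2 before suspecting the olcAuthzRegexp mapping.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, qop: str, digest_uri: str,
                        authzid: Optional[str] = None) -> str:
    """response-value from RFC 2831 section 2.1.2.1 (client side).

    A1 begins with the raw 16-byte H(username:realm:passwd). The clear-text
    password is the only secret input, so the verifier must hold either that
    password or this exact user:realm:password hash; a {SSHA} or {CRYPT}
    userPassword value cannot be turned into it.
    """
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":00000000000000000000000000000000"
    kd = f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2.encode('utf-8'))}"
    return _hexmd5(kd.encode("utf-8"))


def rfc2831_known_answer() -> str:
    """The IMAP exchange from RFC 2831 section 4 (password "secret");
    the RFC gives response=d388dad90d4bbd760a152321f2143af7."""
    return digest_md5_response("chris", "elwood.innosoft.com", "secret",
                               "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001",
                               "auth", "imap/elwood.innosoft.com")


# Constructed stand-in for /etc/sasldb2 (assumption: one clear-text record
# per user@realm, as saslpasswd2 -u REALM writes it). The realm slapd uses
# must equal the one the secret was stored under or the lookup misses.
SASLDB: Dict[str, str] = {
    "syncuser@ldap.xxx.fr": "S3cret-Example",   # constructed secret
}


def server_verify(store: Dict[str, str], username: str, realm: str, nonce: str,
                  cnonce: str, nc: str, qop: str, digest_uri: str,
                  client_response: str,
                  authzid: Optional[str] = None) -> Tuple[bool, str]:
    """Server-side check of a DIGEST-MD5 response against the secret store.

    Returns (ok, reason). A missing user@realm record is reported as a lookup
    miss, distinct from a wrong password, which mirrors the two outcomes an
    auxprop-backed SASL server can produce.
    """
    secret = store.get(f"{username}@{realm}")
    if secret is None:
        return False, "user not found: no secret in database"
    expected = digest_md5_response(username, realm, secret, nonce, cnonce,
                                   nc, qop, digest_uri, authzid)
    if not hmac.compare_digest(expected, client_response):
        return False, "authentication failure"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Three binds of syncuser against the constructed store."""
    nonce, cnonce = "n0nce-constructed", "cn0nce-constructed"
    nc, qop, uri = "00000001", "auth", "ldap/ldap.xxx.fr"

    def attempt(realm: str, password: str) -> Tuple[bool, str]:
        resp = digest_md5_response("syncuser", realm, password,
                                   nonce, cnonce, nc, qop, uri)
        return server_verify(SASLDB, "syncuser", realm,
                             nonce, cnonce, nc, qop, uri, resp)

    return {
        "right realm, right password": attempt("ldap.xxx.fr", "S3cret-Example"),
        "realm mismatch": attempt("localhost", "S3cret-Example"),
        "wrong password": attempt("ldap.xxx.fr", "wrong"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The realm-mismatch case is the one to rule out first on a sasldb setup: saslpasswd2 defaults the realm to the host name unless -u is given, while slapd presents its own realm to the client, so the two can silently differ.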
Hello Michael,
Yes, SASL DIGEST-MD5 works with clear-text passwords; that is why the password of syncuser is defined in the sasldb2 database.
In my LDAP configuration I have only the following line:
olcAuthzRegexp: {0}"uid=syncuser,cn=DIGEST-MD5,cn=auth" "cn=syncuser,dc=xxx,dc=fr"
In my LDAP database I therefore have no entry "cn=syncuser,dc=xxx,dc=fr" defined.
My ldapsearch command:
# ldapsearch -Y DIGEST-MD5 -U syncuser -h localhost
As I read that rule, olcAuthzRegexp {0} translates the user "uid=syncuser,cn=DIGEST-MD5,cn=auth" into the LDAP entry "cn=syncuser,dc=xxx,dc=fr".
Then it compares the password first in the sasldb2 database, then in the LDAP database. In my case, the password being in sasldb, it should find a match, no?
Is that correct so far?
Best regards,
chataigne
2011/10/29 Michael Ströder michael@stroeder.com
openldap-technical@openldap.org