Hello All,
I'm a newbie to LDAP and am trying to enable SASL for a newly created user.
I read the link at the OpenLDAP site: http://www.openldap.org/doc/admin24/sasl.html#DIGEST-MD5
and performed the following steps:

Step-1: saslpasswd2 -c sasluser2
<asked for password>

Step-2: sasldblistusers2
sasluser2@test0.devcs: userPassword

add_sasl_accnt.ldif
----------------------------
# TEST Account for SASL:
dn: uid=sasluser2,ou=System,o=db
uid: sasluser2
ou: System
description: Special account for SASL Testing
userPassword: sasluser2
objectClass: account
objectClass: simpleSecurityObject

Step-3: ldapadd -x -D cn=Manager,o=db -W -f add_sasl_accnt.ldif
After performing these steps, I tried to perform an ldapsearch and ended up getting an error:

ldapsearch -U sasluser2 -b 'o=db' '(objectclass=*)'
ldap_sasl_interactive_bind_s: No such attribute (16)

ldapsearch -LLL -U sasluser2 -b 'o=db'
ldap_sasl_interactive_bind_s: No such attribute (16)
Kindly help.
Thanks and Regards, Gaurav Gugnani
Hello All,
After some more research into it and reading some more links: http://www.linuxtopia.org/online_books/network_administration_guides/ldap_administration/sasl_SASL_Authentication.html http://tldp.org/HOWTO/LDAP-HOWTO/sasl.html
I did some more steps, like:

Step-1: In the file slapd.conf I added the following lines:

password-hash {CLEARTEXT}
sasl-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=db

And performed the ldapsearch in a different way:

ldapsearch -Y DIGEST-MD5 -U sasluser2 -b 'o=db'

But again got an error:

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

Please help me get out of this issue.
Thanks and Regards, Gaurav Gugnani
On Thu, Feb 2, 2012 at 11:36 AM, Gaurav Gugnani gugnanigaurav@gmail.com wrote:
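The second message above adds password-hash {CLEARTEXT} and switches to -Y DIGEST-MD5, and the two belong together because of how the mechanism works: DIGEST-MD5 (RFC 2831) has both sides compute MD5 over username:realm:password, so the server must be able to rebuild that value from what the directory stores, which a salted one-way hash such as {SSHA} cannot provide. The Python below is an added worked example of that computation, not code from the thread or from OpenLDAP; the realm test0.devcs, the digest-uri ldap/ldap.example.net and the nonces are constructed values, and userPassword values are passed in as strings rather than read from a directory.

```python
"""DIGEST-MD5 (RFC 2831 section 2.1.2.1) computed on both sides of one bind.
Added example; names, realm and digest-uri are constructed, not from the thread."""
import hashlib
import hmac
import os


def _md5_hex(data):
    return hashlib.md5(data).hexdigest()


def digest_secret(username, realm, password):
    """H(username:realm:password): the 16 raw bytes that start A1.
    Only the cleartext password (or this value stored verbatim) lets a server
    build it; a one-way salted hash such as {SSHA} cannot be turned into it."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def digest_response(secret, nonce, cnonce, nc, qop, digest_uri, authzid=None, rspauth=False):
    """The client's 'response' value, or with rspauth=True the server's 'rspauth'."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:                                # only when an authorization id was sent
        a1 += f":{authzid}".encode("utf-8")
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):       # integrity/privacy layers add a zero body hash
        a2 += ":" + "0" * 32
    kd = f"{_md5_hex(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_md5_hex(a2.encode('utf-8'))}"
    return _md5_hex(kd.encode("utf-8"))


def password_from_userpassword(stored):
    """Cleartext from a userPassword value: unprefixed or {CLEARTEXT} only.
    Any other scheme is a one-way hash, which is what password-hash {CLEARTEXT} avoids."""
    if stored.startswith("{"):
        scheme, _, rest = stored[1:].partition("}")
        if scheme.upper() != "CLEARTEXT":
            raise ValueError("DIGEST-MD5 cannot be verified against a {%s} hash" % scheme)
        return rest
    return stored


def run_exchange(username, realm, client_password, stored_userpassword,
                 digest_uri="ldap/ldap.example.net", nonce=None, cnonce=None):
    """One bind: server challenge -> client response -> server check -> rspauth -> client check.
    Returns (server_accepted_client, client_accepted_server)."""
    nonce = nonce or os.urandom(16).hex()      # server-chosen, fresh per challenge
    cnonce = cnonce or os.urandom(16).hex()    # client-chosen
    nc, qop = "00000001", "auth"
    # Client side: derives everything from the password that was typed in.
    client_secret = digest_secret(username, realm, client_password)
    response = digest_response(client_secret, nonce, cnonce, nc, qop, digest_uri)
    # Server side: must rebuild the same secret from what the directory stores.
    server_secret = digest_secret(username, realm, password_from_userpassword(stored_userpassword))
    expected = digest_response(server_secret, nonce, cnonce, nc, qop, digest_uri)
    if not hmac.compare_digest(expected, response):
        return False, False
    # Mutual authentication: the server proves that it holds the secret too.
    rspauth = digest_response(server_secret, nonce, cnonce, nc, qop, digest_uri, rspauth=True)
    client_check = digest_response(client_secret, nonce, cnonce, nc, qop, digest_uri, rspauth=True)
    return True, hmac.compare_digest(rspauth, client_check)


if __name__ == "__main__":
    print(run_exchange("sasluser2", "test0.devcs", "sasluser2", "{CLEARTEXT}sasluser2"))
```

If the stored value is a hash scheme other than {CLEARTEXT}, password_from_userpassword raises: the server has nothing from which to derive the DIGEST-MD5 secret, so the bind cannot succeed no matter what the client sends. That is also why the ACL on userPassword matters more with this mechanism than with simple binds against hashed passwords. The values can be checked against the worked example in RFC 2831 section 4.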
On 02/02/2012 10:40 AM, Gaurav Gugnani wrote:
But again got error as:
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found
Did you install the SASL modules? (On Debian the package name is libsasl2-modules.)
Hello,
I too suppose that my package for cyrus-sasl DIGEST-MD5 is missing.
I'm working on a Linux x86_64 machine and want to implement the DIGEST-MD5 mechanism.
Following packages are installed:

/u01/app/openldap/product/2.4.26/etc/openldap>rpm -qa | grep cyrus-sasl
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3

Please suggest whether a package is missing, or whether the DIGEST-MD5 mechanism will work with these cyrus-sasl modules.
Thanks for your help.
Regards, Gaurav Gugnani
On Thu, Feb 2, 2012 at 4:03 PM, Raffael Sahli public@raffaelsahli.com wrote:
On 02/02/12 16:24 +0530, Gaurav Gugnani wrote:
I too suppose that my package for cyrus-sasl DIGEST-MD5 is missing.
Following packages are installed:
/u01/app/openldap/product/2.4.26/etc/openldap>rpm -qa | grep cyrus-sasl
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3
Use pluginviewer (or possibly saslpluginviewer) to verify that digest-md5 is installed. If not, you'll need to find out which package you need from your distribution's support.
Once installed, and verified using pluginviewer, verify that slapd is offering the mechanism with:
ldapsearch -x -H ldap://ldap.example.net -s "base" "supportedSASLMechanisms"
Hello,
Thanks for helping me out. Yes, the package is missing.
The O/P of pluginviewer:
/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
Installed SASL (server side) mechanisms are:
ANONYMOUS PLAIN LOGIN EXTERNAL
And clearly it is not displaying any MD5 SASL mechanism.
Now I'll try to install the package and will try my steps.
Once again, thanks a lot for helping.
Regards, Gaurav Gugnani
On Thu, Feb 2, 2012 at 9:03 PM, Dan White dwhite@olp.net wrote:
Hello All,
I've installed the cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64.rpm package.
Logs:

/root>pluginviewer
Installed SASL (server side) mechanisms are:
CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL
......

/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5

and again started with the SASL process (tried several times), but every time got an error.

Steps I followed:

1> saslpasswd2 -c sasluser3
2> sasldblistusers2
3> Stop LDAP
4> edit slapd.conf and add the following lines:
password-hash {CLEARTEXT}
sasl-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
5> Start LDAP
6> Add account from ldif:

add_sasl_accnt3.ldif
----------------------------
# TEST Account for SASL:
dn: uid=sasluser3,ou=System,o=xyz
uid: sasluser3
ou: System
description: Special account for SASL Testing
userPassword: sasluser3
objectClass: account
objectClass: simpleSecurityObject

7> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt3.ldif
8> ldapsearch -Y DIGEST-MD5 -U sasluser3 -b 'o=xyz'
   or
   ldapsearch -U sasluser5 -b 'o=xyz'

But every time got an error:

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database

Thanks a lot for helping me.
Regards, Gaurav Gugnani
On Thu, Feb 2, 2012 at 11:13 PM, Gaurav Gugnani gugnanigaurav@gmail.com wrote:
On 02/03/12 16:12 +0530, Gaurav Gugnani wrote:
and again started with the SASL process (tried several times), but every time got an error. Steps I followed:
1> saslpasswd2 -c sasluser3
2> sasldblistusers2
These two steps are not necessary.
3> Stop LDAP
4> edit slapd.conf and add the following lines:
password-hash {CLEARTEXT}
sasl-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
5> Start LDAP
6> Add account from ldif: add_sasl_accnt3.ldif
# TEST Account for SASL:
dn: uid=sasluser3,ou=System,o=xyz
uid: sasluser3
ou: System
description: Special account for SASL Testing
userPassword: sasluser3
objectClass: account
objectClass: simpleSecurityObject
7> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt3.ldif
8> ldapsearch -Y DIGEST-MD5 -U sasluser3 -b 'o=xyz' or ldapsearch -U sasluser5 -b 'o=xyz'
But every time got an error:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
This is an error indicating that the user entry within LDAP could not be found, and two possible reasons are that you do not have ACLs configured properly, or your sasl-regexp is misconfigured.
Depending on the version of slapd, 'sasl-regexp' should instead be 'authz-regexp'. It appears from the output below that you are using version 2.4.26, so you should be using 'authz-regexp'.
For documentation on configuring them, reference the OpenLDAP 2.4 Admin Guide.
For troubleshooting ACL misconfigurations, try running slapd in debug mode, or increase your logging.
On Thu, Feb 2, 2012 at 11:13 PM, Gaurav Gugnani gugnanigaurav@gmail.com wrote:
Hello,
Thks for helping me out. Yes, the package is missing.
The O/P of pluginviewer:
/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
Installed SASL (server side) mechanisms are:
ANONYMOUS PLAIN LOGIN EXTERNAL
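Dan White's point about the regexp is easiest to see by running the mapping. The OpenLDAP 2.4 Admin Guide gives the SASL identity that slapd derives for a bind as uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth, with the cn=<realm> component present when the client used a realm; the sasldblistusers2 line earlier in the thread (sasluser2@test0.devcs) is a user@realm pair, so this example assumes the realm on that host is test0.devcs. The Python below is an added example, not the thread's or OpenLDAP's code: it models authz-regexp as slapd applies it (rules tried in order, unanchored extended regexps matched case-insensitively, $1..$9 substituted from the captured groups) and runs the thread's two patterns plus a realm-tolerant one against identities with and without a realm. The one-entry "directory" is constructed.

```python
"""How slapd turns a SASL identity into a directory DN with authz-regexp.
Added example, not from the thread or from OpenLDAP; the realm and the
one-entry directory are constructed."""
import re


def sasl_identity(authcid, mech, realm=None):
    """The SASL DN slapd derives for a bind; cn=<realm> appears only when a realm was used."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def _to_python_template(replacement):
    # authz-regexp writes back-references as $1; Python's re.Match.expand wants \g<1>
    return re.sub(r"\$(\d)", r"\\g<\1>", replacement)


def map_identity(sasl_dn, rules):
    """Apply (pattern, replacement) rules like slapd: first match wins, case-insensitive,
    unanchored unless the pattern itself uses ^ and $. None means no rule matched."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return m.expand(_to_python_template(replacement))
    return None


# Constructed directory: the only entry that exists, so we can see whether a mapping lands.
DIRECTORY = {"uid=sasluser3,ou=System,o=xyz"}

# The thread's first pattern: greedy (.*) swallows a realm component if one is present.
THREAD_RULE_GREEDY = [(r"uid=(.*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")]
# The thread's second pattern: [^,]* stops at the comma, so it simply fails to match with a realm.
THREAD_RULE_NOCOMMA = [(r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")]
# A pattern that accepts the optional cn=<realm> component either way.
REALM_AWARE_RULE = [(r"uid=([^,]*)(,cn=[^,]*)?,cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")]


def resolves(authcid, mech, realm, rules):
    """True only when the mapped DN is an entry that actually exists."""
    dn = map_identity(sasl_identity(authcid, mech, realm), rules)
    return dn in DIRECTORY


if __name__ == "__main__":
    cases = [("greedy", THREAD_RULE_GREEDY), ("no-comma", THREAD_RULE_NOCOMMA),
             ("realm-aware", REALM_AWARE_RULE)]
    for label, rules in cases:
        for realm in (None, "test0.devcs"):
            dn = map_identity(sasl_identity("sasluser3", "DIGEST-MD5", realm), rules)
            print(f"{label:12} realm={realm!s:12} -> {dn}")
```

Run stand-alone it prints six mappings: without a realm all three rules produce uid=sasluser3,ou=System,o=xyz; with a realm the greedy rule produces a DN containing cn=test0.devcs that does not exist, the no-comma rule produces no mapping at all, and only the realm-aware rule lands on the entry. Either of the first two outcomes leaves slapd with no entry to read a secret from. The debug run Dan recommends (slapd -d -1) prints the derived SASL DN and the result of each authz-regexp, which is how to confirm which case applies on a real server.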
Hello All,
Thanks for helping me out; however, I'm still stuck in the middle of it and the issue has not yet been resolved.
Error:
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y DIGEST-MD5 -U sasluser7 -b 'o=xyz'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
I checked the ACLs, and I'm now also using authz with the following lines:
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz

access to attrs="userpassword"
        by self write
        by anonymous auth
        by dn="uid=sasluser7,ou=System,o=xyz" read
access to dn.base="o=xyz"
        by dn="uid=sasluser7,ou=System,o=xyz" read
        by users read
access to dn.subtree="ou=Subscribers,o=xyz"
        by dn="uid=sasluser7,ou=System,o=xyz" read
access to *
        by self write
        by dn="uid=sasluser7,ou=System,o=xyz" read
I hope it is fine.
Moreover, we can say that the user is created:
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D 'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=sasluser7,ou=System,o=xyz> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sasluser7, System, xyz
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbVHzZXI3
objectClass: account
objectClass: simpleSecurityObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Also, I would like to highlight one thing:
When I check for SASL DB list users, it throws me an error. Can that be an issue point?
/u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
-bash: sasldblistusers: command not found
Please help me out in moving forward. Thanks a lot for your support.
Regards, Gaurav Gugnani
On Fri, Feb 3, 2012 at 8:44 PM, Dan White dwhite@olp.net wrote:
Hi Gaurav,

which SASL DB do you try to access? Do you load the corresponding plugin?

Here we use the /etc/sasldb2 database through the auxprop plugin. To define this, we need to have in /etc/openldap/slapd.conf

sasl-auxprops sasldb

which in the cn=config subtree gives

olcSaslAuxprops: sasldb

Then we need to have a file /usr/lib64/sasl2/slapd.conf with the content:

pwcheck_method: auxprop
mech_list: plain login digest-md5 cram-md5
auxprop_plugin: sasldb

To list the users in the database we use sasldblistusers2.

And finally we need to have the file /etc/sasldb2, which contains the userids and passwords and is created/maintained by saslpasswd2. It is actually a Sleepycat database and can be read by the Sleepycat tools. This file must not be accessible by all users, but it must be readable by the userid/group under which slapd runs.
Also check to see, what is in your slapd-log, which in our installation is /var/log/localmessages.
suomi
On 02/06/2012 07:10 AM, Gaurav Gugnani wrote:
On 02/06/12 11:40 +0530, Gaurav Gugnani wrote:
Hello All,
Thks for helping me out, however i'm still stuck in middle of it and the issue has not yet resolved.
You should run your server in debug mode to determine what's going awry.
Error:
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -Y DIGEST-MD5 -U sasluser7 -b 'o=xyz'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
I checked for ACL and also now i'm using authz with following lines:
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
access to attrs="userpassword"
        by self write
        by anonymous auth
        by dn="uid=sasluser7,ou=System,o=xyz" read
access to dn.base="o=xyz"
        by dn="uid=sasluser7,ou=System,o=xyz" read
        by users read
access to dn.subtree="ou=Subscribers,o=xyz"
        by dn="uid=sasluser7,ou=System,o=xyz" read
access to *
        by self write
        by dn="uid=sasluser7,ou=System,o=xyz" read
I hope it is fine.
I have 'by anonymous auth' on the following:
access to dn.base="ou=people,dc=example,dc=net"
access to attrs=userPassword
access to attrs=authzTo
access to attrs=objectClass
access to attrs=entry,uidNumber
You could determine if that's sufficient for you piecemeal wise but, again, use debug output to figure it out. For example:
slapd -d -1 -h ldap:/// -u openldap -g openldap
See the manpage for slapd for details.
Moreover, we can say that the user is created:
/u01/app/openldap/product/2.4.26/etc/openldap>ldapsearch -x -W -D 'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=xyz'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=sasluser7,ou=System,o=xyz> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sasluser7, System, xyz
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbVHzZXI3
Be aware that the above is a simple uuencoding of your password. It should now be considered publicly known.
Also, i would like to highlight one thing:
When I check for SASL DB list users, it throws me an error. Can that be an issue point?
/u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
-bash: sasldblistusers: command not found
Any of the cyrus sasl* commands are most likely doing the wrong thing, which default to using the sasldb auxprop store (which uses /etc/sasldb2) rather that slapd or ldapdb. I would not use them at this point as they're bound to confuse the matter.
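Dan White's two checks earlier in the thread (that pluginviewer lists DIGEST-MD5, and that slapd advertises it in supportedSASLMechanisms) and his warning just above that a userPassword:: value is merely an encoding of the password both come down to reading ldapsearch's LDIF output correctly. The Python below is an added example, not from the thread or from OpenLDAP: a small LDIF reader that handles '::' base64 values and folded continuation lines, a diagnose() that applies the two checks in order, and the decoding of a userPassword:: value. The LDIF samples and plugin lists are constructed to resemble the outputs quoted in the thread; the sample account's password is sasluser7.

```python
"""Reading ldapsearch LDIF output for SASL troubleshooting: which mechanisms the
server offers, and what a 'userPassword::' line really contains.
Added example; the samples below are constructed, not the thread's literal output."""
import base64


def parse_ldif(text):
    """Minimal LDIF reader: a list of {attr: [values]} dicts, one per entry.
    Handles '#' comments, 'attr:: base64' values and folded lines (leading space).
    Attribute names are lower-cased because LDAP treats them case-insensitively."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                      # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def server_mechanisms(rootdse_ldif):
    """supportedSASLMechanisms values from a rootDSE search (-b "" -s base)."""
    entries = parse_ldif(rootdse_ldif)
    return entries[0].get("supportedsaslmechanisms", []) if entries else []


def diagnose(plugin_list, rootdse_ldif, mech="DIGEST-MD5"):
    """The two checks in order: Cyrus plugin present (pluginviewer), then slapd offering it."""
    if mech not in plugin_list:
        return f"{mech}: Cyrus SASL plugin not installed (install the distribution's {mech} package)"
    if mech not in server_mechanisms(rootdse_ldif):
        return f"{mech}: plugin present but slapd does not advertise it (check SASL config, restart slapd)"
    return f"{mech}: ready"


def stored_password(entry_ldif):
    """The userPassword value as slapd holds it. A '::' line is only base64: with no
    hash scheme in front, what comes back is the cleartext password."""
    entry = parse_ldif(entry_ldif)[0]
    return entry["userpassword"][0]


# Constructed samples resembling the thread's outputs.
ROOTDSE = """dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
"""
ENTRY = """# sasluser7, System, xyz
dn: uid=sasluser7,ou=System,o=xyz
uid: sasluser7
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbHVzZXI3
objectClass: account
objectClass: simpleSecurityObject
"""
PLUGINVIEWER_BEFORE = "ANONYMOUS PLAIN LOGIN EXTERNAL".split()
PLUGINVIEWER_AFTER = "CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL".split()

if __name__ == "__main__":
    print(diagnose(PLUGINVIEWER_BEFORE, ROOTDSE))
    print(diagnose(PLUGINVIEWER_AFTER, ROOTDSE))
    print("stored userPassword decodes to:", stored_password(ENTRY))
```

On a live server the rootDSE text comes from ldapsearch -x -H ldap://host -b "" -s base -LLL supportedSASLMechanisms and the plugin list from pluginviewer, as in Dan's instructions; anyone who can read the userPassword attribute (here, the manager DN used for the search, but also any DN the ACLs grant read on it) recovers the password with one base64 decode, which is the reason Dan treats a value that has been pasted to a public list as compromised.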
Hello All,
Thanks to all for helping me out. I hope now the destination is not too far, as I achieved SASL, but it is storing using sasldb. However, I want it to store the information in the LDAP directory.
I've installed the corresponding package: cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
Steps for SASL in LDAP using sasldb
------------------------------------------------------

1> saslpasswd2 -c sasluser14
2> sasldblistusers2
3> service ldap stop
4> vi etc/openldap/slapd.conf
sasl-auxprops sasldb
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
- Give proper ACL to sasluser14
5> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: sasldb
#auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasldb_path: /etc/sasldb2
6> service ldap start
7> ps -eaf | grep -i ldap
8> vi add_sasl_accnt14.ldif
# TEST Account for SASL:
dn: uid=sasluser14,ou=System,o=xyz
uid: sasluser14
ou: System
description: Special account for SASL Testing
userPassword: sasluser14
objectClass: account
objectClass: simpleSecurityObject
9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b 'uid=sasluser7,ou=system,o=xyz'
But now the problem is that it is storing the users in sasldb, and we want to use the LDAP directory. Can anyone please suggest what changes I need to make to achieve it?
Thanks a lot for your support.
Regards, Gaurav Gugnani
On Mon, Feb 6, 2012 at 9:17 PM, Dan White dwhite@olp.net wrote:
On 02/06/12 11:40 +0530, Gaurav Gugnani wrote:
Hello All,
Thks for helping me out, however i'm still stuck in middle of it and the issue has not yet resolved.
You should run your server in debug mode to determine what's going awry.
*Error:*
/u01/app/openldap/product/2.4.**26/etc/openldap>ldapsearch -Y DIGEST-MD5 -U sasluser7 -b 'o=xyz' SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database
I checked for ACL and also now i'm using authz with following lines:
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=**auth uid=$1,ou=System,o=xyz
access to attrs="userpassword" by self write by anonymous auth by dn="uid=sasluser7,ou=System,o=**xyz" read access to dn.base="o=xyz" by dn="uid=sasluser7,ou=System,o=**xyz" read by users read access to dn.subtree="ou=Subscribers,o=**xyz" by dn="uid=sasluser7,ou=System,o=**xyz" read access to * by self write by dn="uid=sasluser7,ou=System,o=**xyz" read
I hope it is fine.
I have 'by anonymous auth' on the following:
access to dn.base="ou=people,dc=example,**dc=net" access to attrs=userPassword access to attrs=authzTo access to attrs=objectClass access to attrs=entry,uidNumber
You could determine if that's sufficient for you piecemeal wise but, again, use debug output to figure it out. For example:
slapd -d -1 -h ldap:/// -u openldap -g openldap
See the manpage for slapd for details.
Moreover, we can say that the user is created:
/u01/app/openldap/product/2.4.**26/etc/openldap>ldapsearch -x -W -D 'cn=manager,o=xyz' -b 'uid=sasluser7,ou=System,o=**xyz' Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=sasluser7,ou=System,o=**xyz> with scope subtree # filter: (objectclass=*) # requesting: ALL #
# sasluser7, System, xyz dn: uid=sasluser7,ou=System,o=xyz uid: sasluser7 ou: System description: Special account for SASL Testing userPassword:: c2FzbVHzZXI3
Be aware that the above is a simple uuencoding of your password. It should now be considered publicly known.
objectClass: account
objectClass: simpleSecurityObject
# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Also, I would like to highlight one thing:
When I check for the SASL DB user list, it throws an error. Can that be an issue point?
/u01/app/openldap/product/2.4.26/etc/openldap>sasldblistusers
-bash: sasldblistusers: command not found
Any of the cyrus sasl* commands are most likely doing the wrong thing, which default to using the sasldb auxprop store (which uses /etc/sasldb2) rather than slapd or ldapdb. I would not use them at this point as they're bound to confuse the matter.
-- Dan White
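Added example, not part of Dan's reply and not OpenLDAP code: a small Python model of slapd.access(5) evaluation, run over the ACL posted above, to show why an anonymous SASL bind needs 'auth' access on the target entry's 'entry' pseudo-attribute as well as on userPassword (the thread's later debug log shows exactly that "auth access to ... 'entry' requested ... denied" check). The ACL text is copied from the post; the FIXED_ACL variant, which appends a 'by anonymous auth' clause to the catch-all directive, is my assumption of a fix and not a rule from the thread. The model covers only the <what> and <who> forms used here; 'break'/'continue' controls, regex selectors and sets are not modelled.

```python
import re

# Access levels from slapd.access(5), weakest to strongest. A grant at one
# level implies every weaker one, so a 'read' grant satisfies an 'auth' request.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives.

    Supported <what>: '*', dn.base=/dn.exact=/dn.subtree=<dn>, attrs=<a,b>.
    Supported <who>: '*', anonymous, users, self, dn=/dn.exact=<dn>.
    Control keywords (stop/break/continue) are not modelled: every clause stops.
    """
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("access to "):
            continue
        head, *clauses = re.split(r"\s+by\s+", line[len("access to "):])
        what = {"dn": None, "scope": None, "attrs": None}
        for tok in head.split():
            key, _, val = tok.partition("=")
            val = val.strip('"').lower()
            if key in ("dn.base", "dn.exact", "dn.subtree"):
                what["dn"], what["scope"] = val, key.split(".")[1]
            elif key == "attrs":
                what["attrs"] = set(val.split(","))
        bys = []
        for clause in clauses:
            parts = clause.split()
            bys.append((parts[0].lower(), parts[1].lower() if len(parts) > 1 else "none"))
        rules.append((what, bys))
    return rules


def _what_matches(what, entry_dn, attr):
    # A directive without attrs= covers every attribute, including 'entry'.
    if what["attrs"] is not None and attr not in what["attrs"]:
        return False
    if what["dn"] is None:
        return True
    if what["scope"] in ("base", "exact"):
        return entry_dn == what["dn"]
    return entry_dn == what["dn"] or entry_dn.endswith("," + what["dn"])  # subtree


def _who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn == entry_dn
    if who.startswith(("dn=", "dn.exact=")):
        return requester_dn == who.split("=", 1)[1].strip('"')
    return False


def access_allowed(rules, requester_dn, entry_dn, attr, needed):
    """First directive whose <what> matches decides; within it, the first matching
    <by> clause sets the level. No matching clause, or no matching directive,
    means denied (slapd's default is 'none')."""
    requester_dn, entry_dn, attr = requester_dn.lower(), entry_dn.lower(), attr.lower()
    for what, bys in rules:
        if not _what_matches(what, entry_dn, attr):
            continue
        for who, level in bys:
            if _who_matches(who, requester_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False
    return False


def sasl_bind_permitted(rules, target_dn):
    """A SASL bind is evaluated as anonymous (dn "") and needs 'auth' on the
    target entry's 'entry' pseudo-attribute and on its userPassword."""
    return {attr: access_allowed(rules, "", target_dn, attr, "auth")
            for attr in ("entry", "userPassword")}


# ACL as posted in the thread, one directive per line.
POSTED_ACL = """
access to attrs="userpassword" by self write by anonymous auth by dn="uid=sasluser7,ou=System,o=xyz" read
access to dn.base="o=xyz" by dn="uid=sasluser7,ou=System,o=xyz" read by users read
access to dn.subtree="ou=Subscribers,o=xyz" by dn="uid=sasluser7,ou=System,o=xyz" read
access to * by self write by dn="uid=sasluser7,ou=System,o=xyz" read
"""

# Assumed fix (not from the thread): let anonymous reach the entry at 'auth'
# level and nothing more, by extending the catch-all directive.
FIXED_ACL = POSTED_ACL.replace(
    'access to * by self write by dn="uid=sasluser7,ou=System,o=xyz" read',
    'access to * by self write by dn="uid=sasluser7,ou=System,o=xyz" read by anonymous auth',
)

TARGET_DN = "uid=sasluser7,ou=System,o=xyz"

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(name, sasl_bind_permitted(parse_acl(acl), TARGET_DN))
```

With the posted ACL, userPassword is reachable (the first directive has 'by anonymous auth') but the entry itself falls through to the 'access to *' directive, where no clause matches an anonymous requester, so the bind is refused before the password is ever checked. The only change in FIXED_ACL is the extra 'by anonymous auth' on that catch-all; 'auth' grants nothing beyond what a bind needs, so anonymous still cannot read or search.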
Hello All,
I was working on this problem and figured out that the ldapdb auxprop plugin is missing.
/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
Installed SASL (server side) mechanisms are:
CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL ...
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
supports store: yes
I read that to use such a thing, the ldapdb auxprop plugin should be enabled. http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-September/001552.html
The package has been installed and the files below are there:
libldapdb.la
libldapdb.so.2.0.22
libldapdb.so.2
libldapdb.so
Please help me with how to set up SASL using the LDAP directory.
Thanks for your help.
Regards, Gaurav Gugnani
On Tue, Feb 7, 2012 at 11:01 AM, Gaurav Gugnani gugnanigaurav@gmail.comwrote:
Hello All,
Thanks to all for helping me out. I hope now the destination is not too far, as I achieved SASL, but it is storing using sasldb. However, I want it to store the information in the LDAP directory.
I've installed the corresponding package: cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
Steps for SASL in LDAP using sasldb
1> saslpasswd2 -c sasluser14
2> sasldblistusers2
3> service ldap stop
4> vi etc/openldap/slapd.conf
sasl-auxprops sasldb
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
- Give proper ACL to sasluser14
5> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: sasldb
#auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sasldb_path: /etc/sasldb2
6> service ldap start
7> ps -eaf | grep -i ldap
8> vi add_sasl_accnt14.ldif
# TEST Account for SASL:
dn: uid=sasluser14,ou=System,o=xyz
uid: sasluser14
ou: System
description: Special account for SASL Testing
userPassword: sasluser14
objectClass: account
objectClass: simpleSecurityObject
9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b 'uid=sasluser7,ou=system,o=xyz'
But now the problem is that it is storing the users in sasldb, and we want to use the LDAP directory. Can anyone please suggest what changes I need to make to achieve it?
Thanks a lot for your support.
Regards, Gaurav Gugnani
Hi All,
I hope I'm now only one step away:
I've enabled the ldapdb auxprop plugin.
/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer -a
Installed auxprop mechanisms are:
ldapdb sasldb
List of auxprop plugins follows
Plugin "ldapdb" , API version: 4
supports store: yes
Plugin "sasldb" , API version: 4
supports store: yes
File modified (newly created): /usr/lib64/sasl2/pluginviewer.conf
Now it's getting me to a different point: whatever I execute hangs indefinitely.
Example:
ldapsearch -x -D cn=Manager,o=xyz -W -b 'uid=sasluser21,ou=System,o=xyz'
Enter LDAP Password:
So, after taking the password ... no result :(
One more thing:
ldapwhoami -Y DIGEST-MD5 -U sasluser21 -H ldap://localhost
SASL/DIGEST-MD5 authentication started
Same result: no output.
Please help.
Thanks and Regards, Gaurav Gugnani
On 02/07/12 11:01 +0530, Gaurav Gugnani wrote:
Hello All,
Thanks to all for helping me out. I hope now the destination is not too far, as I achieved SASL, but it is storing using sasldb. However, I want it to store the information in the LDAP directory.
I've installed the corresponding package: cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
Steps for SASL in LDAP using sasldb
1> saslpasswd2 -c sasluser14
2> sasldblistusers2
I can't stress enough that these commands are going to confuse you when using slapd. There really are only a few advanced uses for using these commands in your desired environment.
3> service ldap stop
4> vi etc/openldap/slapd.conf
sasl-auxprops sasldb
This is the wrong thing to do. You should remove this option if you wish to have slapd use userPassword to authenticate your users. By specifying sasldb here, you're instructing slapd, by way of libsasl2, to authenticate your users against /etc/sasldb2.
Also,
sasl-auxprops ldapdb
would also be the wrong thing to do. In addition to 'sasldb' and 'ldapdb', slapd implements its own auxprop plugin called 'slapd', which is the default, and which Does the Right Thing (TM). However, be aware that 'slapd' will not show up in the output of pluginviewer (or at least I'm not aware of a way to make it do so).
authz-regexp uid=([^,]*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
- Give proper ACL to sasluser14
5> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: sasldb
Again this is the wrong thing to do. In recent versions of slapd this value is overridden by 'sasl-auxprops'.
#auxprop_plugin: slapd
You should uncomment this if using older versions of slapd. For newer versions of slapd, 'sasl-auxprops' defaults to slapd.
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
CRAM-MD5 and DIGEST-MD5 are fine here. If you really want to use PLAIN and LOGIN, specify a relaxed 'sasl-secprops' within your slapd configuration.
sasldb_path: /etc/sasldb2
Unnecessary.
6> service ldap start
7> ps -eaf | grep -i ldap
8> vi add_sasl_accnt14.ldif
# TEST Account for SASL:
dn: uid=sasluser14,ou=System,o=xyz
uid: sasluser14
ou: System
description: Special account for SASL Testing
userPassword: sasluser14
objectClass: account
objectClass: simpleSecurityObject
9> ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt14.ldif
10> ldapsearch -Y DIGEST-MD5 -U sasluser14 -b 'uid=sasluser7,ou=system,o=xyz'
But now the problem is that it is storing the users in sasldb, and we want to use the LDAP directory. Can anyone please suggest what changes I need to make to achieve it?
See above.
On 02/07/12 16:43 +0530, Gaurav Gugnani wrote:
Hello All,
I was working on this problem and figured out that the ldapdb auxprop plugin is missing.
/u01/app/openldap/product/2.4.26/etc/openldap>pluginviewer
Installed SASL (server side) mechanisms are:
CRAM-MD5 ANONYMOUS DIGEST-MD5 PLAIN LOGIN EXTERNAL ...
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
supports store: yes
I read that to use such a thing, the ldapdb auxprop plugin should be enabled. http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2008-September/001552.html
ldapdb should only be used from outside of slapd. For instance, if you were running a mail server that you wish to authenticate against slapd, then ldapdb would be appropriate.
Hello,
Thanks for replying.
Now I am proceeding with the following steps but still getting an error:
Steps:
1> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
2> cat /etc/openladp/slapd.conf
password-hash {CLEARTEXT}
sasl-auxprops slapd
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
Note: ACLs are given properly.
3> Then I'm trying to add a user:
cat add_sasl_accnt21.ldif
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword: sasluser21
objectClass: account
objectClass: simpleSecurityObject
ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif
5> Now, when I do ldapsearch:
ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b 'uid=sasluser12,ou=System,o=xyz'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
In the log file I got a clue: it's trying to use a modified DN.
Have a look please:
slapd[14125]: >>> dnPrettyNormal: <>
slapd[14125]: <<< dnPrettyNormal: <>, <>
slapd[14125]: conn=1228 op=1 BIND dn="" method=163
slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5
slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2
slapd[14125]: slap_sasl_getdn: u:id converted to uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=digest-md5,cn=auth>
slapd[14125]: ==>slap_sasl2dn: converting SASL name uid=uid\3Dsasluser21,cn=digest-md5,cn=auth to a DN
slapd[14125]: ==> rewrite_context_apply [depth=1] string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth'
slapd[14125]: ==> rewrite_rule_apply rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth' string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth' [1 pass(es)]
slapd[14125]: ==> rewrite_context_apply [depth=1] res={0,'uid=uid\3Dsasluser21,ou=System,o=xyz'}
slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=System,o=xyz
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=System,o=xyz>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=system,o=xyz>
slapd[14125]: <==slap_sasl2dn: Converted SASL name to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: slap_sasl_getdn: dn:id converted to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: => bdb_search
slapd[14125]: bdb_dn2entry("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: => bdb_dn2id("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz" "entry" requested
slapd[14125]: => dn: [2] o=xyz
slapd[14125]: => dn: [3] ou=subscribers,o=xyz
slapd[14125]: => acl_get: [4] attr entry
slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry" requested
slapd[14125]: => acl_mask: to all values by "", (=0)
slapd[14125]: <= check a_dn_pat: self
slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[14125]: => slap_access_allowed: disclose access denied by =0
slapd[14125]: => access_allowed: no more rules
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
slapd[14125]: SASL [conn=1228] Failure: no secret in database
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
In LDAP it is storing perfectly fine:
ldapsearch -x -D cn=Manager,o=xyz -W -b 'uid=sasluser21,ou=System,o=xyz'
# sasluser21, System, xyz
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword:: c2FzbHVzZXIyMQ==
objectClass: account
objectClass: simpleSecurityObject
Now, kindly suggest, as proceeding in this direction too gave me an error :( :(
Thanks and Regards, Gaurav Gugnani
On 02/08/12 16:22 +0530, Gaurav Gugnani wrote:
Hello,
Thanks for replying.
Now I am proceeding with the following steps but still getting an error:
Steps:
1> cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
2> cat /etc/openladp/slapd.conf
password-hash {CLEARTEXT}
sasl-auxprops slapd
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
Note: ACLs are given properly.
3> Then I'm trying to add a user:
cat add_sasl_accnt21.ldif
dn: uid=sasluser21,ou=System,o=xyz
uid: sasluser21
ou: System
description: Special account for SASL Testing
userPassword: sasluser21
objectClass: account
objectClass: simpleSecurityObject
ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif
5> Now, when I do ldapsearch:
ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b 'uid=sasluser12,ou=System,o=xyz'
You should be providing just the username with the -U option. I recommend using ldapwhoami to test your authz-regexp rules:
ldapwhoami -Y digest-md5 -U sasluser21
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
In the log file I got a clue: it's trying to use a modified DN.
Have a look please:
slapd[14125]: >>> dnPrettyNormal: <>
slapd[14125]: <<< dnPrettyNormal: <>, <>
slapd[14125]: conn=1228 op=1 BIND dn="" method=163
slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5
slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2
slapd[14125]: slap_sasl_getdn: u:id converted to uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=DIGEST-MD5,cn=auth>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=digest-md5,cn=auth>
slapd[14125]: ==>slap_sasl2dn: converting SASL name uid=uid\3Dsasluser21,cn=digest-md5,cn=auth to a DN
slapd[14125]: ==> rewrite_context_apply [depth=1] string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth'
slapd[14125]: ==> rewrite_rule_apply rule='uid=([^,]*),cn=DIGEST-MD5,cn=auth' string='uid=uid\3Dsasluser21,cn=digest-md5,cn=auth' [1 pass(es)]
slapd[14125]: ==> rewrite_context_apply [depth=1] res={0,'uid=uid\3Dsasluser21,ou=System,o=xyz'}
slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=System,o=xyz
slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=System,o=xyz>
slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=system,o=xyz>
slapd[14125]: <==slap_sasl2dn: Converted SASL name to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: slap_sasl_getdn: dn:id converted to uid=uid\3Dsasluser21,ou=system,o=xyz
slapd[14125]: => bdb_search
slapd[14125]: bdb_dn2entry("uid=uid\3Dsasluser21,ou=system,o=xyz")
slapd[14125]: => bdb_dn2id("uid=uid\3Dsasluser21,ou=system,o=xyz")
Notice the uid=uid\3Dsasluser21... here, instead of the desired uid=sasluser21...
slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz" "entry" requested
slapd[14125]: => dn: [2] o=xyz
slapd[14125]: => dn: [3] ou=subscribers,o=xyz
slapd[14125]: => acl_get: [4] attr entry
slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry" requested
slapd[14125]: => acl_mask: to all values by "", (=0)
slapd[14125]: <= check a_dn_pat: self
slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[14125]: => slap_access_allowed: disclose access denied by =0
You might need a more permissive (by anonymous auth) ACL here, for dn.base="ou=System,o=xyz" and "attrs=entry".
See slapd.access(5).
slapd[14125]: => access_allowed: no more rules
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
slapd[14125]: SASL [conn=1228] Failure: no secret in database
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
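The '-U uid=sasluser21' mistake Dan points out above, worked through as an added example (this is not code from the thread or from OpenLDAP; it is a small Python model of how slapd turns a SASL authentication identity into a DN and then runs it through authz-regexp). The rule, the target entry and the set standing in for the directory are constructed from the values posted in the thread; the escaping uses RFC 4514's special-character list written in the hex form slapd emits, and the normalization is a plain case-fold rather than real dnNormalize.

```python
import re

# Characters that must be escaped inside an RDN value (RFC 4514, section 2.4).
# slapd emits the escape in hex form, which is why '=' appears as '\3D' in the
# thread's log line "u:id converted to uid=uid\3Dsasluser21,...".
_RDN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for embedding in a DN, in slapd's hex form."""
    out = []
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == len(value) - 1 and ch == " "
        out.append("\\%02X" % ord(ch) if ch in _RDN_SPECIAL or leading or trailing else ch)
    return "".join(out)


def sasl_authz_id(authcid: str, mech: str = "DIGEST-MD5") -> str:
    """The synthetic DN slapd builds from the SASL authentication identity
    (slap_sasl_getdn's 'u:id converted to ...'), then normalized. Real
    dnNormalize is more involved; a case-fold is enough for this model."""
    return f"uid={escape_rdn_value(authcid)},cn={mech},cn=auth".lower()


def apply_authz_regexp(sasl_dn: str, rules):
    """Try authz-regexp rules in order; the first match wins. slapd compiles the
    patterns case-insensitively and does not anchor them for you, so anchor
    with ^...$ in real configs. $N in the replacement is capture group N."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement).lower()
    return None


def resolve_bind_dn(authcid: str, rules, directory):
    """Return (mapped_dn, exists) for a given '-U authcid'. 'directory' is a set of
    normalized DNs standing in for the entries slapd would find with bdb_dn2id;
    a mapped DN that is not in it is what surfaces as 'no secret in database'."""
    mapped = apply_authz_regexp(sasl_authz_id(authcid), rules)
    return mapped, mapped in directory


# Constructed from the thread: the posted authz-regexp rule and the one entry
# that actually exists under ou=System.
RULES = [(r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")]
DIRECTORY = {"uid=sasluser21,ou=system,o=xyz"}

if __name__ == "__main__":
    # 'ldapwhoami -U sasluser21' resolves; 'ldapwhoami -U uid=sasluser21' does not.
    for authcid in ("sasluser21", "uid=sasluser21"):
        dn, found = resolve_bind_dn(authcid, RULES, DIRECTORY)
        print(f"-U {authcid:<15} -> {dn}  exists={found}")
```

The second case reproduces the failure in the log: the '=' inside the authcid is escaped to '\3D', the regexp still matches because '[^,]*' happily swallows 'uid\3Dsasluser21', and the resulting DN names no entry, so the slapd auxprop plugin has no userPassword to compare against and the bind fails with "no secret in database". Passing only the bare username, as Dan advises, maps to the DN that exists.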
Hello Dan,
Thanks for replying. But there is one question: while doing ldapsearch, why is the DN showing uid\3Dsasluser21?
I executed ldapwhoami and here are the findings:
ldapwhoami -Y digest-md5 -U sasluser21
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
Logs:
ldap-test0 slapd[25625]: do_bind: dn () SASL mech DIGEST-MD5
ldap-test0 slapd[25625]: SASL [conn=7496] Debug: DIGEST-MD5 server step 2
ldap-test0 slapd[25625]: slap_sasl_getdn: u:id converted to uid=sasluser21,cn=DIGEST-MD5,cn=auth
ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,cn=DIGEST-MD5,cn=auth>
ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,cn=digest-md5,cn=auth>
ldap-test0 slapd[25625]: ==>slap_sasl2dn: converting SASL name uid=sasluser21,cn=digest-md5,cn=auth to a DN
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1] string='uid=sasluser21,cn=digest-md5,cn=auth'
ldap-test0 slapd[25625]: ==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=sasluser21,cn=digest-md5,cn=auth' [1 pass
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1] res={0,'uid=sasluser21,ou=System,o=xyz'}
ldap-test0 slapd[25625]: slap_parseURI: parsing uid=sasluser21,ou=System,o=xyz
ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,ou=System,o=xyz>
ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,ou=system,o=xyz>
ldap-test0 slapd[25625]: <==slap_sasl2dn: Converted SASL name to uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: slap_sasl_getdn: dn:id converted to uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: => bdb_search
ldap-test0 slapd[25625]: bdb_dn2entry("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: => bdb_dn2id("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: <= bdb_dn2id: got id=0x68a
ldap-test0 slapd[25625]: entry_decode: "uid=sasluser21,ou=System,o=xyz"
ldap-test0 slapd[25625]: <= entry_decode(uid=sasluser21,ou=System,o=xyz)
ldap-test0 slapd[25625]: => access_allowed: auth access to "uid=sasluser21,ou=System,o=xyz" "entry" requested
ldap-test0 slapd[25625]: => dn: [2] o=xyz
ldap-test0 slapd[25625]: => dn: [3] ou=subscribers,o=xyz
ldap-test0 slapd[25625]: => acl_get: [4] attr entry
ldap-test0 slapd[25625]: => acl_mask: access to entry "uid=sasluser21,ou=System,o=xyz", attr "entry" requested
ldap-test0 slapd[25625]: => acl_mask: to all values by "", (=0)
ldap-test0 slapd[25625]: <= check a_dn_pat: self
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: <= acl_mask: no more <who> clauses, returning =0 (stop)
ldap-test0 slapd[25625]: => slap_access_allowed: auth access denied by =0
ldap-test0 slapd[25625]: => access_allowed: no more rules
On Wed, Feb 8, 2012 at 9:32 PM, Dan White dwhite@olp.net wrote:
On 02/08/12 16:22 +0530, Gaurav Gugnani wrote:
Hello,
Thks for replying.
Now, i am proceeding with following steps but still getting an error:
Steps: 1> cat /usr/lib64/sasl2/slapd.conf # SASL Configuration pwcheck_method: auxprop auxprop_plugin: slapd mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
2> cat /etc/openladp/slapd.conf password-hash {CLEARTEXT} sasl-auxprops slapd authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
*Note:* ACL are given properly.
3> Then i'm trying to add user: cat add_sasl_accnt21.ldif dn: uid=sasluser21,ou=System,o=xyz uid: sasluser21 ou: System description: Special account for SASL Testing userPassword: sasluser21 objectClass: account objectClass: simpleSecurityObject
ldapadd -x -D cn=Manager,o=xyz -W -f add_sasl_accnt21.ldif
5> Now, when i do ldapsearch: ldapsearch -Y DIGEST-MD5 -U uid=sasluser21 -b 'uid=sasluser12,ou=System,o=**xyz'
You should be providing just the username with the -U option. I recommend using ldapwhoami to test your authz-regexp rules:
ldapwhoami -Y digest-md5 -U sasluser21
SASL/DIGEST-MD5 authentication started
Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database
In log file i got some clue: that its trying to use modify dn.
Have a look plz: slapd[14125]: >>> dnPrettyNormal: <> slapd[14125]: <<< dnPrettyNormal: <>, <> slapd[14125]: conn=1228 op=1 BIND dn="" method=163 slapd[14125]: do_bind: dn () SASL mech DIGEST-MD5 slapd[14125]: SASL [conn=1228] Debug: DIGEST-MD5 server step 2 slapd[14125]: slap_sasl_getdn: u:id converted to uid=uid\3Dsasluser21,cn=**DIGEST-MD5,cn=auth slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,cn=** DIGEST-MD5,cn=auth> slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,cn=** digest-md5,cn=auth> slapd[14125]: ==>slap_sasl2dn: converting SASL name uid=uid\3Dsasluser21,cn=**digest-md5,cn=auth to a DN slapd[14125]: ==> rewrite_context_apply [depth=1] string='uid=uid\3Dsasluser21,**cn=digest-md5,cn=auth' slapd[14125]: ==> rewrite_rule_apply rule='uid=([^,]*),cn=DIGEST-**MD5,cn=auth' string='uid=uid\3Dsasluser21,**cn=digest-md5,cn=auth' [1 pass(es)] slapd[14125]: ==> rewrite_context_apply [depth=1] res={0,'uid=uid\3Dsasluser21,**ou=System,o=xyz'} slapd[14125]: slap_parseURI: parsing uid=uid\3Dsasluser21,ou=** System,o=xyz slapd[14125]: >>> dnNormalize: <uid=uid\3Dsasluser21,ou=**System,o=xyz> slapd[14125]: <<< dnNormalize: <uid=uid\3Dsasluser21,ou=**system,o=xyz> slapd[14125]: <==slap_sasl2dn: Converted SASL name to uid=uid\3Dsasluser21,ou=**system,o=xyz slapd[14125]: slap_sasl_getdn: dn:id converted to uid=uid\3Dsasluser21,ou=**system,o=xyz slapd[14125]: => bdb_search slapd[14125]: bdb_dn2entry("uid=uid**3Dsasluser21,ou=system,o=xyz") slapd[14125]: => bdb_dn2id("uid=uid**3Dsasluser21,ou=system,o=xyz")
Notice the uid=uid\3Dsasluser21... here, instead of the desired uid=sasluser21...
slapd[14125]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
slapd[14125]: => access_allowed: disclose access to "ou=System,o=xyz" "entry" requested
slapd[14125]: => dn: [2] o=xyz
slapd[14125]: => dn: [3] ou=subscribers,o=xyz
slapd[14125]: => acl_get: [4] attr entry
slapd[14125]: => acl_mask: access to entry "ou=System,o=xyz", attr "entry" requested
slapd[14125]: => acl_mask: to all values by "", (=0)
slapd[14125]: <= check a_dn_pat: self
slapd[14125]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
slapd[14125]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
slapd[14125]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[14125]: => slap_access_allowed: disclose access denied by =0
You might need a more permissive (by anonymous auth) ACL here, for dn.base="ou=System,o=xyz" and "attrs=entry".
See slapd.access(5).
slapd[14125]: => access_allowed: no more rules
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
slapd[14125]: SASL [conn=1228] Failure: no secret in database
slapd[14125]: send_ldap_result: conn=1228 op=1 p=3
-- Dan White
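To make the mapping Dan describes concrete, here is an added Python model of the two steps visible in the log above: slap_sasl_getdn building uid=<name>,cn=<mech>,cn=auth from the SASL user name, and authz-regexp rewriting that into a directory DN. This is illustration code written for this page, not code from the thread or from OpenLDAP; the hex escaping and lower-casing approximate what the dnNormalize lines show rather than copying slapd's implementation. The realm form uid=<name>,cn=<realm>,cn=<mech>,cn=auth follows the OpenLDAP Admin Guide's SASL chapter, the realm value test0.devcs is an assumed example, and both rule forms (uid=(.*) and uid=([^,]*)) appear in the slapd logs quoted in this thread.

```python
"""Model of how slapd turns a SASL user name into a directory DN.

Added example, not code from the original thread or from OpenLDAP: it
reproduces the two steps visible in the slapd log above so the effect of
'-U uid=sasluser21' versus '-U sasluser21' can be seen without a server.
Escaping and normalization are approximations of what the log shows.
"""
import re

# Characters hex-escaped when a value is placed in a DN. RFC 4514 requires
# escaping for  " + , ; < > \  (plus a leading '#' or space and a trailing
# space); slapd also escapes '=', which is why the log shows uid\3Dsasluser21.
DN_SPECIAL = set('"+,;<>\\=')


def dn_escape_value(value):
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def sasl_authcid_dn(username, mech, realm=None):
    """uid=<username>[,cn=<realm>],cn=<mech>,cn=auth, the Admin Guide's authcid form."""
    parts = ["uid=" + dn_escape_value(username)]
    if realm:
        parts.append("cn=" + dn_escape_value(realm))
    parts += ["cn=" + mech, "cn=auth"]
    return ",".join(parts)


def normalize_dn(dn):
    """Lower-case the DN the way dnNormalize does in the log, keeping \\XX escapes intact."""
    return re.sub(r"\\[0-9A-Fa-f]{2}|[^\\]+",
                  lambda m: m.group(0) if m.group(0).startswith("\\") else m.group(0).lower(),
                  dn)


def apply_authz_regexp(rules, authcid_dn):
    """First matching rule rewrites the normalized authcid DN; $1.. are the captured groups.

    No match means slapd keeps the cn=auth DN itself, which exists in no database,
    so the bind cannot find a userPassword to check against.
    """
    subject = normalize_dn(authcid_dn)
    for pattern, replacement in rules:
        m = re.search(pattern, subject, flags=re.IGNORECASE)
        if m:
            out = replacement
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace("$%d" % i, group)
            return out
    return subject


# Both forms appear in the logs quoted in this thread.
RULE_GREEDY = [(r"uid=(.*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")]
RULE_STRICT = [(r"uid=([^,]*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=System,o=xyz")]


def map_user(username, realm=None, rules=RULE_GREEDY, mech="DIGEST-MD5"):
    return apply_authz_regexp(rules, sasl_authcid_dn(username, mech, realm))


if __name__ == "__main__":
    # Passing 'uid=sasluser21' to -U: the '=' is escaped and the RDN value becomes uid\3Dsasluser21.
    print(map_user("uid=sasluser21"))   # uid=uid\3Dsasluser21,ou=System,o=xyz
    print(map_user("sasluser21"))       # uid=sasluser21,ou=System,o=xyz
    # If the client supplies a realm (assumed value), the greedy (.*) swallows the cn=<realm> RDN ...
    print(map_user("sasluser21", realm="test0.devcs"))                     # uid=sasluser21,cn=test0.devcs,ou=System,o=xyz
    # ... while the comma-free form does not match at all and the cn=auth DN is kept.
    print(map_user("sasluser21", realm="test0.devcs", rules=RULE_STRICT))  # uid=sasluser21,cn=test0.devcs,cn=digest-md5,cn=auth
```

The realm case is the one to watch: neither rule form maps a realm-qualified name onto an existing entry, so a client that sends a DIGEST-MD5 realm (ldapwhoami -R, or a client default) will fail with the same "no secret in database" even though the plain user name works.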
On 02/08/12 21:51 +0530, Gaurav Gugnani wrote:
Hello Dan,
Thanks for replying. But there is one question: while doing ldapsearch, why is the dn showing uid\3Dsasluser21?
Because you were passing '-U uid=sasluser21' to ldapsearch. '\3D' is the hex escape value for '='.
I executed ldapwhoami and here are the findings:
ldapwhoami -Y digest-md5 -U sasluser21
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
Logs:

ldap-test0 slapd[25625]: do_bind: dn () SASL mech DIGEST-MD5
ldap-test0 slapd[25625]: SASL [conn=7496] Debug: DIGEST-MD5 server step 2
ldap-test0 slapd[25625]: slap_sasl_getdn: u:id converted to uid=sasluser21,cn=DIGEST-MD5,cn=auth
ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,cn=DIGEST-MD5,cn=auth>
ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,cn=digest-md5,cn=auth>
ldap-test0 slapd[25625]: ==>slap_sasl2dn: converting SASL name uid=sasluser21,cn=digest-md5,cn=auth to a DN
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1] string='uid=sasluser21,cn=digest-md5,cn=auth'
ldap-test0 slapd[25625]: ==> rewrite_rule_apply rule='uid=(.*),cn=DIGEST-MD5,cn=auth' string='uid=sasluser21,cn=digest-md5,cn=auth' [1 pass
ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1] res={0,'uid=sasluser21,ou=System,o=xyz'}
ldap-test0 slapd[25625]: slap_parseURI: parsing uid=sasluser21,ou=System,o=xyz
ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,ou=System,o=xyz>
ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,ou=system,o=xyz>
ldap-test0 slapd[25625]: <==slap_sasl2dn: Converted SASL name to uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: slap_sasl_getdn: dn:id converted to uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: => bdb_search
ldap-test0 slapd[25625]: bdb_dn2entry("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: => bdb_dn2id("uid=sasluser21,ou=system,o=xyz")
ldap-test0 slapd[25625]: <= bdb_dn2id: got id=0x68a
ldap-test0 slapd[25625]: entry_decode: "uid=sasluser21,ou=System,o=xyz"
ldap-test0 slapd[25625]: <= entry_decode(uid=sasluser21,ou=System,o=xyz)
ldap-test0 slapd[25625]: => access_allowed: auth access to "uid=sasluser21,ou=System,o=xyz" "entry" requested
ldap-test0 slapd[25625]: => dn: [2] o=xyz
ldap-test0 slapd[25625]: => dn: [3] ou=subscribers,o=xyz
ldap-test0 slapd[25625]: => acl_get: [4] attr entry
ldap-test0 slapd[25625]: => acl_mask: access to entry "uid=sasluser21,ou=System,o=xyz", attr "entry" requested
ldap-test0 slapd[25625]: => acl_mask: to all values by "", (=0)
ldap-test0 slapd[25625]: <= check a_dn_pat: self
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
ldap-test0 slapd[25625]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
ldap-test0 slapd[25625]: <= acl_mask: no more <who> clauses, returning =0 (stop)
ldap-test0 slapd[25625]: => slap_access_allowed: auth access denied by =0
ldap-test0 slapd[25625]: => access_allowed: no more rules
Notice "auth access denied".
On Wed, Feb 8, 2012 at 9:32 PM, Dan White dwhite@olp.net wrote:
You might need a more permissive (by anonymous auth) ACL here, for dn.base="ou=System,o=xyz" and "attrs=entry".
See slapd.access(5).
Read through the manpage for slapd.access, and fix your ACL config as described above.
Thanks Dan, it worked.
Now hopefully the last query from my side (sorry to bother you so much).
As I gave:
access to dn.subtree="ou=System,o=xyz"
    by dn="uid=sasluser21,ou=System,o=xyz" read
    by anonymous auth
So, will giving the anonymous privilege cause any issue? I read the following: "Next is by anonymous auth. This phrase grants an anonymous user (one who has not yet authenticated) permission to authenticate using a password. More accurately, it indicates that when a user submits a request for authentication, the directory server is allowed to perform an authentication operation (which amounts to comparing the submitted password with the value in the userPassword attribute for the corresponding user's entry)."
What is its impact? Please shed some light on it.
Thanks and Regards, Gaurav Gugnani
On Wed, Feb 8, 2012 at 10:25 PM, Dan White dwhite@olp.net wrote:
On 02/09/12 00:13 +0530, Gaurav Gugnani wrote:
Thanks Dan, it worked.
Now hopefully the last query from my side (sorry to bother you so much).
As I gave:
access to dn.subtree="ou=System,o=xyz"
    by dn="uid=sasluser21,ou=System,o=xyz" read
    by anonymous auth
So, will giving the anonymous privilege cause any issue? I read the following: "Next is by anonymous auth. This phrase grants an anonymous user (one who has not yet authenticated) permission to authenticate using a password. More accurately, it indicates that when a user submits a request for authentication, the directory server is allowed to perform an authentication operation (which amounts to comparing the submitted password with the value in the userPassword attribute for the corresponding user's entry)."
What is its impact? Please shed some light on it.
Chapter 8 of the OpenLDAP Administrator's Guide has more explanation.
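Two points in this thread come down to the same ACL rule: the "auth access denied" line in the log (no <who> clause matched the anonymous connection that a SASL bind starts from), and the question of what "by anonymous auth" actually hands out. The following added Python evaluator is illustration code for this page, not code from the thread or from OpenLDAP. It implements the first-match semantics slapd.access(5) documents (first <what> matching the target, then first <who> matching the requester, then a comparison of the granted level against the required one) for just the <what>/<who> forms used here. ACL_BEFORE is reconstructed from the "check a_dn_pat" lines in the log, ACL_AFTER has the shape of the final ACL posted later in the thread, and the group membership is an assumed value since the thread never lists the group's members.

```python
"""Toy evaluator for slapd.conf access directives.

Added example, not code from the thread or from OpenLDAP: it models the
first-match rules of slapd.access(5) for the <what>/<who> forms used in
this thread, so the 'auth access denied' log line and the question about
'by anonymous auth' can be worked through offline.
"""
import shlex

# Privilege levels in increasing order; each implies the ones before it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison, enough for the DNs here."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_acl(text):
    """Return [(what, [(who, level), ...])] in file order.

    what is a dict with any of 'dn.base', 'dn.subtree', 'attrs';
    an empty dict is 'access to *'. Comment lines are skipped.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)          # shlex strips the quotes around values
        if toks[:2] == ["access", "to"]:
            what = {}
            for tok in toks[2:]:
                if tok != "*":
                    key, _, val = tok.partition("=")
                    what[key] = val
            directives.append((what, []))
        elif toks[0] == "by":
            directives[-1][1].append((toks[1], toks[2]))
        else:
            raise ValueError("unsupported line: " + line)
    return directives


def what_matches(what, target_dn, attr):
    t = norm_dn(target_dn)
    if "dn.base" in what and t != norm_dn(what["dn.base"]):
        return False
    if "dn.subtree" in what:
        base = norm_dn(what["dn.subtree"])
        if t != base and not t.endswith("," + base):
            return False
    if "attrs" in what:
        # a directive with an attrs list never covers the 'entry' pseudo-attribute
        wanted = [a.strip().lower() for a in what["attrs"].split(",")]
        if attr.lower() not in wanted:
            return False
    return True


def who_matches(who, requester_dn, target_dn, groups):
    r = norm_dn(requester_dn) if requester_dn else ""   # "" is an anonymous requester
    if who == "*":
        return True
    if who == "anonymous":
        return r == ""
    if who == "users":
        return r != ""
    if who == "self":
        return r != "" and r == norm_dn(target_dn)
    key, _, val = who.partition("=")
    if key in ("dn", "dn.exact"):
        return r == norm_dn(val)
    if key == "group":
        return r in groups.get(norm_dn(val), set())
    raise ValueError("unsupported <who>: " + who)


def granted_level(acl, requester_dn, target_dn, attr, groups=None):
    groups = {norm_dn(g): {norm_dn(m) for m in ms} for g, ms in (groups or {}).items()}
    for what, by_clauses in acl:
        if not what_matches(what, target_dn, attr):
            continue                       # keep looking for a matching <what>
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn, groups):
                return level               # the first matching <who> decides
        return "none"                      # implicit trailing 'by * none'
    return "none"                          # not reached here: both ACLs end with 'access to *'


def access_allowed(acl, requester_dn, target_dn, attr, needed, groups=None):
    got = granted_level(acl, requester_dn, target_dn, attr, groups)
    return LEVELS.index(got) >= LEVELS.index(needed)


# Reconstructed from the 'check a_dn_pat' lines in the log above: no <who> clause
# matches an anonymous requester, so the bind's 'auth' check on the entry fails.
ACL_BEFORE = """
access to dn.subtree="ou=System,o=xyz"
    by self write
    by dn="uid=replicator,ou=System,o=xyz" read
    by dn="uid=sasluser21,ou=System,o=xyz" read
access to *
    by self write
"""

# The shape of the final ACL in the thread: anonymous gets 'auth' and nothing more.
ACL_AFTER = """
access to attrs="userPassword"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.subtree="ou=System,o=xyz"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to *
    by self write
"""

USER = "uid=sasluser21,ou=System,o=xyz"
REPLICATOR = "uid=replicator,ou=System,o=xyz"
# Assumed group membership: the thread does not list the group's members.
GROUPS = {"cn=LDAP Admins,ou=Groups,o=xyz": {"uid=admin1,ou=System,o=xyz"}}


def demo():
    before, after = parse_acl(ACL_BEFORE), parse_acl(ACL_AFTER)
    return {
        # an anonymous connection needs 'auth' on the entry to bind as USER ...
        "bind_entry_before": access_allowed(before, "", USER, "entry", "auth"),
        "bind_entry_after": access_allowed(after, "", USER, "entry", "auth"),
        # ... and 'auth' on userPassword so the stored secret can be checked
        "bind_pw_after": access_allowed(after, "", USER, "userPassword", "auth"),
        # 'auth' sits below 'compare' and 'read': anonymous still cannot learn the value
        "anon_compare_pw": access_allowed(after, "", USER, "userPassword", "compare"),
        "anon_read_pw": access_allowed(after, "", USER, "userPassword", "read"),
        # the replicator DN does get 'read'; with password-hash {CLEARTEXT} that is the plaintext
        "replicator_read_pw": access_allowed(after, REPLICATOR, USER, "userPassword", "read", GROUPS),
        "admin_write_pw": access_allowed(after, "uid=admin1,ou=System,o=xyz", USER, "userPassword", "write", GROUPS),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, allowed)
```

So "by anonymous auth" lets the server run the bind's credential check and nothing else: anonymous cannot compare, search or read userPassword. The caveat is the other direction. DIGEST-MD5 through the slapd auxprop plugin needs the stored secret in clear (that is what password-hash {CLEARTEXT} is for), so every DN with "read" on userPassword, here the replicator account, holds plaintext passwords, and a mech_list that also offers PLAIN and LOGIN accepts mechanisms that send the password unprotected unless TLS is in front of them.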
Hello Dan,
Thanks a lot for making things work.
I'm jotting down the steps which I executed to make SASL work:
Steps to make SASL configuration working:
---------------------------------------------------------------------
1> Install the following packages:
- cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64.rpm
- cyrus-sasl-ldap-2.1.22-5.el5_4.3.x86_64.rpm
2> Create sasl2/slapd.conf:
vi /usr/lib64/sasl2/slapd.conf
[root@ldap-test0 openldap]# cat /usr/lib64/sasl2/slapd.conf
# SASL Configuration
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
3> Modify $LDAP_HOME/etc/openldap/slapd.conf:
password-hash {CLEARTEXT}
authz-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=System,o=xyz
#ACL
access to attrs="userpassword"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.base="o=xyz"
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=serviceusr,ou=System,o=xyz" read
    by dn="uid=monitorusr,ou=System,o=xyz" read
    by dn="uid=replicator,ou=System,o=xyz" read
    by users read
access to dn.subtree="ou=Subscribers,o=xyz"
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=serviceusr,ou=System,o=xyz" write
    by dn="uid=monitorusr,ou=System,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to dn.subtree="ou=System,o=xyz"
    by anonymous auth
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
access to *
    by self write
    by group="cn=LDAP Admins,ou=Groups,o=xyz" write
    by dn="uid=replicator,ou=System,o=xyz" read
On execution of the command:
ldapsearch -Y DIGEST-MD5 -U serviceusr -b 'Subscriberid=002f-11e0-bc40-000c29611c4c,ou=Subscribers,o=xyz'
it's clearly displayed in the log:
.....
conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
do_bind: SASL/DIGEST-MD5 bind: dn="uid=serviceusr,ou=system,o=bcs" sasl_ssf=128
.....
Now, I wanted to confirm: are these the only steps, or am I missing something? How do I confirm that SASL has been enabled and is working fine?
Please provide some input on this.
Thanks and Regards, Gaurav Gugnani
On Thu, Feb 9, 2012 at 1:48 AM, Dan White dwhite@olp.net wrote:
Hi Gaurav
You show it yourself in the log output that SASL is working OK with your LDAP server:
1. The conversion from -U serviceusr to the DN uid=serviceusr,ou=system,o=bcs is OK,
2. (I presume) the password of this DN was entered correctly with the ldapsearch command,
3. according to your log output, the connection was established.
suomi
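The three signs suomi lists can be read off the stats-level log mechanically. The following added Python checker is illustration code for this page, not code from the thread or from OpenLDAP: it parses the BIND and RESULT lines slapd writes for each bind and reports, per connection, the mapped DN, the mechanism, whether the bind succeeded, and whether SASL negotiated a security layer (sasl_ssf > 0, 128 for DIGEST-MD5's confidentiality layer as in the thread's own log line). The sample lines are constructed for this example, modelled on the line quoted in the thread plus one simple bind and one failed DIGEST-MD5 bind for contrast; the method numbers (163 for SASL, 128 for simple) and err=14 (saslBindInProgress) are the values slapd logs.

```python
"""Check slapd stats-log lines for successful SASL binds.

Added example, not code from the thread or from OpenLDAP. The sample log
is constructed for this example, modelled on the BIND line quoted above.
"""
import re

BIND_START = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
BIND_SASL = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" '
    r'mech=(?P<mech>\S+) sasl_ssf=(?P<sasl_ssf>\d+) ssf=(?P<ssf>\d+)')
RESULT = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)')

# Constructed sample: one DIGEST-MD5 bind that succeeds (the thread's case),
# one simple bind, and one DIGEST-MD5 bind that fails with "no secret in database".
SAMPLE_LOG = """\
conn=12323 op=0 BIND dn="" method=163
conn=12323 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
conn=12323 op=1 BIND dn="" method=163
conn=12323 op=1 BIND dn="uid=serviceusr,ou=system,o=bcs" mech=DIGEST-MD5 sasl_ssf=128 ssf=128
conn=12323 op=1 RESULT tag=97 err=0 text=
conn=12324 op=0 BIND dn="uid=monitorusr,ou=System,o=xyz" method=128
conn=12324 op=0 RESULT tag=97 err=0 text=
conn=12325 op=0 BIND dn="" method=163
conn=12325 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
conn=12325 op=1 BIND dn="" method=163
conn=12325 op=1 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
"""


def summarize_binds(log_text):
    """Map conn id -> details of the last bind operation seen on that connection."""
    binds = {}
    for line in log_text.splitlines():
        m = BIND_START.search(line)
        if m:
            binds[m["conn"]] = {"op": m["op"], "dn": m["dn"],
                                "mech": "SASL" if m["method"] == "163" else "SIMPLE",
                                "sasl_ssf": 0, "ssf": 0, "ok": None}
            continue
        m = BIND_SASL.search(line)
        if m and m["conn"] in binds:
            # slapd logs the mapped DN, mechanism and negotiated SSF once SASL completes
            binds[m["conn"]].update(dn=m["dn"], mech=m["mech"],
                                    sasl_ssf=int(m["sasl_ssf"]), ssf=int(m["ssf"]))
            continue
        m = RESULT.search(line)
        if m and m["conn"] in binds and binds[m["conn"]]["op"] == m["op"] and m["err"] != "14":
            binds[m["conn"]]["ok"] = (m["err"] == "0")   # 14 = saslBindInProgress, not final
    return binds


def sasl_ok(summary, conn, expect_mech="DIGEST-MD5", min_ssf=128):
    """True when the connection's bind used the expected SASL mechanism, succeeded,
    and negotiated at least min_ssf of SASL protection."""
    b = summary.get(conn)
    return bool(b) and b["ok"] is True and b["mech"] == expect_mech and b["sasl_ssf"] >= min_ssf


if __name__ == "__main__":
    summary = summarize_binds(SAMPLE_LOG)
    for conn, b in sorted(summary.items()):
        print(conn, b["mech"], b["dn"] or "(none)", "ok" if b["ok"] else "FAILED",
              "sasl_ssf=%d" % b["sasl_ssf"], "PASS" if sasl_ok(summary, conn) else "FAIL")
```

Two live checks go with it: ldapsearch -x -LLL -s base -b '' supportedSASLMechanisms shows which mechanisms the server actually advertises in its root DSE, and ldapwhoami -Y DIGEST-MD5 -U serviceusr prints the DN the bind was mapped to, which is the authz-regexp result in one line. Watch for binds that pass the mechanism check but show sasl_ssf=0: PLAIN and LOGIN from the thread's mech_list never negotiate a security layer, so they carry the password in clear unless the ssf column shows TLS underneath.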
On 02/13/2012 12:10 PM, Gaurav Gugnani wrote:
openldap-technical@openldap.org