OpenLDAP crashes with MySQL SASL Plugin (ITS#2279)
Full_Name: Dwayne McGarty
Version: 2.12
OS: Red Hat 7.3
URL: ftp://ftp.openldap.org/incoming/DwayneMcGarty-030120.ext
Submission from: (NULL) (207.176.231.66)
I have installed Cyrus SASL 2.1.10 and am using the MySQL Plugin as a backend
for SASL. When authenticating something like an ldapsearch, the LDAP server
appears to crash immediately after the SASL conversation has verified the bind.
I believe I have a working SASL-MySQL setup as everything works for cyrus imapd
and postfix.
i.e. as the cyrus unix user do:
[root@cyrus sasl2]# su - cyrus
bash-2.05a$ ldapsearch -b o=mcgarty.org "objectclass=*"
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: cyrus
SASL SSF: 128
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <o=mcgarty.org> with scope sub
# filter: objectclass=*
# requesting: ALL
#
ldap_result: Can't contact LDAP server (81)
In the Mysql log the query from the ldap server looks like:
2375 Connect mail@localhost on
2375 Init DB mail
2375 Query select password from accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
2375 Query select password from accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
2375 Query select password from accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
2375 Quit
From the system log (/var/log/messages):
Jan 20 17:01:56 cyrus slapd[3873]: mysql auxprop plugin has been requested
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin Parse the username cyrus@mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin try and connect to a host
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin try and connect to localhost
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from userPassword cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from cmusaslsecretDIGEST-MD5 cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin Parse the username cyrus@mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin try and connect to a host
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin try and connect to localhost
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from t?E@ cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from mailto: cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from mailto: cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus ldapsearch: Internal Error -5 in common.c near line 630
My slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/postfix.schema
loglevel 4
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
access to * by * read
password-hash {CLEARTEXT}
allow bind_v2
database ldbm
suffix "o=mcgarty.org"
rootdn "uid=manager,o=mcgarty.org" # LDAP DN root
rootpw {MD5}29d5C80j/edgcQHvamM3eQ== # LDAP DN root password
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
access to dn=".*,ou=support,o=mcgarty.org" attr=userPassword
    by group/groupofUniqueNames/uniquemember="cn=global admins,ou=groups,o=mcgarty.org" write
    by group/groupofUniqueNames/uniquemember="cn=password readers,ou=groups,o=mcgarty.org" read
    by * auth
access to dn=".*,ou=people,o=mcgarty.org" attr=userPassword
    by self write
    by dn="uid=manager,o=mcgarty.org" write
    by group/groupofUniqueNames/uniquemember="cn=global admins,ou=groups,o=mcgarty.org" write
    by group/groupofUniqueNames/uniquemember="cn=password admins,ou=groups,o=mcgarty.org" write
    by group/groupofUniqueNames/uniquemember="cn=password readers,ou=groups,o=mcgarty.org" read
    by * auth
access to dn.subtree="o=mcgarty.org"
    by group/groupofUniqueNames/uniquemember="cn=global admins,ou=groups,o=mcgarty.org" write
    by * read
sasl-realm mcgarty.org # Override hostname as sasl realm
sasl-secprops none # Allow plaintext sasl mechanism
sasl-regexp uid=(.*),cn=digest-md5,cn=auth
    uid=$1,ou=people,o=mcgarty.org
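As an added illustration of the sasl-regexp rule in the slapd.conf above (a constructed Python model, not slapd's own matching code): it applies the report's pattern and replacement to a SASL authorization identity, and shows why the unrestricted `(.*)` capture is worth tightening. How slapd itself anchors the pattern is not shown on this page, so the model assumes a whole-string match; the identity form `uid=<user>,cn=digest-md5,cn=auth` is also an assumption.

```python
import re

# Pattern and replacement copied from the report's slapd.conf.
SASL_REGEXP = r"uid=(.*),cn=digest-md5,cn=auth"
SASL_REPLACEMENT = r"uid=$1,ou=people,o=mcgarty.org"

# Tightened variant: a uid may not contain a comma, so the mapped DN always
# lands directly under ou=people, even if the identity carries extra RDNs
# (for example a realm component when sasl-realm is set).
STRICT_REGEXP = r"uid=([^,]+),cn=digest-md5,cn=auth"


def map_authz_id(authz_id, pattern=SASL_REGEXP, replacement=SASL_REPLACEMENT):
    """Map a SASL authorization identity to a directory DN.

    The whole identity must match the pattern (fullmatch, case-insensitive,
    an assumption about slapd's behaviour); $1, $2, ... in the replacement
    refer to the capture groups. Returns None when the rule does not apply.
    """
    m = re.fullmatch(pattern, authz_id, flags=re.IGNORECASE)
    if m is None:
        return None
    dn = replacement
    for i, group in enumerate(m.groups(), start=1):
        dn = dn.replace(f"${i}", group)
    return dn


if __name__ == "__main__":
    # Constructed sample identities, not taken from the report.
    for ident in ("uid=cyrus,cn=digest-md5,cn=auth",
                  "uid=cyrus,cn=mcgarty.org,cn=digest-md5,cn=auth"):
        print(ident, "->", map_authz_id(ident),
              "| strict:", map_authz_id(ident, pattern=STRICT_REGEXP))
```

With the report's pattern, an identity that contains a realm RDN is mapped to a DN with that RDN embedded (`uid=cyrus,cn=mcgarty.org,ou=people,...`), whereas the strict pattern refuses it and only maps plain `uid=<user>` identities.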
My /usr/lib/sasl2/slapd.conf file:
pwcheck_method: auxprop
auxprop_plugin: mysql
mysql_user: mail
mysql_passwd: xxxxxx
mysql_hostnames: 127.0.0.1:3306
mysql_database: mail
mysql_statement: select password from accountuser where username = '%u' and domain_name = '%r'
mysql_verbose: yes
My ou=people LDIF used to load slapd:
dn: uid=cyrus,ou=people,o=mcgarty.org
uid: cyrus
sn: cyrus
userPassword: xxxxxx
cn: Cyrus User
objectclass: inetorgperson
objectclass: organizationalPerson