
OpenLDAP crashes with MySQL SASL Plugin (ITS#2279)



Full_Name: Dwayne McGarty
Version: 2.12
OS: Red Hat 7.3
URL: ftp://ftp.openldap.org/incoming/DwayneMcGarty-030120.ext
Submission from: (NULL) (207.176.231.66)


I have installed Cyrus SASL 2.1.10 and am using the MySQL Plugin as a backend
for SASL.  When authenticating something like an ldapsearch, the LDAP server
appears to crash immediately after the SASL conversation has verified the bind. 
I believe I have a working SASL-MySQL setup as everything works for cyrus imapd
and postfix.

i.e. as the cyrus unix user do:

[root@cyrus sasl2]# su - cyrus
bash-2.05a$ ldapsearch -b o=mcgarty.org "objectclass=*"
SASL/DIGEST-MD5 authentication started
Please enter your password: 
SASL username: cyrus
SASL SSF: 128
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <o=mcgarty.org> with scope sub
# filter: objectclass=*
# requesting: ALL
#

ldap_result: Can't contact LDAP server (81)

In the Mysql log the query from the ldap server looks like:

2375 Connect     mail@localhost on 
2375 Init DB     mail
2375 Query       select password from accountuser where username ='cyrus' and
domain_name = 'mcgarty.org'
2375 Query       select password from accountuser where username ='cyrus' and
domain_name = 'mcgarty.org'
2375 Query       select password from accountuser where username ='cyrus' and
domain_name = 'mcgarty.org'
2375 Quit

From the system log (/var/log/messages):

Jan 20 17:01:56 cyrus slapd[3873]: mysql auxprop plugin has been requested
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin Parse the username
cyrus@mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin try and connect to a host
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin try and connect to localhost
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from
userPassword cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from
accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from
cmusaslsecretDIGEST-MD5 cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from
accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin Parse the username
cyrus@mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin try and connect to a host
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin try and connect to localhost
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from t?E@ cyrus
mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from
accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from mailto:
cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from
accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin create statement from mailto:
cyrus mcgarty.org
Jan 20 17:01:56 cyrus slapd[3873]: mysql plugin doing query select password from
accountuser where username ='cyrus' and domain_name = 'mcgarty.org'
Jan 20 17:01:56 cyrus ldapsearch: Internal Error -5 in common.c near line 630


My slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/postfix.schema
loglevel        4
pidfile /var/run/slapd.pid
argsfile        /var/run/slapd.args
access to * by * read
password-hash   {CLEARTEXT}
allow bind_v2
database        ldbm
suffix          "o=mcgarty.org"
rootdn  "uid=manager,o=mcgarty.org" # LDAP DN root
rootpw  {MD5}29d5C80j/edgcQHvamM3eQ== # LDAP DN root password
directory       /var/lib/ldap
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
access to dn=".*,ou=support,o=mcgarty.org"
        attr=userPassword
        by group/groupofUniqueNames/uniquemember="cn=global admins,ou=groups,o=mcgarty.org" write
        by group/groupofUniqueNames/uniquemember="cn=password readers,ou=groups,o=mcgarty.org" read
        by * auth
access to dn=".*,ou=people,o=mcgarty.org"
        attr=userPassword
        by self write
        by dn="uid=manager,o=mcgarty.org" write
        by group/groupofUniqueNames/uniquemember="cn=global admins,ou=groups,o=mcgarty.org" write
        by group/groupofUniqueNames/uniquemember="cn=password admins,ou=groups,o=mcgarty.org" write
        by group/groupofUniqueNames/uniquemember="cn=password readers,ou=groups,o=mcgarty.org" read
        by * auth
access to dn.subtree="o=mcgarty.org"
        by group/groupofUniqueNames/uniquemember="cn=global admins,ou=groups,o=mcgarty.org" write
        by * read
sasl-realm      mcgarty.org # Override hostname as sasl realm
sasl-secprops   none # Allow plaintext sasl mechanism
sasl-regexp uid=(.*),cn=digest-md5,cn=auth
                uid=$1,ou=people,o=mcgarty.org

My /usr/lib/sasl2/slapd.conf file:

pwcheck_method: auxprop
auxprop_plugin: mysql
mysql_user: mail
mysql_passwd: xxxxxx
mysql_hostnames: 127.0.0.1:3306
mysql_database: mail
mysql_statement: select password from accountuser where username = '%u' and domain_name = '%r'
mysql_verbose: yes

My ou=people LDIF used to load slapd:

dn:     uid=cyrus,ou=people,o=mcgarty.org
uid:    cyrus
sn:     cyrus
userPassword:   xxxxxx
cn:     Cyrus User
objectclass:    inetorgperson
objectclass:    organizationalPerson
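The report shows two mappings working together: the mysql auxprop plugin splits "cyrus@mcgarty.org" into user and realm and substitutes them into mysql_statement, and slapd's sasl-regexp turns the SASL identity "uid=cyrus,cn=digest-md5,cn=auth" into a directory DN. The following is an added example, not code from the report, from OpenLDAP or from Cyrus SASL; it emulates both steps with the values in the report, uses an in-memory sqlite3 table in place of the reporter's MySQL "mail" database so it runs offline, and assumes that a name without "@" falls back to the configured sasl-realm and that a realm-bearing identity takes the form "uid=cyrus,cn=mcgarty.org,cn=digest-md5,cn=auth" (both labelled as assumptions in the code).

```python
import re
import sqlite3

# --- constructed inputs, taken from the values in the report ---------------
# slapd.conf sasl-regexp rule: OpenLDAP regex and its $n replacement.
SASL_REGEXP = (r"uid=(.*),cn=digest-md5,cn=auth",
               r"uid=$1,ou=people,o=mcgarty.org")
# /usr/lib/sasl2/slapd.conf mysql_statement template.
MYSQL_STATEMENT = ("select password from accountuser "
                   "where username = '%u' and domain_name = '%r'")
DEFAULT_REALM = "mcgarty.org"          # sasl-realm from slapd.conf


def parse_username(name, default_realm=DEFAULT_REALM):
    """Split 'user@realm' into (user, realm); the plugin's log line
    'Parse the username cyrus@mcgarty.org' shows this step. A name without
    an '@' gets the configured default realm (assumed behaviour here)."""
    user, sep, realm = name.partition("@")
    return user, (realm if sep else default_realm)


def map_sasl_identity(authzid, rules=(SASL_REGEXP,)):
    """Apply sasl-regexp rules in order; return the resulting DN or None.
    OpenLDAP writes captures as $1..$9 and Python as \\1..\\9, so the
    replacement is converted before expansion. This emulation requires the
    whole identity to match (a constructed choice; anchor real patterns
    with ^ and $ if you need that guarantee from slapd)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authzid, flags=re.IGNORECASE)
        if m:
            py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
            return m.expand(py_repl)
    return None


def render_statement(template, user, realm):
    """Build the query text by %u/%r substitution, mirroring the
    'doing query ...' log lines. Shown for comparison only: the values
    become part of the SQL text, so the parameterised lookup below is
    the form to prefer when you control the query."""
    return template.replace("%u", user).replace("%r", realm)


def open_account_db():
    """In-memory sqlite3 standing in for the reporter's MySQL 'mail'
    database, holding the single constructed row the report implies."""
    db = sqlite3.connect(":memory:")
    db.execute("create table accountuser("
               "username text, domain_name text, password text)")
    db.execute("insert into accountuser values (?, ?, ?)",
               ("cyrus", "mcgarty.org", "xxxxxx"))
    return db


def lookup_password(db, user, realm):
    """The same lookup with user and realm bound as query parameters."""
    row = db.execute("select password from accountuser "
                     "where username = ? and domain_name = ?",
                     (user, realm)).fetchone()
    return row[0] if row else None


def authenticate(db, sasl_name):
    """Tie the pieces together: parse the name, fetch the auxprop secret,
    and map the SASL identity to the directory DN slapd will use."""
    user, realm = parse_username(sasl_name)
    secret = lookup_password(db, user, realm)
    dn = map_sasl_identity(f"uid={user},cn=digest-md5,cn=auth")
    return secret, dn


if __name__ == "__main__":
    db = open_account_db()
    print(render_statement(MYSQL_STATEMENT, "cyrus", "mcgarty.org"))
    print(authenticate(db, "cyrus@mcgarty.org"))
    # Greedy capture: when the identity also carries the realm component
    # (assumed form "uid=<user>,cn=<realm>,cn=<mech>,cn=auth"), (.*)
    # swallows it and the resulting DN is not under ou=people at all.
    print(map_sasl_identity("uid=cyrus,cn=mcgarty.org,cn=digest-md5,cn=auth"))
```

The last call illustrates why a sasl-regexp pattern should be as narrow as the identities it is meant to match: with `(.*)` the realm component, if present, ends up inside the captured uid and the rewritten DN no longer names an entry in the directory.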