
(ITS#5266) "authorization failure: invalid authcid" during SASL auto_transition



Full_Name: Dan White
Version: 2.3.39
OS: Linux
URL: http://support.olp.net/ldap/log2.txt
Submission from: (NULL) (65.161.252.42)


If I enable SASL auto_transition, I receive the following error during
authentication:

SASL(-14): authorization failure: invalid authcid

I'm using openldap version 2.3.39 for both slapd and my ldap utils
(ldapsearch).
I'm using the bdb backend.

I'm also using Debian Etch with the following versions of software:

Cyrus SASL 2.1.22(.dfsg1-8)
libdb 4.2.52(+dfsg-2)
libc6 2.3.6(.ds1-13etch2)
PAM 0.79(-4)
pam_ldap 184(-2)

I'm using saslauthd's PAM backend, and in turn using pam_ldap for
authentication, although I don't believe the problem is related to the
saslauthd/pam configuration.

Here's the client side output from the attempted bind:

hiro:~# ldapsearch -LLL -Y PLAIN -U abrown@olp.net uid=n/a
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: invalid authcid

If I turn off auto_transition, it works:

hiro:~# ldapsearch -LLL -Y PLAIN -U abrown@olp.net uid=n/a
SASL/PLAIN authentication started
Please enter your password: 
SASL username: abrown@olp.net
SASL SSF: 0
hiro:~# 

My slapd.conf SASL service file looks like:

hiro:~# cat /usr/lib/sasl2/slapd.conf
keytab: /etc/krb5.keytab-ldap
pwcheck_method: saslauthd
auxprop_plugin: slapd
auto_transition: yes
log_level: 7

And the server log (loglevel -1) is located at:

http://support.olp.net/ldap/log2.txt

The error appears to be occurring while transitioning the password to the
auxprop store, in the slap_sasl_authorize function:

        /* Skip SLAP_SASL_PROP_CONN */
        prop_getnames( props, slap_propnames+1, auxvals );

        /* Should not happen */
        if ( !auxvals[0].values ) {
                sasl_seterror( sconn, 0, "invalid authcid" );
                return SASL_NOAUTHZ;
        }

What I'm expecting to happen during the bind is to have SASL overwrite my
userPassword and cmusaslsecretOTP attributes via the slapd auxprop plugin.

I have a lot of passwords in crypted form (which PAM authenticates), and I'm
aiming towards a clear-text password store by using this functionality.
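The two settings in the quoted sasl2/slapd.conf that carry a security cost are auto_transition (which, as the report itself expects, copies each verified secret in clear text into the auxprop store) and log_level 7 (Cyrus SASL's SASL_LOG_PASS level, whose protocol traces can include passwords). The following audit script is an added example, not code from the ITS report or from OpenLDAP or Cyrus SASL; it parses the `key: value` file format shown above and reports those two findings. The sample config text is constructed from the settings quoted in the report, and the finding identifiers are names chosen here, not Cyrus SASL constants.

```python
"""Audit a Cyrus SASL application config such as /usr/lib/sasl2/slapd.conf.

Added example; this is not code from the ITS report or from OpenLDAP/Cyrus SASL.
It reads the `key: value` format shown in the report and flags the two settings
with security consequences: auto_transition (clear-text secrets written to the
auxprop store) and log_level 7 (SASL_LOG_PASS, which logs protocol exchanges
including passwords).
"""
from __future__ import annotations

# Constructed sample: the settings quoted in the report, plus a comment line.
SAMPLE_SLAPD_CONF = """\
# SASL application config for slapd (constructed sample)
keytab: /etc/krb5.keytab-ldap
pwcheck_method: saslauthd
auxprop_plugin: slapd
auto_transition: yes
log_level: 7
"""

SASL_LOG_PASS = 7   # Cyrus SASL log level that includes passwords in log output
TRUTHY = ("yes", "true", "on", "1")


def parse_sasl_conf(text: str) -> dict[str, str]:
    """Parse `key: value` lines; `#` starts a comment, later keys win."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue                      # blank, comment, or malformed line
        key, value = line.split(":", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_sasl_conf(settings: dict[str, str]) -> list[tuple[str, str]]:
    """Return (finding_id, explanation) pairs for risky settings.

    The finding identifiers are names chosen for this example (hypothetical).
    """
    findings: list[tuple[str, str]] = []

    if settings.get("auto_transition", "no").lower() in TRUTHY:
        verifier = settings.get("pwcheck_method", "auxprop")
        store = settings.get("auxprop_plugin", "all loaded auxprop plugins")
        findings.append((
            "AUTO_TRANSITION_CLEARTEXT",
            f"auto_transition is enabled: each secret verified by {verifier} is "
            f"copied in clear text into the auxprop store ({store}); read access "
            f"to the stored secret attributes must be restricted",
        ))

    try:
        level = int(settings.get("log_level", "0"))
    except ValueError:
        level = 0                         # non-numeric value: treat as not set
    if level >= SASL_LOG_PASS:
        findings.append((
            "LOG_LEVEL_PASS",
            f"log_level {level} reaches SASL_LOG_PASS; protocol traces in the "
            f"log can contain passwords, so lower it outside of debugging",
        ))

    return findings


if __name__ == "__main__":
    for fid, msg in audit_sasl_conf(parse_sasl_conf(SAMPLE_SLAPD_CONF)):
        print(f"{fid}: {msg}")
```

Run against the report's settings it reports both findings; against a file with auto_transition off and a log level below 7 it reports nothing. Because the parser keeps the last value for a repeated key, it sees the same effective setting Cyrus SASL would.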