Re: ACL's for SASL compat.
ok,
I was sick yesterday with the flu; back to it.
Before I go any further, let's find out if this is a problem. The version I am using returns SASL_OK:
diff -uNr rh/cyrus-sasl-1.5.24/lib/server.c cyrus/cyrus-sasl-1.5.24/lib/server.c
--- rh/cyrus-sasl-1.5.24/lib/server.c Mon Jul 10 14:54:45 2000
+++ cyrus/cyrus-sasl-1.5.24/lib/server.c Sun Aug 13 22:04:42 2000
@@ -895,7 +895,7 @@
s_conn->base.oparams.user = (char *) canonuser;
}
- return SASL_OK;
+ return ret;
}
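Review bot: the hunk shows no assignment to `ret`, so confirm that every path reaching this `return ret;` has set it (at minimum initialise it at declaration), otherwise a path that skipped the authorization step returns an uninitialised value where the old code returned SASL_OK. It is also worth checking that the `s_conn->base.oparams.user = (char *) canonuser;` assignment just above is only reached when `ret` is SASL_OK; if it can run after a failed check, a caller that ignores the return code still sees a populated user.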
I'd like to notify the vendor (RedHat) if the rpm they shipped is buggy.
Anyway, I tried with cyrus-sasl-1.5.24 from the URL you posted, and this is what I get:
[root@schoenberg openldap-2.0.4]# /usr/local/bin/ldapmodify -Y DIGEST-MD5 -U testuser -X "dn:uid=testuser + realm=schoenberg" -f /tmp/modify.ldif
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access
additional info: no proxy policy
If I try without the -X:
/usr/local/bin/ldapmodify -Y DIGEST-MD5 -U testuser -P 3 -f /tmp/modify.ldif
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: testuser
SASL realm: schoenberg
SASL SSF: 128
SASL installing layers
modifying entry "uid=testuser,portalId=ADBE,ou=People,o=RedGorilla"
ldap_modify: Insufficient access
ldif_record() = 50
Oct 6 15:05:25 schoenberg slapd[4194]: connection_get(9)
Oct 6 15:05:25 schoenberg slapd[4196]: ==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
Oct 6 15:05:27 schoenberg slapd[4194]: connection_get(9)
Oct 6 15:05:27 schoenberg slapd[4196]: ==> sasl_bind: dn="" mech=<continuing> datalen=298
Oct 6 15:05:27 schoenberg slapd[4194]: connection_get(9)
Oct 6 15:05:27 schoenberg slapd[4196]: ==> sasl_bind: dn="" mech=<continuing> datalen=0
Oct 6 15:05:27 schoenberg slapd[4196]: SASL Authorize [conn=6]: authcid="testuser" authzid="testuser"
Oct 6 15:05:27 schoenberg slapd[4194]: connection_get(9)
Oct 6 15:05:27 schoenberg slapd[4196]: do_modify: dn (uid=testuser,portalId=ADBE,ou=People,o=RedGorilla)
Oct 6 15:05:27 schoenberg slapd[4196]: modifications:
Oct 6 15:05:27 schoenberg slapd[4196]: ^Ireplace: sn
Oct 6 15:05:27 schoenberg slapd[4196]: entry_rdwr_rtrylock: ID: 13
Oct 6 15:05:27 schoenberg slapd[4196]: entry_rdwr_runlock: ID: 13
Oct 6 15:05:27 schoenberg slapd[4196]: ldbm_back_modify:
Oct 6 15:05:27 schoenberg slapd[4196]: entry_rdwr_wtrylock: ID: 13
Oct 6 15:05:27 schoenberg slapd[4196]: send_ldap_result: 50::
Oct 6 15:05:27 schoenberg slapd[4196]: entry_rdwr_wunlock: ID: 13
Oct 6 15:05:27 schoenberg slapd[4194]: connection_get(9)
So if I try to modify the authzid, I get a "no proxy policy" error; otherwise, the auth ID remains just "testuser".
Cheers,
On Wed, Oct 04, 2000 at 03:53:40PM -0700, Kurt D. Zeilenga wrote:
> At 02:58 PM 10/4/00 -0400, Marc Heckmann wrote:
> > I have a trace of what happens below, it seems that the authorization
> >DN is only "testuser" and not "uid=testuser+realm=schoenberg"
>
> Just "testuser"? Sounds like you might be suffering from a nasty
> (and dangerous) Cyrus SASL bug. Make sure you have Cyrus SASL 1.5.24
> installed as currently available from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail.
> Do not install versions from any other source as there appears to
> be multiple versions labeled 1.5.24 floating about (due to a silent
> upgrade) and only the version in the official FTP site is known not
> to contain the bug.
>
> Then, when testing with OpenLDAP, be sure to specify TRACE. ARGS is
> useful as well. This will report not only the authentication and
> authorization identities, but the authorization (or subject) DN.
>
> Other notes: -D is for simple bind... irrelevant for SASL bind.
> -W is for simple bind, SASL bind will prompt as needed (but will
> use value provided via -W or -w as well). And don't use -X
> (authorization identity) with OpenLDAP slapd... as slapd only
> supports authorization identities which are equivalent to the
> authentication identity (empty or u:user for user).
>
> Kurt
>
>
--
Marc Heckmann - Network Operations
HBE Software/Opendesk.Com
heckmann@hbesoftware.com www.hbesoftware.com
heckmann@opendesk.com www.opendesk.com
Tel. (514) 876-7881 ext. 219
Fax. (514) 876-9223
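The diff quoted at the top of this message replaces an unconditional `return SASL_OK` with `return ret`, and Kurt's reply calls the old behaviour "nasty (and dangerous)". The following is an added example, not part of the thread and not Cyrus SASL or OpenLDAP code: it models the two shapes of that function side by side to show why a masked return code matters. The proxy policy function is an assumption modeled on Kurt's description (slapd accepts only an empty authzid or one equivalent to the authentication identity, e.g. "u:user"); the result-code names are local definitions chosen to read like sasl.h, and the caller `bind_result` is a stand-in for the server-side bind logic, not slapd's.

```c
#include <stdio.h>
#include <string.h>

/* Local result codes for this example (assumption: named after Cyrus SASL's
 * sasl.h; only their distinctness matters here). */
#define SASL_OK       0
#define SASL_BADPARAM (-7)
#define SASL_NOAUTHZ  (-14)

/* Illustrative proxy policy, modeled on the rule described in the thread:
 * the authorization identity must be empty or equivalent to the
 * authentication identity. Not slapd's or Cyrus SASL's code. */
static int proxy_policy(const char *authcid, const char *authzid)
{
    if (authcid == NULL || *authcid == '\0')
        return SASL_BADPARAM;
    if (authzid == NULL || *authzid == '\0')
        return SASL_OK;                     /* no proxying requested */
    if (strcmp(authzid, authcid) == 0)
        return SASL_OK;                     /* same identity */
    if (strncmp(authzid, "u:", 2) == 0 && strcmp(authzid + 2, authcid) == 0)
        return SASL_OK;                     /* "u:testuser" for testuser */
    return SASL_NOAUTHZ;                    /* anything else: no proxy policy */
}

/* Shape of the pre-patch code: the policy result lands in ret, the user is
 * only set when it passed, but the function reports SASL_OK either way. */
static int canon_user_buggy(const char *authcid, const char *authzid,
                            const char **effective_user)
{
    int ret = proxy_policy(authcid, authzid);
    if (ret == SASL_OK)
        *effective_user = (authzid && *authzid) ? authzid : authcid;
    return SASL_OK;
}

/* Shape of the patched code: the policy result is propagated. */
static int canon_user_fixed(const char *authcid, const char *authzid,
                            const char **effective_user)
{
    int ret = proxy_policy(authcid, authzid);
    if (ret == SASL_OK)
        *effective_user = (authzid && *authzid) ? authzid : authcid;
    return ret;
}

/* Stand-in for the server's bind logic: it decides success purely from the
 * return code of the canonicalisation step, as a caller naturally would. */
static int bind_result(int (*canon)(const char *, const char *, const char **),
                       const char *authcid, const char *authzid,
                       const char **bound_as)
{
    *bound_as = NULL;
    int rc = canon(authcid, authzid, bound_as);
    if (rc != SASL_OK)
        *bound_as = NULL;
    return rc;
}

int main(void)
{
    const char *who;
    int rc;

    /* Constructed input: testuser asks to be authorized as a different user. */
    rc = bind_result(canon_user_buggy, "testuser", "u:admin", &who);
    printf("buggy: rc=%d bound_as=%s\n", rc, who ? who : "(none)");

    rc = bind_result(canon_user_fixed, "testuser", "u:admin", &who);
    printf("fixed: rc=%d bound_as=%s\n", rc, who ? who : "(none)");

    rc = bind_result(canon_user_fixed, "testuser", "u:testuser", &who);
    printf("fixed: rc=%d bound_as=%s\n", rc, who ? who : "(none)");
    return 0;
}
```

With the buggy shape, the bind for "u:admin" is reported as SASL_OK even though the policy rejected it and no authorized identity was established; any layer that trusts the return code proceeds from an inconsistent state. With the patched shape the same request comes back as SASL_NOAUTHZ, which is the "no proxy policy" refusal seen in the ldapmodify output above.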