Re: SASL replication - the continuing saga
Hello,
I'm including the output from the sample Cyrus client and server in this
email. I'd previously configured this and it appears to be working, though
I'm far from an expert on the matter. Left to its own devices, it selects
"PLAIN" as the best available method.
--- /usr/lib/sasl/slapd.conf ---
pwcheck_method: sasldb
I picked that tip up from "Cyrus SASL for Systems Administrators" at:
http://www.sendmail.org/~ca/email/cyrus/sysadmin.html - I think it's mirrored
at other locations as well.
--- Server output: ---
[root@server sample]# sasldblistusers
user: REPL.LDAP.COMPANY.COM realm: server.company.com mech: PLAIN
user: REPL.LDAP.COMPANY.COM realm: server.company.com mech: CRAM-MD5
user: REPL.LDAP.COMPANY.COM realm: server.company.com mech: DIGEST-MD5
[root@server sample]# ./sample-server -s slapd
Generating client mechanism list...
Sending list of 5 mechanism(s)
S: UExBSU4gTE9HSU4gRElHRVNULU1ENSBDUkFNLU1ENSBBTk9OWU1PVVM=
Waiting for client mechanism...
C: UExBSU4AUkVQTC5MREFQLlNBRkVDTy5DT00AUkVQTC5MREFQLlNBRkVDTy5DT00AYzE5dmZmeHg=
got 'PLAIN'
Negotiation complete
Username: REPL.LDAP.COMPANY.COM
Realm: server.company.com
SSF: 0
--- Client output: ---
[root@server sample]# ./sample-client -s slapd -u REPL.LDAP.COMPANY.COM -a REPL.LDAP.COMPANY.COM
service=slapd
Waiting for mechanism list from server...
S: UExBSU4gTE9HSU4gRElHRVNULU1ENSBDUkFNLU1ENSBBTk9OWU1PVVM=
Choosing best mechanism from: PLAIN LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS
Password:
Using mechanism PLAIN
Preparing initial.
Sending initial response...
C: UExBSU4AUkVQTC5MREFQLlNBRkVDTy5DT00AUkVQTC5MREFQLlNBRkVDTy5DT00AYzE5dmZmeHg=
Waiting for server reply...
After some digging, I found that there's a -b option for both the client and
the server, indicating the number of bits. As it's there in the slapd.conf,
I set this to 112 and watched the output:
--- Server output: ---
[root@server sample]# ./sample-server -b min=112
Generating client mechanism list...
Sending list of 1 mechanism(s)
S: RElHRVNULU1ENQ==
Waiting for client mechanism...
--- Client output: ---
[root@server sample]# ./sample-client -b min=112 -s slapd -u REPL.LDAP.COMPANY.COM -a REPL.LDAP.COMPANY.COM
service=slapd
Waiting for mechanism list from server...
S: RElHRVNULU1ENQ==
Choosing best mechanism from: DIGEST-MD5
lt-sample-client: Starting SASL negotiation: no mechanism available
So, it might very well be that SASL isn't working with DIGEST-MD5. All the
available evidence points to this. Which is unusual, as the sasldblistusers
command lists the REPL.LDAP.COMPANY.COM as having a DIGEST-MD5 password.
When I initially compiled SASL, I used the command:
./configure --enable-sample --enable-plain --disable-krb4
According to the limited SASL documentation, DIGEST-MD5 should be
automatically detected. But, just to be thorough, I've since re-compiled
with the command:
./configure --enable-sample --enable-cram --enable-digest --disable-krb4 --disable-gssapi
This has not improved matters - the sample client still gets:
[root@server sample]# ./sample-client -b min=112 -s slapd -u REPL.LDAP.COMPANY.COM -a REPL.LDAP.COMPANY.COM
service=slapd
Waiting for mechanism list from server...
S: RElHRVNULU1ENQ==
Choosing best mechanism from: DIGEST-MD5
lt-sample-client: Starting SASL negotiation: no mechanism available
After yet further digging, I found the SASL mailing list. I can't say that I
learned much from it. I did find an UNANSWERED message that almost describes
the issue I've encountered:
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=digest-md5&msg=642
The main point of interest was that DIGEST-MD5 was only possible if you had
installed OpenSSL. Fair enough. Before I installed Cyrus, I compiled and
installed OpenSSL as follows:
Type tar -xzvf openssl-0.9.6b.tar.gz and press Enter.
Type cd /openssl-0.9.6b and press Enter.
Type ./config --prefix=/usr --openssldir=/usr/lib/ssl and press Enter.
Type make -f Makefile.ssl all and press Enter.
Type make -f Makefile.ssl install and press Enter.
That was based on a newsgroup posting that I don't recall the location of.
Typing ./config --help doesn't really help, and the OpenSSL INSTALL file
doesn't indicate that DIGEST-MD5 would be turned off OR on by default. It
just specifies how you'd build without a cipher, and I didn't specify that on
the command line. Based on that, I'm assuming that DIGEST-MD5 was installed
SOMEWHERE, given that sasldblistusers DOES SHOW the replication account as
having a DIGEST-MD5 password.
I'm now 45 hours into this research, and I once again find myself stuck.
Further help will be required for me to continue.
Thanks in advance,
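As an added illustration, not code from the original message or from Cyrus SASL, the following Python models what the sample-client and sample-server transcripts above show: the server's base64-encoded mechanism list, the effect of `-b min=112` on which mechanisms are offered and chosen, and the PLAIN initial response the client sends when the SSF is 0. The per-mechanism SSF table, the client plugin set and the credentials are constructed assumptions; the client-message framing (mechanism name, NUL, initial response) mirrors the sample client's `C:` line.

```python
import base64

# Constructed table of the maximum security-strength factor (SSF) each
# mechanism can provide. Assumption: PLAIN, LOGIN, CRAM-MD5 and ANONYMOUS
# give no security layer (SSF 0), while DIGEST-MD5 can negotiate one.
# The figures are illustrative, not read from any Cyrus plugin.
MAX_SSF = {
    "PLAIN": 0,
    "LOGIN": 0,
    "ANONYMOUS": 0,
    "CRAM-MD5": 0,
    "DIGEST-MD5": 128,
}


def encode_mech_list(mechs):
    """Server side: the space-separated mechanism list, base64-encoded (the 'S:' line)."""
    return base64.b64encode(" ".join(mechs).encode("ascii")).decode("ascii")


def decode_mech_list(b64):
    """Client side: recover the mechanism names from the server's 'S:' line."""
    return base64.b64decode(b64).decode("ascii").split()


def offer_mechs(available, min_ssf):
    """Server side: with -b min=N only mechanisms able to reach SSF N are offered."""
    return [m for m in available if MAX_SSF.get(m, 0) >= min_ssf]


def choose_mech(offered, client_plugins, min_ssf):
    """Client side: pick the strongest offered mechanism the client has a plugin
    for that also meets min_ssf. None models the 'no mechanism available' error."""
    usable = [m for m in offered
              if m in client_plugins and MAX_SSF.get(m, 0) >= min_ssf]
    if not usable:
        return None
    return max(usable, key=lambda m: MAX_SSF[m])


def plain_initial_response(authzid, authcid, password):
    """PLAIN initial response: authzid NUL authcid NUL password, as raw bytes.
    The password travels as-is; the later base64 step is encoding, not encryption."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))


def parse_plain_response(raw):
    """Server side: split a PLAIN response into (authzid, authcid, password)."""
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN initial response")
    return tuple(p.decode("utf-8") for p in parts)


def client_message(mech, initial_response):
    """Sample-client framing of the 'C:' line: mechanism name, NUL, initial response."""
    return base64.b64encode(mech.encode("ascii") + b"\0" + initial_response).decode("ascii")


def parse_client_message(b64):
    """Server side: recover the chosen mechanism (the 'got ...' line) and the response."""
    raw = base64.b64decode(b64)
    mech, _, response = raw.partition(b"\0")
    return mech.decode("ascii"), response


def password_in_clear(b64_client_line, password):
    """True when the password is recoverable from the transcript line by decoding alone."""
    return password.encode("utf-8") in base64.b64decode(b64_client_line)


if __name__ == "__main__":
    server_mechs = ["PLAIN", "LOGIN", "DIGEST-MD5", "CRAM-MD5", "ANONYMOUS"]
    # Constructed client plugin set with no usable DIGEST-MD5 plugin.
    client_plugins = {"PLAIN", "LOGIN", "CRAM-MD5", "ANONYMOUS"}
    for min_ssf in (0, 112):
        offered = offer_mechs(server_mechs, min_ssf)
        print("min_ssf=%d offered=%s chosen=%s"
              % (min_ssf, offered, choose_mech(offered, client_plugins, min_ssf)))
    line = client_message("PLAIN", plain_initial_response("repl", "repl", "constructed-secret"))
    print("C:", line, "password visible:", password_in_clear(line, "constructed-secret"))
```

With `min_ssf=0` the model offers all five mechanisms and settles on PLAIN, just as the first transcript does; with `min_ssf=112` only DIGEST-MD5 survives on the server side, and a client without a working DIGEST-MD5 plugin has nothing left to choose. The model reproduces the symptom, not its cause. The last function is the defender's point: a PLAIN exchange at SSF 0 carries the credential in the clear, so a `C:` line captured from a PLAIN negotiation should be treated as the password itself and redacted before it is pasted into a mailing list or bug report.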
On Wednesday 29 August 2001 08:20 am, Kurt D. Zeilenga wrote:
> Have you gotten authentication working using the sample Cyrus
> SASL client and server? This is a very important first step.
> If it doesn't work there, it won't work in OpenLDAP. I suggest
> you sort out your DIGEST-MD5 problems there before trying to
> tackle OpenLDAP specific configuration.
>
> At 06:45 AM 2001-08-29, Kayne McGladrey wrote:
> >Hello everyone,
> >
> >I'm continuing my effort to successfully configure OpenLDAP and SASL.
> > This effort has thus far taken 40 hours of my time. I'm doing this in the
> > hopes that I will be able to have OpenLDAP replication use SASL
> > authentication.
> >
> >I had previously not been able to have the supportedSASLMechanisms
> > attribute report anything. After some further experimentation with
> > SASL-SECPROPS and SECURITY in slapd.conf, and /usr/lib/sasl/slapd.conf,
> > it now reports PLAIN and LOGIN. I can't get it to recognize DIGEST-MD5,
> > which is what I'm hoping to have it use.
> >
> >As this is progress, I thought I'd try to use either PLAIN or LOGIN for
> >authentication. This DOES NOT work. I'm specifically concerned with these
> >lines in the slurpd output:
> >
> > bind to backup.company.com as repl.ldap.company.com via PLAIN
> > (SASL) ldap_interactive_sasl_bind_s: user selected: PLAIN
> > ldap_int_sasl_bind: PLAIN
> >
> >The "user selected: PLAIN" is either a poorly-written debug message or in
> >error. The user I've specified is repl.ldap.company.com.
> >
> >Any assistance would be greatly appreciated. I hope to consolidate my
> > efforts into a FAQ or installation guide. This seems to be the most
> > frequently asked question on the list.
> >
> >I'm including full output from the relevant items (ldapsearch,
> >sasldblistusers, slurpd, slapd.conf).
> >
> >--- ldapsearch on server ---
> >[root@ldap openldap-2.0.11]# ldapsearch -x -b "" -s base -LLL
> >supportedSASLMechanisms
> >dn:
> >supportedSASLMechanisms: PLAIN
> >supportedSASLMechanisms: LOGIN
> >
> >--- ldapsearch on backup ---
> >[root@backup /root]# ldapsearch -x -b "" -s base -LLL supportedSASLMechanisms
> >dn:
> >supportedSASLMechanisms: PLAIN
> >supportedSASLMechanisms: LOGIN
> >
> >--- sasldblistusers on backup ---
> >[root@backup /root]# sasldblistusers
> >user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: PLAIN
> >user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: CRAM-MD5
> >user: REPL.LDAP.COMPANY.COM realm: backup.company.com mech: DIGEST-MD5
> >
> >--- slurpd output ---
> >[root@ldap openldap-2.0.11]# /usr/local/libexec/slurpd -d 255
> >Config: opening config file "/usr/local/etc/openldap/slapd.conf"
> >Config: (include /usr/local/etc/openldap/schema/core.schema)
> >Config: (include /usr/local/etc/openldap/schema/cosine.schema)
> >Config: (include /usr/local/etc/openldap/schema/inetorgperson.schema)
> >Config: (include /usr/local/etc/openldap/schema/local.schema)
> >Config: (pidfile /usr/local/var/slapd.pid)
> >Config: (argsfile /usr/local/var/slapd.args)
> >Config: (loglevel 0)
> >Config: (idletimeout 30)
> >Config: (sizelimit 100)
> >Config: (timelimit 120)
> >Config: (defaultsearchbase "dc=company,dc=com")
> >Config: (schemacheck on)
> >Config: (disallows bind_krbv4)
> >Config: (sasl-secprops noanonymous minssf=112)
> >Config: (security update_sasl=112 update_ssf=112)
> >Config: (database ldbm)
> >Config: (rootdn "cn=LDAProot,dc=company,dc=com")
> >Config: (rootpw {crypt}papAq5PwY/QQM)
> >Config: (suffix "dc=company,dc=com")
> >Config: (replogfile /usr/local/etc/openldap/replog/replog.log)
> >Config: (lastmod off)
> >Config: (replica host=backup.company.com:389
> >binddn="uid=repl.ldap.company.com" bindmethod=sasl saslmech=PLAIN
> >authcID="repl.ldap.company.com" authzID="repl.ldap.company.com"
> >realm=company.com credentials="password")
> >Config: ** successfully added replica "backup.company.com:389"
> >Config: (security update_ssf=112)
> >Config: (directory /usr/local/var/openldap-ldbm)
> >Config: (mode 0600)
> >Config: (index objectClass eq,pres)
> >Config: (index uid eq)
> >Config: (index cn eq,sub)
> >Config: (index mail eq,pres,sub)
> >Config: (index givenName eq,sub)
> >Config: (index sn eq,sub)
> >Config: (index o eq,sub)
> >Config: (access to attr=userPassword by dn="cn=LDAPRoot, dc=company,
> >dc=com" write by * none)
> >Config: (access to * by anonymous read by dn="cn=LDAPRoot,
> >dc=company, dc=com" write)
> >Config: (dbnolocking)
> >Config: (dbnosync)
> >Config: (cachesize 10000)
> >Config: (dbcachesize 100000)
> >Config: ** configuration file successfully read and parsed
> >Retrieved state information for backup.company.com:389 (timestamp 997309400.0)
> >begin replication thread for backup.company.com:389
> >Replica backup.company.com:389, skip repl record for
> >uid=Roman_Gebhart,ou=Distributors,dc=company,dc=com (old)
> >Initializing session to backup.company.com:389
> >ldap_create
> >bind to backup.company.com as repl.ldap.company.com via PLAIN (SASL)
> >ldap_interactive_sasl_bind_s: user selected: PLAIN
> >ldap_int_sasl_bind: PLAIN
> >ldap_new_connection
> >ldap_int_open_connection
> >ldap_connect_to_host
> >ldap_new_socket: 6
> >ldap_prepare_socket: 6
> >ldap_connect_to_host: Trying 192.168.1.2:389
> >ldap_connect_timeout: fd: 6 tm: -1 async: 0
> >ldap_ndelay_on: 6
> >ldap_is_sock_ready: 6
> >ldap_ndelay_off: 6
> >ldap_int_sasl_open: backup.company.com
> >ldap_err2string
> >Error: LDAP SASL for backup.company.com:389 failed: Unknown authentication
> >method
> >ldap_unbind
> >ldap_free_connection
> >ldap_send_unbind
> >ber_flush: 7 bytes to sd 6
> > 0000: 30 05 02 01 01 42 00 0....B.
> >ldap_write: want=7, written=7
> > 0000: 30 05 02 01 01 42 00 0....B.
> >ldap_free_connection: actually freed
> >fm: exiting
> >Retrying operation for DN uid=roman_g,ou=Distributors,dc=company,dc=com on
> >replica backup.company.com:389
> >end replication thread for backup.company.com:389
> >slurpd: terminated.
> >
> >--- slapd.conf on server
> ># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20
> > 23:32:43 kurt Exp $
> >#
> ># See slapd.conf(5) for details on configuration options.
> ># This file should NOT be world readable.
> >#
> >include /usr/local/etc/openldap/schema/core.schema
> >include /usr/local/etc/openldap/schema/cosine.schema
> >include /usr/local/etc/openldap/schema/inetorgperson.schema
> >include /usr/local/etc/openldap/schema/local.schema
> >
> >pidfile /usr/local/var/slapd.pid
> >argsfile /usr/local/var/slapd.args
> >
> >loglevel 0
> >idletimeout 30
> >sizelimit 100
> >timelimit 120
> >defaultsearchbase "dc=company,dc=com"
> >schemacheck on
> >disallows bind_krbv4
> >
> >sasl-secprops noanonymous minssf=112
> >security update_sasl=112 update_ssf=112
> >
> >#######################################################################
> ># ldbm database definitions
> >#######################################################################
> >
> >database ldbm
> >rootdn "cn=LDAProot,dc=company,dc=com"
> >rootpw {crypt}papAq5PwY/QQM
> >suffix "dc=company,dc=com"
> >
> >replogfile /usr/local/etc/openldap/replog/replog.log
> >lastmod off
> >
> >## REPLICATION OPTIONS
> >replica host=backup.company.com:389
> > binddn="uid=repl.ldap.company.com"
> > bindmethod=sasl
> > saslmech=PLAIN
> > authcID="repl.ldap.company.com"
> > authzID="repl.ldap.company.com"
> > realm=company.com
> > credentials="password"
> >
> >security update_ssf=112
> >
> ># The database directory MUST exist prior to running slapd AND
> ># should only be accessible by the slapd/tools. Mode 700 recommended.
> >directory /usr/local/var/openldap-ldbm
> >mode 0600
> >
> ># Indices to maintain
> >index objectClass eq,pres
> >index uid eq
> >
> >index cn eq,sub
> >index mail eq,pres,sub
> >index givenName eq,sub
> >index sn eq,sub
> >index o eq,sub
> >
> >#ldbm access control definitions
> >access to attr=userPassword
> > by dn="cn=LDAPRoot, dc=company, dc=com" write
> > by * none
> >
> >access to *
> > by anonymous read
> > by dn="cn=LDAPRoot, dc=company, dc=com" write
> >
> >dbnolocking
> >dbnosync
> >cachesize 10000
> >dbcachesize 100000
> >
> >--- slapd.conf on backup ---
> ># $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20
> > 23:32:43 kurt Exp $
> >#
> ># See slapd.conf(5) for details on configuration options.
> ># This file should NOT be world readable.
> >#
> >
> >include /usr/local/etc/openldap/schema/core.schema
> >include /usr/local/etc/openldap/schema/cosine.schema
> >include /usr/local/etc/openldap/schema/inetorgperson.schema
> >include /usr/local/etc/openldap/schema/local.schema
> >
> >pidfile /usr/local/var/slapd.pid
> >argsfile /usr/local/var/slapd.args
> >
> >loglevel 0
> >idletimeout 30
> >sizelimit 100
> >timelimit 120
> >defaultsearchbase "dc=company,dc=com"
> >schemacheck on
> >disallows bind_krbv4
> >
> >sasl-secprops noanonymous minssf=112
> >security update_sasl=112 update_ssf=112
> >
> >#######################################################################
> ># ldbm database definitions
> >#######################################################################
> >
> >database ldbm
> >rootdn "cn=LDAProot,dc=company,dc=com"
> >rootpw {crypt}papAq5PwY/QQM
> >suffix "dc=company,dc=com"
> >
> >updatedn "UID=REPL.LDAP.COMPANY.COM+REALM=BACKUP.COMPANY.COM"
> >updateref ldap://ldap.company.com
> >
> >security update_ssf=112
> >
> ># The database directory MUST exist prior to running slapd AND
> ># should only be accessible by the slapd/tools. Mode 700 recommended.
> >directory /usr/local/var/openldap-ldbm
> >mode 0600
> >
> ># Indices to maintain
> >index objectClass eq,pres
> >index uid eq
> >
> >index cn eq,sub
> >index mail eq,pres,sub
> >index givenName eq,sub
> >index sn eq,sub
> >index o eq,sub
> >
> >#ldbm access control definitions
> >access to attr=userPassword
> > by dn="cn=LDAPRoot, dc=company, dc=com" write
> > by * none
> >
> >access to *
> > by anonymous read
> > by dn="cn=LDAPRoot, dc=company, dc=com" write
> >
> >dbnolocking
> >dbnosync
> >cachesize 10000
> >dbcachesize 100000