
Re: OpenLDAP 2.1 Released



thierryW wrote:
Sorry, I forgot one thing:
rootdn    "uid=master1,ou=admins,o=Mairie(not firm),dc=intranet,dc=fr"

saslRegexp
uid=(.*),cn=intranet.fr,cn=DIGEST-MD5,cn=auth
uid=$1,ou=admins,o=Mairie(not firm),dc=intranet,dc=fr
thierry

ThierryW wrote:

2 questions:

First one: starting an SSL or TLS search failed with:
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:985
where it worked with 2.0.23?? What's wrong?


Second question:
My config: openldap 2.1.2, sasl 1.5.
I cannot perform a search.
In slapd.conf (only what's important):

********************************
TLSCertificateFile      /usr/local/ssl/certs/certmorangis.pem
TLSCertificateKeyFile   /usr/local/ssl/certs/certmorangis.pem
TLSCACertificateFile    /usr/local/ssl/certs/certmorangis.pem

# Schema and objectClass definitions

sasl-realm             intranet.fr
sasl-host               openmail.intranet.fr
#sasl-secprops          none

database    bdb
directory       /usr/ldap/var/openldap-data
suffix        "dc=intranet,dc=fr"
rootdn    "uid=master1,ou=admins,o=firm,dc=intranet,dc=fr"

saslRegexp
 uid=(.*),cn=intranet.fr,cn=DIGEST-MD5,cn=auth
 uid=$1,ou=admins,o=firm,dc=intranet,dc=fr

#ldap://openmail.intranet.fr/ou=admins,o=mairie,dc=intranet,dc=fr??sub?uid=$1


access to * by dn="uid=master1\\+realm=intranet.fr" write by * read

#by dn="uid=master1.*\+realm=openmail.intranet.fr"  write

access to attr=userPassword
       by self write
       by anonymous auth
       by * none
*****************************************************

As noted in the 2.1 admin guide:
ldapsearch -h openmail.intranet.fr -X "u:master1" or -I or whatever you want... I got with slapd debug:
......
daemon: conn=2 fd=13 connection from IP=192.0.1.252:33951 (IP=192.0.1.252:389) accepted.
daemon: added 13r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=2
connection_read(13): checking for input on id=2
ber_get_next
ldap_read: want=9, got=9
0000: 30 3e 02 01 01 63 39 04 00 0>...c9..
ldap_read: want=55, got=55
0000: 0a 01 00 0a 01 00 02 01 00 02 01 00 01 01 00 87 ................
0010: 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 19 04 17 .objectclass0...
0020: 73 75 70 70 6f 72 74 65 64 53 41 53 4c 4d 65 63 supportedSASLMec
0030: 68 61 6e 69 73 6d 73 hanisms
ber_get_next: tag 0x30 len 62 contents:
ber_dump: buf=0x081ec430 ptr=0x081ec430 end=0x081ec46e len=62
0000: 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 01 00 ...c9...........
0010: 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c ........objectcl
0020: 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 65 64 ass0...supported
0030: 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 SASLMechanisms
ber_get_next
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_search
ber_scanf fmt ({miiiib) ber:
ber_dump: buf=0x081ec430 ptr=0x081ec433 end=0x081ec46e len=59
0000: 63 39 04 00 0a 01 00 0a 01 00 02 01 00 02 01 00 c9..............
0010: 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 .....objectclass
0020: 30 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 0...supportedSAS
0030: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
SRCH "" 0 0 0 0 0
begin get_filter
PRESENT
ber_scanf fmt (m) ber:
ber_dump: buf=0x081ec430 ptr=0x081ec446 end=0x081ec46e len=40
0000: 87 0b 6f 62 6a 65 63 74 63 6c 61 73 73 30 19 04 ..objectclass0..
0010: 17 73 75 70 70 6f 72 74 65 64 53 41 53 4c 4d 65 .supportedSASLMe
0020: 63 68 61 6e 69 73 6d 73 chanisms
end get_filter 0
filter: (objectClass=*)
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x081ec430 ptr=0x081ec453 end=0x081ec46e len=27
0000: 00 19 04 17 73 75 70 70 6f 72 74 65 64 53 41 53 ....supportedSAS
0010: 4c 4d 65 63 68 61 6e 69 73 6d 73 LMechanisms
attrs: supportedSASLMechanisms
conn=2 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
=> test_filter
PRESENT
=> access_allowed: search access to "" "objectClass" requested
=> acl_get: [1] check attr objectClass
<= acl_get: [1] acl attr: objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: uid=master1\+realm=intranet.fr
=> string_expand: pattern: uid=master1\+realm=intranet.fr
=> string_expand: expanded: uid=master1\+realm=intranet.fr
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: *
<= acl_mask: [4] applying read(=rscx) (stop)
<= acl_mask: [4] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 6
=> send_search_entry: dn=""
=> access_allowed: read access to "" "entry" requested
=> acl_get: [1] check attr entry
<= acl_get: [1] acl attr: entry
=> acl_mask: access to entry "", attr "entry" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: uid=master1\+realm=intranet.fr
=> string_expand: pattern: uid=master1\+realm=intranet.fr
=> string_expand: expanded: uid=master1\+realm=intranet.fr
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: *
<= acl_mask: [4] applying read(=rscx) (stop)
<= acl_mask: [4] mask: read(=rscx)
=> access_allowed: read access granted by read(=rscx)
=> access_allowed: read access to "" "supportedSASLMechanisms" requested
=> acl_get: [1] check attr supportedSASLMechanisms
<= acl_get: [1] acl attr: supportedSASLMechanisms
=> acl_mask: access to entry "", attr "supportedSASLMechanisms" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: uid=master1\+realm=intranet.fr
=> string_expand: pattern: uid=master1\+realm=intranet.fr
=> string_expand: expanded: uid=master1\+realm=intranet.fr
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: *
<= acl_mask: [4] applying read(=rscx) (stop)
<= acl_mask: [4] mask: read(=rscx)
=> access_allowed: read access granted by read(=rscx)
ber_flush: 52 bytes to sd 13
0000: 30 32 02 01 01 64 2d 04 00 30 29 30 27 04 17 73 02...d-..0)0'..s
0010: 75 70 70 6f 72 74 65 64 53 41 53 4c 4d 65 63 68 upportedSASLMech
0020: 61 6e 69 73 6d 73 31 0c 04 0a 44 49 47 45 53 54 anisms1...DIGEST
0030: 2d 4d 44 35 -MD5
ldap_write: want=52, written=52
0000: 30 32 02 01 01 64 2d 04 00 30 29 30 27 04 17 73 02...d-..0)0'..s
0010: 75 70 70 6f 72 74 65 64 53 41 53 4c 4d 65 63 68 upportedSASLMech
0020: 61 6e 69 73 6d 73 31 0c 04 0a 44 49 47 45 53 54 anisms1...DIGEST
0030: 2d 4d 44 35 -MD5
conn=2 op=0 ENTRY dn=""
<= send_search_entry
send_ldap_result: conn=2 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=101 err=0
ber_flush: 14 bytes to sd 13
0000: 30 0c 02 01 01 65 07 0a 01 00 04 00 04 00 0....e........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 65 07 0a 01 00 04 00 04 00 0....e........
conn=2 op=0 RESULT tag=101 err=0 text=
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=2
connection_read(13): checking for input on id=2
ber_get_next
ldap_read: want=9, got=9
0000: 30 18 02 01 02 60 13 02 01 0....`...
ldap_read: want=17, got=17
0000: 03 04 00 a3 0c 04 0a 44 49 47 45 53 54 2d 4d 44 .......DIGEST-MD
0010: 35 5
ber_get_next: tag 0x30 len 24 contents:
ber_dump: buf=0x081ec558 ptr=0x081ec558 end=0x081ec570 len=24
0000: 02 01 02 60 13 02 01 03 04 00 a3 0c 04 0a 44 49 ...`..........DI
0010: 47 45 53 54 2d 4d 44 35 GEST-MD5
ber_get_next
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x081ec558 ptr=0x081ec55b end=0x081ec570 len=21
0000: 60 13 02 01 03 04 00 a3 0c 04 0a 44 49 47 45 53 `..........DIGES
0010: 54 2d 4d 44 35 T-MD5
ber_scanf fmt ({o) ber:
ber_dump: buf=0x081ec558 ptr=0x081ec562 end=0x081ec570 len=14
0000: 00 0c 04 0a 44 49 47 45 53 54 2d 4d 44 35 ....DIGEST-MD5
ber_scanf fmt (}}) ber:
ber_dump: buf=0x081ec558 ptr=0x081ec570 end=0x081ec570 len=0


>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
conn=2 op=1 BIND dn="" method=163
==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
send_ldap_sasl: err=14 len=162
send_ldap_response: msgid=2 tag=97 err=14
ber_flush: 181 bytes to sd 13
0000: 30 81 b2 02 01 02 61 81 ac 0a 01 0e 04 00 04 00 0.....a.........
0010: 87 81 a2 72 65 61 6c 6d 3d 22 69 6e 74 72 61 6e ...realm="intran
0020: 65 74 2e 66 72 22 2c 6e 6f 6e 63 65 3d 22 75 49 et.fr",nonce="uI
0030: 43 54 69 49 4e 79 4c 74 4d 51 45 6d 65 6a 4a 74 CTiINyLtMQEmejJt
0040: 34 39 59 30 39 72 71 61 4e 44 30 4b 4e 34 2b 73 49Y09rqaND0KN4+s
0050: 78 44 48 61 4c 43 54 35 6b 3d 22 2c 71 6f 70 3d xDHaLCT5k=",qop=
0060: 22 61 75 74 68 2c 61 75 74 68 2d 69 6e 74 2c 61 "auth,auth-int,a
0070: 75 74 68 2d 63 6f 6e 66 22 2c 63 69 70 68 65 72 uth-conf",cipher
0080: 3d 22 72 63 34 2d 34 30 2c 72 63 34 2d 35 36 2c ="rc4-40,rc4-56,
0090: 72 63 34 22 2c 63 68 61 72 73 65 74 3d 75 74 66 rc4",charset=utf
00a0: 2d 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 -8,algorithm=md5
00b0: 2d 73 65 73 73 -sess
ldap_write: want=181, written=181
0000: 30 81 b2 02 01 02 61 81 ac 0a 01 0e 04 00 04 00 0.....a.........
0010: 87 81 a2 72 65 61 6c 6d 3d 22 69 6e 74 72 61 6e ...realm="intran
0020: 65 74 2e 66 72 22 2c 6e 6f 6e 63 65 3d 22 75 49 et.fr",nonce="uI
0030: 43 54 69 49 4e 79 4c 74 4d 51 45 6d 65 6a 4a 74 CTiINyLtMQEmejJt
0040: 34 39 59 30 39 72 71 61 4e 44 30 4b 4e 34 2b 73 49Y09rqaND0KN4+s
0050: 78 44 48 61 4c 43 54 35 6b 3d 22 2c 71 6f 70 3d xDHaLCT5k=",qop=
0060: 22 61 75 74 68 2c 61 75 74 68 2d 69 6e 74 2c 61 "auth,auth-int,a
0070: 75 74 68 2d 63 6f 6e 66 22 2c 63 69 70 68 65 72 uth-conf",cipher
0080: 3d 22 72 63 34 2d 34 30 2c 72 63 34 2d 35 36 2c ="rc4-40,rc4-56,
0090: 72 63 34 22 2c 63 68 61 72 73 65 74 3d 75 74 66 rc4",charset=utf
00a0: 2d 38 2c 61 6c 67 6f 72 69 74 68 6d 3d 6d 64 35 -8,algorithm=md5
00b0: 2d 73 65 73 73 -sess
<== slap_sasl_bind: rc=14
............................
When I put my password:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Unknown error (80)
additional info: unable to get user's secret
and debug:
.............
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=2
connection_read(13): checking for input on id=2
ber_get_next
ldap_read: want=9, got=9
0000: 30 82 01 48 02 01 03 60 82 0..H...`.
ldap_read: want=323, got=323
0000: 01 41 02 01 03 04 00 a3 82 01 38 04 0a 44 49 47 .A........8..DIG
0010: 45 53 54 2d 4d 44 35 04 82 01 28 75 73 65 72 6e EST-MD5...(usern
0020: 61 6d 65 3d 22 72 6f 6f 74 22 2c 72 65 61 6c 6d ame="root",realm
0030: 3d 22 69 6e 74 72 61 6e 65 74 2e 66 72 22 2c 61 ="intranet.fr",a
0040: 75 74 68 7a 69 64 3d 22 75 3a 6d 61 73 74 65 72 uthzid="u:master
0050: 31 22 2c 6e 6f 6e 63 65 3d 22 75 49 43 54 69 49 1",nonce="uICTiI
0060: 4e 79 4c 74 4d 51 45 6d 65 6a 4a 74 34 39 59 30 NyLtMQEmejJt49Y0
0070: 39 72 71 61 4e 44 30 4b 4e 34 2b 73 78 44 48 61 9rqaND0KN4+sxDHa
0080: 4c 43 54 35 6b 3d 22 2c 63 6e 6f 6e 63 65 3d 22 LCT5k=",cnonce="
0090: 38 6b 2f 62 70 6b 65 57 43 66 65 47 61 77 5a 47 8k/bpkeWCfeGawZG
00a0: 67 4c 51 62 4d 68 33 67 72 42 66 61 47 47 35 57 gLQbMh3grBfaGG5W
00b0: 33 33 35 6f 4d 54 31 54 4a 43 34 3d 22 2c 6e 63 335oMT1TJC4=",nc
00c0: 3d 30 30 30 30 30 30 30 31 2c 71 6f 70 3d 61 75 =00000001,qop=au
00d0: 74 68 2d 63 6f 6e 66 2c 63 69 70 68 65 72 3d 22 th-conf,cipher="
00e0: 72 63 34 22 2c 63 68 61 72 73 65 74 3d 75 74 66 rc4",charset=utf
00f0: 2d 38 2c 64 69 67 65 73 74 2d 75 72 69 3d 22 6c -8,digest-uri="l
0100: 64 61 70 2f 6f 70 65 6e 6d 61 69 6c 2e 69 6e 74 dap/openmail.int
0110: 72 61 6e 65 74 2e 66 72 22 2c 72 65 73 70 6f 6e ranet.fr",respon
0120: 73 65 3d 62 30 66 61 39 64 39 36 32 30 61 61 66 se=b0fa9d9620aaf
0130: 61 35 35 39 37 30 33 32 33 62 62 32 61 32 30 35 a55970323bb2a205
0140: 63 66 33 cf3
ber_get_next: tag 0x30 len 328 contents:
ber_dump: buf=0x081ebc00 ptr=0x081ebc00 end=0x081ebd48 len=328
0000: 02 01 03 60 82 01 41 02 01 03 04 00 a3 82 01 38 ...`..A........8
0010: 04 0a 44 49 47 45 53 54 2d 4d 44 35 04 82 01 28 ..DIGEST-MD5...(
0020: 75 73 65 72 6e 61 6d 65 3d 22 72 6f 6f 74 22 2c username="root",
0030: 72 65 61 6c 6d 3d 22 69 6e 74 72 61 6e 65 74 2e realm="intranet.
0040: 66 72 22 2c 61 75 74 68 7a 69 64 3d 22 75 3a 6d fr",authzid="u:m
0050: 61 73 74 65 72 31 22 2c 6e 6f 6e 63 65 3d 22 75 aster1",nonce="u
0060: 49 43 54 69 49 4e 79 4c 74 4d 51 45 6d 65 6a 4a ICTiINyLtMQEmejJ
0070: 74 34 39 59 30 39 72 71 61 4e 44 30 4b 4e 34 2b t49Y09rqaND0KN4+
0080: 73 78 44 48 61 4c 43 54 35 6b 3d 22 2c 63 6e 6f sxDHaLCT5k=",cno
0090: 6e 63 65 3d 22 38 6b 2f 62 70 6b 65 57 43 66 65 nce="8k/bpkeWCfe
00a0: 47 61 77 5a 47 67 4c 51 62 4d 68 33 67 72 42 66 GawZGgLQbMh3grBf
00b0: 61 47 47 35 57 33 33 35 6f 4d 54 31 54 4a 43 34 aGG5W335oMT1TJC4
00c0: 3d 22 2c 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 =",nc=00000001,q
00d0: 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 op=auth-conf,cip
00e0: 68 65 72 3d 22 72 63 34 22 2c 63 68 61 72 73 65 her="rc4",charse
00f0: 74 3d 75 74 66 2d 38 2c 64 69 67 65 73 74 2d 75 t=utf-8,digest-u
0100: 72 69 3d 22 6c 64 61 70 2f 6f 70 65 6e 6d 61 69 ri="ldap/openmai
0110: 6c 2e 69 6e 74 72 61 6e 65 74 2e 66 72 22 2c 72 l.intranet.fr",r
0120: 65 73 70 6f 6e 73 65 3d 62 30 66 61 39 64 39 36 esponse=b0fa9d96
0130: 32 30 61 61 66 61 35 35 39 37 30 33 32 33 62 62 20aafa55970323bb
0140: 32 61 32 30 35 63 66 33 2a205cf3
ber_get_next
ldap_read: want=9 error=Resource temporarily unavailable
ber_get_next on fd 13 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x081ebc00 ptr=0x081ebc03 end=0x081ebd48 len=325
0000: 60 82 01 41 02 01 03 04 00 a3 82 01 38 04 0a 44 `..A........8..D
0010: 49 47 45 53 54 2d 4d 44 35 04 82 01 28 75 73 65 IGEST-MD5...(use
0020: 72 6e 61 6d 65 3d 22 72 6f 6f 74 22 2c 72 65 61 rname="root",rea
0030: 6c 6d 3d 22 69 6e 74 72 61 6e 65 74 2e 66 72 22 lm="intranet.fr"
0040: 2c 61 75 74 68 7a 69 64 3d 22 75 3a 6d 61 73 74 ,authzid="u:mast
0050: 65 72 31 22 2c 6e 6f 6e 63 65 3d 22 75 49 43 54 er1",nonce="uICT
0060: 69 49 4e 79 4c 74 4d 51 45 6d 65 6a 4a 74 34 39 iINyLtMQEmejJt49
0070: 59 30 39 72 71 61 4e 44 30 4b 4e 34 2b 73 78 44 Y09rqaND0KN4+sxD
0080: 48 61 4c 43 54 35 6b 3d 22 2c 63 6e 6f 6e 63 65 HaLCT5k=",cnonce
0090: 3d 22 38 6b 2f 62 70 6b 65 57 43 66 65 47 61 77 ="8k/bpkeWCfeGaw
00a0: 5a 47 67 4c 51 62 4d 68 33 67 72 42 66 61 47 47 ZGgLQbMh3grBfaGG
00b0: 35 57 33 33 35 6f 4d 54 31 54 4a 43 34 3d 22 2c 5W335oMT1TJC4=",
00c0: 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 6f 70 3d nc=00000001,qop=
00d0: 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 68 65 72 auth-conf,cipher
00e0: 3d 22 72 63 34 22 2c 63 68 61 72 73 65 74 3d 75 ="rc4",charset=u
00f0: 74 66 2d 38 2c 64 69 67 65 73 74 2d 75 72 69 3d tf-8,digest-uri=
0100: 22 6c 64 61 70 2f 6f 70 65 6e 6d 61 69 6c 2e 69 "ldap/openmail.i
0110: 6e 74 72 61 6e 65 74 2e 66 72 22 2c 72 65 73 70 ntranet.fr",resp
0120: 6f 6e 73 65 3d 62 30 66 61 39 64 39 36 32 30 61 onse=b0fa9d9620a
0130: 61 66 61 35 35 39 37 30 33 32 33 62 62 32 61 32 afa55970323bb2a2
0140: 30 35 63 66 33 05cf3
ber_scanf fmt ({o) ber:
ber_dump: buf=0x081ebc00 ptr=0x081ebc0c end=0x081ebd48 len=316
0000: 00 82 01 38 04 0a 44 49 47 45 53 54 2d 4d 44 35 ...8..DIGEST-MD5
0010: 04 82 01 28 75 73 65 72 6e 61 6d 65 3d 22 72 6f ...(username="ro
0020: 6f 74 22 2c 72 65 61 6c 6d 3d 22 69 6e 74 72 61 ot",realm="intra
0030: 6e 65 74 2e 66 72 22 2c 61 75 74 68 7a 69 64 3d net.fr",authzid=
0040: 22 75 3a 6d 61 73 74 65 72 31 22 2c 6e 6f 6e 63 "u:master1",nonc
0050: 65 3d 22 75 49 43 54 69 49 4e 79 4c 74 4d 51 45 e="uICTiINyLtMQE
0060: 6d 65 6a 4a 74 34 39 59 30 39 72 71 61 4e 44 30 mejJt49Y09rqaND0
0070: 4b 4e 34 2b 73 78 44 48 61 4c 43 54 35 6b 3d 22 KN4+sxDHaLCT5k="
0080: 2c 63 6e 6f 6e 63 65 3d 22 38 6b 2f 62 70 6b 65 ,cnonce="8k/bpke
0090: 57 43 66 65 47 61 77 5a 47 67 4c 51 62 4d 68 33 WCfeGawZGgLQbMh3
00a0: 67 72 42 66 61 47 47 35 57 33 33 35 6f 4d 54 31 grBfaGG5W335oMT1
00b0: 54 4a 43 34 3d 22 2c 6e 63 3d 30 30 30 30 30 30 TJC4=",nc=000000
00c0: 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 01,qop=auth-conf
00d0: 2c 63 69 70 68 65 72 3d 22 72 63 34 22 2c 63 68 ,cipher="rc4",ch
00e0: 61 72 73 65 74 3d 75 74 66 2d 38 2c 64 69 67 65 arset=utf-8,dige
00f0: 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 6f 70 65 st-uri="ldap/ope
0100: 6e 6d 61 69 6c 2e 69 6e 74 72 61 6e 65 74 2e 66 nmail.intranet.f
0110: 72 22 2c 72 65 73 70 6f 6e 73 65 3d 62 30 66 61 r",response=b0fa
0120: 39 64 39 36 32 30 61 61 66 61 35 35 39 37 30 33 9d9620aafa559703
0130: 32 33 62 62 32 61 32 30 35 63 66 33 23bb2a205cf3
ber_scanf fmt (m) ber:
ber_dump: buf=0x081ebc00 ptr=0x081ebc1c end=0x081ebd48 len=300
0000: 04 82 01 28 75 73 65 72 6e 61 6d 65 3d 22 72 6f ...(username="ro
0010: 6f 74 22 2c 72 65 61 6c 6d 3d 22 69 6e 74 72 61 ot",realm="intra
0020: 6e 65 74 2e 66 72 22 2c 61 75 74 68 7a 69 64 3d net.fr",authzid=
0030: 22 75 3a 6d 61 73 74 65 72 31 22 2c 6e 6f 6e 63 "u:master1",nonc
0040: 65 3d 22 75 49 43 54 69 49 4e 79 4c 74 4d 51 45 e="uICTiINyLtMQE
0050: 6d 65 6a 4a 74 34 39 59 30 39 72 71 61 4e 44 30 mejJt49Y09rqaND0
0060: 4b 4e 34 2b 73 78 44 48 61 4c 43 54 35 6b 3d 22 KN4+sxDHaLCT5k="
0070: 2c 63 6e 6f 6e 63 65 3d 22 38 6b 2f 62 70 6b 65 ,cnonce="8k/bpke
0080: 57 43 66 65 47 61 77 5a 47 67 4c 51 62 4d 68 33 WCfeGawZGgLQbMh3
0090: 67 72 42 66 61 47 47 35 57 33 33 35 6f 4d 54 31 grBfaGG5W335oMT1
00a0: 54 4a 43 34 3d 22 2c 6e 63 3d 30 30 30 30 30 30 TJC4=",nc=000000
00b0: 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 01,qop=auth-conf
00c0: 2c 63 69 70 68 65 72 3d 22 72 63 34 22 2c 63 68 ,cipher="rc4",ch
00d0: 61 72 73 65 74 3d 75 74 66 2d 38 2c 64 69 67 65 arset=utf-8,dige
00e0: 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 6f 70 65 st-uri="ldap/ope
00f0: 6e 6d 61 69 6c 2e 69 6e 74 72 61 6e 65 74 2e 66 nmail.intranet.f
0100: 72 22 2c 72 65 73 70 6f 6e 73 65 3d 62 30 66 61 r",response=b0fa
0110: 39 64 39 36 32 30 61 61 66 61 35 35 39 37 30 33 9d9620aafa559703
0120: 32 33 62 62 32 61 32 30 35 63 66 33 23bb2a205cf3
ber_scanf fmt (}}) ber:
ber_dump: buf=0x081ebc00 ptr=0x081ebd48 end=0x081ebd48 len=0


>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
conn=2 op=2 BIND dn="" method=163
==> sasl_bind: dn="" mech=<continuing> datalen=296
send_ldap_result: conn=2 op=2 p=3
send_ldap_result: err=80 matched="" text="unable to get user's secret"
send_ldap_response: msgid=3 tag=97 err=80
ber_flush: 41 bytes to sd 13
0000: 30 27 02 01 03 61 22 0a 01 50 04 00 04 1b 75 6e 0'...a"..P....un
0010: 61 62 6c 65 20 74 6f 20 67 65 74 20 75 73 65 72 able to get user
0020: 27 73 20 73 65 63 72 65 74 's secret
ldap_write: want=41, written=41
0000: 30 27 02 01 03 61 22 0a 01 50 04 00 04 1b 75 6e 0'...a"..P....un
0010: 61 62 6c 65 20 74 6f 20 67 65 74 20 75 73 65 72 able to get user
0020: 27 73 20 73 65 63 72 65 74 's secret
conn=2 op=2 RESULT tag=97 err=80 text=unable to get user's secret
<== slap_sasl_bind: rc=80
daemon: select: listen=6 active_threads=1 tvp=NULL
daemon: select: listen=7 active_threads=1 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 13r
daemon: read activity on 13
connection_get(13)
connection_get(13): got connid=2
connection_read(13): checking for input on id=2
ber_get_next
ldap_read: want=9, got=0


ber_get_next on fd 13 failed errno=0 (Success)
connection_read(13): input error=-2 id=2, closing.
connection_closing: readying conn=2 sd=13 for close
connection_close: conn=2 sd=13
daemon: removing 13
conn=2 fd=13 closed
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL

It seems it's not taking my username...? but root by default..
My LDIF for user master1 is:

dn: uid=master1,ou=Admins,o=Mairie,dc=intranet,dc=fr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: master1
sn: master1
uid: master1
userPassword: "mycleartextpassword" => as you answered in my last message

So could you help me please, what am I doing wrong??
Thierry
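The debug output above shows the DIGEST-MD5 response carrying username="root" next to authzid="u:master1", and the saslRegexp in slapd.conf decides which entry slapd reads the secret from. The following is an added example, not code from the thread or from OpenLDAP: it decodes that captured response (copied from the ASCII column of the hex dump), builds the SASL authentication DN the way slapd 2.1 does (uid=<user>,cn=<realm>,cn=<mech>,cn=auth), rewrites it with the saslRegexp rule from the posted config, and looks the result up in a constructed stand-in directory holding only the posted LDIF entry. The DIRECTORY contents, the lower-casing used as DN normalisation, and the password value are constructed for the example.

```python
import re

# Rule copied from the slapd.conf in the thread (the form without the
# "(not firm)" annotation). slapd matches the regex against the SASL
# authentication DN and substitutes $1..$9 into the right-hand side.
SASL_REGEXP = (
    r"uid=(.*),cn=intranet.fr,cn=DIGEST-MD5,cn=auth",
    r"uid=$1,ou=admins,o=firm,dc=intranet,dc=fr",
)

# Constructed stand-in for the directory: only the LDIF entry from the
# thread exists. Keys are kept lower-case as a crude DN normalisation.
DIRECTORY = {
    "uid=master1,ou=admins,o=firm,dc=intranet,dc=fr": {
        "userPassword": "mycleartextpassword",  # placeholder value from the thread
    },
}

# DIGEST-MD5 response decoded from the hex dump in the thread (conn=2 op=2).
CAPTURED_RESPONSE = (
    'username="root",realm="intranet.fr",authzid="u:master1",'
    'nonce="uICTiINyLtMQEmejJt49Y09rqaND0KN4+sxDHaLCT5k=",'
    'cnonce="8k/bpkeWCfeGawZGgLQbMh3grBfaGG5W335oMT1TJC4=",'
    'nc=00000001,qop=auth-conf,cipher="rc4",charset=utf-8,'
    'digest-uri="ldap/openmail.intranet.fr",'
    'response=b0fa9d9620aafa55970323bb2a205cf3'
)

# key=value pairs; values are either a quoted string or run to the next comma
_FIELD_RE = re.compile(r'(\w[\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_digest_fields(payload: str) -> dict:
    """Split a DIGEST-MD5 challenge or response into a dict, unquoting values."""
    fields = {}
    for m in _FIELD_RE.finditer(payload):
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def sasl_auth_dn(username: str, realm: str, mech: str) -> str:
    """DN form slapd gives the SASL authentication identity before saslRegexp runs."""
    return f"uid={username},cn={realm},cn={mech},cn=auth"


def apply_sasl_regexp(auth_dn: str, rule=SASL_REGEXP):
    """Rewrite the auth DN with one saslRegexp rule; None when the rule does not match."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, auth_dn)
    if m is None:
        return None
    out = replacement
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group)   # slapd's $N substitution
    return out


def lookup_secret(response_payload: str, directory=DIRECTORY) -> dict:
    """Follow the identity in a DIGEST-MD5 response to the entry the secret is read from."""
    fields = parse_digest_fields(response_payload)
    authcid = fields["username"]            # who is authenticating
    authzid = fields.get("authzid")         # who they ask to act as (ldapsearch -X)
    dn = apply_sasl_regexp(sasl_auth_dn(authcid, fields["realm"], "DIGEST-MD5"))
    entry = directory.get(dn.lower()) if dn else None
    secret = entry.get("userPassword") if entry else None
    return {"authcid": authcid, "authzid": authzid, "dn": dn, "secret": secret}


if __name__ == "__main__":
    print(lookup_secret(CAPTURED_RESPONSE))
```

The authorization identity given with -X only says whose rights to use after the bind; the secret is looked up for the authentication identity (the username field), so the dict returned for the captured response has secret None because no uid=root entry exists in the stand-in directory, while the same payload with username="master1" resolves to the posted entry.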


Howard Chu wrote:

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo
Fredriksson


"Howard" == Howard Chu <hyc@highlandsun.com> writes:

   Turbo>  And if one uses Kerberos V? My 'userPassword' attribute is
   Turbo> currently of the form '{KERBEROS}USERPRINCIPAL' and I don't
   Turbo> change password in LDAP, but in Kerberos.

   Howard> That is an ugly, insecure, slow-performing hack. If you
   Howard> have Kerberos V then you should be using SASL/GSSAPI to
   Howard> login to LDAP, and completely ignoring the userPassword
   Howard> attribute.

I thought you HAD to use that to be able to use Kerberos V...

Oki, tested with my test user, it works with '*' in userPassword. One
question that comes up though, is WHY (ie, WHO) is this used in the
first place?


I don't know why anyone would use it. I think it may be a holdover from
Kerberos IV support in the original UMich distribution, before SASL support
existed. At any rate, it has always been a bad idea.


I'll pass on "WHO" and assume you meant "HOW" - the userPassword attribute
is used for LDAP Simple Binds. The user's "secret" password is sent across
the network in the clear. Unless you have TLS or SSL underneath the session,
then using these mechanisms will destroy any security you might have had.
If you're just running a public read-only server, perhaps you don't care
to worry about security. If you're running Kerberos, security is obviously
of some importance to you, and handing out your password like this is just
putting all your Kerberos setup effort to waste.


With the in-directory SASL-secret support in 2.1, the userPassword attribute
is directly used by many of the SASL mechanisms. E.g., DIGEST-MD5 and
CRAM-MD5 both start with the plaintext password and generate their secrets
based on that. As such, if you care about the security of your database, you
should make sure that Simple Binds are never used over an unprotected
connection, otherwise all of your SASL mechanisms' security will be breached
at once.


 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
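Howard's remark that DIGEST-MD5 "starts with the plaintext password" follows directly from the RFC 2831 response computation, which the server must repeat from its stored secret to verify a bind. The following is an added example, not code from the thread or from OpenLDAP or Cyrus SASL: it implements that computation and a server-side check. The nonce, cnonce, qop and digest-uri values are the ones visible in the debug output above; the password, the {SSHA} placeholder and the outcome strings are constructed for the example, and the refusal of a {scheme}-prefixed secret is a simplification (a real server would just fail to verify).

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    """H() from RFC 2831: raw 16-byte MD5."""
    return hashlib.md5(data).digest()


def _hexh(data: bytes) -> str:
    """HEX(H()) from RFC 2831."""
    return hashlib.md5(data).hexdigest()


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop,
                        digest_uri, authzid=None) -> str:
    """RFC 2831 response-value. Client and server run the same formula, so the
    server needs the plaintext password (or the raw H(username:realm:password))."""
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32          # 32 zeros when integrity/confidentiality is negotiated
    kd = f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2.encode('utf-8'))}"
    return _hexh(kd.encode("utf-8"))


def server_verify(stored_secret, fields: dict) -> str:
    """Server side of the bind: recompute the response from the stored secret."""
    if stored_secret is None:
        return "unable to get user's secret"
    if stored_secret.startswith("{"):
        # {SSHA}, {MD5}, ... cannot be fed into H(username:realm:password);
        # simplified here to an explicit refusal.
        return "secret not usable for DIGEST-MD5"
    expected = digest_md5_response(
        fields["username"], fields["realm"], stored_secret, fields["nonce"],
        fields["cnonce"], fields["nc"], fields["qop"], fields["digest-uri"],
        fields.get("authzid"))
    if hmac.compare_digest(expected, fields["response"]):
        return "ok"
    return "invalid credentials"


# Constructed exchange: nonce, cnonce, qop and digest-uri are the values from
# the thread's debug output; the password is a made-up stand-in, so the
# computed response is not the one in the capture.
EXAMPLE_PASSWORD = "mycleartextpassword"
EXAMPLE_FIELDS = {
    "username": "master1", "realm": "intranet.fr", "authzid": "u:master1",
    "nonce": "uICTiINyLtMQEmejJt49Y09rqaND0KN4+sxDHaLCT5k=",
    "cnonce": "8k/bpkeWCfeGawZGgLQbMh3grBfaGG5W335oMT1TJC4=",
    "nc": "00000001", "qop": "auth-conf",
    "digest-uri": "ldap/openmail.intranet.fr",
}


def example_exchange(password=EXAMPLE_PASSWORD, fields=EXAMPLE_FIELDS) -> dict:
    """Client computes the response; server verifies it from various stored secrets."""
    f = dict(fields)
    f["response"] = digest_md5_response(
        f["username"], f["realm"], password, f["nonce"], f["cnonce"],
        f["nc"], f["qop"], f["digest-uri"], f.get("authzid"))
    return {
        "response": f["response"],
        "plaintext_stored": server_verify(password, f),
        "hashed_stored": server_verify("{SSHA}" + "x" * 28, f),   # constructed placeholder
        "no_entry": server_verify(None, f),
        "wrong_secret": server_verify("other-password", f),
    }


if __name__ == "__main__":
    for k, v in example_exchange().items():
        print(f"{k}: {v}")
```

Only the plaintext-stored case verifies; a hashed userPassword or a missing entry cannot produce the same H(username:realm:password), which is why a directory that serves DIGEST-MD5 or CRAM-MD5 secrets holds the same plaintext that a Simple Bind would send, and why that plaintext must never cross an unprotected connection.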