
RE: ldapdb auxprop SASL plugin



By the way, if you upgrade to OpenLDAP 2.1.13 you can use SASL/EXTERNAL with
ldapi. This is much better than using SASL/PLAIN because you don't even need
to put a username or password into the config file:
	ldapdb_uri: ldapi://
	ldapdb_mech: EXTERNAL

This is the regexp mapping you need:
	sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
		ldap:///dc=komi,dc=mts,dc=ru??sub?(&(uidnumber=$1)(gidnumber=$2))

The SASL DN is "uidNumber=xx+gidNumber=yy,cn=peercred,cn=external,cn=auth"
and you have to escape the "+" because it is a regexp metacharacter.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
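As an added illustration (not code from the message above or from OpenLDAP), here is a small Python model of how the sasl-regexp rule turns the peercred DN into the LDAP search URL; the helper names and the Python `re` stand-in for slapd's POSIX regex library are my assumptions:

```python
import re

BASE = "dc=komi,dc=mts,dc=ru"

# The rule from the message as the regex engine sees it: slapd.conf consumes one
# backslash, so the "\\+" written in the file arrives as "\+", a literal plus.
# Without the escape, "(.*)+" would mean "one or more repetitions of (.*)" and
# the captured uidNumber would no longer be the bare number.
RULE = (
    r"uidNumber=(.*)\+gidNumber=(.*),cn=peercred,cn=external,cn=auth",
    "ldap:///" + BASE + "??sub?(&(uidnumber=$1)(gidnumber=$2))",
)


def peercred_dn(uid, gid):
    """DN slapd derives from the ldapi peer credentials (uid/gid of the caller)."""
    return "uidNumber=%d+gidNumber=%d,cn=peercred,cn=external,cn=auth" % (uid, gid)


def map_sasl_dn(sasl_dn, rule=RULE):
    """Apply a sasl-regexp style (pattern, replacement) pair to a SASL DN.

    Returns the replacement with $0..$9 filled from the match (an LDAP search
    URL here), or None when the DN does not match, i.e. no identity is mapped.
    """
    pattern, replacement = rule
    m = re.fullmatch(pattern, sasl_dn)
    if m is None:
        return None

    def fill(ref):
        idx = int(ref.group(1))
        return m.group(idx) if idx <= m.re.groups else ""

    return re.sub(r"\$(\d)", fill, replacement)


def parse_ldap_url(url):
    """Split an ldap:/// search URL into (base, attrs, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("not an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, flt = parts[:4]
    return base, attrs, scope or "base", flt


if __name__ == "__main__":
    for uid, gid in ((0, 0), (777, 777)):
        url = map_sasl_dn(peercred_dn(uid, gid))
        print(peercred_dn(uid, gid), "->", parse_ldap_url(url))
    print(map_sasl_dn("cn=deiter," + BASE))  # not a peercred DN: None
```

Because uid and gid come from the kernel's peer credentials rather than from anything the client typed, the substituted filter stays well-formed and only the entry whose uidNumber/gidNumber match the calling process is returned.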

> -----Original Message-----
> From: Alex Deiter [mailto:tiamat@komi.mts.ru]
> Sent: Wednesday, February 26, 2003 7:12 AM
> To: hyc@highlandsun.com
> Subject: ldapdb auxprop SASL plugin
>
>
> Hello!
>
> Please help me with the ldapdb auxprop SASL plugin.
>
> I am trying to realize such a circuit:
> service(smtp/imap/pop3) -> SASLv2 -> libldapdb -> LDAP
> directory (users with
> cleartext passwords)
>
> I compiled openldap-2.1.12 + cyrus-sasl-2.1.12 + ldapdb.c on
> FreeBSD 4.7
> STABLE, and have set them up as follows:
>
> /usr/local/etc/openldap/slapd.conf:
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> pidfile         /var/run/slapd.pid
> argsfile        /var/run/slapd.args
> database        bdb
> suffix          "dc=komi,dc=mts,dc=ru"
> rootdn          "cn=Manager,dc=komi,dc=mts,dc=ru"
> rootpw          secret
> directory       /var/db/openldap-data
> index   objectClass     eq
> loglevel 256
> saslAuthzTo:    cn=.*,dc=komi,dc=mts,dc=ru
>
>
> /usr/local/lib/sasl2/sample.conf:
> ldapdb_uri: ldapi://
> ldapdb_id: root
> ldapdb_pw: secret
> ldapdb_mech: PLAIN
>
>
> Created LDAP entries:
>
> dn: cn=root,dc=komi,dc=mts,dc=ru
> cn: deiter
> objectclass: posixAccount
> objectClass: account
> uid: root
> userpassword: secret
> loginshell: /bin/csh
> uidnumber: 0
> gidnumber: 0
>
> dn: cn=deiter,dc=komi,dc=mts,dc=ru
> cn: deiter
> objectclass: posixAccount
> objectClass: account
> uid: deiter
> userpassword: deiter
> loginshell: /bin/csh
> uidnumber: 777
> gidnumber: 777
>
>
> And created user root in sasldb with password secret:
> # sasldblistusers2
> root@deiter.komi.mts.ru: userPassword
>
> Started sample/server -p 5555 and sample/client -p 5555 -m PLAIN
> deiter and
> tried to check them:
>
> server:
> accepted new connection
> send: {46}
> NTLM LOGIN ANONYMOUS PLAIN DIGEST-MD5 CRAM-MD5
> recv: {5}
> PLAIN
> recv: {1}
> Y
> recv: {20}
> deiter[0]deiter[0]deiter
> starting SASL negotiation: user not foundclosing connection
>
> client:
> receiving capability list... recv: {46}
> NTLM LOGIN ANONYMOUS PLAIN DIGEST-MD5 CRAM-MD5
> NTLM LOGIN ANONYMOUS PLAIN DIGEST-MD5 CRAM-MD5
> please enter an authentication id: deiter
> please enter an authorization id: deiter
> Password: deiter
> send: {5}
> PLAIN
> send: {1}
> Y
> send: {20}
> deiter[0]deiter[0]deiter
> authentication failed
> closing connection
>
> /var/log/slapd.log:
> Feb 26 17:41:32 deiter slapd[95525]: auxpropfunc error -7
> Feb 26 17:41:32 deiter slapd[95525]: _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: ldapdb
> Feb 26 17:41:32 deiter slapd[95525]: bdb_initialize:
> Sleepycat Software:
> Berkeley DB 4.0.14: (November 18, 2001)
> Feb 26 17:41:32 deiter slapd[95525]: bdb_db_init:
> Initializing BDB database
> Feb 26 17:41:33 deiter slapd[95526]: slapd starting
> Feb 26 17:55:51 deiter slapd[95526]: conn=2 fd=14 ACCEPT from PATH=
> (PATH=/var/db/ldapi)
> Feb 26 17:55:51 deiter slapd[95526]: conn=2 op=0 BIND dn="" method=163
> Feb 26 17:55:51 deiter slapd[95526]: SASL [conn=2] Failure:
> no user in db
> Feb 26 17:55:51 deiter slapd[95526]: SASL [conn=2] Failure: Invalid
> credentials
> Feb 26 17:55:51 deiter slapd[95526]: SASL [conn=2] Failure:
> no user in db
> Feb 26 17:55:51 deiter slapd[95526]: SASL [conn=2] Failure:
> no user in db
> Feb 26 17:55:51 deiter slapd[95526]: SASL [conn=2] Failure:
> not authorized
> Feb 26 17:55:51 deiter slapd[95526]: conn=2 op=0 RESULT tag=97 err=50
> text=SASL(-14): authorization failure: not authorized
> Feb 26 17:55:51 deiter slapd[95526]: conn=2 op=1 UNBIND
> Feb 26 17:55:51 deiter slapd[95526]: conn=2 fd=14 closed
>
> Probably I have not set up slapd correctly? Is it
> possible to
> check users and passwords in LDAP instead of sasldb?
>
> Big thanks!
>