
Re: SASL / DIGEST-MD5
--On Friday, March 14, 2003 2:16 PM +0100 Francois Beretti <francois.beretti@enatel.com> wrote:

Hello all

I'm trying to get digest-md5 working with passwords stored in openldap
directory instead of sasldb2

According to the doc it is possible; however, I get an error when I run this:

$ ldapsearch -Y DIGEST-MD5 -U francois -ZZ
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error
(80)
        additional info: SASL(-13): user not found: no secret in
database

and in the logs I get this kind of thing:
====> cache_find_entry_id( 4 )
"cn=francois,ou=people,dc=enatel,dc=local" (found) (1 tries)
[...]
=> access_allowed: search access to
"cn=francois,ou=people,dc=enatel,dc=local" "objectClass" requested
[...]
=> acl_mask: access to entry "cn=francois,ou=people,dc=enatel,dc=local",
attr "objectClass" requested
[...]
<= check a_dn_pat: self
<= check a_dn_pat: cn=root,dc=enatel,dc=local
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=x) (stop)
<= acl_mask: [3] mask: auth(=x)
=> access_allowed: search access denied by auth(=x)

then a lookup in the sasldb2 file, then the error.

I have password-hash {CLEARTEXT} in slapd.conf, and the passwords are
cleartext (I checked).
Here are my ACLs:

access  to dn=".*,ou=people,dc=enatel,dc=local"
        by self write
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none

access  to *
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none

I think they are too restrictive.
What is wrong?

thanks

Francois


Francois,

When you first bind to the ldap server, it has no idea who <you> are. So what happens is that you are at first seen as an "anonymous" user in the initial stages of the authentication process. Since you are not giving search access to the objectclass it needs to figure out who you are, it is ending.

Also, your ACLs are likely incorrect in their arrangement. If you want cn=root,dc=enatel,dc=local to have write access to your entire tree, they should look like:

access to dn.base=""
       by * read

access to *
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * break

access to dn=".*,ou=people,dc=enatel,dc=local"
        by self write
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
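The ordered, first-match evaluation the reply relies on, including the `by * break` clause in its rearranged ACLs, can be traced with a small model. The following is an added example, not code from the thread or from OpenLDAP: a Python reimplementation of slapd's rule scanning that parses both ACL snippets quoted above verbatim and evaluates a few constructed requests against them. It assumes that a bare `dn=` target is a regex (slapd 2.1 syntax), that an omitted access level means `none`, and that a rule with no matching `by` clause or an exhausted rule list denies; it does not model the `continue` control, attribute-level targets, or the auth(=x) mask that appears in the poster's log.

```python
"""slapd-style ordered ACL evaluation with stop/break (added example, not
code from the thread or from OpenLDAP). Parses the two ACL snippets quoted
above verbatim and evaluates constructed requests against them. Not modelled:
`continue`, attribute-level targets, the auth(=x) mask seen in the log."""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weakest first

def parse_acls(text):
    """Parse `access to <what>` / `by <who> [<level>] [<control>]` lines into
    [(what, [(who, level, control), ...]), ...]; level defaults to "none"
    (as in `by * break`) and control to slapd's default "stop"."""
    rules = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"access\s+to\s+(.+)", line)
        if m:
            rules.append((m.group(1).strip(), []))
        elif line.startswith("by "):
            who, *rest = line.split()[1:]
            level = next((t for t in rest if t in LEVELS), "none")
            control = next((t for t in rest if t in ("stop", "break")), "stop")
            rules[-1][1].append((who, level, control))
    return rules

def _value(spec, prefix):  # strip `prefix` and quotes; DNs compare case-insensitively
    return spec[len(prefix):].strip('"').lower()

def what_matches(what, entry_dn):
    if what == "*":
        return True
    if what.startswith("dn.base="):            # exact DN; "" is the root DSE
        return _value(what, "dn.base=") == entry_dn.lower()
    if what.startswith("dn="):                 # bare dn= is a regex in slapd 2.1
        return re.search(_value(what, "dn="), entry_dn.lower()) is not None
    raise ValueError(f"unsupported <what>: {what}")

def who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "self":                          # bound DN is the entry itself
        return requester_dn != "" and requester_dn.lower() == entry_dn.lower()
    if who.startswith("dn.base="):
        return _value(who, "dn.base=") == requester_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")

def access_allowed(rules, requester_dn, entry_dn, requested):
    """Return (granted, trace). The first rule whose <what> matches the entry is
    used and its first matching `by` decides: `stop` ends evaluation, `break`
    moves to the next matching rule. No matching `by`, or no more rules, denies."""
    trace = []
    for i, (what, bys) in enumerate(rules):
        if not what_matches(what, entry_dn):
            continue
        for j, (who, level, control) in enumerate(bys):
            if not who_matches(who, requester_dn, entry_dn):
                continue
            trace.append(f"rule {i} by[{j}] {who} -> {level} ({control})")
            if control == "break":
                break                          # keep scanning later rules
            return LEVELS.index(level) >= LEVELS.index(requested), trace
        else:
            trace.append(f"rule {i}: no by clause matched")
            return False, trace
    trace.append("no more rules")
    return False, trace

# ACL sets copied verbatim from the question and from the reply.
ORIGINAL = parse_acls('''
access  to dn=".*,ou=people,dc=enatel,dc=local"
        by self write
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none
access  to *
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none
''')
REORDERED = parse_acls('''
access to dn.base=""
       by * read
access to *
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * break
access to dn=".*,ou=people,dc=enatel,dc=local"
        by self write
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none
''')
FRANCOIS = "cn=francois,ou=people,dc=enatel,dc=local"  # DN from the log
ROOT = "cn=root,dc=enatel,dc=local"                     # DN from the ACLs
ANON = ""                                               # anonymous bind

if __name__ == "__main__":  # constructed requests, run against both ACL sets
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        for req, entry, level in ((ANON, FRANCOIS, "search"), (ANON, "", "read"),
                                  (FRANCOIS, FRANCOIS, "write"), (ROOT, FRANCOIS, "write")):
            ok, trace = access_allowed(rules, req, entry, level)
            print(f"{name}: {req or 'anonymous'} {level} on {entry or 'root DSE'}:",
                  "granted" if ok else "denied", trace)
```

Running it traces why the quoted log ends where it does: under the original set the anonymous search on cn=francois lands on the first rule's `by * none` and stops, and even the root DSE is unreadable because `access to *` denies it. Under the rearranged set the root DSE becomes readable, the `by * break` clause lets a self-write on cn=francois fall through to the people rule, and cn=root's write is granted by the `access to *` rule. An anonymous search in the people subtree is still denied by that set, which is the separate point the reply opens with.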