That isn't enough. You are starting with "uid=u00997" and need to end up with "cn=Andrew". These two strings have absolutely no relation to each other, so a simple regexp isn't sufficient. You need the regexp to perform a search in order to complete the mapping.

-- Howard Chu
Chief Architect, Symas Corp.  Director, Highland Sun
http://www.symas.com  http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Chapman, Kyle
>
> also, your regexp is resetting the auth dn which contains
> cn=u00997 to a dn in your db that starts out as uid=u00997.
> the dn you're trying to map to from your ldif example doesn't
> have the dn that contains 'u00997'. try setting your -U
> parameter to Andrew
>
> -----Original Message-----
> From: Cindy Wang [mailto:cwang@KiNETWORKS.com]
> Sent: Tuesday, March 18, 2003 6:32 PM
> To: Chapman, Kyle
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: test of SASL DIGEST-MD5 mechanism
>
>
> Thanks, Chapman for pointing out the typo to me. I corrected the typo,
> but got the same error message. Any other comments? Thanks.
>
> Cindy
>
> Chapman, Kyle wrote:
>
> >if you look at your regexp, cn=enigeer <> cn=engineer
> >
> >-----Original Message-----
> >From: Cindy Wang [mailto:cwang@KiNETWORKS.com]
> >Sent: Tuesday, March 18, 2003 5:51 PM
> >To: Chapman, Kyle
> >Cc: openldap-software@OpenLDAP.org
> >Subject: Re: test of SASL DIGEST-MD5 mechanism
> >
> >
> >I don't think it is a typo. The sasl-regexp directive is used to map
> >authentication identities to LDAP entries.
> >
> >Cindy
> >
> >Chapman, Kyle wrote:
> >
> >>is this a typo from your log?
> >>"uid=$1,cn=enigneer,dc=rtp,dc=KiNETWORKS,dc=com"
> >>
> >>your dn is:
> >>dn: cn=Andrew,cn=engineer,dc=rtp,dc=KiNETWORKS,dc=com
> >>
> >>-----Original Message-----
> >>From: Cindy Wang [mailto:cwang@kinetworks.com]
> >>Sent: Tuesday, March 18, 2003 2:17 PM
> >>To: openldap-software@OpenLDAP.org
> >>Subject: test of SASL DIGEST-MD5 mechanism
> >>
> >>
> >>Hi:
> >>
> >>I am trying to set up some simple tests of SASL DIGEST-MD5 mechanism
> >>running openldap.2.1.16 with SASL on Solaris 5.7. But when I did the
> >>search, I got the following message:
> >>
> >>ldapsearch -Y DIGEST-MD5 -U u00997 -b 'dc=rtp,dc=KiNETWORKS,dc=com' 'cn=Andrew'
> >>SASL/DIGEST-MD5 authentication started
> >>Please enter your password:
> >>ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
> >>        additional info: SASL(-13): user not found: no secret in database
> >>
> >>I have an entry in the Directory as the following:
> >>
> >># Andrew, engineer, rtp.KiNETWORKS.com
> >>dn: cn=Andrew,cn=engineer,dc=rtp,dc=KiNETWORKS,dc=com
> >>objectClass: person
> >>objectClass: inetOrgPerson
> >>cn: Andrew
> >>sn: Findlay
> >>uid: u00997
> >>userPassword:: c2VjcmV0
> >>
> >>================== slapd.conf ====================
> >>password-hash {CLEARTEXT}
> >>sasl-regexp
> >>    uid=(.*),cn=rtp.KiNETWORKS.com,cn=digest-md5,cn=auth
> >>    uid=$1,cn=enigneer,dc=rtp,dc=KiNETWORKS,dc=com
> >>================================================
> >>
> >>Could anyone tell if anything is wrong with the above sasl-regexp
> >>mapping?
> >>I even ran the debugger and found that in servers/slapd/saslauthz.c,
> >>at line 302, the function call regexec( ) didn't return a 0 with the
> >>above sasl-regexp.
> >>And the following is in the "reg" structure during the debugging:
> >>*reg = {
> >>    sr_match     = 0x83e3fd8 "uid=(.*),cn=rtp.KiNETWORKS.com,cn=digest-md5,cn=auth"
> >>    sr_replace   = 0x83a67b8 "uid=$1,cn=enigneer,dc=rtp,dc=KiNETWORKS,dc=com"
> >>    sr_workspace = {
> >>        re_nsub   = 1U
> >>        re_comp   = 0x83baba8
> >>        re_cflags = 5
> >>        re_erroff = 0
> >>        re_len    = 108U
> >>        re_sc     = 0x83bac30
> >>    }
> >>}
> >>
> >>================== log information for the slapd ==========================
> >>==slap_sasl2dn: Converted SASL name to <nothing>
> >>SASL Canonicalize [conn=0]: authcDN="uid=u00997,cn=digest-md5,cn=auth"
> >>SASL Canonicalize [conn=0]: authzid="u00997"
> >>SASL [conn=0] Failure: no secret in database
> >>send_ldap_result: conn=0 op=1 p=3
> >>send_ldap_result: err=80 matched="" text="SASL(-13): user not found: no secret in database"
> >>send_ldap_response: msgid=2 tag=97 err=80
> >>ber_flush: 62 bytes to sd 11
> >>ldap_write: want=62, written=62
> >>conn=0 op=1 RESULT tag=97 err=80 text=SASL(-13): user not found: no secret in database
> >><== slap_sasl_bind: rc=80
> >>daemon: select: listen=7 active_threads=1 tvp=NULL
> >>daemon: activity on 1 descriptors
> >>daemon: activity on: 11r
> >>daemon: read activity on 11
> >>connection_get(11)
> >>connection_get(11): got connid=0
> >>connection_read(11): checking for input on id=0
> >>ber_get_next
> >>ldap_read: want=9, got=0
> >>
> >>ber_get_next on fd 11 failed errno=0 (Error 0)
> >>connection_read(11): input error=-2 id=0, closing.
> >>connection_closing: readying conn=0 sd=11 for close
> >>connection_close: conn=0 sd=11
> >>daemon: removing 11
> >>conn=0 fd=11 closed
> >>daemon: select: listen=7 active_threads=0 tvp=NULL
> >>daemon: activity on 1 descriptors
> >>daemon: select: listen=7 active_threads=0 tvp=NULL
> >>
> >>======================================================================
> >>
> >>Thanks very much for your help.
> >>
> >>Cindy Wang
> >>Software Product Engineer
> >>KiNETWORKS
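An added illustration of the mapping problem discussed in this thread (not code from the thread or from OpenLDAP): it replays the logged authcDN against the posted sasl-regexp rule, a direct-rewrite rule, and a search-URL rule. Assumptions: Python's `re` stands in for slapd's regexec, `DIRECTORY` is a constructed in-memory copy of the posted entry, and `DIRECT_RULE` and `SEARCH_RULE` are hypothetical rules written for this example using the `ldap:///base??scope?filter` replacement form of sasl-regexp.

```python
import re

# Constructed stand-in for the directory: the single entry from the thread's LDIF.
DIRECTORY = {
    "cn=Andrew,cn=engineer,dc=rtp,dc=KiNETWORKS,dc=com": {"cn": "Andrew", "uid": "u00997"},
}

# authcDN exactly as slapd logged it in the thread (note: no realm component).
LOGGED_AUTHC_DN = "uid=u00997,cn=digest-md5,cn=auth"

# Rule as posted in the thread's slapd.conf.
POSTED_RULE = (r"uid=(.*),cn=rtp.KiNETWORKS.com,cn=digest-md5,cn=auth",
               "uid=$1,cn=enigneer,dc=rtp,dc=KiNETWORKS,dc=com")
# Hypothetical rules added for this example; the pattern matches the logged DN.
DIRECT_RULE = (r"uid=(.*),cn=digest-md5,cn=auth",
               "uid=$1,cn=engineer,dc=rtp,dc=KiNETWORKS,dc=com")
SEARCH_RULE = (r"uid=(.*),cn=digest-md5,cn=auth",
               "ldap:///dc=rtp,dc=KiNETWORKS,dc=com??sub?(uid=$1)")


def search(url):
    """Resolve ldap:///base??sub?(attr=value); accept only a unique hit."""
    base, _attrs, _scope, flt = url[len("ldap:///"):].split("?")
    attr, value = flt.strip("()").split("=", 1)
    hits = [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and entry.get(attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None


def map_sasl_dn(authc_dn, rules):
    """Return the DN produced by the first matching rule, or None."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m is None:
            continue
        # slapd writes back-references as $1..$9.
        target = re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)
        return search(target) if target.startswith("ldap:///") else target
    return None


def has_secret(dn):
    """True when the mapped DN names an entry that can supply the password."""
    return dn is not None and dn in DIRECTORY
```

The posted rule never matches the logged DN, the direct rewrite yields a `uid=u00997,...` DN that names no entry, and only the search rule lands on the `cn=Andrew` entry that holds the password.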