
SASL, in-directory passwords...



Has anyone actually gotten this to work?

After my latest reconfigure/compile, I am getting closer to being able to 
authenticate with SASL mechs, with SASL secrets being stored in the 
directory.

I try a simple search to test:

$ ldapsearch -D "uid=jeffw,ou=staff,o=chebucto,c=ca"  -b "o=chebucto,c=ca" 
"(objectclass=*)" -Y DIGEST-MD5

and get the result:

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: client 
response doesn't match what we generated

from the debug of slapd:

<snip>
>>> dnPrettyNormal: <uid=jeffw,ou=staff,o=chebucto,c=ca>
=> ldap_bv2dn(uid=jeffw,ou=staff,o=chebucto,c=ca,0)
<= ldap_bv2dn(uid=jeffw,ou=staff,o=chebucto,c=ca,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=jeffw,ou=staff,o=chebucto,c=ca,272)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=jeffw,ou=staff,o=chebucto,c=ca,272)=0
<<< dnPrettyNormal: <uid=jeffw,ou=staff,o=chebucto,c=ca>, 
<uid=jeffw,ou=staff,o=chebucto,c=ca>
do_sasl_bind: dn (uid=jeffw,ou=staff,o=chebucto,c=ca) mech DIGEST-MD5
==> sasl_bind: dn="uid=jeffw,ou=staff,o=chebucto,c=ca" mech=<continuing> 
datalen=283
SASL [conn=0] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=0]: authcid="jeffw"
slap_sasl_getdn: id=jeffw [len=5]
getdn: u:id converted to uid=jeffw,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=jeffw,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=jeffw,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=jeffw,cn=DIGEST-MD5,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=jeffw,cn=digest-md5,cn=auth,272)=0
<<< dnNormalize: <uid=jeffw,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=jeffw,cn=digest-md5,cn=auth to a 
DN
slap_sasl_regexp: converting SASL name uid=jeffw,cn=digest-md5,cn=auth
slap_sasl_regexp: converted SASL name to 
uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca
slap_parseURI: parsing uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca
ldap_url_parse_ext(uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca)
>>> dnNormalize: <uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca>
=> ldap_bv2dn(uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca,0)
<= ldap_bv2dn(uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca,272)=0
<<< dnNormalize: <uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca>
<==slap_sasl2dn: Converted SASL name to 
uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca
getdn: dn:id converted to uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca
SASL Canonicalize [conn=0]: 
authcDN="uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca"
=> bdb_back_search
bdb_dn2entry_rw("uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca")
=> bdb_dn2id_matched( "uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca" )
<= bdb_dn2id_matched: id=0x0000000c: entry 
uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca
entry_decode: "uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca"
<= entry_decode(uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca)
base_candidates: base: "uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca" 
(0x0000000c)
====> bdb_cache_return_entry_r( 12 ): created (0)
====> bdb_cache_find_entry_id( 12 ) 
"uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca" (found) (1 tries)
=> test_filter
    PRESENT
<= test_filter 6
slap_auxprop: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
====> bdb_cache_return_entry_r( 12 ): returned (0)
daemon: select: listen=6 active_threads=1 tvp=NULL
SASL Canonicalize [conn=0]: authzid="jeffw"
SASL [conn=0] Failure: client response doesn't match what we generated
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): authentication 
failure: client response doesn't match what we generated"
send_ldap_response: msgid=2 tag=97 err=49
</snip>


The DN mapping is correct... It seems to me that the problem is the 
"slap_auxprop" line... Why is slapd trying to use cmusaslsecretDIGEST-MD5 
and not userPassword? What have I done wrong?



configured with:
./configure --enable-crypt --with-cyrus-sasl

<snip>
checking for sasl/sasl.h... yes
checking for sasl.h... no
checking for sasl_client_init in -lsasl2... yes
checking Cyrus SASL library version... yes
checking for sasl_version... yes
</snip>

and the relevant .conf lines:

password-hash   {CLEARTEXT}

        sasl-regexp
          uid=(.*),cn=.*,cn=auth
          uid=$1,ou=staff,ou=people,o=chebucto,c=ca
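The Python below is an added example, not code from the post or from OpenLDAP. It models the two server-side steps visible in the debug output: the `getdn`/`slap_sasl_regexp` mapping of the SASL identity `jeffw` to a directory DN using the same `sasl-regexp` rule, and the DIGEST-MD5 check (RFC 2831) that produces "client response doesn't match what we generated" when the recomputed response differs. It assumes a dictionary in place of the bdb backend, constructed realm, nonce and URI values, and treats the regexp match as case-insensitive; the `cleartext_secret` helper shows why a DIGEST-MD5 server needs the password in recoverable form (the `password-hash {CLEARTEXT}` setting above): from a one-way `{SSHA}` hash the server cannot derive HA1 at all.

```python
import hashlib
import hmac
import re

# Constructed sasl-regexp rule mirroring the post's slapd.conf: a match pattern
# and a replacement in which $1 refers to the first capture group.
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=.*,cn=auth", "uid=$1,ou=staff,ou=people,o=chebucto,c=ca"),
]

# Constructed in-memory directory standing in for the bdb backend (assumption).
DIRECTORY = {
    "uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca": {"userPassword": "{CLEARTEXT}s3cret"},
    "uid=hashed,ou=staff,ou=people,o=chebucto,c=ca": {"userPassword": "{SSHA}bm90LWEtcmVhbC1oYXNo"},
}


def sasl_id_to_dn(authcid, mech, rules=SASL_REGEXP_RULES):
    """Reproduce the getdn -> slap_sasl_regexp step: u:<id> becomes
    uid=<id>,cn=<mech>,cn=auth (lower-cased by dnNormalize), then the first
    matching sasl-regexp rule rewrites it with $N group references."""
    sasl_dn = f"uid={authcid},cn={mech},cn=auth".lower()
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)  # assumed case-insensitive
        if m:
            return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), replacement)
    return None


def cleartext_secret(entry):
    """Return userPassword only if it is stored in cleartext ({CLEARTEXT} or no
    scheme prefix). Any one-way scheme such as {SSHA} is unusable for DIGEST-MD5."""
    pw = entry.get("userPassword")
    if pw is None:
        return None
    if pw.startswith("{"):
        scheme, _, value = pw[1:].partition("}")
        return value if scheme.upper() == "CLEARTEXT" else None
    return pw


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri, authzid=None):
    """RFC 2831 response-value: HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2))))."""
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 = inner + f":{nonce}:{cnonce}".encode("utf-8")      # raw 16-byte digest, then ':' parts
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def server_verify(authcid, mech, realm, client_params, client_response, directory=DIRECTORY):
    """Server side of the bind: map identity to DN, fetch the cleartext secret,
    recompute the expected response and compare in constant time."""
    dn = sasl_id_to_dn(authcid, mech)
    entry = directory.get(dn) if dn else None
    if entry is None:
        return (False, "no entry for mapped DN")
    password = cleartext_secret(entry)
    if password is None:
        return (False, "userPassword not in cleartext; cannot derive HA1")
    expected = digest_md5_response(authcid, realm, password, **client_params)
    if not hmac.compare_digest(expected, client_response):
        return (False, "client response doesn't match what we generated")
    return (True, dn)


if __name__ == "__main__":
    # Constructed challenge values; a real server generates the nonce per bind.
    params = dict(nonce="n0nce", cnonce="cn0nce", nc="00000001", qop="auth",
                  digest_uri="ldap/ldap.example.test")
    resp = digest_md5_response("jeffw", "example.test", "s3cret", **params)
    print(server_verify("jeffw", "DIGEST-MD5", "example.test", params, resp))
    print(server_verify("hashed", "DIGEST-MD5", "example.test", params, resp))
```

`digest_md5_response` reproduces the worked example in RFC 2831 section 4 (user `chris`, realm `elwood.innosoft.com`, password `secret`), which is a convenient check that the A1/A2 construction is right before relying on it to reason about a failing bind.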