SASL with OpenLDAP
I have been trying to set up my OpenLDAP server 2.1.19 in such a way
that I could test DIGEST-MD5.
The Administrator's Guide for OpenLDAP 2.1 says this:
" 10.2.3. DIGEST-MD5
This section describes the use of the SASL DIGEST-MD5 mechanism using
secrets stored either in the directory itself or in Cyrus SASL's own
database. "
So, I take it that I can have the LDAP server authenticate using
DIGEST-MD5 mechanism. Please let me know if it's trying to say
otherwise.
The config file is plain and simple:
include /usr/local/etc/openldap/schema/core.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# Disallow clear text exchange of passwords
disallow bind_simple_unprotected
disallow bind_anon
#DIGEST-MD5 entries stored in LDAP
password-hash {CLEARTEXT}
#
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
security ssf=1 update_ssf=112 simple_bind=64
# Read slapd.conf(5) for possible values
loglevel 2048 # Only entry parsing errors
sasl-realm athena.siegler.com
sasl-host localhost
sasl-secprops none
sasl-regexp uid=(.*),cn=.*,cn=.*,cn=auth uid=$1,ou=People,o=JNDITutorial,dc=my-domain,dc=com
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
#rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
If I search for a user with uid=diana:
./ldapsearch -b "dc=my-domain,dc=com" -s sub "(uid=diana)" -x -D "cn=Manager,dc=my-domain,dc=com" -w secret
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope sub
# filter: (uid=diana)
# requesting: ALL
#
# diana, People, JNDITutorial, my-domain.com
dn: uid=diana,ou=People,o=JNDITutorial,dc=my-domain,dc=com
cn: Diana Micu
sn: Micu
facsimileTelephoneNumber: +1 630 872-1122
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: uidObject
uid: diana
userPassword:: ZGlhbmFwYXNzd29yZA==
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
BUT if I try to search for the user:
./ldapsearch -Y DIGEST-MD5 -U diana -b "dc=my-domain,dc=com"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81)
And the trace is
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ber_scanf fmt (m) ber:
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 24 contents:
do_bind
ber_get_next
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({o) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=191
send_ldap_response: msgid=1 tag=97 err=14
ber_flush: 210 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 313 contents:
ber_get_next
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({o) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
getdn: u:id converted to
uid=diana,cn=athena.siegler.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=diana,cn=athena.siegler.com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=diana,cn=athena.siegler.com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=diana,cn=athena.siegler.com,cn=DIGEST-MD5,cn=auth,0)=0
=> ldap_dn2bv(272)
<=
ldap_dn2bv(uid=diana,cn=athena.siegler.com,cn=digest-md5,cn=auth,272)=0
<<< dnNormalize: <uid=diana,cn=athena.siegler.com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=diana,cn=athena.siegler.com,cn=digest-md5,cn=auth to a DN
slap_sasl_regexp: converting SASL name
uid=diana,cn=athena.siegler.com,cn=digest-md5,cn=auth
slap_sasl_regexp: converted SASL name to
uid=diana,ou=People,o=JNDITutorial,dc=my-domain,dc=com
slap_parseURI: parsing
uid=diana,ou=People,o=JNDITutorial,dc=my-domain,dc=com
ldap_url_parse_ext(uid=diana,ou=People,o=JNDITutorial,dc=my-domain,dc=com)
>>> dnNormalize:
<uid=diana,ou=People,o=JNDITutorial,dc=my-domain,dc=com>
=> ldap_bv2dn(uid=diana,ou=People,o=JNDITutorial,dc=my-domain,dc=com,0)
<=
ldap_bv2dn(uid=diana,ou=People,o=JNDITutorial,dc=my-domain,dc=com,0)=0
=> ldap_dn2bv(272)
<=
ldap_dn2bv(uid=diana,ou=people,o=jnditutorial,dc=my-domain,dc=com,272)=0
<<< dnNormalize:
<uid=diana,ou=people,o=jnditutorial,dc=my-domain,dc=com>
<==slap_sasl2dn: Converted SASL name to
uid=diana,ou=people,o=jnditutorial,dc=my-domain,dc=com
getdn: dn:id converted to
uid=diana,ou=people,o=jnditutorial,dc=my-domain,dc=com
Segmentation fault
Maybe I have this all wrong. Please help me.
Thank you much.
Delia Micu
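The trace above shows the two steps slapd takes before the crash: it builds a SASL authentication name of the form uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth, normalizes it, and then runs the sasl-regexp from slapd.conf over it to obtain the bind DN. The following Python script is an added illustration of that mapping, not code from the post or from OpenLDAP; it reuses the sasl-regexp and sasl-realm values from the post, assumes that normalization can be approximated by lowercasing, and treats the regexp as anchored to the whole name (slapd's actual matching and normalization rules are more elaborate).

```python
import re

# Values taken from the slapd.conf in the post.
SASL_REALM = "athena.siegler.com"
SASL_REGEXP = r"uid=(.*),cn=.*,cn=.*,cn=auth"
SASL_REPLACEMENT = "uid=$1,ou=People,o=JNDITutorial,dc=my-domain,dc=com"


def sasl_auth_name(user: str, realm: str, mech: str) -> str:
    """Build the name slapd derives from a SASL identity
    (the 'getdn: u:id converted to ...' line in the trace)."""
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def normalize(name: str) -> str:
    """Assumption: approximate slapd's DN normalization by lowercasing,
    which is what turns cn=DIGEST-MD5 into cn=digest-md5 in the trace."""
    return name.lower()


def map_sasl_name(name: str,
                  pattern: str = SASL_REGEXP,
                  replacement: str = SASL_REPLACEMENT):
    """Apply one sasl-regexp rule: return the mapped DN, or None when the
    rule does not match (slapd would then fall through to the next rule)."""
    m = re.fullmatch(pattern, name)
    if m is None:
        return None
    # slapd uses $1, $2, ... in the replacement; translate to Python's \g<N>.
    py_replacement = re.sub(r"\$(\d+)", r"\\g<\1>", replacement)
    return m.expand(py_replacement)


def bind_dn_for(user: str, mech: str, realm: str = SASL_REALM):
    """Full pipeline: SASL identity -> auth name -> normalized -> mapped DN."""
    return map_sasl_name(normalize(sasl_auth_name(user, realm, mech)))


if __name__ == "__main__":
    # Reproduces the conversion shown in the trace for user 'diana'.
    print(sasl_auth_name("diana", SASL_REALM, "DIGEST-MD5"))
    print(bind_dn_for("diana", "DIGEST-MD5"))
    # A name that is not a SASL auth name is left unmapped.
    print(map_sasl_name("cn=Manager,dc=my-domain,dc=com"))
```

Running it prints the same uid=diana,cn=athena.siegler.com,cn=DIGEST-MD5,cn=auth name and the same uid=diana,ou=People,o=JNDITutorial,dc=my-domain,dc=com result that appear in the trace, which is useful for confirming that a sasl-regexp rule maps each expected user to exactly one entry before debugging anything further down the bind path. Note that the greedy (.*) in the post's rule only captures the uid because the remainder of the pattern must still consume the realm and mechanism components.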