sasl_regexp: won't work with internal search URL
Howdy,
I've been able to successfully use sasl_regexp in its more basic form...
directly mapping an authorization DN to a real entry DN. I'm coming up
dry, however, when trying to have slapd search for the authenticating
user's entry. This technique is documented in Admin Guide section
10.2.5. Is anyone out there using this technique in production? Are
there any known gotchas with it?
So... here's the specifics. See the following ldif. This is the user
as whom I'd like to authenticate
dn: ueid=XyZ123,ou=people,dc=enc,dc=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: uniqueEntryObject
objectClass: uniquePerson
sn: Test
cn: Jim Test
ueid: XyZ123
givenName: Jim
uid: testj
# This second value was added to facilitate testing of DN mapping
uid: XyZ123
userPassword:: ***********
"ueid" is a custom attr from custom auxiliary objectclass
uniqueEntryObject and it is being used as the naming attribute for
person entries. Its value is a unique random string. Here I've
artificially added a second "uid" value... set same as the "ueid"
attrib, just so I could test the direct DN mapping usage of
sasl_regexp. Speaking of which, the following works nicely:
sasl-regexp
uid=(.*),cn=plain,cn=auth
ueid=$1,ou=people,dc=enc,dc=edu
This ldapsearch works exactly as it should:
ldapsearch -b dc=enc,dc=edu -ZZ -U XyZ123 -Y plain ou=sys
Of course, this is not what I want, because I don't want the RDN value
of person entries to have anything to do with the 'uid' attribute.
Accordingly, I've tried this setting:
sasl-regexp
uid=(.*),cn=plain,cn=auth
ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=$1)(objectclass=person))
... with this search:
ldapsearch -b dc=enc,dc=edu -ZZ -U testj -Y plain ou=sys
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: Password verification failed
I've picked up that anonymous binding and searching of the uid attribute
is needed for this technique to work (yes?). I have very basic ACLs at
the moment... just what came with the sample slapd.conf . I'm pretty
sure they're not getting in the way:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
by self write
by users read
by anonymous auth
Appended below is slapd debug output (level 37) produced by the failed
ldapsearch. Things start to look weird to me around the calls to
get_filter()... but that's just rampant speculation. Is this broken, or
is my configuration wrong?
Thanks much,
Charles
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_read(13): unable to get TLS client DN error=49 id=0
connection_get(13)
connection_get(13): got connid=0
connection_read(13): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 36 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({o) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech PLAIN
==> sasl_bind: dn="" mech=PLAIN datalen=15
SASL Canonicalize [conn=0]: authcid="testj"
slap_sasl_getdn: id=testj [len=5]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
ldap_url_parse_ext(ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
dnNormalize: <ou=person,dc=enc,dc=edu>
=> ldap_bv2dn(ou=person,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=person,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=person,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=person,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=person,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=person,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=person,dc=enc,dc=edu" )
<= bdb_dn2id_matched: id=0x00000001: matched dc=enc,dc=edu
entry_decode: "dc=enc,dc=edu"
<= entry_decode(dc=enc,dc=edu)
====> bdb_cache_return_entry_r( 1 ): created (0)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=10 matched="dc=enc,dc=edu" text=""
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=testj,cn=plain,cn=auth"
SASL [conn=0] Failure: Could not open db
slap_sasl_getdn: id=testj [len=0]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
ldap_url_parse_ext(ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
dnNormalize: <ou=person,dc=enc,dc=edu>
=> ldap_bv2dn(ou=person,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=person,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=person,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=person,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=person,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=person,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=person,dc=enc,dc=edu" )
====> bdb_cache_find_entry_dn2id("dc=enc,dc=edu"): 1 (1 tries)
====> bdb_cache_find_entry_id( 1 ) "dc=enc,dc=edu" (found) (1 tries)
====> bdb_cache_return_entry_r( 1 ): returned (0)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=10 matched="dc=enc,dc=edu" text=""
<==slap_sasl2dn: Converted SASL name to <nothing>
ldap_err2string
SASL [conn=0] Failure: Invalid credentials
SASL Canonicalize [conn=0]: authcid="testj"
slap_sasl_getdn: id=testj [len=5]
getdn: u:id converted to uid=testj,cn=PLAIN,cn=auth
dnNormalize: <uid=testj,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=testj,cn=PLAIN,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=testj,cn=plain,cn=auth,272)=0
<<< dnNormalize: <uid=testj,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=testj,cn=plain,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=testj,cn=plain,cn=auth
slap_sasl_regexp: converted SASL name to ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
slap_parseURI: parsing ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person))
ldap_url_parse_ext(ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=testj)(objectclass=person)))
str2filter "(&(uid=testj)(objectclass=person))"
put_filter: "(&(uid=testj)(objectclass=person))"
put_filter: AND
put_filter_list "(uid=testj)(objectclass=person)"
put_filter: "(uid=testj)"
put_filter: simple
put_simple_filter: "uid=testj"
put_filter: "(objectclass=person)"
put_filter: simple
put_simple_filter: "objectclass=person"
begin get_filter
AND
begin get_filter_list
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
end get_filter_list
end get_filter 0
dnNormalize: <ou=person,dc=enc,dc=edu>
=> ldap_bv2dn(ou=person,dc=enc,dc=edu,0)
<= ldap_bv2dn(ou=person,dc=enc,dc=edu,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=person,dc=enc,dc=edu,272)=0
<<< dnNormalize: <ou=person,dc=enc,dc=edu>
slap_sasl2dn: performing internal search (base=ou=person,dc=enc,dc=edu, scope=2)
=> bdb_back_search
bdb_dn2entry_rw("ou=person,dc=enc,dc=edu")
=> bdb_dn2id_matched( "ou=person,dc=enc,dc=edu" )
====> bdb_cache_find_entry_dn2id("dc=enc,dc=edu"): 1 (1 tries)
====> bdb_cache_find_entry_id( 1 ) "dc=enc,dc=edu" (found) (1 tries)
====> bdb_cache_return_entry_r( 1 ): returned (0)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=10 matched="dc=enc,dc=edu" text=""
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=testj,cn=plain,cn=auth"
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Could not open db
SASL [conn=0] Failure: Password verification failed
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=80 matched="" text="SASL(-13): user not found: Password verification failed"
send_ldap_response: msgid=2 tag=97 err=80
ber_flush: 69 bytes to sd 13
<== slap_sasl_bind: rc=80
--
-------------------------------------------------------------------------
Charles N. Owens Email: owensc@enc.edu
http://www.enc.edu/~owensc
Senior Technology Officer
Information Technology Services Eastern Nazarene College
-------------------------------------------------------------------------
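An added example, not part of the post above and not OpenLDAP's own code: a small Python model of what slapd does with a sasl-regexp rule, so the two failure modes visible in the trace can be reproduced offline. It applies the regexp, expands $1 into either a DN or an LDAP URL, parses the URL into base/scope/filter, and runs the search against a constructed in-memory directory built from the LDIF in the post (the second person entry, ueid=Abc789, is hypothetical and exists only so an over-broad filter has something extra to match). Two things worth noticing from the page itself: the URL in the post uses the base ou=person,dc=enc,dc=edu while the LDIF entry sits under ou=people,dc=enc,dc=edu, and slapd's internal search reports matched="dc=enc,dc=edu", i.e. it could only resolve the base as far as the suffix. The model returns the same base-not-found outcome for that URL. The filter escaping of the captured value is this example's hardening choice (an authcid containing `*`, `(` or `)` would otherwise rewrite the search filter); it is not a claim about what the slapd version in the post does, so check your own version's behaviour.

```python
import re

# Constructed in-memory directory mirroring the LDIF in the post (hypothetical,
# plus a second person entry so that over-broad filters become visible).
_RAW = {
    "dc=enc,dc=edu": {"objectClass": ["top", "dcObject", "organization"]},
    "ou=people,dc=enc,dc=edu": {"objectClass": ["top", "organizationalUnit"]},
    "ueid=XyZ123,ou=people,dc=enc,dc=edu": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": ["testj", "XyZ123"], "ueid": ["XyZ123"], "cn": ["Jim Test"]},
    "ueid=Abc789,ou=people,dc=enc,dc=edu": {          # hypothetical extra entry
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["admin"], "ueid": ["Abc789"], "cn": ["Directory Admin"]},
}

def norm_dn(dn):
    """Crude DN normalisation (lowercase, no blanks after commas); enough for this toy."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

DIRECTORY = {norm_dn(dn): attrs for dn, attrs in _RAW.items()}

def escape_filter_value(v):
    """RFC 4515 escaping, so a captured authcid cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in v)

def sasl_regexp(sasl_name, rules):
    """Emulate sasl-regexp: first matching pattern wins, $N expands to group N.
    Escaping the captured text when the target is a URL is this example's choice."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name, re.IGNORECASE)
        if m:
            is_url = replacement.lower().startswith("ldap://")
            def sub(g):
                val = m.group(int(g.group(1)))
                return escape_filter_value(val) if is_url else val
            return re.sub(r"\$(\d)", sub, replacement)
    return None

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516 shape) into its parts."""
    rest = re.fullmatch(r"ldap://[^/]*/(.*)", url).group(1)
    base, attrs, scope, flt = (rest.split("?") + [""] * 4)[:4]
    return base, attrs, scope or "base", flt or "(objectClass=*)"

def parse_filter(s, i=0):
    """Tiny filter parser: (&..)(|..)(!..) and (attr=value). Returns (node, next_i)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1

def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def eval_filter(node, entry):
    op = node[0]
    if op == "&": return all(eval_filter(k, entry) for k in node[1])
    if op == "|": return any(eval_filter(k, entry) for k in node[1])
    if op == "!": return not eval_filter(node[1][0], entry)
    _, attr, value = node
    vals = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return bool(vals) if value == "*" else _unescape(value).lower() in vals

def internal_search(directory, base, scope, flt):
    """("ok", [dns]) or ("noSuchObject", matched_dn) when the base does not exist,
    mirroring the err/matched pair slapd logs in send_ldap_result."""
    nbase = norm_dn(base)
    if nbase not in directory:
        parts = nbase.split(",")
        matched = next((",".join(parts[k:]) for k in range(1, len(parts))
                        if ",".join(parts[k:]) in directory), "")
        return "noSuchObject", matched
    node, _ = parse_filter(flt)
    hits = []
    for dn, entry in directory.items():
        depth = dn.count(",") - nbase.count(",")
        below = dn == nbase or dn.endswith("," + nbase)
        in_scope = {"base": depth == 0, "one": depth == 1, "sub": True}[scope] and below
        if in_scope and eval_filter(node, entry):
            hits.append(dn)
    return "ok", hits

def sasl2dn(sasl_name, rules, directory=DIRECTORY):
    """Emulate slap_sasl2dn: a direct DN is returned unchecked; a URL is run as an
    internal search that must return exactly one entry."""
    out = sasl_regexp(sasl_name, rules)
    if out is None:
        return "nomatch", None
    if not out.lower().startswith("ldap://"):
        return "dn", norm_dn(out)
    base, _, scope, flt = parse_ldap_url(out)
    status, result = internal_search(directory, base, scope, flt)
    if status != "ok":
        return "nobase", result          # the outcome in the post's debug trace
    if len(result) != 1:
        return ("ambiguous" if result else "nouser"), result
    return "dn", result[0]

DIRECT = [(r"uid=(.*),cn=plain,cn=auth", "ueid=$1,ou=people,dc=enc,dc=edu")]
URL_PERSON = [(r"uid=(.*),cn=plain,cn=auth",
               "ldap:///ou=person,dc=enc,dc=edu??sub?(&(uid=$1)(objectclass=person))")]
URL_PEOPLE = [(r"uid=(.*),cn=plain,cn=auth",
               "ldap:///ou=people,dc=enc,dc=edu??sub?(&(uid=$1)(objectclass=person))")]

if __name__ == "__main__":
    for name, rules in [("direct", DIRECT), ("url ou=person", URL_PERSON), ("url ou=people", URL_PEOPLE)]:
        print(name, sasl2dn("uid=testj,cn=plain,cn=auth", rules))
    print("wildcard authcid", sasl2dn("uid=*,cn=plain,cn=auth", URL_PEOPLE))
```

Running it shows the direct rule producing a DN without any existence check, the ou=person URL stopping at the suffix with matched dc=enc,dc=edu, the ou=people URL resolving to the single ueid entry, and a wildcard authcid producing no match because the `*` was escaped before it reached the filter. The same model can be used to confirm that a candidate URL yields exactly one entry for every uid before the rule goes into slapd.conf.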