Please help with the auth for the ROOTDN and SASL2. Maybe I've missed something?



Hi!

Could you please give me any advice on how to set up authentication of the
rootdn using SASL? I'd like to store the password in sasldb2....

I have Slackware 9.1
SASL 2.1.15 (with digest-md5,plain,cram-md5,otp,srp)
OpenLDAP 2.1.23
ldd slapd gives the right output (sasl libs are linked)

My slapd.conf:
#########################
allow           bind_v2
backend      bdb
database     bdb
pidfile         /var/run/slapd.pid
argsfile       /var/openldap/slapd.args
directory     /var/openldap/openldap-data
include       /etc/openldap/schema/core.schema
include       /etc/openldap/schema/misc.schema
include       /etc/openldap/schema/cosine.schema
include       /etc/openldap/schema/inetorgperson.schema
modulepath      /usr/libexec/openldap
moduleload      back_passwd.la
loglevel        -1
suffix          "dc=myorg,dc=org"
sasl-regexp
                uid=(.*),cn=.*,cn=auth
                uid=$1,dc=myorg,dc=org
rootdn          "cn=ldapadm,dc=myorg,dc=org"
index           cn,sn,uid pres,eq,approx,sub
index           objectClass eq
access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=ldapadm,dc=myorg,dc=org" write
    by * none
access to *
    by self write
    by dn.base="cn=ldapadm,dc=myorg,dc=org" write
    by * read

the entry for the sasldb2:
#########################
ldapadm@myhost: userPassword
ldapadm@myhost: cmusaslsecretSRP
ldapadm@myhost: cmusaslsecretOTP

The DN entry was inserted with LDAP auth, when all SASL-related entries
had been commented out (slapd.conf with):
#########################
rootdn          "cn=ldapadm,dc=myorg,dc=org"
rootpw          secret

The initial LDIF entry was:
#########################
dn: dc=myorg, dc=org
objectclass: dcObject
objectClass: organization
dc: myorg
o: My Org
description: My Organization.

dn: cn=ldapadm,dc=myorg,dc=org
objectClass: InetOrgPerson
cn: ldapadm
uid: ldapadm
sn: ldapadm

After that, slapd was restarted with the slapd.conf listed above (all
SASL entries, including sasl-regexp and all other...).
Trying to use ldapadd, I receive the error:
#########################
ldapadm@myhost:/etc/openldap$ ldapadd -X "uid=ldapadm,cn=auth,cn=digest-md5" -W -f /etc/openldap/orig/organization.ldiff
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
additional info: SASL(-14): authorization failure: unable authorization ID
ldapadm@myhost:/etc/openldap$

and the debug log gives me the following entries:
#########################
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({o) ber:
ber_scanf fmt (m) ber:

ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>

<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=323
SASL [conn=0] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=0]: authcid="ldapadm"
slap_sasl_getdn: id=ldapadm [len=7]
getdn: u:id converted to uid=ldapadm,cn=DIGEST-MD5,cn=auth

>>> dnNormalize: <uid=ldapadm,cn=DIGEST-MD5,cn=auth>

=> ldap_bv2dn(uid=ldapadm,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldapadm,cn=DIGEST-MD5,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldapadm,cn=digest-md5,cn=auth,272)=0
<<< dnNormalize: <uid=ldapadm,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=ldapadm,cn=digest-md5,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=ldapadm,cn=digest-md5,cn=auth
slap_sasl_regexp: converted SASL name to uid=ldapadm,dc=myorg,dc=org
slap_parseURI: parsing uid=ldapadm,dc=myorg,dc=org
ldap_url_parse_ext(uid=ldapadm,dc=myorg,dc=org)

>>> dnNormalize: <uid=ldapadm,dc=myorg,dc=org>

=> ldap_bv2dn(uid=ldapadm,dc=myorg,dc=org,0)
<= ldap_bv2dn(uid=ldapadm,dc=myorg,dc=org,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldapadm,dc=myorg,dc=org,272)=0
<<< dnNormalize: <uid=ldapadm,dc=myorg,dc=org>
<==slap_sasl2dn: Converted SASL name to uid=ldapadm,dc=myorg,dc=org
getdn: dn:id converted to uid=ldapadm,dc=myorg,dc=org
SASL Canonicalize [conn=0]: authcDN="uid=ldapadm,dc=myorg,dc=org"
=> bdb_back_search
bdb_dn2entry_rw("uid=ldapadm,dc=myorg,dc=org")
=> bdb_dn2id_matched( "uid=ldapadm,dc=myorg,dc=org" )
<= bdb_dn2id_matched: id=0x00000001: matched dc=myorg,dc=org
entry_decode: "dc=myorg,dc=org"
<= entry_decode(dc=myorg,dc=org)
====> bdb_cache_return_entry_r( 1 ): created (0)
send_ldap_result: conn=0 op=0 p=3
send_ldap_result: err=10 matched="dc=myorg,dc=org" text=""
SASL Canonicalize [conn=0]: authzid="uid=ldapadm,cn=auth,cn=digest-md5"
slap_sasl_getdn: id=uid=ldapadm,cn=auth,cn=digest-md5 [len=33]
ldap_err2string
SASL [conn=0] Failure: Inappropriate authentication
SASL [conn=0] Failure: unable authorization ID
send_ldap_result: conn=0 op=2 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: unable authorization ID"
send_ldap_response: msgid=3 tag=97 err=50
ber_flush: 71 bytes to sd 12
connection_get(12)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=12 for close
connection_close: deferring conn=0 sd=12
<== slap_sasl_bind: rc=50
connection_resched: attempting closing conn=0 sd=12
connection_close: conn=0 sd=12


Thank you in advance.

Ilya
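Editor's note, added here and not part of Ilya's message: the debug log above shows two separate things. First, the sasl-regexp maps the SASL identity uid=ldapadm,cn=digest-md5,cn=auth to uid=ldapadm,dc=myorg,dc=org, which is neither the DN of the admin entry (cn=ldapadm,dc=myorg,dc=org) nor the configured rootdn, so even a successful bind would not carry rootdn rights. Second, the bind fails earlier than that: the value given to ldapadd -X is used verbatim as the authorization ID (the log line "SASL Canonicalize [conn=0]: authzid=..." followed by "Inappropriate authentication"), and slapd only accepts authorization IDs of the form u:<username> or dn:<DN>. The slapd.conf fragment below is an added example (OpenLDAP 2.1 directive syntax, not the poster's own configuration) showing both corrections; it assumes the poster's suffix, the existing entry cn=ldapadm,dc=myorg,dc=org with uid: ldapadm, the SASL user ldapadm in sasldb2, and no SASL realm configured (if a realm is set, the identity carries an extra cn=<realm> component; copy the exact form that appears in the server's own debug output). The rest of the posted slapd.conf is left as it is.

```conf
# Added example slapd.conf fragment (OpenLDAP 2.1 syntax), not taken from the
# original post. Assumptions: suffix dc=myorg,dc=org, an existing admin entry
# cn=ldapadm,dc=myorg,dc=org carrying uid: ldapadm, SASL user "ldapadm" in
# sasldb2, and no SASL realm (so the identity is uid=ldapadm,cn=digest-md5,cn=auth).

suffix          "dc=myorg,dc=org"

# Posted mapping (kept here commented out for comparison): it rewrites the
# SASL identity to uid=ldapadm,dc=myorg,dc=org, a DN that does not exist and
# is not the rootdn, so the bound identity would never get rootdn privileges.
#sasl-regexp
#                uid=(.*),cn=.*,cn=auth
#                uid=$1,dc=myorg,dc=org

# Option A: map the SASL user name onto the DN the admin entry actually has.
# The mapped DN equals the rootdn, so a DIGEST-MD5 bind as "ldapadm" is treated
# as the rootdn and bypasses the ACLs, as a rootpw bind would.
sasl-regexp
                uid=(.*),cn=.*,cn=auth
                cn=$1,dc=myorg,dc=org
rootdn          "cn=ldapadm,dc=myorg,dc=org"

# Option B (use instead of A, with no sasl-regexp at all): name the SASL
# identity itself as rootdn. The rootdn need not correspond to any entry in
# the directory, so no ldapadm entry is required for this to work.
#rootdn          "uid=ldapadm,cn=digest-md5,cn=auth"

# Client side, for either option. Give the authentication ID explicitly with
# -U and either omit -X (the authorization ID then defaults to the
# authenticated identity) or pass it in the accepted u:<user> or dn:<DN> form:
#
#   ldapadd -U ldapadm -W -f /etc/openldap/orig/organization.ldiff
#   ldapadd -U ldapadm -X u:ldapadm -W -f /etc/openldap/orig/organization.ldiff
#   ldapadd -U ldapadm -X dn:cn=ldapadm,dc=myorg,dc=org -W -f organization.ldiff
#
# Check which DN the server actually bound before adding anything:
#
#   ldapwhoami -U ldapadm -W
#
# With option A this should report dn:cn=ldapadm,dc=myorg,dc=org; with option B,
# dn:uid=ldapadm,cn=digest-md5,cn=auth. Only then will ldapadd against a
# database whose ACL grants "by * read" succeed, because the bind is the rootdn.
```

A practical caveat on the ACLs in the posted slapd.conf: the "by dn.base=cn=ldapadm,dc=myorg,dc=org write" clauses are harmless but do nothing for the rootdn, which is exempt from access control; they only matter if ldapadm ever binds as an ordinary entry (for example via simple bind with a userPassword attribute) rather than as the rootdn. Keeping rootpw commented out, as the poster did once SASL works, is the right choice: it leaves the rootdn reachable only through the SASL-authenticated identity.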