Re: upgraded and all goes down...
On Thu, 18 Dec 2003, Alexander Lunyov wrote:
> Hello Alexander,
>
> Wednesday, December 17, 2003, 9:57:14 PM, you wrote:
>
> HC>> Please update to the current OpenLDAP release (at least 2.1.25). Among other
> HC>> important bug fixes, the ldapsasl README file has also been updated with more
> HC>> usage notes.
>
> AL> I wanted to, but there is still a 2.1.23 port in the FreeBSD ports
> AL> collection (as of this week's cvsup). I think I'll do this port
> AL> myself and see whether it works. Also I'll have to change the
> AL> ldapdb-auxprop port (my own port, for convenience when
> AL> installing the auxprop plugin), because SASL is already 2.1.17 now, and
> AL> the old ldapdb-auxprop port is based on the 2.1.15 distfile of SASL.
>
> All is ruined. I've upgraded to cyrus-sasl-2.1.17,
> openldap-2.1.25 and cyrus-imapd-2.1.16, compiled the auxprop
> plugin and... it's not working. The ldapdb plugin is not working:
> neither the one freshly compiled from the openldap-2.1.25 contribs,
> nor the old one from 2.1.23. I don't know how to take it all back.
> Tomorrow everything has to be OK. This message is an S.O.S.,
> I think.
>
> Details:
>
> When I try ldapwhoami or ldapsearch with DIGEST-MD5
> auth, all is fine. Even proxy auth works fine:
>
> From the beginning: 'lan' is a user, 'cyradm' is a proxy
> user for plugin auth.
>
> In /usr/local/lib/sasl2/Cyrus.conf:
> =========================================
> auxprop_plugin: ldapdb
> #pwcheck_method: auxprop
> ldapdb_uri: ldap:///
> ldapdb_id: cyradm
> ldapdb_pw: password
> ldapdb_mech: DIGEST-MD5
> mech_list: plain login digest-md5 cram-md5
> =========================================
>
> In /usr/local/lib/sasl2/slapd.conf:
> =========================================
> auxprop_plugin: slapd
> =========================================
>
> In /usr/local/etc/openldap/slapd.conf:
> =========================================
> [skipped]
> sasl-regexp uid=(.*),cn=.*,cn=auth
> ldap:///ou=users,dc=domain,dc=ru??sub?(uid=$1)
>
If you want to know the gory details, see
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=2871;selectid=2871
The following should fix your problem:
Add sasl-regexp:
sasl-regexp uid=(.*),cn=auth
ldap:///ou=users,dc=domain,dc=ru??sub?(uid=$1)
or
modify the existing one:
sasl-regexp uid=(.*),cn=.*
ldap:///ou=users,dc=domain,dc=ru??sub?(uid=$1)
> sasl-authz-policy to
> password-hash {CLEARTEXT}
> [skipped]
> =========================================
>
> In 'cyradm' LDIF:
> =========================================
> dn: uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru
> mail: cyradm-mail
> uid: cyradm
> objectClass: personAccount
> sn: cyradm
> cn: cyradm
> userPassword: password
> saslAuthzTo: uid=.*,node=.*,ou=users,dc=domain,dc=ru
> =========================================
>
> But proxy auth is working.
>
> =========================================
> # ldapwhoami -U cyradm -X u:lan -Y DIGEST-MD5 -H ldap:///
> SASL/DIGEST-MD5 authentication started
> Please enter your password: {here i'm typing password for user 'cyradm'}
> SASL username: u:lan
> SASL SSF: 128
> SASL installing layers
> dn:uid=lan,node=33(10),ou=users,dc=domain,dc=ru
> =========================================
>
> But when I try to test the ldapdb plugin with the 'imtest' utility,
> it fails. And with any mail program it fails. I don't know why, but
> it fails. Now I'm thinking that I shouldn't have upgraded at all... But
> now it's all done, and I have to work it out.
>
> Log file (simple) when cyrus-imapd fails to authorize the user:
>
> =========================================
> conn=12 op=1 BIND dn="uid=cyradm,node=33(10),ou=users,dc=startatom,dc=ru" mech=DIGEST-MD5 ssf=128
> conn=12 op=2 RESULT tag=120 err=47 text=not authorized to assume identity
> =========================================
>
> I've never seen such an error before.
> In a full log (loglevel 769):
>
> =========================================
> conn=2 fd=9 ACCEPT from IP=127.0.0.1:4997 (IP=0.0.0.0:389)
> connection_get(9): got connid=2
> connection_read(9): checking for input on id=2
> ber_get_next on fd 9 failed errno=35 (Resource temporarily unavailable)
> do_bind
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> do_sasl_bind: dn () mech DIGEST-MD5
> conn=2 op=0 BIND dn="" method=163
> SASL [conn=2] Debug: DIGEST-MD5 server step 1
> send_ldap_sasl: err=14 len=192
> send_ldap_response: msgid=1 tag=97 err=14
> <== slap_sasl_bind: rc=14
> connection_get(9): got connid=2
> connection_read(9): checking for input on id=2
> ber_get_next on fd 9 failed errno=35 (Resource temporarily unavailable)
> do_bind
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> do_sasl_bind: dn () mech DIGEST-MD5
> conn=2 op=1 BIND dn="" method=163
> SASL [conn=2] Debug: DIGEST-MD5 server step 2
> getdn: u:id converted to uid=cyradm,cn=DIGEST-MD5,cn=auth
> >>> dnNormalize: <uid=cyradm,cn=DIGEST-MD5,cn=auth>
> <<< dnNormalize: <uid=cyradm,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=cyradm,cn=digest-md5,cn=auth to a DN
> slap_sasl_regexp: converting SASL name uid=cyradm,cn=digest-md5,cn=auth
> slap_sasl_regexp: converted SASL name to ldap:///ou=users,dc=domain,dc=ru??sub?(uid=cyradm)
> slap_parseURI: parsing ldap:///ou=users,dc=domain,dc=ru??sub?(uid=cyradm)
> >>> dnNormalize: <ou=users,dc=domain,dc=ru>
> <<< dnNormalize: <ou=users,dc=domain,dc=ru>
> slap_sasl2dn: performing internal search (base=ou=users,dc=domain,dc=ru, scope=2)
> => ldbm_back_search
> dn2entry_r: dn: "ou=users,dc=domain,dc=ru"
> => dn2id( "ou=users,dc=domain,dc=ru" )
> ====> cache_find_entry_dn2id("ou=users,dc=domain,dc=ru"): 3 (1 tries)
> <= dn2id 3 (in cache)
> => id2entry_r( 3 )
> ====> cache_find_entry_id( 3 ) "ou=users,dc=domain,dc=ru" (found) (1 tries)
> <= id2entry_r( 3 ) 0x8125980 (cache)
> search_candidates: base="ou=users,dc=domain,dc=ru" s=2 d=0
> => filter_candidates
> => list_candidates 0xa0
> => filter_candidates
> => dn2idl( "@ou=users,dc=domain,dc=ru" )
> => ldbm_cache_open( "dn2id.dbb", 73, 600 )
> <= ldbm_cache_open (cache 0)
> <= filter_candidates 197
> => filter_candidates
> => list_candidates 0xa1
> => filter_candidates
> => equality_candidates
> => ldbm_cache_open( "objectClass.dbb", 73, 600 )
> <= ldbm_cache_open (cache 3)
> => key_read
> <= index_read 0 candidates
> <= equality_candidates NULL
> <= equality_candidates 0
> <= filter_candidates 0
> => filter_candidates
> => equality_candidates
> <= equality_candidates: index_param returned=18
> <= filter_candidates 244
> <= list_candidates 244
> <= filter_candidates 244
> <= list_candidates 197
> <= filter_candidates 197
> ====> cache_return_entry_r( 3 ): returned (0)
> => id2entry_r( 3 )
> ====> cache_find_entry_id( 3 ) "ou=users,dc=domain,dc=ru" (found) (1 tries)
> <= id2entry_r( 3 ) 0x8125980 (cache)
> => string_expand: pattern: cn=replica,dc=domain,dc=ru
> => string_expand: expanded: cn=replica,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> => string_expand: pattern: cn=usermaster,dc=domain,dc=ru
> => string_expand: expanded: cn=usermaster,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> ldbm_search: candidate entry 3 does not match filter
> ====> cache_return_entry_r( 3 ): returned (0)
> => id2entry_r( 9 )
> ====> cache_find_entry_id( 9 ) "node=33(10),ou=users,dc=domain,dc=ru" (found) (1 tries)
> <= id2entry_r( 9 ) 0x8125b00 (cache)
> => string_expand: pattern: cn=replica,dc=domain,dc=ru
> => string_expand: expanded: cn=replica,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> => string_expand: pattern: cn=usermaster,dc=domain,dc=ru
> => string_expand: expanded: cn=usermaster,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> ldbm_search: candidate entry 9 does not match filter
> ====> cache_return_entry_r( 9 ): returned (0)
> => id2entry_r( 10 )
> ====> cache_find_entry_id( 10 ) "uid=lan,node=33(10),ou=users,dc=domain,dc=ru" (found) (1 tries)
> <= id2entry_r( 10 ) 0x8125c00 (cache)
> => string_expand: pattern: cn=replica,dc=domain,dc=ru
> => string_expand: expanded: cn=replica,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> => string_expand: pattern: cn=usermaster,dc=domain,dc=ru
> => string_expand: expanded: cn=usermaster,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> ldbm_search: candidate entry 10 does not match filter
> ====> cache_return_entry_r( 10 ): returned (0)
> => id2entry_r( 11 )
>
> [skip - same blocks of log, nothing interesting]
>
> ====> cache_return_entry_r( 243 ): returned (0)
> <==slap_sasl2dn: Converted SASL name to uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru
> getdn: dn:id converted to uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru
> => ldbm_back_search
> dn2entry_r: dn: "uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru"
> => dn2id( "uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru" )
> ====> cache_find_entry_dn2id("uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru"): 175 (1 tries)
> <= dn2id 175 (in cache)
> => id2entry_r( 175 )
> ====> cache_find_entry_id( 175 ) "uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru" (found) (1 tries)
> <= id2entry_r( 175 ) 0x8a6b6c0 (cache)
> base_candidates: base: "uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru"
> ====> cache_return_entry_r( 175 ): returned (0)
> => id2entry_r( 175 )
> ====> cache_find_entry_id( 175 ) "uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru" (found) (1 tries)
> <= id2entry_r( 175 ) 0x8a6b6c0 (cache)
> => string_expand: pattern: cn=replica,dc=domain,dc=ru
> => string_expand: expanded: cn=replica,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> => string_expand: pattern: cn=usermaster,dc=domain,dc=ru
> => string_expand: expanded: cn=usermaster,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> => string_expand: pattern: cn=usermaster,dc=domain,dc=ru
> => string_expand: expanded: cn=usermaster,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> => string_expand: pattern: cn=replica,dc=domain,dc=ru
> => string_expand: expanded: cn=replica,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> => string_expand: pattern: cn=admin,dc=domain,dc=ru
> => string_expand: expanded: cn=admin,dc=domain,dc=ru
> => regex_matches: string:
> => regex_matches: rc: 1 no matches
> slap_auxprop: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
> ====> cache_return_entry_r( 175 ): returned (0)
> conn=2 op=1 BIND authcid="cyradm"
> SASL Authorize [conn=2]: authorization allowed
>
> OK, here it's all right. But then...
>
> send_ldap_sasl: err=0 len=40
> send_ldap_response: msgid=2 tag=97 err=0
> <== slap_sasl_bind: rc=0
> conn=2 op=1 BIND dn="uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru" mech=DIGEST-MD5 ssf=128
> do_bind: SASL/DIGEST-MD5 bind: dn="uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru" ssf=128
> connection_get(9): got connid=2
> connection_read(9): checking for input on id=2
> ber_get_next on fd 9 failed errno=35 (Resource temporarily unavailable)
> do_extended
> => get_ctrls
> => get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
> getdn: u:id converted to uid=root,cn=auth
> >>> dnNormalize: <uid=root,cn=auth>
> <<< dnNormalize: <uid=root,cn=auth>
>
> And now, where does this 'uid=root,cn=auth' come from?! So, after that
>
> ==>slap_sasl2dn: converting SASL name uid=root,cn=auth to a DN
> slap_sasl_regexp: converting SASL name uid=root,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> parseProxyAuthz: conn=2 "uid=root,cn=auth"
> ==>slap_sasl_authorized: can uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru become uid=root,cn=auth?
> ==>slap_sasl_check_authz: does uid=root,cn=auth match saslAuthzTo rule in uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru?
> dn2entry_r: dn: "uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru"
> => dn2id( "uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru" )
> ====> cache_find_entry_dn2id("uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru"): 175 (1 tries)
> <= dn2id 175 (in cache)
> => id2entry_r( 175 )
> ====> cache_find_entry_id( 175 ) "uid=cyradm,node=33(10),ou=users,dc=domain,dc=ru" (found) (1 tries)
> <= id2entry_r( 175 ) 0x8a6b6c0 (cache)
> ====> cache_return_entry_r( 175 ): returned (0)
> ldbm_back_attribute: rc=0 nvals=1
> ===>slap_sasl_match: comparing DN uid=root,cn=auth to rule uid=.*,node=.*,ou=users,dc=domain,dc=ru
> slap_parseURI: parsing uid=.*,node=.*,ou=users,dc=domain,dc=ru
> >>> dnNormalize: <uid=.*,node=.*,ou=users,dc=domain,dc=ru>
> <<< dnNormalize: <uid=.*,node=.*,ou=users,dc=domain,dc=ru>
> <===slap_sasl_match: comparison returned 48
> <==slap_sasl_check_authz: saslAuthzTo check returning 48
> <== slap_sasl_authorized: return 48
> <= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
> send_ldap_result: conn=2 op=2 p=3
> send_ldap_response: msgid=3 tag=120 err=47
> conn=2 op=2 RESULT tag=120 err=47 text=not authorized to assume identity
> do_extended: get_ctrls failed
> connection_get(9): got connid=2
> connection_read(9): checking for input on id=2
> ber_get_next on fd 9 failed errno=0 (Undefined error: 0)
> connection_read(9): input error=-2 id=2, closing.
> connection_closing: readying conn=2 sd=9 for close
> connection_close: deferring conn=2 sd=9
> do_unbind
> conn=2 op=3 UNBIND
> connection_resched: attempting closing conn=2 sd=9
> connection_close: conn=2 sd=9
> conn=2 fd=9 closed
> =========================================
--
Igor
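To make the failure in the log and the suggested fix concrete, here is an added example (not code from the thread or from OpenLDAP) that emulates slapd's sasl-regexp mapping and saslAuthzTo check against a small constructed directory. It reproduces the err=47 for the proxy authorization identity uid=root,cn=auth, which carries no mechanism component and so never matches uid=(.*),cn=.*,cn=auth, and shows the first suggestion (adding a second rule) making the same request succeed. The uid=root entry is assumed; the thread never shows it.

```python
import re

# Constructed directory fragment modelled on the entries quoted in the thread.
# The uid=root entry is an assumption: only the proxy request for it is shown.
BASE = "ou=users,dc=domain,dc=ru"
DIRECTORY = {
    f"uid=lan,node=33(10),{BASE}": {"uid": "lan"},
    f"uid=root,node=33(10),{BASE}": {"uid": "root"},  # assumed entry
    f"uid=cyradm,node=33(10),{BASE}": {
        "uid": "cyradm",
        "saslAuthzTo": f"uid=.*,node=.*,{BASE}",  # rule from the cyradm LDIF
    },
}
SEARCH_URI = f"ldap:///{BASE}??sub?(uid=$1)"

# sasl-regexp rules in slapd order: the original rule alone, and the thread's
# first suggestion of adding a second rule without a mechanism component.
ORIGINAL_RULES = [(r"uid=(.*),cn=.*,cn=auth", SEARCH_URI)]
FIXED_RULES = ORIGINAL_RULES + [(r"uid=(.*),cn=auth", SEARCH_URI)]

def sasl2dn(sasl_name, rules):
    """Emulate slap_sasl2dn: first matching rule wins (regexec-style search,
    case-insensitive); a search URI is resolved against DIRECTORY and must
    yield exactly one entry. Returns None when nothing maps."""
    for pattern, template in rules:
        m = re.search(pattern, sasl_name, flags=re.IGNORECASE)
        if m is None:
            continue
        target = template
        for i, grp in enumerate(m.groups(), start=1):
            target = target.replace(f"${i}", grp)
        uri = re.fullmatch(r"ldap:///([^?]*)\?\?sub\?\(uid=([^)]*)\)", target)
        if uri is None:
            return target  # plain DN replacement, no search needed
        hits = [dn for dn, attrs in DIRECTORY.items()
                if dn.endswith("," + uri.group(1)) and attrs.get("uid") == uri.group(2)]
        return hits[0] if len(hits) == 1 else None
    return None

def proxy_authz(authc_name, authz_name, rules):
    """Return (authc DN, authz DN, allowed). An unmapped name falls back to its
    SASL form, which is exactly what the log shows for uid=root,cn=auth."""
    authc_dn = sasl2dn(authc_name, rules) or authc_name
    authz_dn = sasl2dn(authz_name, rules) or authz_name
    rule = DIRECTORY.get(authc_dn, {}).get("saslAuthzTo")
    allowed = bool(rule and re.search(rule, authz_dn, flags=re.IGNORECASE))
    return authc_dn, authz_dn, allowed

if __name__ == "__main__":
    print(proxy_authz("uid=cyradm,cn=digest-md5,cn=auth", "uid=root,cn=auth", FIXED_RULES))
```

Running proxy_authz with ORIGINAL_RULES instead of FIXED_RULES returns uid=root,cn=auth as the authorization DN and allowed=False, the same comparison the log shows just before err=47.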