[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: sasl UID mapping
> -----Original Message-----
> From: Paul Jakma [mailto:paul@clubi.ie]
> On Sat, 17 Jan 2004, Howard Chu wrote:
> > Pulling out my handy crystal ball, I see that your ACLs prevent
> > this from succeeding.
>
> Ok, so the sasl-regexp itself looks sane. With what DN does slapd
> bind to itself for sasl-regexp lookups? (i wouldnt have thought ACLs
> applied to slapd itself).
slapd doesn't bind to itself, internal searches don't need to bind. But all
authentication attempts are performed as anonymous. That means all the
relevant information that is needed to perform an authentication must grant
auth access to anonymous.
> > But seriously, turn up debugging, then look at the sequence of
> > events in the actual SASL name mapping. It will tell you what it's
> > doing.
>
> I tried, but I dont see anything to do with ACLs and sasl-regexp
> lookups, eg:
You haven't set a very useful debug level for chasing problems. It's OK for
history logging of server activity, but not for troubleshooting. Try debug
level 7 (lucky number) instead.
> Jan 18 02:06:37 hibernia slapd[6197]: conn=0 op=3 BIND
> dn="cn=paul,cn=jakma.org,cn=GSSAPI,cn=auth" method=163
> Jan 18 02:06:37 hibernia slapd[6194]: daemon: select: listen=6
> active_threads=1 tvp=NULL
> Jan 18 02:06:37 hibernia slapd[6197]: SASL [conn=0] Error: unable to
> open Berkeley db /etc/sasldb2: Permission denied
> The /etc/sasldb2 entry is intriguing, but the mech is GSSAPI which
> shouldnt have any business opening that file really.
True, that's Cyrus SASL for you. By default it loads all installed plugins,
and calls all of them for name lookups, whether you need them or not. You can
de-install the plugins you're not using, or edit the lib/sasl2/slapd.conf to
configure an explicit list of plugins to use. But that is not germane to the
topic at hand.
> > We can't see what it's doing from out here, and asking people to
> > guess blindly is not productive.
> Not asking anyone to guess, just asking "i have xyz but cant foo", if
> the answer is "xyz is completely wrong" then that is constructive. :)
> if no conclusion can be drawn, i can always post further info.
It would be nice if you posted a useful log from the beginning. Whenever you
want to say "it doesn't do foo" the first question is always going to be
"well, what *does* it do?" Since your log doesn't have anything interesting
in it to answer that question, there are two possibilities:
a) we the developers are idiots, and didn't put any useful logging into
the code
b) there is useful logging available, but you haven't enabled it
If you believe (a) then there's not much point in going any further. If (b)
then you should RTFM and find out what's really going on before posting.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support