[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: still "more results to return"
I have been running in circles.
I have removed user admin from the sasl2db and it has no effect on the
"more results to return" message when I do a ldapsearch (admin is still in the ldap server).
With nothing in the sasldb2 I can use the wrong password it returns
incorrect password response. I can use another ldap username/password
combination and get the same results ("more results to return" or
"incorrect password"). So it seems to me that both sasl and ldap are authenticating
but I'm still not receiving a result list from the ldap server. Also it seems the
documentation on setting up sasl digest-md5 and ldap is either inaccurate or out of
date.
Can someone please tell me the current steps for this?
The slapd.log looks like (-d 5)...
*******************************
Mar 16 16:27:36 doc1 slapd[2563]: ==>slap_sasl_authorized: can
uid=dennis,ou=people,dc=cpc become uid=dennis,ou=people,dc=cpc?
Mar 16 16:27:36 doc1 slapd[2563]: <== slap_sasl_authorized: return 0
Mar 16 16:27:36 doc1 slapd[2563]: SASL Authorize [conn=2]:
authorization allowed
Mar 16 16:27:36 doc1 slapd[2563]: send_ldap_sasl: err=0 len=40
Mar 16 16:27:36 doc1 slapd[2563]: send_ldap_response: msgid=3 tag=97
err=0
Mar 16 16:27:36 doc1 slapd[2563]: <== slap_sasl_bind: rc=0
Mar 16 16:27:36 doc1 slapd[2563]: do_bind: SASL/DIGEST-MD5 bind:
dn="uid=dennis,ou=people,dc=cpc" ssf=128
Mar 16 16:27:36 doc1 slapd[2563]: connection_get(11)
Mar 16 16:27:36 doc1 slapd[2563]: connection_get(11): got connid=2
Mar 16 16:27:36 doc1 slapd[2563]: connection_read(11): checking for
input on id=2
Mar 16 16:27:36 doc1 slapd[2563]: ber_get_next on fd 11 failed errno=0
(Success)
Mar 16 16:27:36 doc1 slapd[2563]: connection_read(11): input error=-2
id=2, closing.
Mar 16 16:27:36 doc1 slapd[2563]: connection_closing: readying conn=2
sd=11 for close
Mar 16 16:27:36 doc1 slapd[2563]: connection_close: conn=2 sd=11
**************************************
I have been looking everywhere and created a slapd.conf file in
/usr/lib/sasl2/ that looks like this.. (I can also rename this file and get
the same results - so it doesn't seem to matter to me).
pwcheck_method: auxprop
auxprop_plugin: slapd
mech_list: Digest-MD5
slapd_id: admin
slapd_pw: secret
slapd_uri: ldap://doc1.cpc.net.au
/etc/openldap/slap.conf looks like...
password-hash {CLEARTEXT}
sasl-host doc1.cpc.net.au
sasl-realm doc1.cpc.net.au
sasl-secprops noplain noanonymous maxssf=128
sasl-regexp uid=(.*),cn=doc1.cpc.net.au,cn=digest-md5,cn=auth
uid=$1,ou=people,dc=cpc
********************************
I used this search as instructed from another mail list I've trawled
through..
ldapsearch -H ldap://doc1.cpc.net.au -U dennis -X u:dennis -Y DIGEST-MD5
-s base '(objectclass=*)'userPassword -ZZ
with -d 5 it returns (last portion only)
ldap_parse_result
ber_scanf fmt ({iaa) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
sasl_client_step: 1
ldap_perror
ldap_sasl_interactive_bind_s: More results to return
I can provide more detail if requested.
Is this a normal response or is this unusual?
Dennis
On Wed, 2004-03-10 at 17:52, Dieter Kluenter wrote:
> Hi,
>
> dennis <dennis@utiba.com> writes:
>
> > Hi all,
> >
> > I am running RHEL 3ES (2.4.21-9.EL), openldap-2.1.25, cyrus-sasl-2.1.17.
> >
> > I have searched everywhere, broken and fixed sasl, read the howto's,
> > followed the directions. I still get "ldap_sasl_interactive_bind_s:
> > More results to return" every time I try a DIGEST-MD5 connection to my
> > ldap server. If I use -x everything is fine.
> >
> > When I do this from the http://www.tldp.org/HOWTO/LDAP-HOWTO/sasl.html
> > doco, ldapsearch -U admin@rdnt03 -b 'o=Ever' '(objectclass=*)' (changing
> > attributes to match my ldap server) I get this result:
> > "ldap_sasl_interactive_bind_s: No such object"
> >
> > When I do this: ldapsearch -U admin@doc1.cpc.net.au -b "dc=cpc"
> > '(objectclass=*)' -Y DIGEST-MD5
> >
> > I get this result:
> > SASL/DIGEST-MD5 authentication started
> > Please enter your password:
> > ldap_sasl_interactive_bind_s: More results to return
> >
> > Does anyone know what this means? Is this the expected result of
> > properly configured ldap and sasl server?
>
> It's probabely your sasl setup. when entering a user to sasldb, did you
> pass the realm flag and a sasl realm? Did you configure a sasl-realm
> in slapd.conf?
> You should try an authentication without realm, that is
> ldapsearch -U admin -Y DIGEST-MD5
>
> -Dieter
--
--
dennis <dennis@utiba.com>