Re: Authentication fail | sasl
Hi,
>>>>> "Hagen" == Hagen Paul Pfeifer <hagen@jauu.net> writes:
Hagen> Hello, it concerns the following problem:
Hagen> If I remove the following entry from slapd.conf
Hagen> access to * by * read
Hagen> and I do a
Hagen> ldapsearch -b "dc=0xdef,dc=net" -D "uid=pfeifer,ou=users,dc=0xdef,dc=net" "objectclass=*" -Y digest-md5
Hagen> ldapsearch returns:
Hagen> SASL/DIGEST-MD5 authentication started
Hagen> Please enter your password:
Hagen> ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
Hagen> additional info: SASL(-13): user not found: no secret in database
Hagen> But when I added "access to * by * read" the SASL mechanism works!
Hagen> Now I think SASL hasn't the accurate access rights to
Hagen> access the user's LDAP userPassword entry ("no secret in
Hagen> database"), because when there is worldwide read access
Hagen> the mechanism is OK!?
Hagen> Here are my slapd.conf entries for access stuff:
Hagen> suffix "dc=0xdef,dc=net"
Hagen> rootdn "cn=admin,dc=0xdef,dc=net"
Hagen> rootpw {SSHA}yVT8vzdssH5+5QlO7RRicsSufwAmCx7v
Hagen> saslRegex uid=(.*),cn=digest-md5,cn=auth uid=$1,cn=users,dc=0xdef,dc=net
Hagen> access to dn.base="" by * read
Hagen> access to attribute=userPassword
Hagen>   by dn="cn=root,dc=0xdef,dc=net" write
Hagen>   by anonymous auth
Hagen>   by self write
Hagen>   by * none
Hagen> access to dn.subtree="uid=(.*),ou=users,dc=0xdef,dc=net"
Hagen>   by dn="uid=(.*),ou=users,dc=0xdef,dc=net" write
Hagen>   by anonymous auth
Hagen>   by * none
Your search string starts at dc=0xdef,dc=net but you have no access to
this subtree, not even for auth purposes. See man slapd.access(5) and
http://www.openldap.org/faq/data/cache/1005.html for examples.
Run slapd in loglevel 128 mode to watch authentication procedures.
-Dieter
--
Dieter Klünter | Systemberatung
Tel.: +49.40.64861967
Fax : +49.40.64891521
http://www.avci.de
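The ACL layout Dieter's reply points at, written out as an added example (not config from the thread or from the OpenLDAP project): the user entries get an entry-level auth grant so an unauthenticated SASL bind can locate the entry and check its userPassword, without the blanket "access to * by * read". Assumptions: OpenLDAP 2.1/2.2-era directive names (sasl-regexp, dn.regex), entries under ou=users throughout (the quoted mapping says cn=users while the quoted ACLs say ou=users), and cn=admin as the rootdn.

```conf
# Added example, not the poster's slapd.conf. Assumes OpenLDAP 2.1/2.2
# syntax and that user entries live under ou=users,dc=0xdef,dc=net.

suffix   "dc=0xdef,dc=net"
rootdn   "cn=admin,dc=0xdef,dc=net"

# Map the DIGEST-MD5 authentication identity to the entry holding the
# secret by searching for it, so the result matches the real tree layout.
sasl-regexp
        uid=(.*),cn=digest-md5,cn=auth
        ldap:///ou=users,dc=0xdef,dc=net??sub?(uid=$1)

# rootDSE stays world readable.
access to dn.base=""
        by * read

# userPassword is never readable; "auth" only permits the server to check
# it during a bind, which is what the (still anonymous) SASL bind needs.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Entry-level access to the user entries. Without the "auth" grant here the
# bind cannot even locate the entry, which surfaces as "no secret in database".
access to dn.regex="^uid=[^,]+,ou=users,dc=0xdef,dc=net$"
        by self write
        by anonymous auth
        by users read

# Everything else: readable by authenticated users only, nothing for anonymous.
access to *
        by users read
        by * none
```

Running slapd with loglevel 128 (as suggested above) shows each ACL decision, so a remaining "no secret in database" can be traced to the exact clause that denies the auth access.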