sasl - cmusaslsecretDIGEST-MD5 - encrypted passwords in ldap
Hi,
I try to store MD5 encrypted passwords in LDAP using the objectClass
cmuSaslUser.
slapd searches the attribute cmusaslsecretDIGEST-MD5, but the bind fails.
What is the syntax for the hash stored in the cmusaslsecretDIGEST-MD5
attribute of the objectClass cmuSaslUser?
My object:
dn: uid=immy,ou=people,o=sgv,dc=sgv
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: top
objectClass: cmuSaslUser
~~ snip ~
uid: immy
userPassword: {MD5}xxxxxxxxxxxxxxxxxxxxx
cmusaslsecretCRAM-MD5: ???
cmusaslsecretDIGEST-MD5: ???
cmusaslsecretOTP: ???
cmusaslsecretSRP: ???
ldapsearch -U immy uid=immy
/var/log/messages:
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on 1 descriptors
Jun 28 11:20:08 probe26 slapd[27483]: daemon: new connection on 14
Jun 28 11:20:08 probe26 slapd[27483]: conn=56 fd=14 ACCEPT from
IP=100.9.0.200:34958 (IP=:: 389)
Jun 28 11:20:08 probe26 slapd[27483]: daemon: added 14r
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on:
Jun 28 11:20:08 probe26 slapd[27483]:
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=8
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on 1 descriptors
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on:
Jun 28 11:20:08 probe26 slapd[27483]: 14r
Jun 28 11:20:08 probe26 slapd[27483]:
Jun 28 11:20:08 probe26 slapd[27483]: daemon: read activity on 14
Jun 28 11:20:08 probe26 slapd[27483]: connection_get(14)
Jun 28 11:20:08 probe26 slapd[27483]: connection_get(14): got connid=56
Jun 28 11:20:08 probe26 slapd[27483]: connection_read(14): checking for
input on id=56
Jun 28 11:20:08 probe26 slapd[27483]: ber_get_next on fd 14 failed
errno=11 (Resource temporarily unavailable)
Jun 28 11:20:08 probe26 slapd[27659]: do_search
Jun 28 11:20:08 probe26 slapd[27659]: >>> dnPrettyNormal: <>
Jun 28 11:20:08 probe26 slapd[27659]: <<< dnPrettyNormal: <>, <>
Jun 28 11:20:08 probe26 slapd[27659]: SRCH "" 0 0
Jun 28 11:20:08 probe26 slapd[27659]: 0 0 0
Jun 28 11:20:08 probe26 slapd[27659]: begin get_filter
Jun 28 11:20:08 probe26 slapd[27659]: PRESENT
Jun 28 11:20:08 probe26 slapd[27659]: end get_filter 0
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27659]: filter: (objectClass=*)
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=8
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27659]: attrs:
Jun 28 11:20:08 probe26 slapd[27659]: supportedSASLMechanisms
Jun 28 11:20:08 probe26 slapd[27659]:
Jun 28 11:20:08 probe26 slapd[27659]: conn=56 op=0 SRCH base="" scope=0
deref=0 filter="(objectClass=*)"
Jun 28 11:20:08 probe26 slapd[27659]: conn=56 op=0 SRCH
attr=supportedSASLMechanisms
Jun 28 11:20:08 probe26 slapd[27659]: => test_filter
Jun 28 11:20:08 probe26 slapd[27659]: PRESENT
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: search access
to "" "objectClass" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_get: [1] attr objectClass
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: access to entry "",
attr "objectClass" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: to all values by "", (=n)
Jun 28 11:20:08 probe26 slapd[27659]: <= check a_dn_pat: *
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] applying
write(=wrscx) (stop)
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] mask: write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: search access
granted by write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: <= test_filter 6
Jun 28 11:20:08 probe26 slapd[27659]: => send_search_entry: dn=""
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: read access to
"" "entry" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_get: [1] attr entry
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: access to entry "",
attr "entry" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: to all values by "", (=n)
Jun 28 11:20:08 probe26 slapd[27659]: <= check a_dn_pat: *
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] applying
write(=wrscx) (stop)
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] mask: write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: read access
granted by write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: read access to
"" "supportedSASLMechanisms" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_get: [1] attr
supportedSASLMechanisms
Jun 28 11:20:08 probe26 slapd[27659]: access_allowed: no res from state
(supportedSASLMechanisms)
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: access to entry "",
attr "supportedSASLMechanisms" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: to value by "", (=n)
Jun 28 11:20:08 probe26 slapd[27659]: <= check a_dn_pat: *
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] applying
write(=wrscx) (stop)
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] mask: write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: read access
granted by write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: conn=56 op=0 ENTRY dn=""
Jun 28 11:20:08 probe26 slapd[27659]: <= send_search_entry
Jun 28 11:20:08 probe26 slapd[27659]: send_ldap_result: conn=56 op=0 p=3
Jun 28 11:20:08 probe26 slapd[27659]: send_ldap_result: err=0 matched=""
text=""
Jun 28 11:20:08 probe26 slapd[27659]: send_ldap_response: msgid=1
tag=101 err=0
Jun 28 11:20:08 probe26 slapd[27659]: conn=56 op=0 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on 1 descriptors
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on:
Jun 28 11:20:08 probe26 slapd[27483]: 14r
Jun 28 11:20:08 probe26 slapd[27483]:
Jun 28 11:20:08 probe26 slapd[27483]: daemon: read activity on 14
Jun 28 11:20:08 probe26 slapd[27483]: connection_get(14)
Jun 28 11:20:08 probe26 slapd[27483]: connection_get(14): got connid=56
Jun 28 11:20:08 probe26 slapd[27483]: connection_read(14): checking for
input on id=56
Jun 28 11:20:08 probe26 slapd[27483]: ber_get_next on fd 14 failed
errno=11 (Resource temporarily unavailable)
Jun 28 11:20:08 probe26 slapd[27485]: do_bind
Jun 28 11:20:08 probe26 slapd[27485]: >>> dnPrettyNormal: <>
Jun 28 11:20:08 probe26 slapd[27485]: <<< dnPrettyNormal: <>, <>
Jun 28 11:20:08 probe26 slapd[27485]: do_sasl_bind: dn () mech DIGEST-MD5
Jun 28 11:20:08 probe26 slapd[27485]: conn=56 op=1 BIND dn="" method=163
Jun 28 11:20:08 probe26 slapd[27485]: ==> sasl_bind: dn=""
mech=DIGEST-MD5 datalen=0
Jun 28 11:20:08 probe26 slapd[27485]: SASL [conn=56] Debug: DIGEST-MD5
server step 1
Jun 28 11:20:08 probe26 slapd[27485]: send_ldap_sasl: err=14 len=180
Jun 28 11:20:08 probe26 slapd[27485]: send_ldap_response: msgid=2 tag=97
err=14
Jun 28 11:20:08 probe26 slapd[27485]: <== slap_sasl_bind: rc=14
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=8
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on 1 descriptors
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on:
Jun 28 11:20:08 probe26 slapd[27483]: 14r
Jun 28 11:20:08 probe26 slapd[27483]:
Jun 28 11:20:08 probe26 slapd[27483]: daemon: read activity on 14
Jun 28 11:20:08 probe26 slapd[27483]: connection_get(14)
Jun 28 11:20:08 probe26 slapd[27483]: connection_get(14): got connid=56
Jun 28 11:20:08 probe26 slapd[27483]: connection_read(14): checking for
input on id=56
Jun 28 11:20:08 probe26 slapd[27483]: ber_get_next on fd 14 failed
errno=11 (Resource temporarily unavailable)
Jun 28 11:20:08 probe26 slapd[27659]: do_bind
Jun 28 11:20:08 probe26 slapd[27659]: >>> dnPrettyNormal: <>
Jun 28 11:20:08 probe26 slapd[27659]: <<< dnPrettyNormal: <>, <>
Jun 28 11:20:08 probe26 slapd[27659]: do_sasl_bind: dn () mech DIGEST-MD5
Jun 28 11:20:08 probe26 slapd[27659]: conn=56 op=2 BIND dn="" method=163
Jun 28 11:20:08 probe26 slapd[27659]: ==> sasl_bind: dn=""
mech=<continuing> datalen=260
Jun 28 11:20:08 probe26 slapd[27659]: SASL [conn=56] Debug: DIGEST-MD5
server step 2
Jun 28 11:20:08 probe26 slapd[27659]: SASL Canonicalize [conn=56]:
authcid="immy"
Jun 28 11:20:08 probe26 slapd[27659]: slap_sasl_getdn: id=immy [len=4]
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27659]: slap_sasl_getdn: u:id converted to
uid=immy,cn=probe26,cn=DIGEST-MD5,cn=auth
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=8
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27659]: >>> dnNormalize:
<uid=immy,cn=probe26,cn=DIGEST-MD5,cn=auth>
Jun 28 11:20:08 probe26 slapd[27659]: <<< dnNormalize:
<uid=immy,cn=probe26,cn=digest-md5,cn=auth>
Jun 28 11:20:08 probe26 slapd[27659]: ==>slap_sasl2dn: converting SASL
name uid=immy,cn=probe26,cn=digest-md5,cn=auth to a DN
Jun 28 11:20:08 probe26 slapd[27659]: slap_sasl_regexp: converting SASL
name uid=immy,cn=probe26,cn=digest-md5,cn=auth
Jun 28 11:20:08 probe26 slapd[27659]: slap_sasl_regexp: converted SASL
name to uid=immy,ou=people,o=sgv,dc=sgv
Jun 28 11:20:08 probe26 slapd[27659]: slap_parseURI: parsing
uid=immy,ou=people,o=sgv,dc=sgv
Jun 28 11:20:08 probe26 slapd[27659]: >>> dnNormalize:
<uid=immy,ou=people,o=sgv,dc=sgv>
Jun 28 11:20:08 probe26 slapd[27659]: <<< dnNormalize:
<uid=immy,ou=people,o=sgv,dc=sgv>
Jun 28 11:20:08 probe26 slapd[27659]: <==slap_sasl2dn: Converted SASL
name to uid=immy,ou=people,o=sgv,dc=sgv
Jun 28 11:20:08 probe26 slapd[27659]: getdn: dn:id converted to
uid=immy,ou=people,o=sgv,dc=sgv
Jun 28 11:20:08 probe26 slapd[27659]: SASL Canonicalize [conn=56]:
slapAuthcDN="uid=immy,ou=people,o=sgv,dc=sgv"
Jun 28 11:20:08 probe26 slapd[27659]: => bdb_search
Jun 28 11:20:08 probe26 slapd[27659]:
bdb_dn2entry("uid=immy,ou=people,o=sgv,dc=sgv")
Jun 28 11:20:08 probe26 slapd[27659]: base_candidates: base:
"uid=immy,ou=people,o=sgv,dc=sgv" (0x00000069)
Jun 28 11:20:08 probe26 slapd[27659]: => test_filter
Jun 28 11:20:08 probe26 slapd[27659]: PRESENT
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: auth access to
"uid=immy,ou=people,o=sgv,dc=sgv" "objectClass" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_get: [1] attr objectClass
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: access to entry
"uid=immy,ou=people,o=sgv,dc=sgv", attr "objectClass" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: to all values by "", (=n)
Jun 28 11:20:08 probe26 slapd[27659]: <= check a_dn_pat: *
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] applying
write(=wrscx) (stop)
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] mask: write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: auth access
granted by write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: <= test_filter 6
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: auth access to
"uid=immy,ou=people,o=sgv,dc=sgv" "cmusaslsecretDIGEST-MD5" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_get: [1] attr
cmusaslsecretDIGEST-MD5
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: access to entry
"uid=immy,ou=people,o=sgv,dc=sgv", attr "cmusaslsecretDIGEST-MD5" requested
Jun 28 11:20:08 probe26 slapd[27659]: => acl_mask: to all values by "", (=n)
Jun 28 11:20:08 probe26 slapd[27659]: <= check a_dn_pat: *
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] applying
write(=wrscx) (stop)
Jun 28 11:20:08 probe26 slapd[27659]: <= acl_mask: [1] mask: write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: => access_allowed: auth access
granted by write(=wrscx)
Jun 28 11:20:08 probe26 slapd[27659]: send_ldap_result: conn=56 op=0 p=3
Jun 28 11:20:08 probe26 slapd[27659]: send_ldap_result: err=0 matched=""
text=""
Jun 28 11:20:08 probe26 slapd[27659]: SASL Canonicalize [conn=56]:
authzid="immy"
Jun 28 11:20:08 probe26 slapd[27659]: SASL [conn=56] Failure: client
response doesn't match what we generated
Jun 28 11:20:08 probe26 slapd[27659]: send_ldap_result: conn=56 op=2 p=3
Jun 28 11:20:08 probe26 slapd[27659]: send_ldap_result: err=49
matched="" text="SASL(-13): authentication failure: client response
doesn't match what we generated"
Jun 28 11:20:08 probe26 slapd[27659]: send_ldap_response: msgid=3 tag=97
err=49
Jun 28 11:20:08 probe26 slapd[27659]: conn=56 op=2 RESULT tag=97 err=49
text=SASL(-13): authentication failure: client response doesn't match
what we generated
Jun 28 11:20:08 probe26 slapd[27659]: <== slap_sasl_bind: rc=49
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on 1 descriptors
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on:
Jun 28 11:20:08 probe26 slapd[27483]: 14r
Jun 28 11:20:08 probe26 slapd[27483]:
Jun 28 11:20:08 probe26 slapd[27483]: daemon: read activity on 14
Jun 28 11:20:08 probe26 slapd[27483]: connection_get(14)
Jun 28 11:20:08 probe26 slapd[27483]: connection_get(14): got connid=56
Jun 28 11:20:08 probe26 slapd[27483]: connection_read(14): checking for
input on id=56
Jun 28 11:20:08 probe26 slapd[27483]: ber_get_next on fd 14 failed
errno=0 (Success)
Jun 28 11:20:08 probe26 slapd[27483]: connection_read(14): input
error=-2 id=56, closing.
Jun 28 11:20:08 probe26 slapd[27483]: connection_closing: readying
conn=56 sd=14 for close
Jun 28 11:20:08 probe26 slapd[27483]: connection_close: conn=56 sd=14
Jun 28 11:20:08 probe26 slapd[27483]: daemon: removing 14
Jun 28 11:20:08 probe26 slapd[27483]: conn=56 fd=14 closed
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=8
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27483]: daemon: activity on 1 descriptors
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jun 28 11:20:08 probe26 slapd[27483]: daemon: select: listen=8
active_threads=0 tvp=NULL
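
Added example, not part of the original post: the DIGEST-MD5 response calculation from RFC 2831, run on the RFC's own sample exchange, showing that the per-user secret is a hash over username, realm and password, so a `{MD5}` userPassword value (MD5 of the password alone) cannot reproduce the client's response. The helper names are illustrative, and the block does not show how slapd or Cyrus SASL encode the cmusaslsecretDIGEST-MD5 attribute.

```python
import base64
import hashlib


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def user_secret(username: str, realm: str, password: str) -> bytes:
    """RFC 2831 per-user secret: H(username ":" realm ":" password), 16 raw bytes."""
    return md5(f"{username}:{realm}:{password}".encode("utf-8"))


def ldap_md5_value(password: str) -> str:
    """What a userPassword {MD5} value holds: base64 of MD5(password) only."""
    return "{MD5}" + base64.b64encode(md5(password.encode("utf-8"))).decode("ascii")


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """RFC 2831 response value for qop=auth without an authzid."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1 = md5(a1).hex()
    ha2 = md5(a2).hex()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")
    return md5(kd).hex()


# Sample exchange from RFC 2831 section 4 (user "chris", password "secret").
RFC = dict(nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
           digest_uri="imap/elwood.innosoft.com")


def client_response() -> str:
    return digest_response(user_secret("chris", "elwood.innosoft.com", "secret"), **RFC)


def server_guess_from_md5_only() -> str:
    # A server holding only MD5(password) cannot mix username and realm into
    # the hash; using that digest as the secret yields a different response.
    return digest_response(md5(b"secret"), **RFC)


if __name__ == "__main__":
    print("userPassword form :", ldap_md5_value("secret"))
    print("client response   :", client_response())
    print("from {MD5} only   :", server_guess_from_md5_only())
```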