[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL authentication against OpenLDAP

To: OpenLDAP-software@OpenLDAP.org
Subject: SASL authentication against OpenLDAP
From: Bryan Ray <bryan@bryanray.org.uk>
Date: Fri, 06 Aug 2004 15:02:38 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040421

Hi, I am having a touble getting SASL to play ball with openldap, and would be grateful for any help in finding a solution.

I have been following 'http://www.openldap.org/doc/admin22/sasl.html' with the aim of allowing my ldap tools (ldapsearch,ldapmodify,etc) to authenticate using details held in the ldap server. I wish to use the Digest-MD5 mechanism.

I have configured the server following 'LDAP System Administration - Gerald Carter' and filled in the SASL details from the url above as best as I can, but when trying to connect with SASL I get the following:

#ldapsearch -U bryan -b "dc=bryanray,dc=org,dc=uk" "(objectclass=*)"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
   additional info: SASL(-13): user not found: no secret in database

This implies to me that SASL is using the /etc/sasldb database, or I have made an error in my regular expressions, but do not know how to proceed from here. Thanks for any help.

Bryan

My configuration:

-------------------------------------------------------------------------

/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema

loglevel        488
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# SASL Authentication sasl-host milkyway.bryanray.org.uk sasl-realm milkyway sasl-regexp uid=(.*),cn=milkyway.*,cn=digest-md5,cn=auth ldap:///dc=bryanray,dc=org,dc=uk??sub?(uid=$1) sasl-regexp uid=(.*),cn=digest-md5,cn=auth ldap:///dc=bryanray,dc=org,dc=uk??sub?(&(uid=$1)(objectclass=posixAccount)) #sasl-secprops none,noanonymous

# TLS/SSL
TLSCipherSuite          HIGH
TLSCertificateFile      /etc/openldap/ssl/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/ssl/slapd-key.pem

# Default password hash format
password-hash           {CLEARTEXT}

#######################################################################
# ldbm database definitions
#######################################################################

database        bdb
suffix          "dc=bryanray,dc=org,dc=uk"
rootdn          "cn=admin,dc=bryanray,dc=org,dc=uk"
rootpw          {SHA}****************************

directory       /var/ldap/bryanray.org.uk
# Indices to maintain - should be more here...
index   objectClass     eq

-------------------------------------------------------------------------

Where the domain name from the machine is:
#dnsdomainname
bryanray.org.uk
#hostname
milkyway
#sasldblistusers2
admin@milkyway:userPassword

-------------------------------------------------------------------------

The directory contains:
dn: dc=bryanray,dc=org,dc=uk
objectClass: dcObject
objectClass: organization
o: BryanRay.org.uk
dc: bryanray
structuralObjectClass: organization
entryUUID: efd2c588-7763-1028-9aaf-8f7488bec364
creatorsName: cn=admin,dc=bryanray,dc=org,dc=uk
modifiersName: cn=admin,dc=bryanray,dc=org,dc=uk
createTimestamp: 20040731173645Z
modifyTimestamp: 20040731173645Z
entryCSN: 20040731173645Z#000001#00#000000

dn: cn=admin,dc=bryanray,dc=org,dc=uk
objectClass: organizationalRole
cn: admin
structuralObjectClass: organizationalRole
entryUUID: efd753b4-7763-1028-9ab0-8f7488bec364
creatorsName: cn=admin,dc=bryanray,dc=org,dc=uk
modifiersName: cn=admin,dc=bryanray,dc=org,dc=uk
createTimestamp: 20040731173645Z
modifyTimestamp: 20040731173645Z
entryCSN: 20040731173645Z#000002#00#000000

dn: ou=people,dc=bryanray,dc=org,dc=uk
ou: people
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f4d00dde-7763-1028-89ac-f4015d8834eb
creatorsName: cn=admin,dc=bryanray,dc=org,dc=uk
modifiersName: cn=admin,dc=bryanray,dc=org,dc=uk
createTimestamp: 20040731173653Z
modifyTimestamp: 20040731173653Z
entryCSN: 20040731173653Z#000001#00#000000

dn: uid=bryan,ou=people,dc=bryanray,dc=org,dc=uk
uid: bryan
cn: Bryan Ray
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/bryan
sn: Ray
objectClass: posixAccount
objectClass: inetOrgPerson
structuralObjectClass: inetOrgPerson
entryUUID: 4d17cbdc-7802-1028-98e3-ddb999058336
creatorsName: cn=admin,dc=bryanray,dc=org,dc=uk
createTimestamp: 20040801123022Z
userPassword:: ****************
entryCSN: 20040806112924Z#000001#00#000000
modifiersName: cn=admin,dc=bryanray,dc=org,dc=uk
modifyTimestamp: 20040806112924Z

-------------------------------------------------------------------------

SASL was compiled with the following options:
--with-ldap --disable-otp

OpenLDAP was compiled with the following options: --with-cyrus-sasl --with-tls --with-wrappers --enable-spasswd --enable-dynamic

Follow-Ups:
- Re: SASL authentication against OpenLDAP
  - From: Dieter Kluenter <dieter@dkluenter.de>

Prev by Date: memberNisNetgroup limit
Next by Date: Re: memberNisNetgroup limit
Index(es):
- Chronological
- Thread