
SASL EXTERNAL problem



Dear All,

I want to run an ldap server using TLS and the SASL EXTERNAL mechanism.
The relevant parts of slapd.conf look like:

TLSCipherSuite          HIGH:MEDIUM:+SSLv3
TLSCertificateFile /export/home/ron/test/ssl/hostcert.pem
TLSCertificateKeyFile /export/home/ron/test/ssl/hostkey.pem
TLSCACertificateFile /export/home/ron/test/ssl/16da7552.0
TLSVerifyClient demand

access to *
        by dn="cn=Manager,ou=sara.nl,dc=test,dc=org" write
        by dn.base="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" read
        by dn.base="CN=mu2.matrix.sara.nl,OU=sara.nl,O=hosts,O=dutchgrid" read
        by * none

But when I do a:

ldapsearch -LLL -Y EXTERNAL -H ldaps://localhost:10123 -s sub -b "ou=sara.nl,dc=test,dc=org" "objectclass=*"

I get only:

SASL/EXTERNAL authentication started
SASL username: CN=mu2.matrix.foo.org,OU=foo.org,O=hosts,O=grid
SASL SSF: 0

and that's it. I don't use sasl-regexp. What is wrong here?

In the server log I see:

SASL Canonicalize [conn=0]: authcid="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"
slap_sasl_getdn: id=cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid [len=52]
==>slap_sasl2dn: converting SASL name cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid to a DN
slap_sasl_regexp: converting SASL name cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: slapAuthcDN="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"
SASL proxy authorize [conn=0]: authcid="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" authzid="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"
conn=0 op=0 BIND authcid="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"
SASL Authorize [conn=0]:  proxy authorization allowed
.
.
.
<== slap_sasl_bind: rc=0
conn=0 op=0 BIND dn="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" mech=EXTERNAL ssf=0
do_bind: SASL/EXTERNAL bind: dn="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" ssf=0

It looks to me that the authentication bit is OK, or am I wrong? What am I
doing wrong here?

Best regards,

Ron Trompert
<ron@sara.nl>
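The question above turns on how slapd compares the certificate subject it received through SASL EXTERNAL (the `authcid` in the log) with the `by dn.base=...` subjects in the ACL. The following is an added example, not code from the poster or from OpenLDAP: a simplified model of that comparison, run over the ACL fragment and identity from the message. It normalises DNs the way slapd's log already shows (attribute types lower-cased; values of cn/ou/o/dc compared case-insensitively because those attributes use caseIgnoreMatch), treats `dn.base`/`dn.exact` as normalised equality, treats a bare `dn=` as a regular expression (the legacy default in slapd.access(5); the case-insensitive regex matching is an assumption of this model), and stops at the first matching `by` clause, as slapd does. The set of case-ignore attribute types and the handling of escaped characters are simplifications.

```python
"""Simplified model of slapd ACL <who> matching for a SASL EXTERNAL identity.
Added example (not OpenLDAP code). Assumptions are marked below."""
import re

# Attribute types whose values compare with caseIgnoreMatch in the default
# schema. Subset chosen for this example; slapd consults the real schema.
CASE_IGNORE_TYPES = {"cn", "ou", "o", "dc", "c", "l", "st", "uid"}


def normalize_dn(dn):
    """Canonical form: lower-case types, trimmed RDNs, case-folded values
    for caseIgnore attributes. Does not handle escaped commas (simplification)."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        attr_type = attr_type.strip().lower()
        value = " ".join(value.split())
        if attr_type in CASE_IGNORE_TYPES:
            value = value.lower()
        rdns.append(f"{attr_type}={value}")
    return ",".join(rdns)


# Matches `by dn[.style]=<pattern> <access>` and `by * <access>` clauses.
BY_CLAUSE = re.compile(
    r'\bby\s+(?:dn(?:\.(?P<style>\w+))?=(?P<pat>"[^"]*"|\S+)|(?P<any>\*))\s+(?P<access>\w+)'
)


def parse_by_clauses(acl_text):
    """Return [(style, pattern, access)] in the order slapd evaluates them."""
    clauses = []
    for m in BY_CLAUSE.finditer(acl_text):
        if m.group("any"):
            clauses.append(("*", None, m.group("access")))
        else:
            # A bare dn=... is the legacy regex form (assumption: see lead-in).
            style = m.group("style") or "regex"
            clauses.append((style, m.group("pat").strip('"'), m.group("access")))
    return clauses


def clause_matches(style, pattern, identity):
    ident_n = normalize_dn(identity)
    if style in ("base", "exact"):
        return normalize_dn(pattern) == ident_n
    if style == "regex":
        # Assumption: slapd compiles dn.regex patterns case-insensitively.
        # Note the pattern is unanchored unless the admin anchors it.
        return re.search(pattern, ident_n, re.IGNORECASE) is not None
    if style == "subtree":
        pat_n = normalize_dn(pattern)
        return ident_n == pat_n or ident_n.endswith("," + pat_n)
    raise ValueError(f"style {style!r} not handled in this example")


def evaluate(acl_text, identity):
    """Return (granted_access, indices_of_all_matching_clauses).
    slapd grants the access of the FIRST matching clause and stops there;
    the full list is returned only to show redundant clauses."""
    clauses = parse_by_clauses(acl_text)
    matches = [
        i for i, (style, pattern, _) in enumerate(clauses)
        if style == "*" or clause_matches(style, pattern, identity)
    ]
    granted = clauses[matches[0]][2] if matches else None
    return granted, matches


# Constructed from the ACL fragment in the message (line-wrapping removed).
SAMPLE_ACL = """
access to *
        by dn="cn=Manager,ou=sara.nl,dc=test,dc=org" write
        by dn.base="cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid" read
        by dn.base="CN=mu2.matrix.sara.nl,OU=sara.nl,O=hosts,O=dutchgrid" read
        by * none
"""

# The authcid slapd logged for the SASL EXTERNAL bind in the message.
CERT_IDENTITY = "cn=mu2.matrix.sara.nl,ou=sara.nl,o=hosts,o=dutchgrid"

if __name__ == "__main__":
    granted, hits = evaluate(SAMPLE_ACL, CERT_IDENTITY)
    print(f"granted={granted!r}; matching clause indices={hits}")
```

Running it shows that both `dn.base` clauses match the certificate identity after normalisation, so the upper-case duplicate adds nothing, and that the access granted is `read` from the first of them. The same model is useful as a pre-deployment check for the classic ACL mistake of an unanchored `dn=` regex matching more subjects than intended.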