
Re: ldapdb broken with sasl-2.1.19? (somewhat cleared up)



Igor Brezac wrote:

How do you know the plugin is not working? Have you tested the plugin with the sample client and server software that comes with cyrus-sasl ($cyrus-sasl-src/sample)?

Hi Igor, Dieter thanks for your answers.

Well, I have to confess: I didn't test but "trusted" the error message. Now, after testing with ldapwhoami and postfix, I can say it actually works as long as you do not use regexps in the saslAuthzTo: attribute (had the same problem with 2.2.12+sasl-2.1.18).

Those -1 logs show the problem:

authzTo errors:

Aug 11 13:41:29 holzkopp slapd[12690]: ==>slap_sasl_check_authz: does uid=pkoelle,ou=users,dc=holzkopp,dc=b17 match saslAuthzTo rule in cn=ldapadmin,ou=adminusers,dc=holzkopp,dc=b17?
Aug 11 13:41:29 holzkopp slapd[12690]: => bdb_entry_get: ndn: "cn=ldapadmin,ou=adminusers,dc=holzkopp,dc=b17"
Aug 11 13:41:29 holzkopp slapd[12690]: => bdb_entry_get: oc: "(null)", at: "saslAuthzTo"
Aug 11 13:41:29 holzkopp slapd[12690]: bdb_dn2entry("cn=ldapadmin,ou=adminusers,dc=holzkopp,dc=b17")
Aug 11 13:41:29 holzkopp slapd[12690]: bdb_entry_get: rc=0
Aug 11 13:41:29 holzkopp slapd[12690]: ===>slap_sasl_match: comparing DN uid=pkoelle,ou=users,dc=holzkopp,dc=b17 to rule uid=[^,]+,ou=users,dc=holzkopp,dc=b17
Aug 11 13:41:29 holzkopp slapd[12690]: slap_parseURI: parsing uid=[^,]+,ou=users,dc=holzkopp,dc=b17
Aug 11 13:41:29 holzkopp slapd[12690]: >>> dnNormalize: <uid=[^,]+,ou=users,dc=holzkopp,dc=b17>
Aug 11 13:41:29 holzkopp slapd[12690]: <===slap_sasl_match: comparison returned 21
Aug 11 13:41:29 holzkopp slapd[12690]: <==slap_sasl_check_authz: saslAuthzTo check returning 48
Aug 11 13:41:29 holzkopp slapd[12690]: <== slap_sasl_authorized: return 48
Aug 11 13:41:29 holzkopp slapd[12690]: <= get_ctrls: n=1 rc=47 err="not authorized to assume identity"


or:
Aug 11 13:59:58 holzkopp slapd[12594]: ===>slap_sasl_match: comparing DN uid=pkoelle,ou=users,dc=holzkopp,dc=b17 to rule uid=.*,ou=users,dc=holzkopp,dc=b17
Aug 11 13:59:58 holzkopp slapd[12594]: slap_parseURI: parsing uid=.*,ou=users,dc=holzkopp,dc=b17
Aug 11 13:59:58 holzkopp slapd[12594]: >>> dnNormalize: <uid=.*,ou=users,dc=holzkopp,dc=b17>
Aug 11 13:59:58 holzkopp slapd[12594]: <<< dnNormalize: <uid=.*,ou=users,dc=holzkopp,dc=b17>
Aug 11 13:59:58 holzkopp slapd[12594]: <===slap_sasl_match: comparison returned 48



success:
Aug 11 13:51:00 holzkopp slapd[12593]: ===>slap_sasl_match: comparing DN uid=pkoelle,ou=users,dc=holzkopp,dc=b17 to rule uid=[^,]+,ou=users,dc=holzkopp,dc=b17
Aug 11 13:51:00 holzkopp slapd[12593]: slap_parseURI: parsing uid=[^,]+,ou=users,dc=holzkopp,dc=b17
Aug 11 13:51:00 holzkopp slapd[12593]: >>> dnNormalize: <uid=[^,]+,ou=users,dc=holzkopp,dc=b17>
Aug 11 13:51:00 holzkopp slapd[12593]: <===slap_sasl_match: comparison returned 21
Aug 11 13:51:00 holzkopp slapd[12593]: ===>slap_sasl_match: comparing DN uid=pkoelle,ou=users,dc=holzkopp,dc=b17 to rule uid=pkoelle,ou=users,dc=holzkopp,dc=b17
Aug 11 13:51:00 holzkopp slapd[12593]: slap_parseURI: parsing uid=pkoelle,ou=users,dc=holzkopp,dc=b17
Aug 11 13:51:00 holzkopp slapd[12593]: >>> dnNormalize: <uid=pkoelle,ou=users,dc=holzkopp,dc=b17>
Aug 11 13:51:00 holzkopp slapd[12593]: <<< dnNormalize: <uid=pkoelle,ou=users,dc=holzkopp,dc=b17>
Aug 11 13:51:00 holzkopp slapd[12593]: <===slap_sasl_match: comparison returned 0


BTW: the log output from slapd is getting *really* useful. I cannot say if it's me getting used to it or if it actually improved.

greetings
 Paul
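
Added example, not part of the original message: a small Python parser that pairs each slap_sasl_match "comparing" line in slapd debug output with its "comparison returned" line and decodes the result code, so rejected saslAuthzTo rules stand out. The sample lines are taken from the excerpts above; the function names and the regexp-detection heuristic are assumptions made for this illustration.

```python
import re

# Constructed sample: three slap_sasl_match pairs taken from the log excerpts in the post.
SAMPLE_LOG = """\
Aug 11 13:41:29 holzkopp slapd[12690]: ===>slap_sasl_match: comparing DN uid=pkoelle,ou=users,dc=holzkopp,dc=b17 to rule uid=[^,]+,ou=users,dc=holzkopp,dc=b17
Aug 11 13:41:29 holzkopp slapd[12690]: <===slap_sasl_match: comparison returned 21
Aug 11 13:59:58 holzkopp slapd[12594]: ===>slap_sasl_match: comparing DN uid=pkoelle,ou=users,dc=holzkopp,dc=b17 to rule uid=.*,ou=users,dc=holzkopp,dc=b17
Aug 11 13:59:58 holzkopp slapd[12594]: <===slap_sasl_match: comparison returned 48
Aug 11 13:51:00 holzkopp slapd[12593]: ===>slap_sasl_match: comparing DN uid=pkoelle,ou=users,dc=holzkopp,dc=b17 to rule uid=pkoelle,ou=users,dc=holzkopp,dc=b17
Aug 11 13:51:00 holzkopp slapd[12593]: <===slap_sasl_match: comparison returned 0
"""

# LDAP result codes as named in RFC 4511.
RESULT_NAMES = {0: "success", 21: "invalidAttributeSyntax", 48: "inappropriateAuthentication"}

PREFIX = re.compile(r"slapd\[(\d+)\]: (.*)$")
BEGIN = re.compile(r"=+>slap_sasl_match: comparing DN (.+) to rule (.+)$")
END = re.compile(r"<=+slap_sasl_match: comparison returned\s*(\d+)$")
# Heuristic (assumption): these characters suggest the rule was written as a regexp.
REGEX_HINT = re.compile(r"[\[\]*^$|]")

def match_results(log_text):
    """Pair each 'comparing' line with the next 'returned' line from the same slapd PID."""
    pending, results = {}, []
    for line in log_text.splitlines():
        p = PREFIX.search(line)
        if not p:
            continue
        pid, msg = p.group(1), p.group(2).strip()
        begin, end = BEGIN.match(msg), END.match(msg)
        if begin:
            pending[pid] = begin.groups()
        elif end and pid in pending:
            dn, rule = pending.pop(pid)
            rc = int(end.group(1))
            results.append({"dn": dn, "rule": rule, "rc": rc,
                            "result": RESULT_NAMES.get(rc, "other"),
                            "regex_like": bool(REGEX_HINT.search(rule))})
    return results

def rejected_regex_rules(log_text):
    """Rules that look like regexps and did not compare successfully."""
    return [r["rule"] for r in match_results(log_text) if r["regex_like"] and r["rc"] != 0]

if __name__ == "__main__":
    for r in match_results(SAMPLE_LOG):
        print(r["rc"], r["result"], r["rule"])
```

Pairing by PID is approximate on a busy server, since slapd logs from several threads under one PID.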