Ammar T. Al-Sayegh wrote:
Hi All,
I just installed openldap-2.2.17 with LDAP auxprop plugin for SASL-enabled servers. However, authentication is not going through successfully. Following is the debug message where I think it's failing:
slap_auxprop: str2ad(cmusaslsecretDIGEST-MD5): attribute type undefined
send_ldap_result: conn=0 op=0 p=3
SASL [conn=0] Failure: client response doesn't match what we generated
I'm assuming that auxprop is trying to look for the password in the ldap directory, but it's not trying to match it with userPassword, but with cmusaslsecretDIGEST-MD5, which is a non-existent property. Is this what is happening? How can I correct this problem? Is there a way to force it to compare with userPassword?
It checks for both. You can just ignore the reference to cmusaslsecret* unless you really want to use it. In Cyrus SASL 2, mechanism-specific passwords are deprecated anyway and really only needed for the OTP mech.
Your problem here is simply that the value computed from userPassword doesn't match what the user typed in. Remember that Cyrus and the ldapdb plugin only work if the userPassword is stored in plain text, not in any hashed format.
Issue resolved using the following mapping rule in slapd.conf:
sasl-regexp uid=(.*),cn=DIGEST-MD5,cn=auth uid=$1,ou=People,dc=mydomain,dc=com
Just thought of mentioning it here in case other people fall into the same problem again, which is neither well-documented nor intuitive to resolve.
-ammar
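The sasl-regexp rule above rewrites the SASL authentication DN that slapd builds for a DIGEST-MD5 bind (of the form uid=<username>,cn=<mechanism>,cn=auth) into the real entry DN under ou=People. The following is an added example, not code from the thread or from OpenLDAP: a small Python re-implementation of that rewrite, run over constructed sample authentication DNs, to show what the rule matches, what it does not (other mechanisms), and how the greedy `(.*)` mangles the DN when a realm component (uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth) is present. The anchoring and case-insensitive matching are assumptions about slapd's behaviour, as is the tightened rule shown alongside the original.

```python
import re

# The rule posted in the thread (pattern, replacement), in slapd syntax.
POSTED_RULES = [
    (r"uid=(.*),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=People,dc=mydomain,dc=com"),
]

# Assumed tightening (not from the thread): refuse to capture commas, so a
# realm component cannot leak into the rewritten DN.
TIGHT_RULES = [
    (r"uid=([^,]+),cn=DIGEST-MD5,cn=auth", "uid=$1,ou=People,dc=mydomain,dc=com"),
]


def slapd_replacement_to_python(repl: str) -> str:
    """Convert slapd-style $1..$9 back-references to Python's \\g<1>..\\g<9>."""
    return re.sub(r"\$(\d)", r"\\g<\1>", repl)


def map_sasl_dn(sasl_dn: str, rules=POSTED_RULES):
    """Apply the first matching sasl-regexp rule to a SASL authentication DN.

    Assumption (not stated in the thread): the pattern is matched
    case-insensitively against the whole DN. Returns None when no rule
    matches, the situation in which slapd keeps the unmapped SASL DN.
    """
    for pattern, repl in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            return m.expand(slapd_replacement_to_python(repl))
    return None


# Constructed sample authentication DNs as slapd would build them.
SAMPLE_DNS = [
    "uid=ammar,cn=DIGEST-MD5,cn=auth",                # plain DIGEST-MD5 bind
    "uid=ammar,cn=CRAM-MD5,cn=auth",                  # other mech: rule is mech-specific
    "uid=ammar,cn=mydomain.com,cn=DIGEST-MD5,cn=auth",  # realm present
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{dn}")
        print(f"  posted rule -> {map_sasl_dn(dn, POSTED_RULES)}")
        print(f"  tight rule  -> {map_sasl_dn(dn, TIGHT_RULES)}")
```

With the posted rule, the realm form rewrites to uid=ammar,cn=mydomain.com,ou=People,dc=mydomain,dc=com, a DN that exists nowhere in the tree, so the bind fails for a different reason than the original report; the tightened rule simply leaves that DN unmapped, which is easier to spot in the logs.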