SASL and mail attribute help
Update:
I changed my slapd.conf as follows (just removed the cn=powell, which seemed
to be a problem, and ou=people from the ldap URL, which should not matter):
password-hash {CLEARTEXT}
sasl-regexp
uid=(.*),cn=digest-md5,cn=auth
ldap:///dc=example,dc=com??sub?(mail=$1)
I turned saslauthd off because experimentation made it apparent that
openldap uses the SASL libraries, but does not require the daemon.
My previously given simple bind using a filter of mail=pacifico@example.com
continues to work correctly (as shown previously, near the bottom of this
message).
Still, trying to authenticate with the email address fails:
[pacifico@powell data]$ ldapsearch -U 'pacifico@example.com' -Y DIGEST-MD5 -W 'mail=pacifico@example.com' 'cn'
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional com: SASL(-13): user not found: no secret in database
Examining the error output of slapd -d 7 (follows below, with lines numbered
for reference purposes) reveals that sasl-regexp has done its job perfectly
(lines 193-5 below), but the sought-after entry does not match the filter
(lines 236-240). I suppose lines 257-264 indicate a fallback to a sasldb
which would be expected to fail and apparently does, giving the same message
on line 264 as on 255.
Any suggestions? What am I missing?
-al
output of slapd -d 7: (I must apologize for the residual verbosity)
<snip>
181 do_sasl_bind: dn () mech DIGEST-MD5
182 ==> sasl_bind: dn="" mech=<continuing> datalen=270
183 SASL [conn=0] Debug: DIGEST-MD5 server step 2
184 SASL Canonicalize [conn=0]: authcid="pacifico@example.com"
185 slap_sasl_getdn: id=pacifico@example.com [len=20]
186 slap_sasl_getdn: u:id converted to uid=pacifico@example.com,cn=DIGEST-MD5,cn=auth
187 >>> dnNormalize: <uid=pacifico@example.com,cn=DIGEST-MD5,cn=auth>
188 => ldap_bv2dn(uid=pacifico@example.com,cn=DIGEST-MD5,cn=auth,0)
189 <= ldap_bv2dn(uid=pacifico@example.com,cn=DIGEST-MD5,cn=auth,0)=0
190 => ldap_dn2bv(272)
191 <= ldap_dn2bv(uid=pacifico@example.com,cn=digest-md5,cn=auth,272)=0
192 <<< dnNormalize: <uid=pacifico@example.com,cn=digest-md5,cn=auth>
193 ==>slap_sasl2dn: converting SASL name uid=pacifico@example.com,cn=digest-md5,cn=auth to a DN
194 slap_sasl_regexp: converting SASL name uid=pacifico@example.com,cn=digest-md5,cn=auth
195 slap_sasl_regexp: converted SASL name to ldap:///dc=example,dc=com??sub?(mail=pacifico@example.com)
196 slap_parseURI: parsing ldap:///dc=example,dc=com??sub?(mail=pacifico@example.com)
197 ldap_url_parse_ext(ldap:///dc=example,dc=com??sub?(mail=pacifico@example.com))
198 put_filter: "(mail=pacifico@example.com)"
199 put_filter: simple
200 put_simple_filter: "mail=pacifico@example.com"
201 ber_scanf fmt ({mm}) ber:
202 >>> dnNormalize: <dc=example,dc=com>
203 => ldap_bv2dn(dc=example,dc=com,0)
204 <= ldap_bv2dn(dc=example,dc=com,0)=0
205 => ldap_dn2bv(272)
206 <= ldap_dn2bv(dc=example,dc=com,272)=0
207 <<< dnNormalize: <dc=example,dc=com>
208 slap_sasl2dn: performing internal search (base=dc=example,dc=com, scope=2)
209 => bdb_search
210 bdb_dn2entry("dc=example,dc=com")
211 => bdb_dn2id( "dc=example,dc=com" )
212 <= bdb_dn2id: got id=0x00000001
213 entry_decode: "dc=example,dc=com"
214 <= entry_decode(dc=example,dc=com)
215 search_candidates: base="dc=example,dc=com" (0x00000001) scope=2
216 => bdb_dn2idl( "dc=example,dc=com" )
217 => bdb_equality_candidates (objectClass)
218 <= bdb_equality_candidates: (objectClass) index_param failed (18)
219 => bdb_equality_candidates (mail)
220 => key_read
221 bdb_idl_fetch_key: [3ffb653f]
222 <= bdb_index_read 1 candidates
223 <= bdb_equality_candidates: id=1, first=4, last=4
224 bdb_search_candidates: id=-1 first=1 last=10
225 bdb_search: 1 does not match filter
226 entry_decode: "ou=people,dc=example,dc=com"
227 <= entry_decode(ou=people,dc=example,dc=com)
228 => bdb_dn2id( "ou=people,dc=example,dc=com" )
229 <= bdb_dn2id: got id=0x00000002
230 bdb_search: 2 does not match filter
231 entry_decode: "ou=clients,dc=example,dc=com"
232 <= entry_decode(ou=clients,dc=example,dc=com)
233 => bdb_dn2id( "ou=clients,dc=example,dc=com" )
234 <= bdb_dn2id: got id=0x00000003
235 bdb_search: 3 does not match filter
236 entry_decode: "cn=Al Pacifico,ou=People,dc=example,dc=com"
237 <= entry_decode(cn=Al Pacifico,ou=People,dc=example,dc=com)
238 => bdb_dn2id( "cn=al pacifico,ou=people,dc=example,dc=com" )
239 <= bdb_dn2id: got id=0x00000004
240 bdb_search: 4 does not match filter
241 entry_decode: "cn=ldapsync,dc=example,dc=com"
242 <= entry_decode(cn=ldapsync,dc=example,dc=com)
243 => bdb_dn2id( "cn=ldapsync,dc=example,dc=com" )
244 <= bdb_dn2id: got id=0x00000006
245 entry_decode: "ou=groups,dc=example,dc=com"
246 <= entry_decode(ou=groups,dc=example,dc=com)
247 => bdb_dn2id( "ou=groups,dc=example,dc=com" )
248 <= bdb_dn2id: got id=0x00000007
249 bdb_search: 7 does not match filter
250 entry_decode: "cn=administrators,ou=groups,dc=example,dc=com"
251 <= entry_decode(cn=administrators,ou=groups,dc=example,dc=com)
252 => bdb_dn2id( "cn=administrators,ou=groups,dc=example,dc=com" )
253 <= bdb_dn2id: got id=0x0000000a
254 bdb_search: 10 does not match filter
255 send_ldap_result: conn=0 op=0 p=3
256 send_ldap_result: err=0 matched="" text=""
257 <==slap_sasl2dn: Converted SASL name to <nothing>
258 SASL Canonicalize [conn=0]: slapAuthcDN="uid=pacifico@example.com,cn=digest-md5,cn=auth"
259 SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
260 SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
261 SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
262 SASL Canonicalize [conn=0]: authzid="pacifico@example.com"
263 SASL [conn=0] Failure: no secret in database
264 send_ldap_result: conn=0 op=1 p=3
265 send_ldap_result: err=80 matched="" text="SASL(-13): user not found: no secret in database"
266 send_ldap_response: msgid=2 tag=97 err=80
<snip>
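The resolution path the debug output above walks through (authcid to SASL DN, sasl-regexp to LDAP URL, URL to an internal search that must yield exactly one entry), modelled as an added Python example that is not OpenLDAP's code: the single rule and the three-entry directory are constructed from this thread, and the RFC 4515 escaping of the captured value before it is substituted into the filter is the example's own defensive choice, not something the posted slapd.conf does.

```python
import re

# Constructed: the sasl-regexp rule from the updated slapd.conf, (pattern, url-template).
SASL_REGEXP_RULES = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "ldap:///dc=example,dc=com??sub?(mail=$1)"),
]

# Constructed directory snapshot: only the attributes the filter needs.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["dcObject"]},
    "ou=People,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=Al Pacifico,ou=People,dc=example,dc=com": {"cn": ["Al Pacifico"], "mail": ["pacifico@example.com"]},
}

def sasl_authc_dn(authcid, mech):
    """SASL DN slapd derives from the authcid and mechanism (cf. slap_sasl_getdn in the log)."""
    return f"uid={authcid},cn={mech.lower()},cn=auth"

def escape_filter_value(value):
    """RFC 4515 escaping, so a captured '*' or ')' cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def apply_sasl_regexp(sasl_dn, rules):
    """First rule whose pattern matches the whole SASL DN wins; $N is replaced by the escaped group N."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m:
            return re.sub(r"\$(\d)", lambda g: escape_filter_value(m.group(int(g.group(1)))), template)
    return None  # no rule matched: slapd keeps the bare SASL DN

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its components."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url)
    if not m:
        raise ValueError(f"not an ldap:/// search URL: {url}")
    base, attrs, scope, filt = m.groups()
    return {"base": base, "attrs": attrs, "scope": scope or "base", "filter": filt}

def match_equality_filter(entry, filt):
    """Evaluate one (attr=value) filter; mail uses a case-insensitive matching rule."""
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", filt).groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda g: chr(int(g.group(1), 16)), value)  # undo escaping
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def resolve_sasl_dn(authcid, mech, rules=SASL_REGEXP_RULES, directory=DIRECTORY):
    """Return the entry DN the authcid maps to, or None (the log's 'Converted SASL name to <nothing>')."""
    url = apply_sasl_regexp(sasl_authc_dn(authcid, mech), rules)
    if url is None:
        return None
    q = parse_ldap_url(url)
    base = q["base"].lower()  # scope 'sub': every entry at or below the base is a candidate
    hits = [dn for dn, e in directory.items() if dn.lower().endswith(base) and match_equality_filter(e, q["filter"])]
    return hits[0] if len(hits) == 1 else None  # slapd accepts the mapping only for exactly one match
```

Tracing `resolve_sasl_dn("pacifico@example.com", "DIGEST-MD5")` reproduces lines 185-208 of the log; the difference is that this model's filter evaluation does match the Al Pacifico entry, which is exactly the step the real server reports as "does not match filter".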
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Al Pacifico
Sent: Wednesday, June 01, 2005 12:30 PM
To: OpenLDAP-software@OpenLDAP.org
Subject: RE: SASL and mail attribute help
Michael and Hallvard-
Thank you for your responses! The reinforcement regarding the context of uid
was essential.
However, I'm still having troubles...
My slapd.conf contains:
password-hash {CLEARTEXT}
sasl-regexp
uid=(.*),cn=powell,cn=DIGEST-MD5,cn=auth
ldap:///ou=people,dc=example,dc=com??sub?(mail=$1)
My realm should be my fully-qualified domain name, correct?
[pacifico@powell data]$ hostname --fqdn
powell
A simple bind finds an entry without problem:
[pacifico@powell data]$ ldapsearch -x -D 'cn=Al Pacifico,ou=people,dc=example,dc=com' -W 'mail=pacifico@example.com' 'cn'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: mail=pacifico@example.com
# requesting: cn
#
# Al Pacifico, People, example.com
dn: cn=Al Pacifico,ou=People,dc=example,dc=com
cn: Al Pacifico
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Now, authenticating with email address:
[pacifico@powell data]$ ldapsearch -U 'pacifico@example.com' -Y DIGEST-MD5 -W 'mail=pacifico@example.com' 'cn'
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional com: SASL(-13): user not found: no secret in database
Additional information:
1. Substituting -D for -U seems to halt earlier in the process.
2. Adding the -D option and argument from the simple bind example
produces the same result.
3. Adding the -v flag provides no additional useful information.
4. I've confirmed saslauthd is running on my machine and the error
message implies it is running as well.
I suspect I've omitted something SASL-related from my slapd.conf or made
some simple error in the sasl-regexp. Suggestions?
Thanks.
-al
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Michael Ströder
Sent: Wednesday, June 01, 2005 10:15 AM
To: Al Pacifico
Cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: SASL and mail attribute help
Michael Ströder wrote:
> Al Pacifico wrote:
>
>> The examples at OpenLDAP show use of the uid attribute, which is not present
>> for all entries in my directory. I'm not sure how to map to the correct
>> authentication request DN.
>
>
> Simply fill the attribute uid of all entries by assigning each user who
> has to bind to OpenLDAP a unique user name.
> Or use another unique attribute like 'employeeNumber'.
Sorry, got you wrong.
What you're probably after is (example not tested!):
sasl-regexp
"uid=([a-zA-Z0-9]+),cn=(digest-md5|cram-md5|ntlm|plain|login|gssapi),cn=auth"
"ldap:///dc=stroeder,dc=com??sub?(mail=$1)"
Note 'mail=$' in the LDAP URL.
Ciao, Michael