
Authenticating OpenLDAP with mysql?



I've been trying to get OpenLDAP to authenticate user information with mysql without much success so far. This is my setup.

I'm using bdb for the OpenLDAP backend. I have all my user names and passwords (in plain text) stored in a table in mysql db. I followed the docs and configured SASL to use the auxprop_plugin: sql to do the authentication with mysql. Here is my /usr/local/lib/sasl2/slapd.conf:

pwcheck_method: auxprop
mech_list: plain
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: ro_agent
sql_passwd: ro_agent
sql_database: test
sql_select: select users.userPassword from ucdata.users,Email.globalSettings where users.clientId = globalSettings.clientId and users.loginName='%u' and globalSettings.domain='%r' and globalSettings.nsvalid='1'
log_level: 7

Now when I try using ldapadd,

/usr/local/ldap/bin/ldapadd -Y PLAIN -d -1 -U freeUser@c1.email.coolpets.net -X u:freeUser -D 'dc=enet' -f ~/addressbooksample.ldif

I'm getting the following error and it looks like LDAP is now trying to do proxy authorization. I don't want proxy authorization at all... In fact, at one point I was getting Segmentation fault in slap_sasl_authorized() in saslauthz.c since authzDN->bv_val is null. So I commented out a debug line to get to this point.

How do I get OpenLDAP to not do SASL proxy authorization?

Krish

ber_get_next
ldap_read: want=8, got=8
  0000:  30 38 02 01 01 60 33 02                           08...`3.
ldap_read: want=50, got=50
  0000:  01 03 04 07 64 63 3d 65 6e 65 74 a3 25 04 05 50   ....dc=enet.%..P
  0010:  4c 41 49 4e 04 1c 75 3a 66 72 65 65 55 73 65 72   LAIN..u:freeUser
  0020:  00 66 72 65 65 55 73 65 72 00 75 6e 69 74 74 65   .freeUser.unitte
  0030:  73 74                                             st
ber_get_next: tag 0x30 len 56 contents:
ber_dump: buf=0x081e5058 ptr=0x081e5058 end=0x081e5090 len=56
  0000:  02 01 01 60 33 02 01 03 04 07 64 63 3d 65 6e 65   ...`3.....dc=ene
  0010:  74 a3 25 04 05 50 4c 41 49 4e 04 1c 75 3a 66 72   t.%..PLAIN..u:fr
  0020:  65 65 55 73 65 72 00 66 72 65 65 55 73 65 72 00   eeUser.freeUser.
  0030:  75 6e 69 74 74 65 73 74                           unittest
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable)
daemon: select: listen=6 active_threads=0 tvp=NULL
do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x081e5058 ptr=0x081e505b end=0x081e5090 len=53
  0000:  60 33 02 01 03 04 07 64 63 3d 65 6e 65 74 a3 25   `3.....dc=enet.%
  0010:  04 05 50 4c 41 49 4e 04 1c 75 3a 66 72 65 65 55   ..PLAIN..u:freeU
  0020:  73 65 72 00 66 72 65 65 55 73 65 72 00 75 6e 69   ser.freeUser.uni
  0030:  74 74 65 73 74                                    ttest
ber_scanf fmt ({m) ber:
ber_dump: buf=0x081e5058 ptr=0x081e5069 end=0x081e5090 len=39
  0000:  00 25 04 05 50 4c 41 49 4e 04 1c 75 3a 66 72 65   .%..PLAIN..u:fre
  0010:  65 55 73 65 72 00 66 72 65 65 55 73 65 72 00 75   eUser.freeUser.u
  0020:  6e 69 74 74 65 73 74                              nittest
ber_scanf fmt (m) ber:
ber_dump: buf=0x081e5058 ptr=0x081e5072 end=0x081e5090 len=30
  0000:  00 1c 75 3a 66 72 65 65 55 73 65 72 00 66 72 65   ..u:freeUser.fre
  0010:  65 55 73 65 72 00 75 6e 69 74 74 65 73 74         eUser.unittest
ber_scanf fmt (}}) ber:
ber_dump: buf=0x081e5058 ptr=0x081e5090 end=0x081e5090 len=0


>>> dnPrettyNormal: <dc=enet>
=> ldap_bv2dn(dc=enet,0)
ldap_err2string
<= ldap_bv2dn(dc=enet)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=enet)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=enet)=0 Success
<<< dnPrettyNormal: <dc=enet>, <dc=enet>
do_sasl_bind: dn (dc=enet) mech PLAIN
conn=6 op=0 BIND dn="dc=enet" method=163
==> sasl_bind: dn="dc=enet" mech=PLAIN datalen=28
SASL Canonicalize [conn=6]: authcid="freeUser"
slap_sasl_getdn: conn 6 id=freeUser [len=8]
=> ldap_dn2bv(16)
ldap_err2string
<= ldap_dn2bv(uid=freeUser,cn=PLAIN,cn=auth)=0 Success
slap_sasl_getdn: u:id converted to uid=freeUser,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=freeUser,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth,0)
ldap_err2string
<= ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=freeuser,cn=plain,cn=auth)=0 Success
<<< dnNormalize: <uid=freeuser,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=freeuser,cn=plain,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=freeuser,cn=plain,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=6]: slapAuthcDN="uid=freeuser,cn=plain,cn=auth"
SASL Canonicalize [conn=6]: authcid="freeUser"
slap_sasl_getdn: conn 6 id=freeUser [len=8]
=> ldap_dn2bv(16)
ldap_err2string
<= ldap_dn2bv(uid=freeUser,cn=PLAIN,cn=auth)=0 Success
slap_sasl_getdn: u:id converted to uid=freeUser,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=freeUser,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth,0)
ldap_err2string
<= ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=freeuser,cn=plain,cn=auth)=0 Success
<<< dnNormalize: <uid=freeuser,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=freeuser,cn=plain,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=freeuser,cn=plain,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=6]: slapAuthcDN="uid=freeuser,cn=plain,cn=auth"
SASL Canonicalize [conn=6]: authzid="u:freeUser"
SASL proxy authorize [conn=6]: authcid="freeUser" authzid="u:freeUser"
==>slap_sasl_authorized: can become ?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=6]: proxy authorization disallowed (48)
SASL [conn=6] Failure: not authorized
send_ldap_result: conn=6 op=0 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=1 tag=97 err=50
ber_flush: 62 bytes to sd 12
  0000:  30 3c 02 01 01 61 37 0a 01 32 04 00 04 30 53 41   0<...a7..2...0SA
  0010:  53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69   SL(-14): authori
  0020:  7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20   zation failure:
  0030:  6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64         not authorized
ldap_write: want=62, written=62
  0000:  30 3c 02 01 01 61 37 0a 01 32 04 00 04 30 53 41   0<...a7..2...0SA
  0010:  53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69   SL(-14): authori
  0020:  7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20   zation failure:
  0030:  6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64         not authorized
conn=6 op=0 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized
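Added example, not code from Krish's post or from OpenLDAP: a small decoder for the 58 bytes that the two ldap_read dumps above contain (the whole LDAPv3 BindRequest for conn=6 op=0). It assumes nothing beyond those bytes; the function and field names are its own. Walking the BER and then the SASL PLAIN message shows where the proxy authorization comes from: the -X u:freeUser option puts a non-empty authzid in front of the authcid, and a non-empty authzid is by definition a request to act as another identity, which is what slapd then evaluates in slap_sasl_authorized and rejects. The same decode also shows that PLAIN carries the password (here the 8-byte "unittest") in clear text, so a -d -1 trace of a PLAIN bind must be handled as a credential, not as an ordinary log. build_plain with its default empty authzid is the shape ldapadd sends when -X is left off.

```python
"""Decode the captured LDAP BindRequest and the SASL PLAIN message inside it."""
from dataclasses import dataclass
from typing import Tuple

# The 58 bytes slapd read for conn=6 op=0, transcribed from the trace
# (ldap_read want=8 followed by ldap_read want=50).
_HEX = """
30 38 02 01 01 60 33 02
01 03 04 07 64 63 3d 65 6e 65 74 a3 25 04 05 50
4c 41 49 4e 04 1c 75 3a 66 72 65 65 55 73 65 72
00 66 72 65 65 55 73 65 72 00 75 6e 69 74 74 65
73 74
"""
BIND_REQUEST = bytes.fromhex("".join(_HEX.split()))


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag/length/value at pos (definite lengths only, which is
    all LDAP permits). Returns (tag, value, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str          # the -D value; the trace shows slapd took the identity from the SASL authcid instead
    mechanism: str
    credentials: bytes


def parse_bind_request(raw: bytes) -> BindRequest:
    """LDAPMessage ::= SEQUENCE { messageID, protocolOp BindRequest [APPLICATION 0] }"""
    tag, msg, _ = _tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, mid, pos = _tlv(msg, 0)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest (tag 0x%02x)" % tag)
    _, ver, pos = _tlv(op, 0)
    _, name, pos = _tlv(op, pos)
    tag, auth, _ = _tlv(op, pos)
    if tag != 0xA3:                        # [3] SaslCredentials; 0x80 would be a simple bind
        raise ValueError("not a SASL bind (tag 0x%02x)" % tag)
    _, mech, pos = _tlv(auth, 0)
    creds = b""
    if pos < len(auth):                    # credentials are OPTIONAL in SaslCredentials
        _, creds, _ = _tlv(auth, pos)
    return BindRequest(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                       name.decode("utf-8"), mech.decode("ascii"), creds)


def parse_plain(creds: bytes) -> Tuple[str, str, str]:
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    parts = creds.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL bytes")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("PLAIN requires a non-empty authcid and passwd")
    return authzid, authcid, passwd


def build_plain(authcid: str, passwd: str, authzid: str = "") -> bytes:
    """Inverse of parse_plain; an empty authzid is what the client sends without -X."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    return b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, passwd))


def proxy_authorization_requested(authzid: str) -> bool:
    """Any non-empty authzid asks the server to let authcid act as that identity;
    with it empty the authorization identity is derived from authcid and no
    proxy check is needed."""
    return bool(authzid)


def explain(raw: bytes) -> dict:
    """Summarise a captured PLAIN bind without echoing the password."""
    req = parse_bind_request(raw)
    authzid, authcid, passwd = parse_plain(req.credentials)
    return {
        "message_id": req.message_id,
        "ldap_version": req.version,
        "mechanism": req.mechanism,
        "authcid": authcid,
        "authzid": authzid,
        "password_length": len(passwd),
        "proxy_authorization_requested": proxy_authorization_requested(authzid),
    }


if __name__ == "__main__":
    for key, value in explain(BIND_REQUEST).items():
        print(f"{key}: {value}")
    print("PLAIN message without -X:", build_plain("freeUser", "unittest"))
```

The 28-byte credential length the decoder recovers is the same datalen=28 that slapd reports in the sasl_bind line of the trace, which is a quick way to confirm the transcription of a dump before reasoning about it.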