[Date Prev][Date Next] [Chronological] [Thread] [Top]

Authenticating OpenLDAP with mysql?

To: OpenLDAP-software@OpenLDAP.org
Subject: Authenticating OpenLDAP with mysql?
From: Krishna Sivaramapuram <krishna@everyone.net>
Date: Thu, 17 Nov 2005 12:29:11 -0800
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

I've been trying to get OpenLDAP to authenticate user information with mysql without much success so far. This is my setup.pwcheck_method: auxprop mech_list: plain auxprop_plugin: sql sql_engine: mysql sql_hostnames: localhost sql_user: ro_agent sql_passwd: ro_agent sql_database: test sql_select: select users.userPassword from ucdata.users,Email.globalSettings wh ere users.clientId = globalSettings.clientId and users.loginName='%u' and global Settings.domain='%r' and globalSettings.nsvalid='1' log_level: 7

I'm using bdb for the OpenLDAP backend. I have all my user names and passwords (in plain text) stored in a table in mysql db. I followed the docs and configured SASL to use the auxprop_plugin: sql to do the authentication with mysql. Here is my /usr/local/lib/sasl2/slapd.conf

Now when I try using ldapadd,

/usr/local/ldap/bin/ldapadd -Y PLAIN -d -1 -U freeUser@c1.email.coolpets.net -X u:freeUser -D 'dc=enet' -f ~~/addressbooksample.ldif

I'm getting the following error and it looks like LDAP is now trying to do proxy authorization. I don't want proxy authorization at all... In fact, at one point I was getting Segmentation fault in slap_sasl_authorized() in saslauthz.c since authzDN->bv_val is null. So I commented out a debug line to get to this point.

How do I get OpenLDAP to not do SASL proxy authorization?

Krish

ber_get_next ldap_read: want=8, got=8 0000: 30 38 02 01 01 60 33 02 08...`3. ldap_read: want=50, got=50 0000: 01 03 04 07 64 63 3d 65 6e 65 74 a3 25 04 05 50 ....dc=enet.%..P 0010: 4c 41 49 4e 04 1c 75 3a 66 72 65 65 55 73 65 72 LAIN..u:freeUser 0020: 00 66 72 65 65 55 73 65 72 00 75 6e 69 74 74 65 .freeUser.unitte 0030: 73 74 st ber_get_next: tag 0x30 len 56 contents: ber_dump: buf=0x081e5058 ptr=0x081e5058 end=0x081e5090 len=56 0000: 02 01 01 60 33 02 01 03 04 07 64 63 3d 65 6e 65 ...`3.....dc=ene 0010: 74 a3 25 04 05 50 4c 41 49 4e 04 1c 75 3a 66 72 t.%..PLAIN..u:fr 0020: 65 65 55 73 65 72 00 66 72 65 65 55 73 65 72 00 eeUser.freeUser. 0030: 75 6e 69 74 74 65 73 74 unittest ber_get_next ldap_read: want=8 error=Resource temporarily unavailable ber_get_next on fd 12 failed errno=11 (Resource temporarily unavailable) daemon: select: listen=6 active_threads=0 tvp=NULL do_bind ber_scanf fmt ({imt) ber: ber_dump: buf=0x081e5058 ptr=0x081e505b end=0x081e5090 len=53 0000: 60 33 02 01 03 04 07 64 63 3d 65 6e 65 74 a3 25 `3.....dc=enet.% 0010: 04 05 50 4c 41 49 4e 04 1c 75 3a 66 72 65 65 55 ..PLAIN..u:freeU 0020: 73 65 72 00 66 72 65 65 55 73 65 72 00 75 6e 69 ser.freeUser.uni 0030: 74 74 65 73 74 ttest ber_scanf fmt ({m) ber: ber_dump: buf=0x081e5058 ptr=0x081e5069 end=0x081e5090 len=39 0000: 00 25 04 05 50 4c 41 49 4e 04 1c 75 3a 66 72 65 .%..PLAIN..u:fre 0010: 65 55 73 65 72 00 66 72 65 65 55 73 65 72 00 75 eUser.freeUser.u 0020: 6e 69 74 74 65 73 74 nittest ber_scanf fmt (m) ber: ber_dump: buf=0x081e5058 ptr=0x081e5072 end=0x081e5090 len=30 0000: 00 1c 75 3a 66 72 65 65 55 73 65 72 00 66 72 65 ..u:freeUser.fre 0010: 65 55 73 65 72 00 75 6e 69 74 74 65 73 74 eUser.unittest ber_scanf fmt (}}) ber: ber_dump: buf=0x081e5058 ptr=0x081e5090 end=0x081e5090 len=0

>>> dnPrettyNormal: <dc=enet> => ldap_bv2dn(dc=enet,0) ldap_err2string <= ldap_bv2dn(dc=enet)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(dc=enet)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(dc=enet)=0 Success <<< dnPrettyNormal: <dc=enet>, <dc=enet> do_sasl_bind: dn (dc=enet) mech PLAIN conn=6 op=0 BIND dn="dc=enet" method=163 ==> sasl_bind: dn="dc=enet" mech=PLAIN datalen=28 SASL Canonicalize [conn=6]: authcid="freeUser" slap_sasl_getdn: conn 6 id=freeUser [len=8] => ldap_dn2bv(16) ldap_err2string <= ldap_dn2bv(uid=freeUser,cn=PLAIN,cn=auth)=0 Success slap_sasl_getdn: u:id converted to uid=freeUser,cn=PLAIN,cn=auth >>> dnNormalize: <uid=freeUser,cn=PLAIN,cn=auth> => ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth,0) ldap_err2string <= ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(uid=freeuser,cn=plain,cn=auth)=0 Success <<< dnNormalize: <uid=freeuser,cn=plain,cn=auth> ==>slap_sasl2dn: converting SASL name uid=freeuser,cn=plain,cn=auth to a DN slap_authz_regexp: converting SASL name uid=freeuser,cn=plain,cn=auth <==slap_sasl2dn: Converted SASL name to <nothing> SASL Canonicalize [conn=6]: slapAuthcDN="uid=freeuser,cn=plain,cn=auth" SASL Canonicalize [conn=6]: authcid="freeUser" slap_sasl_getdn: conn 6 id=freeUser [len=8] => ldap_dn2bv(16) ldap_err2string <= ldap_dn2bv(uid=freeUser,cn=PLAIN,cn=auth)=0 Success slap_sasl_getdn: u:id converted to uid=freeUser,cn=PLAIN,cn=auth >>> dnNormalize: <uid=freeUser,cn=PLAIN,cn=auth> => ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth,0) ldap_err2string <= ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth)=0 Success => ldap_dn2bv(272) ldap_err2string <= ldap_dn2bv(uid=freeuser,cn=plain,cn=auth)=0 Success <<< dnNormalize: <uid=freeuser,cn=plain,cn=auth> ==>slap_sasl2dn: converting SASL name uid=freeuser,cn=plain,cn=auth to a DN slap_authz_regexp: converting SASL name uid=freeuser,cn=plain,cn=auth <==slap_sasl2dn: Converted SASL name to <nothing> SASL Canonicalize [conn=6]: slapAuthcDN="uid=freeuser,cn=plain,cn=auth" SASL Canonicalize [conn=6]: authzid="u:freeUser" SASL proxy authorize [conn=6]: authcid="freeUser" authzid="u:freeUser" ==>slap_sasl_authorized: can become ? <== slap_sasl_authorized: return 48 SASL Proxy Authorize [conn=6]: proxy authorization disallowed (48) SASL [conn=6] Failure: not authorized send_ldap_result: conn=6 op=0 p=3 send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized" send_ldap_response: msgid=1 tag=97 err=50 ber_flush: 62 bytes to sd 12 0000: 30 3c 02 01 01 61 37 0a 01 32 04 00 04 30 53 41 0<...a7..2...0SA 0010: 53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69 SL(-14): authori 0020: 7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 zation failure: 0030: 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 not authorized ldap_write: want=62, written=62 0000: 30 3c 02 01 01 61 37 0a 01 32 04 00 04 30 53 41 0<...a7..2...0SA 0010: 53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69 SL(-14): authori 0020: 7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 zation failure: 0030: 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 not authorized conn=6 op=0 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized

Follow-Ups:
- Re: Authenticating OpenLDAP with mysql?
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re[3]: openldap-server-2.2.29: multimaster support
Next by Date: Re[3]: openldap-server-2.2.29: multimaster support
Index(es):
- Chronological
- Thread