Authenticating OpenLDAP with mysql?
I've been trying to get OpenLDAP to authenticate user information with
mysql without much success so far. This is my setup.

I'm using bdb for the OpenLDAP backend. I have all my user names and
passwords (in plain text) stored in a table in mysql db. I followed the
docs and configured SASL to use the auxprop_plugin: sql to do the
authentication with mysql. Here is my /usr/local/lib/sasl2/slapd.conf

pwcheck_method: auxprop
mech_list: plain
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: ro_agent
sql_passwd: ro_agent
sql_database: test
sql_select: select users.userPassword from ucdata.users,Email.globalSettings where users.clientId = globalSettings.clientId and users.loginName='%u' and globalSettings.domain='%r' and globalSettings.nsvalid='1'
log_level: 7
Now when I try using ldapadd,

/usr/local/ldap/bin/ldapadd -Y PLAIN -d -1 -U freeUser@c1.email.coolpets.net -X u:freeUser -D 'dc=enet' -f ~~/addressbooksample.ldif
I'm getting the following error and it looks like LDAP is now trying to
do proxy authorization. I don't want proxy authorization at all... In
fact, at one point I was getting Segmentation fault in
slap_sasl_authorized() in saslauthz.c since authzDN->bv_val is null. So
I commented out a debug line to get to this point.
How do I get OpenLDAP to not do SASL proxy authorization?
Krish
do_bind
>>> dnPrettyNormal: <dc=enet>
=> ldap_bv2dn(dc=enet,0)
ldap_err2string
<= ldap_bv2dn(dc=enet)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=enet)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(dc=enet)=0 Success
<<< dnPrettyNormal: <dc=enet>, <dc=enet>
do_sasl_bind: dn (dc=enet) mech PLAIN
conn=6 op=0 BIND dn="dc=enet" method=163
==> sasl_bind: dn="dc=enet" mech=PLAIN datalen=28
SASL Canonicalize [conn=6]: authcid="freeUser"
slap_sasl_getdn: conn 6 id=freeUser [len=8]
=> ldap_dn2bv(16)
ldap_err2string
<= ldap_dn2bv(uid=freeUser,cn=PLAIN,cn=auth)=0 Success
slap_sasl_getdn: u:id converted to uid=freeUser,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=freeUser,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth,0)
ldap_err2string
<= ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=freeuser,cn=plain,cn=auth)=0 Success
<<< dnNormalize: <uid=freeuser,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=freeuser,cn=plain,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=freeuser,cn=plain,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=6]: slapAuthcDN="uid=freeuser,cn=plain,cn=auth"
SASL Canonicalize [conn=6]: authcid="freeUser"
slap_sasl_getdn: conn 6 id=freeUser [len=8]
=> ldap_dn2bv(16)
ldap_err2string
<= ldap_dn2bv(uid=freeUser,cn=PLAIN,cn=auth)=0 Success
slap_sasl_getdn: u:id converted to uid=freeUser,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=freeUser,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth,0)
ldap_err2string
<= ldap_bv2dn(uid=freeUser,cn=PLAIN,cn=auth)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=freeuser,cn=plain,cn=auth)=0 Success
<<< dnNormalize: <uid=freeuser,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=freeuser,cn=plain,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=freeuser,cn=plain,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=6]: slapAuthcDN="uid=freeuser,cn=plain,cn=auth"
SASL Canonicalize [conn=6]: authzid="u:freeUser"
SASL proxy authorize [conn=6]: authcid="freeUser" authzid="u:freeUser"
==>slap_sasl_authorized: can become ?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=6]: proxy authorization disallowed (48)
SASL [conn=6] Failure: not authorized
send_ldap_result: conn=6 op=0 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=1 tag=97 err=50
conn=6 op=0 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized
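One way to read a trace like the one above, as an added diagnostic example that is not part of the original post and not OpenLDAP's own code: the script below summarises which identities the client presented, whether slapd mapped the authenticating identity to a directory DN, whether proxy authorization was requested, and the final result code. The embedded trace is a constructed excerpt trimmed from the log quoted above.

```python
import re

# Constructed excerpt, trimmed from the slapd -d -1 trace quoted in the post.
SAMPLE_TRACE = """\
do_sasl_bind: dn (dc=enet) mech PLAIN
SASL Canonicalize [conn=6]: authcid="freeUser"
slap_sasl_getdn: u:id converted to uid=freeUser,cn=PLAIN,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=6]: slapAuthcDN="uid=freeuser,cn=plain,cn=auth"
SASL Canonicalize [conn=6]: authzid="u:freeUser"
SASL proxy authorize [conn=6]: authcid="freeUser" authzid="u:freeUser"
<== slap_sasl_authorized: return 48
conn=6 op=0 RESULT tag=97 err=50 text=SASL(-14): authorization failure: not authorized
"""

# LDAP result codes that occur in this trace (RFC 4511, section 4.1.9).
LDAP_RESULT = {48: "inappropriateAuthentication", 50: "insufficientAccessRights"}


def analyse_bind_trace(text):
    """Pull the identities and verdicts out of one slapd SASL bind trace."""
    r = {"mech": None, "authcid": None, "authzid": None, "authc_dn": None,
         "proxy_authz": False, "authz_rc": None, "err": None, "findings": []}
    for line in text.splitlines():
        if line.startswith("SASL proxy authorize"):
            r["proxy_authz"] = True           # slapd is evaluating an authzid
        elif m := re.search(r"mech (\S+)$", line):
            r["mech"] = m.group(1)
        elif m := re.search(r'authcid="([^"]+)"$', line):
            r["authcid"] = m.group(1)         # identity that authenticated
        elif m := re.search(r'authzid="([^"]+)"$', line):
            r["authzid"] = m.group(1)         # identity the client asked to become
        elif m := re.search(r"Converted SASL name to <(.*)>", line):
            r["authc_dn"] = None if m.group(1) == "nothing" else m.group(1)
        elif m := re.search(r"slap_sasl_authorized: return (\d+)", line):
            r["authz_rc"] = int(m.group(1))
        elif m := re.search(r"RESULT .*err=(\d+)", line):
            r["err"] = int(m.group(1))
    if r["authc_dn"] is None:
        r["findings"].append("authc identity was not mapped to a directory DN "
                             "(no authz-regexp rule matched; it stays under cn=auth)")
    if r["proxy_authz"]:
        r["findings"].append("client sent an authzid, so slapd ran proxy authorization "
                             "(the -X option of the ldap tools sets it)")
    if r["err"]:
        r["findings"].append("bind failed: %d %s" % (r["err"], LDAP_RESULT.get(r["err"], "?")))
    return r
```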