Re: DIGEST-MD5 returns 'user not found'
lemons_terry@emc.com wrote:
> Thanks, as ever, for the help, Kyle.
>
> I started slapd in debug mode. When I executed the command you
> suggested, I see:
>
> ldap_err2string
> <= ldap_dn2bv(uid=root,cn=digest-md5,cn=auth)=0 Success
> <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth to a DN
> slap_sasl_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> SASL [conn=12] Failure: no secret in database
>
> So, the good news is that "uid=root,cn=digest-md5,cn=auth" does look
> correct. But I then see "Converted SASL name to <nothing>". Here
> are the final lines in my /etc/openldap/slapd.conf:
>
> # SASL options
> password-hash {cleartext}
> authz-regexp uid=(.*),cn=tivo2.backup,cn=digest-md5,cn=auth uid=tlemons
> authz-regexp uid=(.*),cn=digest-md5,cn=auth uid=tlemons
> tivo2:~ #
>
> I thought that the first authz-regexp line would have mapped any
> account to uid=tlemons, but this apparently didn't happen.
>
> Also, when is the information in sasldb2 used? It looks to me like
> it isn't, and that authentication is occurring against entries that
> should be in the LDAP database itself?
It is used as far as sasldb2 is populated as appropriate; please refer
to Cyrus SASL documentation for instructions about populating it.
As soon as you get to authz-regexp mapping, credentials are being looked
up in the directory. Is "uid=tlemons" a valid DN in your DIT? I mean:
does it resolve to an existing entry?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
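To make the mapping step concrete, here is an added example (not code from the thread or from OpenLDAP) that emulates what slap_sasl_regexp does with the poster's two authz-regexp lines: the rules are tried in file order, the first one whose pattern matches the SASL name wins, and $1..$9 in the replacement are the captured groups. It shows why the first rule never fires for "uid=root,cn=digest-md5,cn=auth" (that rule expects a realm component, cn=tivo2.backup, which the SASL name does not carry) and why the second rule's result "uid=tlemons" is only a bare RDN rather than an entry in the DIT. The suffix dc=example,dc=com, the ou=people container and the corrected rules are assumptions; the real base DN is never stated in the thread. Python's re module stands in for the POSIX/PCRE regex engine slapd uses, and the LDAP-URL form of replacement that slapd also accepts is not emulated.

```python
import re

# Constructed sample: the authz-regexp lines quoted in the thread.
SLAPD_CONF = """\
# SASL options
password-hash {cleartext}
authz-regexp uid=(.*),cn=tivo2.backup,cn=digest-md5,cn=auth uid=tlemons
authz-regexp uid=(.*),cn=digest-md5,cn=auth uid=tlemons
"""

# Hypothetical DIT suffix and container; the thread never states them.
SUFFIX = "dc=example,dc=com"

# Assumed corrected rules: anchored patterns, one rule for the realm form
# uid=<user>,cn=<realm>,cn=<mech>,cn=auth and one for the realm-less form,
# both mapping each user to its own entry under the assumed suffix.
FIXED_CONF = """\
authz-regexp ^uid=([^,]*),cn=tivo2.backup,cn=digest-md5,cn=auth$ uid=$1,ou=people,dc=example,dc=com
authz-regexp ^uid=([^,]*),cn=digest-md5,cn=auth$ uid=$1,ou=people,dc=example,dc=com
"""


def parse_authz_regexp(conf):
    """Return (pattern, replacement) pairs in file order; slapd tries them in that order."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].lower() == "authz-regexp":
            rules.append((parts[1], parts[2]))
    return rules


def map_sasl_name(sasl_name, rules):
    """Emulate slap_sasl_regexp: first matching rule wins, $N expands to group N.
    Returns None when nothing matches ("Converted SASL name to <nothing>")."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def is_dn_under_suffix(dn, suffix):
    """Structural check only: a mapped name must be a DN ending in the suffix.
    A bare RDN such as 'uid=tlemons' is not an entry under the suffix, so slapd
    finds no userPassword to check the digest against ("no secret in database")."""
    if dn is None:
        return False
    return dn.lower().endswith("," + suffix.lower())


def diagnose(sasl_name, conf, suffix=SUFFIX):
    """Return (mapped_dn, ok) for one SASL name against one config fragment."""
    mapped = map_sasl_name(sasl_name, parse_authz_regexp(conf))
    return mapped, is_dn_under_suffix(mapped, suffix)


if __name__ == "__main__":
    names = [
        "uid=root,cn=digest-md5,cn=auth",                  # what the debug log showed
        "uid=root,cn=tivo2.backup,cn=digest-md5,cn=auth",  # same user with a realm
        "uid=root,cn=cram-md5,cn=auth",                    # other mechanism, no rule
    ]
    for label, conf in (("posted config", SLAPD_CONF), ("assumed fix", FIXED_CONF)):
        print(label)
        for n in names:
            mapped, ok = diagnose(n, conf)
            print(f"  {n} -> {mapped!r} {'resolvable' if ok else 'NOT an entry under suffix'}")
```

Two things to take from running it: the posted rules map the realm-less name to "uid=tlemons", which is exactly the "<nothing>" resolution path once slapd fails to find such an entry, and a rule whose replacement is a single fixed DN makes every authenticating identity check its digest against that one entry's cleartext userPassword, which is rarely what is intended; mapping $1 to its own entry keeps each user bound to its own secret.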