
Re: DIGEST-MD5 returns 'user not found'



lemons_terry@emc.com wrote:
> Thanks, as ever, for the help, Kyle.
> 
> I started slapd in debug mode.  When I executed the command you
> suggested, I see:
> 
> ldap_err2string
> <= ldap_dn2bv(uid=root,cn=digest-md5,cn=auth)=0 Success
> <<< dnNormalize: <uid=root,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name uid=root,cn=digest-md5,cn=auth to a DN
> slap_sasl_regexp: converting SASL name uid=root,cn=digest-md5,cn=auth
> <==slap_sasl2dn: Converted SASL name to <nothing>
> SASL [conn=12] Failure: no secret in database
> 
> So, the good news is that "uid=root,cn=digest-md5,cn=auth" does look
> correct.  But I then see "Converted SASL name to <nothing>".  Here
> are the final lines in my /etc/openldap/slapd.conf:
> 
> # SASL options
> password-hash   {cleartext}
> authz-regexp
>     uid=(.*),cn=tivo2.backup,cn=digest-md5,cn=auth
>     uid=tlemons
> authz-regexp
>     uid=(.*),cn=digest-md5,cn=auth
>     uid=tlemons
> tivo2:~ #
> 
> I thought that the first authz-regexp line would have mapped any
> account to uid=tlemons, but this apparently didn't happen.
> 
> Also, when is the information in sasldb2 used?  It looks to me like
> it isn't, and that authentication is occurring against entries that
> should be in the LDAP database itself?

It is used as far as sasldb2 is populated as appropriate; please refer
to Cyrus SASL documentation for instructions about populating it.

As soon as you get to authz-regexp mapping, credentials are being looked
up in the directory.  Is "uid=tlemons" a valid DN in your DIT?  I mean:
does it resolve to an existing entry?

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
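A small Python emulation of the authz-regexp step discussed in this thread, added here as an illustration and not slapd's own code: it applies the two rules from the quoted slapd.conf to the SASL name seen in the debug output, then checks the mapped DN against a constructed toy DIT under dc=example,dc=com (the DIT entries and the AUTHZ_REGEXP_FIXED rule are assumptions, not from the thread).

```python
import re

# Rules from the quoted slapd.conf, in file order; slapd applies the first
# authz-regexp whose pattern matches the SASL authentication name.
AUTHZ_REGEXP = [
    (r"uid=(.*),cn=tivo2.backup,cn=digest-md5,cn=auth", "uid=tlemons"),
    (r"uid=(.*),cn=digest-md5,cn=auth", "uid=tlemons"),
]

# Hypothetical rule whose replacement names an entry that really exists.
AUTHZ_REGEXP_FIXED = [
    (r"uid=(.*),cn=digest-md5,cn=auth", "uid=tlemons,ou=people,dc=example,dc=com"),
]

# Constructed toy DIT: the only DNs that exist in this directory.
DIT = {
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "uid=tlemons,ou=people,dc=example,dc=com",
}

def sasl_regexp(sasl_name, rules):
    """First matching rule wins; $1..$9 in the replacement expand to groups."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name)
        if m:
            return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)
    return None  # no rule matched

def normalize_dn(dn):
    """Minimal normalisation: lower-case attribute types, trim whitespace."""
    parts = (r.strip().split("=", 1) for r in dn.split(","))
    return ",".join(f"{t.strip().lower()}={v.strip()}" for t, v in parts)

def sasl2dn(sasl_name, rules, dit):
    """Emulates slap_sasl2dn(): map the name, then require that the mapped DN
    exists in the DIT; otherwise the conversion yields <nothing> (None)."""
    mapped = sasl_regexp(sasl_name, rules)
    if mapped is None:
        return None
    dn = normalize_dn(mapped)
    return dn if dn in {normalize_dn(d) for d in dit} else None

if __name__ == "__main__":
    name = "uid=root,cn=digest-md5,cn=auth"          # from the debug output
    print(sasl_regexp(name, AUTHZ_REGEXP))           # rule 2 matches: uid=tlemons
    print(sasl2dn(name, AUTHZ_REGEXP, DIT))          # None: no such entry in the DIT
    print(sasl2dn(name, AUTHZ_REGEXP_FIXED, DIT))    # the existing entry's DN
```

Note that the first rule never fires for this name because the SASL name carries no realm component (cn=tivo2.backup), and that the second rule's output, while syntactically a DN, names no entry, which is what the debug trace reports as <nothing>.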