
Re: cmusaslsecretPLAIN attribute



Dieter Kluenter wrote:
From your remarks on CA and certificate I assume that you want to use
TLS, while your ldapwhoami seems to indicate that you want to make use
of the PLAIN mechanism, which is disabled by default unless you
provide a secure transport method, that is, either TLS or a local socket.
Unless you provide more information on the parameters used, no advice
can be given.

-Dieter

Correct, I want to be using SASL/PLAIN over TLS. The following works:

$ ldapwhoami -x -W -D 'uid=burianj,ou=people,dc=cqcb'
Enter LDAP Password:
dn:uid=burianj,ou=People,dc=cqcb
Result: Success (0)

The same command without '-x -W', or ldapwhoami with no args, does not work:

$ ldapwhoami -D 'uid=burianj,ou=people,dc=cqcb'
SASL/PLAIN authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: Password verification failed

All three eventually look up the same DN, according to the logs:

slapd[5028]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested

Config files and sample logs follow.

John

/etc/openldap/slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
TLSCipherSuite HIGH
TLSCACertificateFile /etc/openldap/cacerts/cqcb-ca.pem
TLSCertificateFile /etc/pki/tls/certs/cqcb-cert.pem
TLSCertificateKeyFile /etc/pki/tls/certs/cqcb-key.pem
TLSVerifyClient never
security ssf=128
password-hash {SSHA}
# an attempt to allow PLAIN auth
sasl-secprops none
access to attrs=userPassword
 by self write
 by dn="uid=root,ou=People,dc=cqcb" write
 by * auth
access to *
 by * read
authz-regexp uid=([^,]*),cn=plain,cn=auth uid=$1,ou=People,dc=cqcb
database        bdb
suffix          "dc=cqcb"
rootdn          "cn=admin,dc=cqcb"
rootpw {SSHA}xxxx
directory       /var/lib/ldap

/etc/openldap/ldap.conf:

BASE dc=cqcb
URI ldaps://Hodgkin.ccri.net
TLS_CACERT /etc/openldap/cacerts/cqcb-ca.pem

Log of successful lookup:

Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind
Jul 3 12:31:39 Hodgkin slapd[5028]: >>> dnPrettyNormal: <uid=burianj,ou=people,dc=cqcb>
Jul 3 12:31:39 Hodgkin slapd[5028]: <<< dnPrettyNormal: <uid=burianj,ou=people,dc=cqcb>, <uid=burianj,ou=people,dc=cqcb>
Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind: version=3 dn="uid=burianj,ou=people,dc=cqcb" method=128
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=people,dc=cqcb" method=128
Jul 3 12:31:39 Hodgkin slapd[5028]: ==> bdb_bind: dn: uid=burianj,ou=people,dc=cqcb
Jul 3 12:31:39 Hodgkin slapd[5028]: bdb_dn2entry("uid=burianj,ou=people,dc=cqcb")
Jul 3 12:31:39 Hodgkin slapd[5028]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "userPassword" requested
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_get: [1] attr userPassword
Jul 3 12:31:39 Hodgkin slapd[5028]: access_allowed: no res from state (userPassword)
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 12:31:39 Hodgkin slapd[5028]: => acl_mask: to value by "", (=0)
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: self
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 12:31:39 Hodgkin slapd[5028]: <= check a_dn_pat: *
Jul 3 12:31:39 Hodgkin slapd[5028]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 12:31:39 Hodgkin slapd[5028]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 12:31:39 Hodgkin slapd[5028]: => access_allowed: auth access granted by auth(=xd)
Jul 3 12:31:39 Hodgkin slapd[5028]: conn=4 op=0 BIND dn="uid=burianj,ou=People,dc=cqcb" mech=SIMPLE ssf=0
Jul 3 12:31:39 Hodgkin slapd[5028]: do_bind: v3 bind: "uid=burianj,ou=people,dc=cqcb" to "uid=burianj,ou=People,dc=cqcb"
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: conn=4 op=0 p=3
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_result: err=0 matched="" text=""
Jul 3 12:31:39 Hodgkin slapd[5028]: send_ldap_response: msgid=1 tag=97 err=0

Log of failed lookup:

Jul 3 14:49:57 Hodgkin slapd[5635]: do_sasl_bind: dn () mech PLAIN
Jul 3 14:49:57 Hodgkin slapd[5635]: conn=0 op=1 BIND dn="" method=163
Jul 3 14:49:57 Hodgkin slapd[5635]: ==> sasl_bind: dn="" mech=PLAIN datalen=23
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: authcid="burianj"
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: conn 0 id=burianj [len=7]
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: u:id converted to uid=burianj,cn=PLAIN,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,cn=PLAIN,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,cn=plain,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: ==>slap_sasl2dn: converting SASL name uid=burianj,cn=plain,cn=auth to a DN
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converting SASL name uid=burianj,cn=plain,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converted SASL name to uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_parseURI: parsing uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,ou=People,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,ou=people,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <==slap_sasl2dn: Converted SASL name to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: dn:id converted to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=burianj,ou=people,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: authcid="burianj"
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: conn 0 id=burianj [len=7]
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: u:id converted to uid=burianj,cn=PLAIN,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,cn=PLAIN,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,cn=plain,cn=auth>
Jul 3 14:49:57 Hodgkin slapd[5635]: ==>slap_sasl2dn: converting SASL name uid=burianj,cn=plain,cn=auth to a DN
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converting SASL name uid=burianj,cn=plain,cn=auth
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_authz_regexp: converted SASL name to uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_parseURI: parsing uid=burianj,ou=People,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: >>> dnNormalize: <uid=burianj,ou=People,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <<< dnNormalize: <uid=burianj,ou=people,dc=cqcb>
Jul 3 14:49:57 Hodgkin slapd[5635]: <==slap_sasl2dn: Converted SASL name to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_sasl_getdn: dn:id converted to uid=burianj,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL Canonicalize [conn=0]: slapAuthcDN="uid=burianj,ou=people,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jul 3 14:49:57 Hodgkin last message repeated 2 times
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_search
Jul 3 14:49:57 Hodgkin slapd[5635]: bdb_dn2entry("uid=burianj,ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x00000001
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x00000008
Jul 3 14:49:57 Hodgkin slapd[5635]: => bdb_dn2id("uid=burianj,ou=people,dc=cqcb")
Jul 3 14:49:57 Hodgkin slapd[5635]: <= bdb_dn2id: got id=0x0000000d
Jul 3 14:49:57 Hodgkin slapd[5635]: entry_decode: "uid=burianj,ou=People,dc=cqcb"
Jul 3 14:49:57 Hodgkin slapd[5635]: <= entry_decode(uid=burianj,ou=People,dc=cqcb)
Jul 3 14:49:57 Hodgkin slapd[5635]: base_candidates: base: "uid=burianj,ou=people,dc=cqcb" (0x0000000d)
Jul 3 14:49:57 Hodgkin slapd[5635]: => test_filter
Jul 3 14:49:57 Hodgkin slapd[5635]: PRESENT
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "objectClass" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_get: [2] attr objectClass
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "objectClass" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: to all values by "", (=0)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: *
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [1] mask: read(=rscxd)
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access granted by read(=rscxd)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= test_filter 6
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access to "uid=burianj,ou=People,dc=cqcb" "userPassword" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_get: [1] attr userPassword
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: access to entry "uid=burianj,ou=People,dc=cqcb", attr "userPassword" requested
Jul 3 14:49:57 Hodgkin slapd[5635]: => acl_mask: to all values by "", (=0)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: self
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: uid=root,ou=people,dc=cqcb
Jul 3 14:49:57 Hodgkin slapd[5635]: <= check a_dn_pat: *
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [3] applying auth(=xd) (stop)
Jul 3 14:49:57 Hodgkin slapd[5635]: <= acl_mask: [3] mask: auth(=xd)
Jul 3 14:49:57 Hodgkin slapd[5635]: => access_allowed: auth access granted by auth(=xd)
Jul 3 14:49:57 Hodgkin slapd[5635]: slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=0 matched="" text=""
Jul 3 14:49:57 Hodgkin slapd[5635]: SASL [conn=0] Failure: Password verification failed
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: conn=0 op=1 p=3
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_result: err=49 matched="" text="SASL(-13): user not found: Password verification failed"
Jul 3 14:49:57 Hodgkin slapd[5635]: send_ldap_response: msgid=2 tag=97 err=49
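An added example (Python, not from the post) that walks the SASL bind path the failed-lookup log shows: the PLAIN message split into authcid and password, the `uid=...,cn=plain,cn=auth` SASL DN, and the posted authz-regexp mapping it to the entry DN. The password bytes are constructed (chosen so the message is the logged datalen=23), and the regexp is the one from the posted slapd.conf with OpenLDAP's `$1` written as Python's `\1`.

```python
import re

# Constructed sample (not from the post): a SASL/PLAIN initial response as the
# client sends it (RFC 4616): [authzid] NUL authcid NUL passwd. slapd logged
# datalen=23 for authcid "burianj"; a 14-byte placeholder password gives 23.
SAMPLE_PLAIN = b"\x00burianj\x00not-a-real-pw1"

# The authz-regexp from the posted slapd.conf, with OpenLDAP's $1 written as
# Python's \1 backreference.
AUTHZ_REGEXP = [(r"uid=([^,]*),cn=plain,cn=auth", r"uid=\1,ou=People,dc=cqcb")]


def parse_plain(msg: bytes):
    """Split a PLAIN message into (authzid, authcid, passwd); reject malformed input."""
    parts = msg.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN needs exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def sasl_auth_dn(authcid: str, mech: str) -> str:
    """slap_sasl_getdn + dnNormalize: u:<id> -> uid=<id>,cn=<mech>,cn=auth,
    lowercased (uid and cn are caseIgnore attributes, so normalization folds case)."""
    return f"uid={authcid},cn={mech},cn=auth".lower()


def map_authz_regexp(sasl_dn: str, rules=AUTHZ_REGEXP):
    """slap_authz_regexp: the first rule whose pattern matches the whole normalized
    SASL DN wins. None means no rule applied (the [^,]* in the posted pattern keeps
    an authcid containing commas from smuggling extra RDNs into the mapped DN)."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn)
        if m:
            return m.expand(replacement)
    return None


def bind_dn_for(msg: bytes, mech: str = "PLAIN"):
    """Whole path slapd logs for a SASL bind: wire message -> SASL DN -> entry DN."""
    _, authcid, _ = parse_plain(msg)
    return map_authz_regexp(sasl_auth_dn(authcid, mech))


def same_identity(dn_a: str, dn_b: str) -> bool:
    """Case-insensitive DN comparison, as dnNormalize makes slapd do for the
    simple-bind DN (method=128) and the SASL-mapped DN (method=163)."""
    return dn_a.lower() == dn_b.lower()
```

Running `bind_dn_for(SAMPLE_PLAIN)` yields the same `uid=burianj,ou=People,dc=cqcb` the simple bind reports, which matches the post's observation that both paths reach one entry before password verification diverges.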