
sasl proxy authentication failure



Hi,

I'm trying to set up SASL proxy authentication on a test database, but
something that is not obvious to me is leading my test to SASL(-13):
authentication failure: client response doesn't match what we generated

- test setup: OpenLDAP 2.3.37 (built with sasl2) + Cyrus
SASL 2.1.22 (with plain, digest-md5 and ldapdb auxprop support).

- relevant part of slapd.conf used:
...
authz-policy to

authz-regexp uid=([^,]+),cn=external,cn=auth
  ldap:///o=test??sub?(cn=$1)
authz-regexp uid=([^,]+),cn=digest-md5,cn=auth
  ldap:///o=test??sub?(cn=$1)
authz-regexp uid=([^,]+),cn=plain,cn=auth
  ldap:///o=test??sub?(cn=$1)

password-hash {CLEARTEXT}

database bdb
suffix    "o=test"
access to dn.subtree="o=test" attrs=userPassword
  by group.base="cn=admins,o=test" =wrscx
  by self =wrcx
  by * =x
access to dn.subtree="o=test" attrs=authzFrom,authzTo
  by group.base="cn=admins,o=test" =wrscx
  by * =x
access to dn.subtree="o=test"
  by group.base="cn=admins,o=test" =wrscx
  by * =rscx
...


- some entries:

dn: cn=proxy,o=test
objectClass: top
objectClass: organizationalPerson
objectClass: simpleSecurityObject
cn: proxy
sn: proxy
userPassword: proxy
authzTo: dn.regex:cn=[^,]+,ou=peoples,o=test

dn: cn=testman,ou=peoples,o=test
objectClass: top
objectClass: inetOrgPerson
objectClass: person
cn: testman
sn: testman
userPassword: testman

SASL authentication seems to work using the DIGEST-MD5 mech:

shell$ ldapwhoami -U proxy -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password: [proxy]
SASL username: proxy
SASL SSF: 128
SASL installing layers
dn:cn=proxy,o=test
Result: Success (0)

shell$ ldapwhoami -U testman -Y DIGEST-MD5
SASL/DIGEST-MD5 authentication started
Please enter your password: [testman]
SASL username: testman
SASL SSF: 128
SASL installing layers
dn:cn=testman,ou=peoples,o=test
Result: Success (0)

but when trying to test proxying, I get:

shell$ ldapwhoami -U proxy -Y DIGEST-MD5 -X u:testman
SASL/DIGEST-MD5 authentication started
Please enter your password: [testman]
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: client
        response doesn't match what we generated

I get the same result using the PLAIN mech:

shell$ ldapwhoami -U proxy -Y PLAIN -X u:testman
SASL/PLAIN authentication started
Please enter your password: [testman]
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): authentication failure: Password
        verification failed

What can cause these authentication failures?

--
Pierre-Francois Laurand
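The following is an added example, not part of the post above and not OpenLDAP's own code. It is a simplified Python model of the two stages slapd goes through for a SASL bind with a proxy authorization identity under `authz-policy to`: first the authentication identity (`-U`) is mapped through `authz-regexp` to a directory entry and its password is checked, then the authorization identity (`-X`) is mapped the same way and the authenticated entry's `authzTo` is checked against it. Assumptions: no SASL realm (so the pseudo-DN is `uid=<name>,cn=<mech>,cn=auth`), `authz-regexp` targets of the form `ldap:///base??scope?(attr=value)`, cleartext stored passwords (`password-hash {CLEARTEXT}` as in the post), and `dn.regex` rules matched against the whole DN. The directory is constructed inline from the two entries quoted in the post.

```python
import re

# Constructed model of slapd's SASL bind + proxy authorization (authz-policy to).
# Assumptions: no SASL realm, ldap:///base??scope?(attr=value) authz-regexp
# targets, cleartext userPassword, dn.regex anchored to the whole DN.

AUTHZ_REGEXP = [
    (r"uid=([^,]+),cn=external,cn=auth", "ldap:///o=test??sub?(cn=$1)"),
    (r"uid=([^,]+),cn=digest-md5,cn=auth", "ldap:///o=test??sub?(cn=$1)"),
    (r"uid=([^,]+),cn=plain,cn=auth", "ldap:///o=test??sub?(cn=$1)"),
]

# Constructed directory mirroring the two entries quoted in the post.
DIRECTORY = {
    "cn=proxy,o=test": {
        "cn": ["proxy"],
        "userPassword": ["proxy"],
        "authzTo": ["dn.regex:cn=[^,]+,ou=peoples,o=test"],
    },
    "cn=testman,ou=peoples,o=test": {
        "cn": ["testman"],
        "userPassword": ["testman"],
    },
}


def sasl_auth_dn(name, mech):
    """Pseudo-DN slapd builds for a SASL identity before authz-regexp runs (no realm)."""
    return f"uid={name},cn={mech.lower()},cn=auth"


def apply_authz_regexp(pseudo_dn):
    """First matching authz-regexp rule wins; $1.. are replaced by capture groups."""
    for pattern, template in AUTHZ_REGEXP:
        m = re.fullmatch(pattern, pseudo_dn, re.IGNORECASE)
        if m:
            url = template
            for i, group in enumerate(m.groups(), start=1):
                url = url.replace(f"${i}", group)
            return url
    return None


def search_url(url):
    """Evaluate an ldap:///base?attrs?scope?filter URL against DIRECTORY (equality filter only)."""
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?")
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    attr, value = m.group(1), m.group(2)
    hits = []
    for dn, entry in DIRECTORY.items():
        if scope == "base":
            in_scope = dn.lower() == base.lower()
        else:
            in_scope = dn.lower().endswith(base.lower())
        if in_scope and value.lower() in (v.lower() for v in entry.get(attr, [])):
            hits.append(dn)
    return hits


def resolve_identity(name, mech):
    """Map a SASL name to exactly one directory DN, or None (ambiguity is rejected)."""
    url = apply_authz_regexp(sasl_auth_dn(name, mech))
    hits = search_url(url) if url else []
    return hits[0] if len(hits) == 1 else None


def authz_to_permits(authc_dn, target_dn):
    """authz-policy to: the authenticated entry's authzTo must cover the target DN."""
    for rule in DIRECTORY.get(authc_dn, {}).get("authzTo", []):
        kind, _, pattern = rule.partition(":")
        if kind == "dn.regex" and re.fullmatch(pattern, target_dn, re.IGNORECASE):
            return True
        if kind == "dn.exact" and pattern.lower() == target_dn.lower():
            return True
    return False


def proxy_bind(authcid, mech, password, authzid=None):
    """Model ldapwhoami -U authcid -Y mech [-X authzid]: ('ok', dn) or ('error', reason)."""
    authc_dn = resolve_identity(authcid, mech)
    if authc_dn is None:
        return ("error", "authentication failure: unknown authcid")
    # The password checked here is the authcid's (-U), not the -X identity's.
    if password not in DIRECTORY[authc_dn].get("userPassword", []):
        return ("error", "authentication failure: password verification failed")
    if authzid is None:
        return ("ok", authc_dn)
    if authzid.startswith("dn:"):
        target_dn = authzid[3:]
    elif authzid.startswith("u:"):
        target_dn = resolve_identity(authzid[2:], mech)
    else:
        return ("error", "invalid authzid form")
    if target_dn is None:
        return ("error", "authorization failure: unknown authzid")
    if not authz_to_permits(authc_dn, target_dn):
        return ("error", "authorization failure: authzTo does not permit target")
    return ("ok", target_dn)


if __name__ == "__main__":
    print(proxy_bind("proxy", "DIGEST-MD5", "proxy", "u:testman"))
    print(proxy_bind("proxy", "DIGEST-MD5", "testman", "u:testman"))
    print(proxy_bind("testman", "PLAIN", "testman", "u:proxy"))
```

The model separates the authentication step from the authorization step so the two distinct failure classes are visible: a password that does not belong to the `-U` identity fails before `authzTo` is ever consulted, while a correct password for an identity whose `authzTo` does not cover the `-X` target fails in the authorization step. When reproducing a proxy setup, check each step in isolation (plain bind as the proxy identity, then the same bind with `-X`) before changing ACLs.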