
OpenLDAP/SASL working only with unhashed passwords



Hi all,

after spending several days fighting with the OpenLDAP 2.3/SASL setup I'm
finally at the point where both sample-client/server and ldapwhoami work
for a user whose password is stored in cleartext in LDAP's
userPassword field. I'm using TLS and both PLAIN and DIGEST-MD5 work.
However, for a user whose password is stored as an SSHA hash in LDAP's
userPassword, neither of those works.

It seems that DIGEST-MD5 can only work if both sides have access to the
cleartext password, right? Thus, it was expected that DIGEST-MD5 can't
work.

But I'm out of clues with PLAIN (over TLS, using a self-signed
certificate) as to why it doesn't work for a user whose password is in
SSHA. The users are test users I entered; the ldif file used was 1:1,
only the uids and passwords were different. Am I still missing some
basic principle of SASL, or what's going on here?

The reason I'm writing to the OpenLDAP mailing list is that with the
user failing to authenticate slapd is logging errors that are not
present with the ok'd user.

ldapwhoami says:

root@localhost:~# ldapwhoami -U qwe -Y PLAIN -ZZ
SASL/PLAIN authentication started
Please enter your password: 
SASL username: qwe
SASL SSF: 0
dn:uid=qwe,ou=people,dc=intra
Result: Success (0)
root@localhost:~# ldapwhoami -U dq -Y PLAIN -ZZ
SASL/PLAIN authentication started
Please enter your password: 
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: Password
verification failed
root@localhost:~# 

And the server says in the latter case:

do_sasl_bind: dn () mech PLAIN
==> sasl_bind: dn="" mech=PLAIN datalen=6
SASL Canonicalize [conn=1]: authcid="dq"
slap_sasl_getdn: conn 1 id=dq [len=2]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=dq,cn=PLAIN,cn=auth)=0 
slap_sasl_getdn: u:id converted to uid=dq,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=dq,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=dq,cn=plain,cn=auth)=0 
<<< dnNormalize: <uid=dq,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=dq,cn=plain,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=dq,cn=plain,cn=auth
slap_authz_regexp: converted SASL name to uid=dq,ou=People,dc=intra
slap_parseURI: parsing uid=dq,ou=People,dc=intra
ldap_url_parse_ext(uid=dq,ou=People,dc=intra)
>>> dnNormalize: <uid=dq,ou=People,dc=intra>
=> ldap_bv2dn(uid=dq,ou=People,dc=intra,0)
<= ldap_bv2dn(uid=dq,ou=People,dc=intra)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=dq,ou=people,dc=intra)=0 
<<< dnNormalize: <uid=dq,ou=people,dc=intra>
<==slap_sasl2dn: Converted SASL name to uid=dq,ou=people,dc=intra
slap_sasl_getdn: dn:id converted to uid=dq,ou=people,dc=intra
SASL Canonicalize [conn=1]: slapAuthcDN="uid=dq,ou=people,dc=intra"
SASL Canonicalize [conn=1]: authcid="dq"
slap_sasl_getdn: conn 1 id=dq [len=2]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=dq,cn=PLAIN,cn=auth)=0 
slap_sasl_getdn: u:id converted to uid=dq,cn=PLAIN,cn=auth
>>> dnNormalize: <uid=dq,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=dq,cn=PLAIN,cn=auth)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=dq,cn=plain,cn=auth)=0 
<<< dnNormalize: <uid=dq,cn=plain,cn=auth>
==>slap_sasl2dn: converting SASL name uid=dq,cn=plain,cn=auth to a DN
slap_authz_regexp: converting SASL name uid=dq,cn=plain,cn=auth
slap_authz_regexp: converted SASL name to uid=dq,ou=People,dc=intra
slap_parseURI: parsing uid=dq,ou=People,dc=intra
ldap_url_parse_ext(uid=dq,ou=People,dc=intra)
>>> dnNormalize: <uid=dq,ou=People,dc=intra>
=> ldap_bv2dn(uid=dq,ou=People,dc=intra,0)
<= ldap_bv2dn(uid=dq,ou=People,dc=intra)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=dq,ou=people,dc=intra)=0 
<<< dnNormalize: <uid=dq,ou=people,dc=intra>
<==slap_sasl2dn: Converted SASL name to uid=dq,ou=people,dc=intra
slap_sasl_getdn: dn:id converted to uid=dq,ou=people,dc=intra
SASL Canonicalize [conn=1]: slapAuthcDN="uid=dq,ou=people,dc=intra"
=> bdb_search
bdb_dn2entry("uid=dq,ou=people,dc=intra")
=> bdb_dn2id("uid=dq,ou=people,dc=intra")
<= bdb_dn2id: got id=0x0000007b
entry_decode: "uid=dq,ou=People,dc=intra"
<= entry_decode(uid=dq,ou=People,dc=intra)
base_candidates: base: "uid=dq,ou=people,dc=intra" (0x0000007b)
=> test_filter
    PRESENT
=> access_allowed: auth access to "uid=dq,ou=People,dc=intra"
"objectClass" requested
=> acl_get: [2] attr objectClass
=> acl_mask: access to entry "uid=dq,ou=People,dc=intra", attr
"objectClass" requested
=> acl_mask: to all values by "", (=0) 
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: auth access granted by read(=rscxd)
<= test_filter 6
=> access_allowed: auth access to "uid=dq,ou=People,dc=intra"
"userPassword" requested
=> acl_get: [1] attr userPassword
=> acl_mask: access to entry "uid=dq,ou=People,dc=intra", attr
"userPassword" requested
=> acl_mask: to all values by "", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: *
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type undefined
send_ldap_result: conn=1 op=1 p=3
send_ldap_result: err=0 matched="" text=""
SASL [conn=1] Failure: Password verification failed
send_ldap_result: conn=1 op=1 p=3
send_ldap_result: err=49 matched="" text="SASL(-13): user not found:
Password verification failed"
send_ldap_response: msgid=2 tag=97 err=49

So why am I seeing "str2ad(cmusaslsecretPLAIN): attribute type
undefined" with a user whose password is stored as SSHA?

Any hints would be highly appreciated. I've really read the docs,
experimented with different configs, and slowly I've been stumbling along,
but this seems to be just too hard to grok.

Thanks!



