SASL digest-md5 Authentication and ACL
I'm running slapd 2.4.12 on fedora10.
I can't figure out where to continue looking after trying for 3 days.
When no ACLs are inserted into slapd.conf (Test 1), Simple Bind with
SASL succeeds.
When I inserted ACLs into slapd.conf (Test 2), Simple Bind with SASL fails.
Simple Bind without SASL succeeds in Test 1 and Test 2.
I have two test setups. The difference: test 1 has NO ACL and test 2 has ACL.
Test No. 1
1.1. bare-bones slapd.conf
1.2. SASL
1.3.1 #ldapsearch -x -D "cn=Jose Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL
1.3.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL
1.3.1 successful
1.3.2 successful
Test No. 2
2.1. bare-bones slapd.conf
2.2. SASL
2.3. ACL
2.4.1 #ldapsearch -x -D "cn=Jose Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL
2.4.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL
Test 2.4.1 successful
Test 2.4.2 not successful, with the following message:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
Test 1 slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#
TLSCACertificateFile /etc/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/newkey.pem
password-hash {CLEARTEXT}
#
authz-regexp "uid=([^,]*),cn=digest-md5,cn=auth"
"ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
authz-regexp "uid=([^,]*),cn=cram-md5,cn=auth"
"ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
#
database bdb
suffix "dc=example,dc=com,dc=au"
rootdn "cn=Manager,dc=example,dc=com,dc=au"
rootpw secret
directory /var/lib/ldap
database monitor
#
Test 2 slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#
TLSCACertificateFile /etc/CA/cacert.pem
TLSCertificateFile /etc/pki/tls/newcert.pem
TLSCertificateKeyFile /etc/pki/tls/newkey.pem
password-hash {CLEARTEXT}
#
# ACL1
access to attrs=userpassword
by self write
by anonymous auth
by group.exact="cn=admingroup,ou=groups,dc=example,dc=com,dc=au" write
by * none
# ACL2
access to attrs=carlicense,homepostaladdress,homephone
by self write
by group.exact="cn=salesgroup,ou=groups,dc=example,dc=com,dc=au" write
by * none
# ACL3
access to *
by self write
by group.exact="cn=itgroup,ou=groups,dc=example,dc=com,dc=au" write
by users read
by * none
#
authz-regexp "uid=([^,]*),cn=digest-md5,cn=auth"
"ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
authz-regexp "uid=([^,]*),cn=cram-md5,cn=auth"
"ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
#
database bdb
suffix "dc=example,dc=com,dc=au"
rootdn "cn=Manager,dc=example,dc=com,dc=au"
rootpw secret
directory /var/lib/ldap
database monitor
Here's my LDIF:
dn: dc=example,dc=com,dc=au
dc: example
description: Example, Pty Ltd.
objectClass: dcObject
objectClass: organization
o: Example, Inc.

dn: ou=people,dc=example,dc=com,dc=au
ou: people
description: All people in organisation
objectClass: organizationalUnit

dn: cn=John Short,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: John Short
cn: John R Short
cn: Johnny Short
sn: short
uid: jshort
userPassword:: anNoMHJ0
carLicense: BCW-25F
homePhone: 029686822
mail: j.short@example.com.au
mail: jshort@example.com.au
mail: johnny.short@example.com.au
description:: TWFuYWdlciA=
ou: admingroup

dn: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: Jose Gonzales
cn: Jose G Gonzales
sn: Gonzales
uid: jgonzales
userPassword:: amcwbnpv
carLicense: SGO 124
homePhone: 555-111-2223
mail: j.gonzales@example.com.au
mail: jgonzales@example.com.au
mail: jose.gonzales@example.com.au
ou: salesgroup

dn: cn=Shanana Gonzales,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: Shanana Gonzales
sn: gonzales
uid: sgonzales
userPassword:: c2cwbnpv
carLicense: SGO 125
homePhone: 555-111-2225
mail: s.gonzales@example.com.au
mail: sgonzales@example.com.au
mail: shanana.gonzales@example.com.au
ou: itgroup

dn: ou=groups,dc=example,dc=com,dc=au
objectClass: organizationalUnit
ou: groups
description:: Z3JvdXBzIA==

dn: cn=admingroup,ou=groups,dc=example,dc=com,dc=au
objectClass: groupOfNames
cn: admingroup
description: Administration
member: cn=John Short,ou=people,dc=example,dc=com,dc=au

dn: cn=salesgroup,ou=groups,dc=example,dc=com,dc=au
objectClass: groupOfNames
cn: salesgroup
description: Sales group
member: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au
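As an added example (not the poster's nor OpenLDAP's code), the following simulates how slapd evaluates the Test 2 ACLs using the first-match rules from slapd.access(5): the first `access to` directive whose target covers the requested attribute is selected, and within it the first matching `by` clause fixes the privilege level, with higher levels implying lower ones. Group memberships are taken from the posted LDIF; the itgroup referenced by ACL3 has no entry there, so it is treated as empty.

```python
# Added example, not the poster's code: simulate slapd's first-match ACL
# evaluation (slapd.access(5)) against the Test 2 ACLs. Group members are
# taken from the posted LDIF (which defines no itgroup entry).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
BASE = "dc=example,dc=com,dc=au"
JOHN, JOSE, SHANANA = (f"cn={n},ou=people,{BASE}" for n in
                       ("John Short", "Jose Gonzales", "Shanana Gonzales"))
GROUPS = {f"cn=admingroup,ou=groups,{BASE}": {JOHN},
          f"cn=salesgroup,ou=groups,{BASE}": {JOSE}}
ACLS = [  # (attributes covered, or None for "access to *"), ordered "by" clauses
    ({"userpassword"},
     [("self", "write"), ("anonymous", "auth"),
      (f"group.exact=cn=admingroup,ou=groups,{BASE}", "write"), ("*", "none")]),
    ({"carlicense", "homepostaladdress", "homephone"},
     [("self", "write"),
      (f"group.exact=cn=salesgroup,ou=groups,{BASE}", "write"), ("*", "none")]),
    (None,
     [("self", "write"), (f"group.exact=cn=itgroup,ou=groups,{BASE}", "write"),
      ("users", "read"), ("*", "none")]),
]

def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause apply? An empty bind_dn is anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    if who.startswith("group.exact="):
        return bind_dn in GROUPS.get(who[len("group.exact="):], set())
    raise ValueError(f"unsupported who clause: {who}")

def granted(bind_dn, target_dn, attr):
    """Level slapd grants: first directive covering attr decides, and within it
    the first matching by clause; 'entry' names the entry pseudo-attribute."""
    for attrs, by_clauses in ACLS:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # directive matched but no by clause did
    return "none"

def allowed(bind_dn, target_dn, attr, needed):
    # True when the granted level implies the needed one (write > read > ... > none)
    return LEVELS.index(granted(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

Run against these ACLs, an anonymous requester gets `auth` on userPassword from ACL1 but `none` on every other attribute, and on the entry itself, from ACL3, while any non-empty bind DN gets `read` there.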