
SASL digest-md5 Authentication and ACL



I'm running slapd 2.4.12 on Fedora 10.

I can't figure out where to continue looking after trying for 3 days.
When no ACLs are inserted into slapd.conf (Test 1), simple bind with
SASL succeeds.
When I insert ACLs into slapd.conf (Test 2), simple bind with SASL fails.
Simple bind without SASL succeeds in both Test 1 and Test 2.

I have two test setups. The difference: test 1 has NO ACLs and test 2 has ACLs.

Test No. 1
1.1. bare-bones slapd.conf
1.2. SASL
1.3.1 #ldapsearch -x -D "cn=Jose Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL
1.3.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL


1.3.1 successful
1.3.2 successful

Test No. 2
2.1.bare-bones slapd.conf
2.2. SASL
2.3. ACL
2.4.1 #ldapsearch -x -D "cn=Jose Gonales,ou=people,dc=example,dc=com,dc=au" -w jsh0rt -LLL
2.4.2 #ldapsearch -Y digest-md5 -U jshort -w jsh0rt -LLL

Test 2.4.1 successful
Test 2.4.2 not successful

with the following message:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)


Test 1 slapd.conf
include          /etc/openldap/schema/core.schema
include          /etc/openldap/schema/cosine.schema
include          /etc/openldap/schema/inetorgperson.schema
include          /etc/openldap/schema/nis.schema
#
pidfile          /var/run/openldap/slapd.pid
argsfile         /var/run/openldap/slapd.args
#
TLSCACertificateFile    /etc/CA/cacert.pem
TLSCertificateFile      /etc/pki/tls/newcert.pem
TLSCertificateKeyFile   /etc/pki/tls/newkey.pem
password-hash   {CLEARTEXT}
#
authz-regexp    "uid=([^,]*),cn=digest-md5,cn=auth"
               "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
authz-regexp    "uid=([^,]*),cn=cram-md5,cn=auth"
               "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
#
database         bdb
suffix           "dc=example,dc=com,dc=au"
rootdn           "cn=Manager,dc=example,dc=com,dc=au"
rootpw           secret
directory        /var/lib/ldap
database        monitor
#


Test 2 slapd.conf
include          /etc/openldap/schema/core.schema
include          /etc/openldap/schema/cosine.schema
include          /etc/openldap/schema/inetorgperson.schema
include          /etc/openldap/schema/nis.schema
#
pidfile          /var/run/openldap/slapd.pid
argsfile         /var/run/openldap/slapd.args
#
TLSCACertificateFile    /etc/CA/cacert.pem
TLSCertificateFile      /etc/pki/tls/newcert.pem
TLSCertificateKeyFile   /etc/pki/tls/newkey.pem
password-hash   {CLEARTEXT}
#
# ACL1
access to attrs=userpassword
 by self       write
 by anonymous  auth
 by group.exact="cn=admingroup,ou=groups,dc=example,dc=com,dc=au" write
 by *          none
# ACL2
access to attrs=carlicense,homepostaladdress,homephone
 by self       write
 by group.exact="cn=salesgroup,ou=groups,dc=example,dc=com,dc=au" write
 by *          none
# ACL3
access to *
 by self       write
 by group.exact="cn=itgroup,ou=groups,dc=example,dc=com,dc=au" write
 by users      read
 by *          none
#
authz-regexp    "uid=([^,]*),cn=digest-md5,cn=auth"
               "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
authz-regexp    "uid=([^,]*),cn=cram-md5,cn=auth"
               "ldap:///ou=people,dc=example,dc=com,dc=au??sub?(uid=$1)"
#
database         bdb
suffix           "dc=example,dc=com,dc=au"
rootdn           "cn=Manager,dc=example,dc=com,dc=au"
rootpw           secret
directory        /var/lib/ldap
database        monitor

Here's my LDIF:

dn: dc=example,dc=com,dc=au
dc: example
description: Example, Pty Ltd.
objectClass: dcObject
objectClass: organization
o: Example, Inc.

dn: ou=people,dc=example,dc=com,dc=au
ou: people
description: All people in organisation
objectClass: organizationalUnit

dn: cn=John Short,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: John Short
cn: John R Short
cn: Johnny  Short
sn: short
uid: jshort
userPassword:: anNoMHJ0
carLicense: BCW-25F
homePhone: 029686822
mail: j.short@example.com.au
mail: jshort@example.com.au
mail: johnny.short@example.com.au
description:: TWFuYWdlciA=
ou: admingroup

dn: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: Jose Gonzales
cn: Jose G Gonzales
sn: Gonzales
uid: jgonzales
userPassword:: amcwbnpv
carLicense: SGO 124
homePhone: 555-111-2223
mail: j.gonzales@example.com.au
mail: jgonzales@example.com.au
mail: jose.gonzales@example.com.au
ou: salesgroup

dn: cn=Shanana Gonzales,ou=people,dc=example,dc=com,dc=au
objectClass: inetOrgPerson
cn: Shanana Gonzales
sn: gonzales
uid: sgonzales
userPassword:: c2cwbnpv
carLicense: SGO 125
homePhone: 555-111-2225
mail: s.gonzales@example.com.au
mail: sgonzales@example.com.au
mail: shanana.gonzales@example.com.au
ou: itgroup

dn: ou=groups,dc=example,dc=com,dc=au
objectClass: organizationalUnit
ou: groups
description:: Z3JvdXBzIA==

dn: cn=admingroup,ou=groups,dc=example,dc=com,dc=au
objectClass: groupOfNames
cn: admingroup
description: Administration
member: cn=John Short,ou=people,dc=example,dc=com,dc=au

dn: cn=salesgroup,ou=groups,dc=example,dc=com,dc=au
objectClass: groupOfNames
cn: salesgroup
description: Sales group
member: cn=Jose Gonzales,ou=people,dc=example,dc=com,dc=au
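
Editor's note, not part of the original post: below is an added, corrected
version of the Test 2 ACLs. It rests on how slapd 2.4 handles a SASL
DIGEST-MD5 bind. Before the bind completes, slapd's built-in SASL auxprop
lookup fetches the user's entry with an internal base-object search (filter
(objectClass=*)), and the authz-regexp mapping runs an internal search too.
Both are flagged as auth checks, so their search/read requirements are
lowered to "auth", but they are still evaluated against the ACLs, and the
auxprop lookup runs with the connection's current identity, which on a fresh
connection is anonymous. Test 2's catch-all rule ("access to * ... by * none")
gives anonymous nothing on the entry itself, so the lookup finds no entry and
the client sees "Invalid credentials (49)". The simple bind only needs "auth"
on userPassword, which ACL1 already grants, which is why 2.4.1 still worked.
The only change is the added "by anonymous auth" line in ACL3; everything
else is the poster's configuration unchanged.

```conf
# Added example (not from the original post): the Test 2 ACLs with the one
# change needed for SASL DIGEST-MD5 binds. Keep them before "database bdb",
# as in the poster's slapd.conf, so they stay global.
#
# ACL1 - unchanged. A simple bind needs only "auth" on userPassword, and
# slapd's SASL auxprop lookup needs the same; anonymous already has it.
access to attrs=userPassword
 by self       write
 by anonymous  auth
 by group.exact="cn=admingroup,ou=groups,dc=example,dc=com,dc=au" write
 by *          none
# ACL2 - unchanged.
access to attrs=carLicense,homePostalAddress,homePhone
 by self       write
 by group.exact="cn=salesgroup,ou=groups,dc=example,dc=com,dc=au" write
 by *          none
# ACL3 - one line added. The auxprop lookup is an internal base-object
# search for the user's entry, run as the not-yet-authenticated (anonymous)
# client, so anonymous needs "auth" on the entry and on objectClass (the
# attribute its (objectClass=*) filter tests), not only on userPassword.
# "by * none" denied that, which is why only the SASL bind broke. "auth" is
# below "search" and "read", so anonymous still cannot search or read the
# directory; it can only be authenticated against it.
access to *
 by self       write
 by group.exact="cn=itgroup,ou=groups,dc=example,dc=com,dc=au" write
 by users      read
 by anonymous  auth
 by *          none
```

After restarting slapd, rerun the poster's 2.4.2 command (ldapsearch -Y
digest-md5 -U jshort -w jsh0rt -LLL); an anonymous "ldapsearch -x -LLL" with
no -D should still return nothing, since "auth" grants no read. To see the
ACL decision that was failing, start slapd with "-d acl" (loglevel 128): the
denied entry and attribute appear in the trace. The same anonymous "auth"
grant on * also covers uid, the attribute the authz-regexp search filters on.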