
PROBLEM: can't use SASL to authenticate openldap client



Hi,

   I'm using openldap 2.4.19 to set up an ldap server with sasl, but I have run into some problems.

   I followed the instructions in http://www.openldap.org/doc/admin24/sasl.html to do the installation.

   1. I installed cyrus-sasl-2.1.22 successfully, and used the Cyrus SASL sample_client and sample_server to test my SASL installation before attempting to make use of it with OpenLDAP Software.

   2. Then I install openldap with these commands:

      # export CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include -I/usr/local/sasl2/include"
      # export LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib -L/usr/local/sasl2/lib -L/usr/local/sasl2/lib/sasl2"
      # export LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.8/lib"
      # ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes
      # make depend
      # make
      # make test
      # make install
      # cp /usr/local/openldap/var/openldap-data/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG

      There is no error during the install.

   3. Then I configure slapd.conf to be like this:

      include         /usr/local/openldap/schema/core.schema
      include         /usr/local/openldap/schema/cosine.schema
      include         /usr/local/openldap/schema/inetorgperson.schema
      include         /usr/local/openldap/schema/openldap.schema
      include         /usr/local/openldap/schema/nis.schema

      pidfile         /usr/local/openldap/slapd.1.pid
      argsfile        /usr/local/openldap/slapd.1.args

      authz-policy to

      sasl-regexp     "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"

      database        bdb
      suffix          "dc=example,dc=com"
      rootdn          "uid=111,cn=digest-md5,cn=auth"

   4. Then I use ‘saslpasswd2 -c liji1’ to add a user and create /usr/lib/sasl2/slapd.conf with this content:

      pwcheck_method: auxprop
      auxprop_plugin: sasldb
      mech_list: plain login ntlm cram-md5 digest-md5

   5. Then I start slapd with the command ‘slapd -d 1’, and run ldapwhoami with the command ‘ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389’, but it fails with the reason: user not found: no secret in database. The log of slapd is:

    slap_listener_activate(7):
    >>> slap_listener(ldap:///)
    connection_get(12): got connid=1
    connection_read(12): checking for input on id=1
    ber_get_next
    ber_get_next: tag 0x30 len 32 contents:
    op tag 0x60, time 1276849696
    ber_get_next
    conn=1 op=0 do_bind
    ber_scanf fmt ({imt) ber:
    ber_scanf fmt ({m) ber:
    ber_scanf fmt (}}) ber:
    >>> dnPrettyNormal: <>
    <<< dnPrettyNormal: <>, <>
    do_bind: dn () SASL mech DIGEST-MD5
    SASL [conn=1] Debug: DIGEST-MD5 server step 1
    send_ldap_sasl: err=14 len=180
    send_ldap_response: msgid=1 tag=97 err=14
    ber_flush2: 233 bytes to sd 12
    <== slap_sasl_bind: rc=14
    connection_get(12): got connid=1
    connection_read(12): checking for input on id=1
    ber_get_next
    ber_get_next: tag 0x30 len 296 contents:
    op tag 0x60, time 1276849697
    ber_get_next
    conn=1 op=1 do_bind
    ber_scanf fmt ({imt) ber:
    ber_scanf fmt ({m) ber:
    ber_scanf fmt (m) ber:
    ber_scanf fmt (}}) ber:
    >>> dnPrettyNormal: <>
    <<< dnPrettyNormal: <>, <>
    do_bind: dn () SASL mech DIGEST-MD5
    SASL [conn=1] Debug: DIGEST-MD5 server step 2
    slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
    >>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
    <<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
    ==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
    ==> rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
    ==> rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
    ==> rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
    slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
    ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
    >>> dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
    <<< dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
    <==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
    slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
    SASL [conn=1] Failure: no secret in database
    send_ldap_result: conn=1 op=1 p=3
    send_ldap_response: msgid=2 tag=97 err=49
    ber_flush2: 70 bytes to sd 12
    <== slap_sasl_bind: rc=49
    connection_get(12): got connid=1
    connection_read(12): checking for input on id=1
    ber_get_next
    ber_get_next on fd 12 failed errno=0 (Success)
    connection_close: conn=1 sd=12

What am I doing wrong?

Thanks

liji
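The identity mapping visible in the log above (the sasl-regexp rewriting uid=liji1,cn=digest-md5,cn=auth into uid=liji1,cn=bjims31,cn=digest-md5,cn=auth) can be reproduced offline to see where the lookup ends up. The script below is an added example, not part of the original post: it applies the posted rule and a hypothetical corrected rule (the ou=people entry and FIXED_RULE replacement are assumptions) and checks whether the mapped DN names an entry under the bdb suffix, which is where slapd would have to find a userPassword for the bind.

```python
import re

# Values taken from the post: the sasl-regexp rule and the database suffix.
POSTED_RULE = (r"^uid=([^,]+),.*", "uid=$1,cn=bjims31,cn=digest-md5,cn=auth")
SUFFIX = "dc=example,dc=com"
# Hypothetical (constructed) corrected rule and directory entry; the post shows neither.
FIXED_RULE = (r"^uid=([^,]+),.*", "uid=$1,ou=people,dc=example,dc=com")
ENTRIES = {"uid=liji1,ou=people,dc=example,dc=com"}


def sasl_auth_dn(authcid, mech):
    """The identity slapd builds from the SASL authcid, as seen in slap_sasl_getdn."""
    return f"uid={authcid},cn={mech.lower()},cn=auth"


def apply_sasl_regexp(sasl_dn, rule):
    """Apply one sasl-regexp rule: match the pattern, expand $1..$9 in the replacement."""
    pattern, replacement = rule
    m = re.match(pattern, sasl_dn, flags=re.IGNORECASE)
    if not m:
        return sasl_dn  # no rule matched: the identity is used unchanged
    return re.sub(r"\$([1-9])", lambda ref: m.group(int(ref.group(1))), replacement)


def diagnose(authcid, mech, rule, suffix=SUFFIX, entries=ENTRIES):
    """Return (mapped_dn, verdict) describing whether the mapped DN can be looked up."""
    mapped = apply_sasl_regexp(sasl_auth_dn(authcid, mech), rule)
    norm = mapped.lower()
    if not norm.endswith("," + suffix.lower()):
        return mapped, "outside-suffix"  # no entry in the bdb database can have this DN
    if norm not in {e.lower() for e in entries}:
        return mapped, "no-entry"        # under the suffix, but no such entry exists
    return mapped, "ok"                  # entry exists; its userPassword can be checked


if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("fixed", FIXED_RULE)):
        print(name, *diagnose("liji1", "DIGEST-MD5", rule))
```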