Hi, I'm using OpenLDAP 2.4.19 to set up an LDAP server with SASL, but I get some problems. I followed the instructions in http://www.openldap.org/doc/admin24/sasl.html to do the installation.

1. I installed cyrus-sasl-2.1.22 successfully, and used the Cyrus SASL sample_client and sample_server to test my SASL installation before attempting to make use of it with OpenLDAP Software.

2. Then I installed OpenLDAP with these commands:
# export CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include -I/usr/local/sasl2/include"
# export LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib -L/usr/local/sasl2/lib -L/usr/local/sasl2/lib/sasl2"
# export LD_LIBRARY_PATH="/usr/local/BerkeleyDB.4.8/lib"
# ./configure --prefix=/usr/local/openldap --sysconfdir=/etc/openldap --enable-passwd --enable-wrappers --disable-ipv6 --enable-spasswd --enable-crypt --enable-modules --enable-accesslog=yes
# make depend
# make
# make test
# make install
# cp /usr/local/openldap/var/openldap-data/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG

There were no errors during the install.
3. Then I configured slapd.conf like this:

include         /usr/local/openldap/schema/core.schema
include         /usr/local/openldap/schema/cosine.schema
include         /usr/local/openldap/schema/inetorgperson.schema
include         /usr/local/openldap/schema/openldap.schema
include         /usr/local/openldap/schema/nis.schema

pidfile         /usr/local/openldap/slapd.1.pid
argsfile        /usr/local/openldap/slapd.1.args

authz-policy    to
sasl-regexp     "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"

database        bdb
suffix          "dc=example,dc=com"
rootdn          "uid=111,cn=digest-md5,cn=auth"
4. Then I used 'saslpasswd2 -c liji1' to add a user and created /usr/lib/sasl2/slapd.conf with this content:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login ntlm cram-md5 digest-md5

5. Then I started slapd with the command 'slapd -d 1' and ran ldapwhoami with the command 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p 389', but it fails with the reason: user not found: no secret in database.

The slapd log is:
slap_listener_activate(7):
>>> slap_listener(ldap:///)
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1276849696
ber_get_next
conn=1 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 233 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1276849697
ber_get_next
conn=1 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=1] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
>>> dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database
send_ldap_result: conn=1 op=1 p=3
send_ldap_response: msgid=2 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=1
connection_read(12): checking for input on id=1
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=1 sd=12

What am I doing wrong?

Thanks,
liji
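As an added illustration (not code from the original post or from OpenLDAP), the following Python models the identity-mapping step that the slapd log above shows: slapd forms the pseudo-DN uid=<user>,cn=<mech>,cn=auth from the DIGEST-MD5 username, runs it through the sasl-regexp rule from step 3, and then tries to resolve the result. The posted rule rewrites the identity into another cn=auth pseudo-DN, which no entry under dc=example,dc=com can ever match; the OpenLDAP Admin Guide's SASL chapter instead maps it to an ldap:/// URL that searches the database. The toy directory, the entry uid=liji1,ou=people,dc=example,dc=com and the URL rule are assumptions made for the example. Only the mapping is modelled here; the "no secret in database" failure in the log is reported by the SASL library's own lookup of the user's secret (the sasldb auxprop configured in step 4), which this code does not reproduce.

```python
import re
from typing import Optional

# Constructed toy directory standing in for the dc=example,dc=com database.
# The user entry is an assumption for this example; the post shows no entries.
DIRECTORY = {
    "uid=liji1,ou=people,dc=example,dc=com": {"uid": "liji1", "cn": "Li Ji"},
}

# The sasl-regexp rule exactly as written in the post's slapd.conf (step 3).
POSTED_RULES = [
    (r"^uid=([^,]+),.*", "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"),
]

# The URL form from the OpenLDAP Admin Guide: map the SASL identity to a
# search under the suffix so the bind resolves to a real entry (assumed rule).
URL_RULES = [
    (r"^uid=([^,]+),cn=digest-md5,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
]


def sasl_auth_dn(username: str, mech: str) -> str:
    """Pseudo-DN slapd forms for a SASL authentication identity before mapping
    ('u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth' in the log), already
    normalised to lower case the way dnNormalize does."""
    return f"uid={username},cn={mech.lower()},cn=auth"


def apply_authz_regexp(identity: str, rules) -> str:
    """Model of authz-regexp/sasl-regexp: the first rule whose pattern matches
    wins, and $1..$9 in its replacement are filled from the capture groups.
    If no rule matches, the identity is used unchanged."""
    for pattern, replacement in rules:
        m = re.search(pattern, identity)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return identity


def resolve(mapped: str, directory=DIRECTORY) -> Optional[str]:
    """Resolve a mapped identity against the directory.

    A plain DN must name an existing entry. An ldap:///base?attrs?scope?filter
    URL is searched; only a single equality filter (attr=value) and the scopes
    base/one/sub are modelled. Returns the entry DN, or None if the search does
    not yield exactly one entry (slapd rejects ambiguous mappings too)."""
    if not mapped.startswith("ldap:///"):
        return mapped if mapped in directory else None
    parts = mapped[len("ldap:///"):].split("?") + ["", "", ""]
    base, _attrs, scope, filt = parts[:4]
    scope = scope or "base"
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        return None
    attr, value = m.groups()
    hits = []
    for dn, entry in directory.items():
        if scope == "base":
            in_scope = dn == base
        elif scope == "one":
            in_scope = dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
        else:  # sub
            in_scope = dn == base or dn.endswith("," + base)
        if in_scope and entry.get(attr) == value:
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    ident = sasl_auth_dn("liji1", "DIGEST-MD5")
    for label, rules in (("posted rule", POSTED_RULES), ("URL rule", URL_RULES)):
        mapped = apply_authz_regexp(ident, rules)
        print(f"{label}: {ident} -> {mapped} -> entry {resolve(mapped)}")
```

Run stand-alone, the script shows the posted rule producing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth with no matching entry, while the URL rule resolves the same identity to the (assumed) entry under ou=people.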