
RE: PROBLEM: can't use SASL to authentication openldap client



Hi White,
1. I expect the user credentials of liji1 to be retrieved from sasldb. I created user liji1 with the command 'saslpasswd2 -c liji1' and followed the administrator guide, which says the DIGEST-MD5 mechanism produces authentication IDs of the form:
	uid=<username>,cn=<realm>,cn=digest-md5,cn=auth
so I think ldap would use uid=liji1,cn=digest-md5,cn=auth to retrieve from sasldb.

2. I have added auth.debug and log_level: 7, reran the test, and got the logs below:

Syslog:

Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 fd=12 ACCEPT from IP=127.0.0.1:59928 (IP=0.0.0.0:389)
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SRCH attr=supportedSASLMechanisms
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 BIND dn="" method=163
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
Jun 22 10:17:17 bjims31 ldapwhoami: DIGEST-MD5 client step 2
Jun 22 10:17:20 bjims31 ldapwhoami: DIGEST-MD5 client step 2
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 BIND dn="" method=163
Jun 22 10:17:20 bjims31 slapd[19846]: SASL [conn=0] Failure: no secret in database 
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 fd=12 closed (connection lost)



Slapd log:
slap_listener_activate(7): 
>>> slap_listener(ldap:///)
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 70 contents:
op tag 0x63, time 1277173037
ber_get_next
conn=0 op=0 do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
=> send_search_entry: conn 0 dn=""
ber_flush2: 82 bytes to sd 12
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=101 err=0
ber_flush2: 22 bytes to sd 12
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 32 contents:
op tag 0x60, time 1277173037
ber_get_next
conn=0 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=180
send_ldap_response: msgid=2 tag=97 err=14
ber_flush2: 269 bytes to sd 12
<== slap_sasl_bind: rc=14
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 296 contents:
op tag 0x60, time 1277173040
ber_get_next
conn=0 op=2 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (}}) ber:
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: dn () SASL mech DIGEST-MD5
SASL [conn=0] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=liji1,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='^uid=([^,]+),.*' string='uid=liji1,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=liji1,cn=bjims31,cn=digest-md5,cn=auth'}
slap_parseURI: parsing uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=liji1,cn=bjims31,cn=digest-md5,cn=auth)
>>> dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=bjims31,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=0] Failure: no secret in database
send_ldap_result: conn=0 op=2 p=3
send_ldap_response: msgid=3 tag=97 err=49
ber_flush2: 70 bytes to sd 12
<== slap_sasl_bind: rc=49
connection_get(12): got connid=0
connection_read(12): checking for input on id=0
ber_get_next
ber_get_next on fd 12 failed errno=0 (Success)
connection_close: conn=0 sd=12

-----Original Message-----
From: Dan White [mailto:dwhite@olp.net] 
Sent: Tuesday, June 22, 2010 1:06 AM
To: LI Ji D
Cc: openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

On 21/06/10 09:52 +0800, LI Ji D wrote:
> 3. Then I configure the slapd.conf to be like this:
>    authz-policy to
>    sasl-regexp     "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
>    database      bdb
>    suffix          "dc=example,dc=com"
>    rootdn "uid=111,cn=digest-md5,cn=auth"
>
> 4. Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:
>
>    pwcheck_method: auxprop
>    auxprop_plugin: sasldb
>    mech_list: plain login ntlm cram-md5 digest-md5
>
> 5. Then I start slapd with command 'slapd -d 1', and run
>ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p
>389', but it fails with reason: user not found: no secret in database.
> The log of slapd is:
>
>slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
>
>>>> dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
>
><<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
>
>==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to
>a DN
>slap_sasl_getdn: dn:id converted to
>uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
>
>SASL [conn=1] Failure: no secret in database

It's not clear which user credentials are being retrieved from sasldb. Is
it uid=liji1,cn=digest-md5,cn=auth or liji1?

You could increase your cyrus debugging to get more information out of
syslog: Add an:

auth.debug...

to your syslog configuration, and add this to your
/usr/lib/sasl2/slapd.conf:

log_level: 7

-- 
Dan White
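The bind exchange in the syslog above, as an added triage example that is not part of this thread and not OpenLDAP or Cyrus SASL code. It pulls the BindResponse lines out of slapd's syslog output, attaches the preceding "SASL [conn=N] Failure:" reason to the matching response, and separates real failures from the challenge step: the first RESULT line carries err=14, which is LDAP resultCode saslBindInProgress (RFC 4511) and simply means the server issued a DIGEST-MD5 challenge, while err=49 is invalidCredentials and is the one to act on. It also replays the sasl-regexp from the quoted slapd.conf on the authentication ID so one can see the rewrite the slapd debug log reports. The embedded log lines are constructed from the ones posted above; Python's re module is assumed as a stand-in for slapd's own rewrite engine, which agrees with it for this simple pattern.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the syslog lines from the thread, trimmed to the BIND exchange.
SAMPLE_SYSLOG = """\
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 fd=12 ACCEPT from IP=127.0.0.1:59928 (IP=0.0.0.0:389)
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 BIND dn="" method=163
Jun 22 10:17:17 bjims31 slapd[19846]: conn=0 op=1 RESULT tag=97 err=14 text=SASL(0): successful result: security flags do not match required
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 BIND dn="" method=163
Jun 22 10:17:20 bjims31 slapd[19846]: SASL [conn=0] Failure: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 op=2 RESULT tag=97 err=49 text=SASL(-13): user not found: no secret in database
Jun 22 10:17:20 bjims31 slapd[19846]: conn=0 fd=12 closed (connection lost)
"""

# LDAP resultCode values (RFC 4511) that matter when reading a SASL bind.
SASL_BIND_IN_PROGRESS = 14   # server sent a challenge; the bind is not finished, not an error
INVALID_CREDENTIALS = 49     # the bind really failed
BIND_RESPONSE_TAG = 97       # protocol tag of a BindResponse, as slapd logs it

RESULT_RE = re.compile(
    r"slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=(?P<tag>\d+) "
    r"err=(?P<err>\d+) text=(?P<text>.*)$"
)
SASL_FAIL_RE = re.compile(r"slapd\[\d+\]: SASL \[conn=(?P<conn>\d+)\] Failure: (?P<reason>.*)$")


def parse_bind_results(log: str) -> List[Dict[str, object]]:
    """One record per BindResponse in the log. If slapd logged a
    'SASL [conn=N] Failure:' line for that connection before the response,
    its reason is attached as 'sasl_reason' (None otherwise)."""
    records: List[Dict[str, object]] = []
    pending_reason: Dict[int, str] = {}
    for line in log.splitlines():
        fail = SASL_FAIL_RE.search(line)
        if fail:
            pending_reason[int(fail["conn"])] = fail["reason"].strip()
            continue
        res = RESULT_RE.search(line)
        if res and int(res["tag"]) == BIND_RESPONSE_TAG:
            conn = int(res["conn"])
            records.append({
                "conn": conn,
                "op": int(res["op"]),
                "err": int(res["err"]),
                "text": res["text"].strip(),
                "sasl_reason": pending_reason.pop(conn, None),
            })
    return records


def failed_sasl_binds(log: str) -> List[Dict[str, object]]:
    """Bind responses that are real failures: neither success (err=0) nor the
    in-progress challenge step (err=14), which slapd logs with a misleading
    'successful result' text."""
    return [r for r in parse_bind_results(log)
            if r["err"] not in (0, SASL_BIND_IN_PROGRESS)]


def apply_sasl_regexp(pattern: str, replacement: str, sasl_name: str) -> Optional[str]:
    """Replay a slapd sasl-regexp directive: match 'pattern' against the SASL
    authentication ID and substitute $1..$9 in 'replacement'.
    Returns None when the pattern does not match (slapd would then try the
    next directive, or fall back to the unmapped name)."""
    m = re.match(pattern, sasl_name)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


if __name__ == "__main__":
    for rec in failed_sasl_binds(SAMPLE_SYSLOG):
        print(f"conn={rec['conn']} op={rec['op']} err={rec['err']} reason={rec['sasl_reason']}")
    print(apply_sasl_regexp("^uid=([^,]+),.*",
                            "uid=$1,cn=bjims31,cn=digest-md5,cn=auth",
                            "uid=liji1,cn=digest-md5,cn=auth"))
```

Run on the sample, the script reports a single failed bind, conn=0 op=2 with reason "no secret in database", and prints the rewritten DN uid=liji1,cn=bjims31,cn=digest-md5,cn=auth, matching the slap_sasl2dn line in the slapd debug output. Filtering out err=14 matters when this sort of check feeds an alert: every DIGEST-MD5 bind produces one such challenge response, so counting it would double every attempt.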