Re: PROBLEM: can't use SASL to authentication openldap client



On 21/06/10 09:52 +0800, LI Ji D wrote:
3. Then I configure the slapd.conf to be like this:
   authz-policy to
   sasl-regexp     "^uid=([^,]+),.*" "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"
   database      bdb
   suffix          "dc=example,dc=com"
   rootdn "uid=111,cn=digest-md5,cn=auth"

4. Then I use 'saslpasswd2 -c liji1' to add a user and create /usr/lib/sasl2/slapd.conf with content:

   pwcheck_method: auxprop
   auxprop_plugin: sasldb
   mech_list: plain login ntlm cram-md5 digest-md5

5. Then I start slapd with command 'slapd -d 1', and run
ldapwhoami with command: 'ldapwhoami -h localhost -U root -Y DIGEST-MD5 -p
389', but fails with reason: user not found: no secret in database.
The log of slapd is:

slap_sasl_getdn: u:id converted to uid=liji1,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=liji1,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=liji1,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=liji1,cn=digest-md5,cn=auth to a DN
slap_sasl_getdn: dn:id converted to uid=liji1,cn=bjims31,cn=digest-md5,cn=auth
SASL [conn=1] Failure: no secret in database

It's not clear which user credentials are being retrieved from sasldb. Is
it uid=liji1,cn=digest-md5,cn=auth or liji1?

You could increase your cyrus debugging to get more information out of
syslog: Add an:

auth.debug...

to your syslog configuration, and add this to your
/usr/lib/sasl2/slapd.conf:

log_level: 7

--
Dan White
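The log above shows the three stages slapd goes through before the sasldb lookup: the bare SASL user is wrapped into a `cn=auth` DN, that DN is normalized, and the `sasl-regexp` from the quoted slapd.conf rewrites it. The following is an added illustration, not OpenLDAP's own code: a small Python model of that mapping using the exact regexp and replacement from the thread, with `dn_normalize` reduced to case-folding (an assumption; the real dnNormalize does more). It also models the consequence that the same rule rewrites `uid=111`, so in this model the result no longer equals the configured rootdn.

```python
import re

# Rule copied from the slapd.conf quoted in the thread.
# slapd expands $1..$9 in the replacement with the pattern's captures.
SASL_REGEXPS = [
    (r"^uid=([^,]+),.*", "uid=$1,cn=bjims31,cn=digest-md5,cn=auth"),
]

# rootdn from the same slapd.conf
ROOTDN = "uid=111,cn=digest-md5,cn=auth"


def sasl_authcid_to_dn(authcid: str, mech: str) -> str:
    """Model of the 'u:' form in slap_sasl_getdn: bare SASL user -> auth DN."""
    return f"uid={authcid},cn={mech},cn=auth"


def dn_normalize(dn: str) -> str:
    """Simplified stand-in for slapd's dnNormalize (assumption: case-fold only).
    The real routine also canonicalises spacing and escaping."""
    return dn.lower()


def apply_sasl_regexps(dn: str, rules=SASL_REGEXPS) -> str:
    """Apply the first matching sasl-regexp; unmatched DNs pass through unchanged."""
    for pattern, replacement in rules:
        m = re.match(pattern, dn)
        if m:
            # translate slapd's $N placeholders into the captured groups
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return dn


def map_sasl_identity(authcid: str, mech: str):
    """Return (auth DN, normalized DN, rewritten DN) as slapd logs them."""
    auth_dn = sasl_authcid_to_dn(authcid, mech)
    norm = dn_normalize(auth_dn)
    return auth_dn, norm, apply_sasl_regexps(norm)


def matches_rootdn(authcid: str, mech: str) -> bool:
    """In this model, does the rewritten identity equal the configured rootdn?"""
    return dn_normalize(map_sasl_identity(authcid, mech)[2]) == dn_normalize(ROOTDN)


if __name__ == "__main__":
    for stage in map_sasl_identity("liji1", "DIGEST-MD5"):
        print(stage)
    print("uid=111 is rootdn after rewrite:", matches_rootdn("111", "DIGEST-MD5"))
```

Running it reproduces the DN sequence from the slapd log; note that the rewrite step happens before sasldb is consulted, which is why the question of which name cyrus-sasl actually looks up still needs the extra SASL logging described in the reply.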