
Re: PROBLEM: can't use SASL to authentication openldap client



LI Ji D wrote:
Hi,

I added sasl-auxprops sasldb to the OpenLDAP slapd.conf, started slapd, and ran
/usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com.
I got the response below:

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: SASL(0): successful result

That's because the slapd program stopped for some reason. Here is the slapd log:

<==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
Segmentation fault

Most likely your sasldb was compiled against a different version of BerkeleyDB than slapd.

In general, using sasldb is a mistake. You cannot administer it remotely, and it has no provisions for re-entrancy / thread-safety.

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Tuesday, August 10, 2010 1:53 PM
To: Dan White
Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

Dan White wrote:
> On 09/08/10 14:52 -0700, Howard Chu wrote:
>> Dan White wrote:
>>> On 09/08/10 16:56 +0800, LI Ji D wrote:
>>>> Hi,
>>>> My problem is that I expect slapd to authenticate with the password
>>>> stored in sasldb. But it doesn't; it uses the password stored in the
>>>> userPassword attribute of this user, which is an entry in OpenLDAP.
>>>> So I want to know, how can slapd use the password stored in sasldb to do
>>>> the SASL authentication.
>>>
>>> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
>>> did not provide the expected response. Regardless of whether I set it to
>>> slapd or sasldb, the server authenticates my DIGEST-MD5 SASL bind using the
>>> internal slapd plugin.
>>>
>>> I recommend you file a bug report.
>>
>> File the bug with the correct people. OpenLDAP doesn't do anything in
>> particular with SASL configuration. If you can't get the desired behavior
>> by setting the SASL config file, then file a bug against Cyrus SASL.
>
> It does! For auxprop_plugin, and auxprop_plugin only. After some digging I
> found the insertion of a SASL_CB_GETOPT function which replaces whatever
> auxprop_plugin value is found in the sasl config file with the
> sasl-auxprops openldap config option, or defaults to 'slapd' if no
> sasl-auxprops is defined.
>
> It's perfectly documented in the slapd.conf man page... just never occurred
> to me to look.
>
> LI,
>
> setting:
>
> sasl-auxprops sasldb
>
> within the openldap slapd.conf works for me.

My mistake. This was added last year.

http://www.openldap.org/its/index.cgi/Software Bugs?id=6147

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
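Two checks that follow from the thread above, as an added example that is not code from the original posts, from OpenLDAP or from Cyrus SASL: first, which auxprop plugin slapd will actually use for a given slapd.conf (the sasl-auxprops directive wins and defaults to "slapd", so the auxprop_plugin line in the SASL config file is never consulted by slapd); second, whether slapd and the sasldb auxprop plugin are linked against the same Berkeley DB library, which is the mismatch suspected behind the segfault. The three paths (SLAPD, SLAPD_CONF, SASLDB_PLUGIN) and the sample slapd.conf and ldd outputs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for this thread; not code from OpenLDAP, Cyrus SASL or any of
# the posters. Two checks that follow from the discussion above:
#   1. which auxprop plugin slapd will actually use, given its slapd.conf
#      (the sasl-auxprops directive wins, default "slapd"; the auxprop_plugin
#      setting in the SASL config file is never consulted by slapd), and
#   2. whether slapd and the sasldb auxprop plugin are linked against the same
#      Berkeley DB library, the mismatch suspected behind the segfault.
# The three paths below are assumptions; point them at your own installation.
SLAPD=${SLAPD:-/usr/local/openldap/libexec/slapd}
SLAPD_CONF=${SLAPD_CONF:-/usr/local/openldap/etc/openldap/slapd.conf}
SASLDB_PLUGIN=${SASLDB_PLUGIN:-/usr/lib/sasl2/libsasldb.so}

# Read slapd.conf text on stdin, print the auxprop plugin list slapd will use.
# Comment lines never match because their first field is "#"; the directive
# name is case-insensitive and the last definition is taken.
effective_auxprop() {
    awk 'tolower($1) == "sasl-auxprops" {
             sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); v = $0
         }
         END { print (v == "" ? "slapd" : v) }'
}

# Read ldd(1) output on stdin, print the Berkeley DB soname it names
# (e.g. libdb-4.8.so), or nothing if no libdb is linked at all.
libdb_soname() {
    awk '$1 ~ /^libdb[-.0-9]*\.so[.0-9]*$/ && $2 == "=>" { print $1; exit }'
}

# Compare two ldd outputs: 0 = same libdb, 1 = different libdb versions,
# 2 = at least one links no libdb (for libsasldb.so that means Cyrus SASL was
# built with gdbm/ndbm instead, and the Berkeley DB theory does not apply).
compare_libdb() {
    _a=$(printf '%s\n' "$1" | libdb_soname)
    _b=$(printf '%s\n' "$2" | libdb_soname)
    [ -n "$_a" ] && [ -n "$_b" ] || return 2
    [ "$_a" = "$_b" ]
}

# $1 = ldd output of slapd, $2 = ldd output of libsasldb.so; prints a verdict.
report_libdb() {
    _rc=0
    compare_libdb "$1" "$2" || _rc=$?
    case $_rc in
        0) echo "ok: both use $(printf '%s\n' "$1" | libdb_soname)" ;;
        1) echo "MISMATCH: slapd uses $(printf '%s\n' "$1" | libdb_soname), libsasldb.so uses $(printf '%s\n' "$2" | libdb_soname)" ;;
        *) echo "no libdb in one of them; not a Berkeley DB version problem" ;;
    esac
}

# Constructed sample input so the script shows something offline: a minimal
# slapd.conf and two made-up ldd outputs that name different libdb versions.
SAMPLE_CONF='# constructed slapd.conf
database   bdb
suffix     "dc=example,dc=com"
sasl-auxprops sasldb'
SAMPLE_SLAPD_LDD='  libdb-4.8.so => /usr/lib/libdb-4.8.so (0x00007f00)
  libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f01)'
SAMPLE_PLUGIN_LDD='  libdb-4.7.so => /usr/lib/libdb-4.7.so (0x00007f02)'
echo "sample: auxprop plugin = $(printf '%s\n' "$SAMPLE_CONF" | effective_auxprop)"
echo "sample: $(report_libdb "$SAMPLE_SLAPD_LDD" "$SAMPLE_PLUGIN_LDD")"

# Real check, run only when the binaries are actually present on this host.
if [ -f "$SLAPD" ] && [ -f "$SASLDB_PLUGIN" ] && command -v ldd >/dev/null 2>&1; then
    if [ -r "$SLAPD_CONF" ]; then
        echo "auxprop plugin = $(effective_auxprop < "$SLAPD_CONF")"
    fi
    report_libdb "$(ldd "$SLAPD")" "$(ldd "$SASLDB_PLUGIN")"
fi
```

If libsasldb.so shows no libdb at all, Cyrus SASL was built with a different dbm library and the Berkeley DB mismatch theory does not apply; look elsewhere for the segfault. On a cn=config deployment the same directive is the olcSaslAuxprops attribute of cn=config rather than a slapd.conf line.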