
RE: PROBLEM: can't use SASL to authentication openldap client



Hi,
I can understand the disadvantage of using sasldb; I just want to test
SASL with sasldb.
Is there any way I can solve this issue? I can't find out which version
of db sasldb is using.
Thanks for your response; it helps me a lot.

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Tuesday, August 10, 2010 2:26 PM
To: LI Ji D
Cc: Dan White; Dieter Kluenter; openldap-technical@openldap.org
Subject: Re: PROBLEM: can't use SASL to authentication openldap client

LI Ji D wrote:
> Hi,
>
> I add sasl-auxprops sasldb in openldap slapd.conf. And start slapd, run
> /usr/local/openldap/bin/ldapsearch -U admin -b ou=people,dc=example,dc=com.
> Gets the response as below:
>
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: SASL(0): successful result
>
> that's because slapd program is stopped for some reason, here is the log of slapd:

> <==slap_sasl2dn: Converted SASL name to cn=admin,ou=people,dc=example,dc=com
> slap_sasl_getdn: dn:id converted to cn=admin,ou=people,dc=example,dc=com
> Segmentation fault

Most likely your sasldb was compiled against a different version of BerkeleyDB
than slapd.

In general, using sasldb is a mistake. You cannot administer it remotely, and
it has no provisions for re-entrancy / thread-safety.

> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Tuesday, August 10, 2010 1:53 PM
> To: Dan White
> Cc: LI Ji D; Dieter Kluenter; openldap-technical@openldap.org
> Subject: Re: PROBLEM: can't use SASL to authentication openldap client
>
> Dan White wrote:
>
>>  On 09/08/10 14:52 -0700, Howard Chu wrote:
>> > Dan White wrote:
>> >> On 09/08/10 16:56 +0800, LI Ji D wrote:
>> >>> Hi,
>> >>> My problem is that I expect slapd to authenticate with the password
>> >>> stored in sasldb. But it's not, it uses the password stored in userpassword
>> >>> attribute of this user which is an item of openldap.
>> >>>
>> >>> So I want to know, how can slapd use password stored in sasldb to do the
>> >>> sasl authentication.
>
>> >>
>> >> I attempted to do this as well and failed. Setting auxprop_plugin to sasldb
>> >> did not provide the expected response. Regardless of whether I set it to
>> >> slapd or sasldb, the server authenticates my digest-md5 sasl bind using the
>> >> internal slapd plugin.
>> >>
>> >> I recommend you file a bug report.
>> >
>> > File the bug with the correct people. OpenLDAP doesn't do anything in
>> > particular with SASL configuration. If you can't get the desired behavior
>> > by setting the SASL config file, then file a bug against Cyrus SASL.
>
>>
>>  It does! for auxprop_plugin, and auxprop_plugin only. After some digging I
>>  found the insertion of a SASL_CB_GETOPT function which replaces whatever
>>  auxprop_plugin value is found in the sasl config file with the
>>  sasl-auxprops openldap config option, or defaults to 'slapd' if no
>>  sasl-auxprops is defined.
>>
>>  It's perfectly documented in the slapd.conf man page... just never occurred
>>  to me to look.
>>
>>  LI,
>>
>>  setting:
>>
>>  sasl-auxprops sasldb
>>
>>  within the openldap slapd.conf works for me.
>
> My mistake. This was added last year.
>
> http://www.openldap.org/its/index.cgi/Software Bugs?id=6147
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
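
A check for the library mismatch suggested in the reply above, as an added example that is not part of the original thread: it compares the libdb soname that slapd and the Cyrus SASL sasldb plugin resolve to. The binary paths are supplied by the reader as arguments, and the embedded sample ldd output and its version numbers are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the BerkeleyDB shared library
# that two binaries resolve to, using `ldd`-style output.
# Usage (paths are the reader's own): sh script.sh <slapd> <sasldb-plugin.so>

# Print the unique libdb sonames found in ldd output read from stdin.
# ldd lines look like: "<tab>libdb-4.7.so => /usr/lib/libdb-4.7.so (0x...)"
libdb_sonames() {
    awk '$1 ~ /^libdb(-[0-9.]+)?\.so/ { print $1 }' | sort -u
}

# Compare two files of ldd output; print match, mismatch or unknown.
# "unknown" means one side shows no dynamic libdb (static link or not used).
compare_libdb() {
    a=$(libdb_sonames < "$1")
    b=$(libdb_sonames < "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo unknown
    elif [ "$a" = "$b" ]; then
        echo match
    else
        echo mismatch
    fi
}

tmp=$(mktemp -d)
if [ "$#" -eq 2 ]; then
    # Real run: inspect the two binaries given on the command line.
    ldd "$1" > "$tmp/a"
    ldd "$2" > "$tmp/b"
else
    # Constructed sample ldd output; library versions are illustrative only.
    printf '\tlibsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x0)\n\tlibdb-4.7.so => /usr/local/lib/libdb-4.7.so (0x0)\n' > "$tmp/a"
    printf '\tlibdb-4.2.so => /usr/lib/libdb-4.2.so (0x0)\n' > "$tmp/b"
fi
compare_libdb "$tmp/a" "$tmp/b"   # constructed sample prints: mismatch
rm -rf "$tmp"
```

A result of `unknown` means at least one side shows no dynamically linked libdb, so the comparison has to be made another way, for example from the build configuration.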