
Re: OpenLDAP session authentication



Hi Dan,

> A work around is to create a '.ldaprc' file in your home directory with the
> contents:
> 
> SASL_MECH PLAIN

This change has no effect...

I am running 2.4.23 that I built from source.  Both ldapsearch and
ldapwhoami are linked against libsasl2.  If there's some configuration
that I'm missing, I'm not aware of it...

> Is that /usr/lib/sasl2/slapd.conf or /usr/local/sasl2/slapd.conf (should be
> the former)?

Yes, that was a typo, sorry about that (it's the former).

> the 'uid=erik,cn=plain,cn=auth' is your derived authenticated identity
> based on SASL authentication. Thunderbird will need to perform a SASL
> bind using a username of 'erik' and your password. You cannot perform
> simple authentication using that DN unless that DN actually exists in your
> tree.

What DN would I use for simple authentication?  Maybe Thunderbird cannot
perform a SASL BIND?

It seems that Thunderbird and ldapwhoami (with the -D option) are doing
the same kind of Bind:

# ldapwhoami -H ldaps://localhost/ -D 'uid=erik,cn=plain,cn=auth' -W
Oct  6 11:28:14 starfish slapd[17086]: conn=1000 fd=13 ACCEPT from
IP=127.0.0.1:44395 (IP=0.0.0.0:636)
Oct  6 11:28:14 starfish slapd[17086]: conn=1000 fd=13 TLS established
tls_ssf=256 ssf=256
Oct  6 11:28:14 starfish slapd[17086]: conn=1000 op=0 BIND
dn="uid=erik,cn=plain,cn=auth" method=128
Oct  6 11:28:14 starfish slapd[17086]: conn=1000 op=0 RESULT tag=97
err=49 text=
Oct  6 11:28:14 starfish slapd[17086]: conn=1000 fd=13 closed
(connection lost)

And from Thunderbird:
Oct  6 11:26:17 starfish slapd[17042]: conn=1010 fd=13 ACCEPT from
IP=1.2.3.4:49964 (IP=0.0.0.0:636)
Oct  6 11:26:17 starfish slapd[17042]: conn=1010 fd=13 TLS established
tls_ssf=256 ssf=256
Oct  6 11:26:17 starfish slapd[17042]: conn=1010 op=0 BIND
dn="uid=erik,cn=plain,cn=auth" method=128
Oct  6 11:26:17 starfish slapd[17042]: conn=1010 op=0 RESULT tag=97
err=49 text=

The ldapwhoami command works with the -U option:

root@starfish:/home/erik/ldif# ldapwhoami -U erik -H ldaps://localhost/
SASL/PLAIN authentication started
Please enter your password:
SASL username: erik
SASL SSF: 0
dn:uid=erik,cn=plain,cn=auth

The debug output is as follows:

Oct  6 11:32:55 starfish slapd[17086]: conn=1001 fd=13 ACCEPT from
IP=127.0.0.1:41416 (IP=0.0.0.0:636)
Oct  6 11:32:55 starfish slapd[17086]: conn=1001 fd=13 TLS established
tls_ssf=256 ssf=256
Oct  6 11:32:55 starfish slapd[17086]: conn=1001 op=0 SRCH base=""
scope=0 deref=0 filter="(objectClass=*)"
Oct  6 11:32:55 starfish slapd[17086]: conn=1001 op=0 SRCH
attr=supportedSASLMechanisms
Oct  6 11:32:55 starfish slapd[17086]: conn=1001 op=0 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=1 BIND dn="" method=163
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=1 BIND
authcid="erik" authzid="erik"
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=1 BIND
dn="uid=erik,cn=plain,cn=auth" mech=PLAIN sasl_ssf=0 ssf=256
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=1 RESULT tag=97
err=0 text=
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=2 EXT
oid=1.3.6.1.4.1.4203.1.11.3
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=2 WHOAMI
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=2 RESULT oid= err=0
text=
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=3 UNBIND
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 fd=13 closed

> See chapter 15 of the OpenLDAP Software 2.4 Administrator's Guide for a
> discussion of mapping authentication identities to DNs.

I have read the Administrator's guide, but it is still not clear to me...
I'm not sure why I need to map anything, actually.  I do not use LDAP as
an authentication server at all.  I only want to provide authenticated
access to the LDAP database -- and I want that authentication to come
from a password in /etc/shadow.

I'm not sure why the "-U erik" form works and the "-D
'uid=erik,cn=plain,cn=auth'" form does work.

Thanks again for your help and for bearing with me.

Regards,

Erik
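Added example, not part of this thread: a small Python script that parses the slapd BIND/RESULT lines quoted above and tells the two bind kinds apart (method=128 is a simple bind and method=163 a SASL bind, the BER tags of the LDAP AuthenticationChoice; tag=97 is the BindResponse and err=49 invalidCredentials). It also flags a SASL/PLAIN bind whose sasl_ssf and ssf are both 0, i.e. one where no TLS layer covers the password; the conn=1002 lines and the function names are constructed for this example.

```python
import re
from collections import defaultdict

# Log lines: conn=1000/1001 are taken (unwrapped) from the post above;
# conn=1002 is a constructed PLAIN bind without TLS to exercise that check.
SAMPLE_LOG = """\
Oct  6 11:28:14 starfish slapd[17086]: conn=1000 op=0 BIND dn="uid=erik,cn=plain,cn=auth" method=128
Oct  6 11:28:14 starfish slapd[17086]: conn=1000 op=0 RESULT tag=97 err=49 text=
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=1 BIND dn="" method=163
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=1 BIND authcid="erik" authzid="erik"
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=1 BIND dn="uid=erik,cn=plain,cn=auth" mech=PLAIN sasl_ssf=0 ssf=256
Oct  6 11:32:56 starfish slapd[17086]: conn=1001 op=1 RESULT tag=97 err=0 text=
Oct  6 11:40:00 starfish slapd[17086]: conn=1002 op=0 BIND dn="" method=163
Oct  6 11:40:00 starfish slapd[17086]: conn=1002 op=0 BIND dn="uid=erik,cn=plain,cn=auth" mech=PLAIN sasl_ssf=0 ssf=0
Oct  6 11:40:00 starfish slapd[17086]: conn=1002 op=0 RESULT tag=97 err=0 text=
"""

# method= is the BER tag of the LDAP AuthenticationChoice: [0] simple = 128, [3] sasl = 163.
METHOD = {"128": "simple", "163": "sasl"}
INVALID_CREDENTIALS = "49"  # LDAP resultCode invalidCredentials

BIND_RE = re.compile(r"conn=(\d+) op=(\d+) BIND (.*)$")
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97: BindResponse
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

def parse_binds(log_text):
    """One record per (conn, op). slapd logs a SASL bind as several BIND lines
    (empty dn, then authcid/authzid, then the derived dn/mech/ssf), so merge them."""
    binds = defaultdict(dict)
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            conn, op, rest = m.groups()
            binds[(conn, op)].update({k: v.strip('"') for k, v in KV_RE.findall(rest)})
        elif m := RESULT_RE.search(line):
            conn, op, err = m.groups()
            binds[(conn, op)]["err"] = err
    return dict(binds)

def classify(bind):
    method, dn, err = METHOD.get(bind.get("method"), "unknown"), bind.get("dn", ""), bind.get("err")
    if method == "simple" and dn.endswith(",cn=auth") and err == INVALID_CREDENTIALS:
        # cn=auth DNs are derived by slapd from a SASL identity; no such entry
        # exists in the tree, so a simple bind against one can only fail.
        return "simple-bind-to-sasl-derived-dn"
    if method == "sasl" and bind.get("mech") == "PLAIN" and bind.get("sasl_ssf") == "0" and err == "0":
        # PLAIN adds no protection of its own; only the TLS layer (ssf) covers the password.
        return "sasl-plain-over-tls" if bind.get("ssf", "0") != "0" else "sasl-plain-cleartext"
    return "invalid-credentials" if err == INVALID_CREDENTIALS else ("ok" if err == "0" else "other")

def report(log_text):
    """Map each (conn, op) bind to its verdict string."""
    return {key: classify(b) for key, b in parse_binds(log_text).items()}

if __name__ == "__main__":
    for (conn, op), verdict in report(SAMPLE_LOG).items():
        print(f"conn={conn} op={op}: {verdict}")
```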