Re: Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??

[Dan White <dwhite@olp.net>]

On 14/02/11 23:47 +0900, Hiroyuki Sato wrote:
> Does anybody succeed to setup SASL(digest-md5) authentication with
> mysql database and latest openldap-server??
>
> I'm not sure, why this configuration does not work correctly.
> and It seems that LDAP server compare dn and input password in ldap
> authentication. (see log below)
>
> My Environment
>  OS: Ubuntu 10.10
>  OpenLDAP : 2.4.24 (build myself)
>
> 1, slapd.conf
>
>  sasl-realm mydomain.com
>  sasl-auxprops sql
>
>  sasl-regexp
>    uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
>    uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com

This isn't matching what's showing up in your logs. slapd is internally
canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.

> 2, /usr/lib/sasl2/slapd.conf
>
>  pwcheck_method: auxprop
>  mech_list: DIGEST-MD5
>  log_level: 7
>  auxprop_plugin: sql
>  sql_verbose: yes
>  sql_engine: mysql
>  sql_hostnames: database.server.add.ress
>  sql_user: username
>  sql_passwd: password
>  sql_database: db_name
>  sql_select: select password from sasl_test where username = '%u@%r'
>
>  ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5  -U
>   ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com'
>   -LLL '(objectclass=*)' Password:
>  ldap_sasl_interactive_bind_s: Insufficient access (50)
>
> 5, log
>
>    <= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
>    slap_sasl_getdn: u:id converted to
> uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth


>    slap_sasl_getdn: dn:id converted to
> uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com

You want the 'uid' part of your rule to be a bit more restrictive, such as
uid=([^,]+) so that is doesn't end up matching a longer string
accidentally.

--
Dan White