Re: Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??
- To: Dan White <dwhite@olp.net>
- Subject: Re: Does anybody succeed to setup SASL(digest-md5) authentication with mysql database and latest openldap-server??
- From: Hiroyuki Sato <hiroysato@gmail.com>
- Date: Wed, 16 Feb 2011 20:32:44 +0900
- Cc: openldap-technical@openldap.org
- In-reply-to: <20110214194400.GG5057@dan.olp.net>
- References: <AANLkTi=DGG7mgHSus-2s4QSPL=PLqnjLC_PAd_6fYyF_@mail.gmail.com> <20110214194400.GG5057@dan.olp.net>
Thank you Dan.
I simplified the test environment (see below).
* Problem summary
Has anybody succeeded in setting up SASL (DIGEST-MD5) authentication with a
MySQL database and the latest openldap-server?
I'm not sure why this configuration does not work correctly, and it seems
that the LDAP server compares the DN and the input password in LDAP
authentication (see log below).
To: Dan
>> sasl-regexp
>> uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
>> uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
>
> This isn't matching what's showing up in your logs. slapd is internally
> canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
Is this true?
I tested again. It seems that cn=<realm> is set from the ``sasl-realm'' value.
> You want the 'uid' part of your rule to be a bit more restrictive, such as
> uid=([^,]+) so that it doesn't end up matching a longer string
> accidentally.
I changed it to uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth
case1
# sasl-realm mydomain.com
sasl-regexp
uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth
uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=DIGEST-MD5,cn=auth>
note: realm is not set.
case2
config
# sasl-realm mydomain.com
sasl-regexp
uid=([^,]+),cn=mydomain,dc=com,cn=digest-md5,cn=auth
uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
note: realm is not set.
case3
config
sasl-realm mydomain.com
sasl-regexp
uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth
uid=$1,ou=users,dc=mydomain,dc=com
result
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=282
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to
uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth>
note: realm is set to 'cn=mydomain.com'.
case4
config
# sasl-realm mydomain.com
sasl-regexp
uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth
uid=$1,ou=users,dc=mydomain,dc=com
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=290
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=ldap_user,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=ldap_user,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
string='uid=ldap_user,cn=digest-md5,cn=auth'
==> rewrite_rule_apply
rule='uid=([^,]+),cn=mydomain.cn=com,cn=digest-md5,cn=auth'
string='uid=ldap_user,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'uid=ldap_user,cn=digest-md5,cn=auth'}
[rw] authid: "uid=ldap_user,cn=digest-md5,cn=auth" ->
"uid=ldap_user,cn=digest-md5,cn=auth"
slap_parseURI: parsing uid=ldap_user,cn=digest-md5,cn=auth
ldap_url_parse_ext(uid=ldap_user,cn=digest-md5,cn=auth)
>>> dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=digest-md5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=digest-md5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=digest-md5,cn=auth>
<==slap_sasl2dn: Converted SASL name to
uid=ldap_user,cn=digest-md5,cn=auth
slap_sasl_getdn: dn:id converted to uid=ldap_user,cn=digest-md5,cn=auth
SASL Canonicalize [conn=1000]:
slapAuthcDN="uid=ldap_user,cn=digest-md5,cn=auth"
SASL Canonicalize [conn=1000]: authzid="ldap_user"
--
Hiroyuki Sato
0, Environment
OS: ubuntu 10.10
OpenLDAP: 2.4.24
1, slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=Manager,dc=mydomain,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
loglevel -1
####################################################
#
# SASL config
#
####################################################
sasl-realm mydomain.com
sasl-regexp
uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth
uid=$1,ou=users,dc=mydomain,dc=com
sasl-auxprops sql
2, ldif
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
o: mydomain
dc: mydomain
dn: ou=users,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: users
dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: groups
dn: uid=ldap_user,ou=users,dc=mydomain,dc=com
uid: ldap_user
cn: ldap_user
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
gecos: ldap_user
homeDirectory: /home/ldap_user
userPassword:: KioqKioqKio=
3, /usr/lib/sasl2/slapd.conf
pwcheck_method: auxprop
mech_list: DIGEST-MD5
log_level: 7
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: host.addre.ss
sql_user: username
sql_passwd: password
sql_database: database
sql_select: select password from sasl_test where username = '%u@%r'
4, mysql
Create Table: CREATE TABLE `sasl_test` (
`username` varchar(255) NOT NULL,
`password` varchar(255) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8
mysql> select * from sasl_test \G
*************************** 1. row ***************************
username: ldap_user@mydomain.com
password: password1
5, client request
ldapsearch -R mydomain.com -h 192.168.10.36 -Y digest-md5 -U
ldap_user -b 'dc=mydomain,dc=com' -LLL '(objectclass=*)'
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
6, complete log
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=NULL
>>> slap_listener(ldap:///)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: listen=7, new connection on 12
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: added 12r (active) listener=(nil)
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 fd=12 ACCEPT from IP=192.168.10.53:53531 (IP=0.0.0.0:389)
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
0000: 30 18 02 01 01 60 13 02 0....`..
ldap_read: want=18, got=18
0000: 01 03 04 00 a3 0c 04 0a 44 49 47 45 53 54 2d 4d ........DIGEST-M
0010: 44 35 D5
ber_get_next: tag 0x30 len 24 contents:
ber_dump: buf=0xa1e2798 ptr=0xa1e2798 end=0xa1e27b0 len=24
0000: 02 01 01 60 13 02 01 03 04 00 a3 0c 04 0a 44 49 ...`..........DI
0010: 47 45 53 54 2d 4d 44 35 GEST-MD5
op tag 0x60, time 1297854079
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e279b end=0xa1e27b0 len=21
0000: 60 13 02 01 03 04 00 a3 0c 04 0a 44 49 47 45 53 `..........DIGES
0010: 54 2d 4d 44 35 T-MD5
ber_scanf fmt ({m) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e27a2 end=0xa1e27b0 len=14
0000: 00 0c 04 0a 44 49 47 45 53 54 2d 4d 44 35 ....DIGEST-MD5
ber_scanf fmt (}}) ber:
ber_dump: buf=0xa1e2798 ptr=0xa1e27b0 end=0xa1e27b0 len=0
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=0 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=DIGEST-MD5 datalen=0
SASL [conn=1000] Debug: DIGEST-MD5 server step 1
send_ldap_sasl: err=14 len=176
send_ldap_response: msgid=1 tag=97 err=14
ber_flush2: 223 bytes to sd 12
0000: 30 81 dc 02 01 01 61 81 d6 0a 01 0e 04 00 04 1c 0.....a.........
0010: 53 41 53 4c 28 30 29 3a 20 73 75 63 63 65 73 73 SASL(0): success
0020: 66 75 6c 20 72 65 73 75 6c 74 3a 20 87 81 b0 6e ful result: ...n
0030: 6f 6e 63 65 3d 22 68 4b 50 75 45 6f 79 69 6d 4b once="hKPuEoyimK
0040: 2f 64 6c 42 49 56 6a 2f 54 35 59 78 54 49 36 6d /dlBIVj/T5YxTI6m
0050: 2f 4e 54 75 77 71 63 77 44 73 36 65 71 2f 6d 57 /NTuwqcwDs6eq/mW
0060: 49 3d 22 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f 6d I=",realm="mydom
0070: 61 69 6e 2e 63 6f 6d 22 2c 71 6f 70 3d 22 61 75 ain.com",qop="au
0080: 74 68 2c 61 75 74 68 2d 69 6e 74 2c 61 75 74 68 th,auth-int,auth
0090: 2d 63 6f 6e 66 22 2c 63 69 70 68 65 72 3d 22 72 -conf",cipher="r
00a0: 63 34 2d 34 30 2c 72 63 34 2d 35 36 2c 72 63 34 c4-40,rc4-56,rc4
00b0: 22 2c 6d 61 78 62 75 66 3d 36 35 35 33 36 2c 63 ",maxbuf=65536,c
00c0: 68 61 72 73 65 74 3d 75 74 66 2d 38 2c 61 6c 67 harset=utf-8,alg
00d0: 6f 72 69 74 68 6d 3d 6d 64 35 2d 73 65 73 73 orithm=md5-sess
ldap_write: want=223, written=223
0000: 30 81 dc 02 01 01 61 81 d6 0a 01 0e 04 00 04 1c 0.....a.........
0010: 53 41 53 4c 28 30 29 3a 20 73 75 63 63 65 73 73 SASL(0): success
0020: 66 75 6c 20 72 65 73 75 6c 74 3a 20 87 81 b0 6e ful result: ...n
0030: 6f 6e 63 65 3d 22 68 4b 50 75 45 6f 79 69 6d 4b once="hKPuEoyimK
0040: 2f 64 6c 42 49 56 6a 2f 54 35 59 78 54 49 36 6d /dlBIVj/T5YxTI6m
0050: 2f 4e 54 75 77 71 63 77 44 73 36 65 71 2f 6d 57 /NTuwqcwDs6eq/mW
0060: 49 3d 22 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f 6d I=",realm="mydom
0070: 61 69 6e 2e 63 6f 6d 22 2c 71 6f 70 3d 22 61 75 ain.com",qop="au
0080: 74 68 2c 61 75 74 68 2d 69 6e 74 2c 61 75 74 68 th,auth-int,auth
0090: 2d 63 6f 6e 66 22 2c 63 69 70 68 65 72 3d 22 72 -conf",cipher="r
00a0: 63 34 2d 34 30 2c 72 63 34 2d 35 36 2c 72 63 34 c4-40,rc4-56,rc4
00b0: 22 2c 6d 61 78 62 75 66 3d 36 35 35 33 36 2c 63 ",maxbuf=65536,c
00c0: 68 61 72 73 65 74 3d 75 74 66 2d 38 2c 61 6c 67 harset=utf-8,alg
00d0: 6f 72 69 74 68 6d 3d 6d 64 35 2d 73 65 73 73 orithm=md5-sess
conn=1000 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
<== slap_sasl_bind: rc=14
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=8
0000: 30 82 01 3a 02 01 02 60 0..:...`
ldap_read: want=310, got=310
0000: 82 01 33 02 01 03 04 00 a3 82 01 2a 04 0a 44 49 ..3........*..DI
0010: 47 45 53 54 2d 4d 44 35 04 82 01 1a 75 73 65 72 GEST-MD5....user
0020: 6e 61 6d 65 3d 22 6c 64 61 70 5f 75 73 65 72 22 name="ldap_user"
0030: 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f 6d 61 69 6e ,realm="mydomain
0040: 2e 63 6f 6d 22 2c 6e 6f 6e 63 65 3d 22 68 4b 50 .com",nonce="hKP
0050: 75 45 6f 79 69 6d 4b 2f 64 6c 42 49 56 6a 2f 54 uEoyimK/dlBIVj/T
0060: 35 59 78 54 49 36 6d 2f 4e 54 75 77 71 63 77 44 5YxTI6m/NTuwqcwD
0070: 73 36 65 71 2f 6d 57 49 3d 22 2c 63 6e 6f 6e 63 s6eq/mWI=",cnonc
0080: 65 3d 22 30 71 62 32 35 50 4b 31 4c 30 65 33 68 e="0qb25PK1L0e3h
0090: 78 79 37 35 34 41 35 44 5a 70 32 52 56 72 69 57 xy754A5DZp2RVriW
00a0: 4d 52 46 41 46 72 6c 67 32 65 56 73 74 41 3d 22 MRFAFrlg2eVstA="
00b0: 2c 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 6f 70 ,nc=00000001,qop
00c0: 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 68 65 =auth-conf,ciphe
00d0: 72 3d 72 63 34 2c 6d 61 78 62 75 66 3d 31 36 37 r=rc4,maxbuf=167
00e0: 37 37 32 31 35 2c 64 69 67 65 73 74 2d 75 72 69 77215,digest-uri
00f0: 3d 22 6c 64 61 70 2f 70 78 65 30 31 2e 61 72 63 ="ldap/pxe01.arc
0100: 68 73 79 73 74 65 6d 2e 63 6f 6d 22 2c 72 65 73 hsystem.com",res
0110: 70 6f 6e 73 65 3d 30 35 65 63 64 32 66 32 31 37 ponse=05ecd2f217
0120: 35 38 34 30 35 61 30 64 34 34 62 37 65 38 37 35 58405a0d44b7e875
0130: 66 63 35 39 32 63 fc592c
ber_get_next: tag 0x30 len 314 contents:
ber_dump: buf=0xa1e4780 ptr=0xa1e4780 end=0xa1e48ba len=314
0000: 02 01 02 60 82 01 33 02 01 03 04 00 a3 82 01 2a ...`..3........*
0010: 04 0a 44 49 47 45 53 54 2d 4d 44 35 04 82 01 1a ..DIGEST-MD5....
0020: 75 73 65 72 6e 61 6d 65 3d 22 6c 64 61 70 5f 75 username="ldap_u
0030: 73 65 72 22 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f ser",realm="mydo
0040: 6d 61 69 6e 2e 63 6f 6d 22 2c 6e 6f 6e 63 65 3d main.com",nonce=
0050: 22 68 4b 50 75 45 6f 79 69 6d 4b 2f 64 6c 42 49 "hKPuEoyimK/dlBI
0060: 56 6a 2f 54 35 59 78 54 49 36 6d 2f 4e 54 75 77 Vj/T5YxTI6m/NTuw
0070: 71 63 77 44 73 36 65 71 2f 6d 57 49 3d 22 2c 63 qcwDs6eq/mWI=",c
0080: 6e 6f 6e 63 65 3d 22 30 71 62 32 35 50 4b 31 4c nonce="0qb25PK1L
0090: 30 65 33 68 78 79 37 35 34 41 35 44 5a 70 32 52 0e3hxy754A5DZp2R
00a0: 56 72 69 57 4d 52 46 41 46 72 6c 67 32 65 56 73 VriWMRFAFrlg2eVs
00b0: 74 41 3d 22 2c 6e 63 3d 30 30 30 30 30 30 30 31 tA=",nc=00000001
00c0: 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 ,qop=auth-conf,c
00d0: 69 70 68 65 72 3d 72 63 34 2c 6d 61 78 62 75 66 ipher=rc4,maxbuf
00e0: 3d 31 36 37 37 37 32 31 35 2c 64 69 67 65 73 74 =16777215,digest
00f0: 2d 75 72 69 3d 22 6c 64 61 70 2f 70 78 65 30 31 -uri="ldap/pxe01
0100: 2e 61 72 63 68 73 79 73 74 65 6d 2e 63 6f 6d 22 .archsystem.com"
0110: 2c 72 65 73 70 6f 6e 73 65 3d 30 35 65 63 64 32 ,response=05ecd2
0120: 66 32 31 37 35 38 34 30 35 61 30 64 34 34 62 37 f21758405a0d44b7
0130: 65 38 37 35 66 63 35 39 32 63 e875fc592c
op tag 0x60, time 1297854089
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
conn=1000 op=1 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0xa1e4780 ptr=0xa1e4783 end=0xa1e48ba len=311
0000: 60 82 01 33 02 01 03 04 00 a3 82 01 2a 04 0a 44 `..3........*..D
0010: 49 47 45 53 54 2d 4d 44 35 04 82 01 1a 75 73 65 IGEST-MD5....use
0020: 72 6e 61 6d 65 3d 22 6c 64 61 70 5f 75 73 65 72 rname="ldap_user
0030: 22 2c 72 65 61 6c 6d 3d 22 6d 79 64 6f 6d 61 69 ",realm="mydomai
0040: 6e 2e 63 6f 6d 22 2c 6e 6f 6e 63 65 3d 22 68 4b n.com",nonce="hK
0050: 50 75 45 6f 79 69 6d 4b 2f 64 6c 42 49 56 6a 2f PuEoyimK/dlBIVj/
0060: 54 35 59 78 54 49 36 6d 2f 4e 54 75 77 71 63 77 T5YxTI6m/NTuwqcw
0070: 44 73 36 65 71 2f 6d 57 49 3d 22 2c 63 6e 6f 6e Ds6eq/mWI=",cnon
0080: 63 65 3d 22 30 71 62 32 35 50 4b 31 4c 30 65 33 ce="0qb25PK1L0e3
0090: 68 78 79 37 35 34 41 35 44 5a 70 32 52 56 72 69 hxy754A5DZp2RVri
00a0: 57 4d 52 46 41 46 72 6c 67 32 65 56 73 74 41 3d WMRFAFrlg2eVstA=
00b0: 22 2c 6e 63 3d 30 30 30 30 30 30 30 31 2c 71 6f ",nc=00000001,qo
00c0: 70 3d 61 75 74 68 2d 63 6f 6e 66 2c 63 69 70 68 p=auth-conf,ciph
00d0: 65 72 3d 72 63 34 2c 6d 61 78 62 75 66 3d 31 36 er=rc4,maxbuf=16
00e0: 37 37 37 32 31 35 2c 64 69 67 65 73 74 2d 75 72 777215,digest-ur
00f0: 69 3d 22 6c 64 61 70 2f 70 78 65 30 31 2e 61 72 i="ldap/pxe01.ar
0100: 63 68 73 79 73 74 65 6d 2e 63 6f 6d 22 2c 72 65 chsystem.com",re
0110: 73 70 6f 6e 73 65 3d 30 35 65 63 64 32 66 32 31 sponse=05ecd2f21
0120: 37 35 38 34 30 35 61 30 64 34 34 62 37 65 38 37 758405a0d44b7e87
0130: 35 66 63 35 39 32 63 5fc592c
ber_scanf fmt ({m) ber:
ber_dump: buf=0xa1e4780 ptr=0xa1e478c end=0xa1e48ba len=302
0000: 00 82 01 2a 04 0a 44 49 47 45 53 54 2d 4d 44 35 ...*..DIGEST-MD5
0010: 04 82 01 1a 75 73 65 72 6e 61 6d 65 3d 22 6c 64 ....username="ld
0020: 61 70 5f 75 73 65 72 22 2c 72 65 61 6c 6d 3d 22 ap_user",realm="
0030: 6d 79 64 6f 6d 61 69 6e 2e 63 6f 6d 22 2c 6e 6f mydomain.com",no
0040: 6e 63 65 3d 22 68 4b 50 75 45 6f 79 69 6d 4b 2f nce="hKPuEoyimK/
0050: 64 6c 42 49 56 6a 2f 54 35 59 78 54 49 36 6d 2f dlBIVj/T5YxTI6m/
0060: 4e 54 75 77 71 63 77 44 73 36 65 71 2f 6d 57 49 NTuwqcwDs6eq/mWI
0070: 3d 22 2c 63 6e 6f 6e 63 65 3d 22 30 71 62 32 35 =",cnonce="0qb25
0080: 50 4b 31 4c 30 65 33 68 78 79 37 35 34 41 35 44 PK1L0e3hxy754A5D
0090: 5a 70 32 52 56 72 69 57 4d 52 46 41 46 72 6c 67 Zp2RVriWMRFAFrlg
00a0: 32 65 56 73 74 41 3d 22 2c 6e 63 3d 30 30 30 30 2eVstA=",nc=0000
00b0: 30 30 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 0001,qop=auth-co
00c0: 6e 66 2c 63 69 70 68 65 72 3d 72 63 34 2c 6d 61 nf,cipher=rc4,ma
00d0: 78 62 75 66 3d 31 36 37 37 37 32 31 35 2c 64 69 xbuf=16777215,di
00e0: 67 65 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 70 gest-uri="ldap/p
00f0: 78 65 30 31 2e 61 72 63 68 73 79 73 74 65 6d 2e xe01.archsystem.
0100: 63 6f 6d 22 2c 72 65 73 70 6f 6e 73 65 3d 30 35 com",response=05
0110: 65 63 64 32 66 32 31 37 35 38 34 30 35 61 30 64 ecd2f21758405a0d
0120: 34 34 62 37 65 38 37 35 66 63 35 39 32 63 44b7e875fc592c
ber_scanf fmt (m) ber:
ber_dump: buf=0xa1e4780 ptr=0xa1e479c end=0xa1e48ba len=286
0000: 00 82 01 1a 75 73 65 72 6e 61 6d 65 3d 22 6c 64 ....username="ld
0010: 61 70 5f 75 73 65 72 22 2c 72 65 61 6c 6d 3d 22 ap_user",realm="
0020: 6d 79 64 6f 6d 61 69 6e 2e 63 6f 6d 22 2c 6e 6f mydomain.com",no
0030: 6e 63 65 3d 22 68 4b 50 75 45 6f 79 69 6d 4b 2f nce="hKPuEoyimK/
0040: 64 6c 42 49 56 6a 2f 54 35 59 78 54 49 36 6d 2f dlBIVj/T5YxTI6m/
0050: 4e 54 75 77 71 63 77 44 73 36 65 71 2f 6d 57 49 NTuwqcwDs6eq/mWI
0060: 3d 22 2c 63 6e 6f 6e 63 65 3d 22 30 71 62 32 35 =",cnonce="0qb25
0070: 50 4b 31 4c 30 65 33 68 78 79 37 35 34 41 35 44 PK1L0e3hxy754A5D
0080: 5a 70 32 52 56 72 69 57 4d 52 46 41 46 72 6c 67 Zp2RVriWMRFAFrlg
0090: 32 65 56 73 74 41 3d 22 2c 6e 63 3d 30 30 30 30 2eVstA=",nc=0000
00a0: 30 30 30 31 2c 71 6f 70 3d 61 75 74 68 2d 63 6f 0001,qop=auth-co
00b0: 6e 66 2c 63 69 70 68 65 72 3d 72 63 34 2c 6d 61 nf,cipher=rc4,ma
00c0: 78 62 75 66 3d 31 36 37 37 37 32 31 35 2c 64 69 xbuf=16777215,di
00d0: 67 65 73 74 2d 75 72 69 3d 22 6c 64 61 70 2f 70 gest-uri="ldap/p
00e0: 78 65 30 31 2e 61 72 63 68 73 79 73 74 65 6d 2e xe01.archsystem.
00f0: 63 6f 6d 22 2c 72 65 73 70 6f 6e 73 65 3d 30 35 com",response=05
0100: 65 63 64 32 66 32 31 37 35 38 34 30 35 61 30 64 ecd2f21758405a0d
0110: 34 34 62 37 65 38 37 35 66 63 35 39 32 63 44b7e875fc592c
ber_scanf fmt (}}) ber:
ber_dump: buf=0xa1e4780 ptr=0xa1e48ba end=0xa1e48ba len=0
>>> dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
conn=1000 op=1 BIND dn="" method=163
do_bind: dn () SASL mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=282
SASL [conn=1000] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=1000]: authcid="ldap_user"
slap_sasl_getdn: conn 1000 id=ldap_user [len=9]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
slap_sasl_getdn: u:id converted to
uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=ldap_user,cn=mydomain.com,cn=DIGEST-MD5,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth)=0
<<< dnNormalize: <uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1]
string='uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth'
==> rewrite_rule_apply
rule='uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth'
string='uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth' [1
pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'uid=ldap_user,ou=users,dc=mydomain,dc=com'}
[rw] authid: "uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth"
-> "uid=ldap_user,ou=users,dc=mydomain,dc=com"
slap_parseURI: parsing uid=ldap_user,ou=users,dc=mydomain,dc=com
ldap_url_parse_ext(uid=ldap_user,ou=users,dc=mydomain,dc=com)
>>> dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
=> ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com,0)
<= ldap_bv2dn(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=ldap_user,ou=users,dc=mydomain,dc=com)=0
<<< dnNormalize: <uid=ldap_user,ou=users,dc=mydomain,dc=com>
<==slap_sasl2dn: Converted SASL name to
uid=ldap_user,ou=users,dc=mydomain,dc=com
slap_sasl_getdn: dn:id converted to uid=ldap_user,ou=users,dc=mydomain,dc=com
SASL Canonicalize [conn=1000]:
slapAuthcDN="uid=ldap_user,ou=users,dc=mydomain,dc=com"
SASL Canonicalize [conn=1000]: authzid="ldap_user"
SASL proxy authorize [conn=1000]: authcid="ldap_user@mydomain.com"
authzid="ldap_user@mydomain.com"
==>slap_sasl_authorized: can
uid=ldap_user,ou=users,dc=mydomain,dc=com become password1?
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=1000]: proxy authorization disallowed (48)
SASL [conn=1000] Failure: not authorized
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization
failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
ber_flush2: 62 bytes to sd 12
0000: 30 3c 02 01 02 61 37 0a 01 32 04 00 04 30 53 41 0<...a7..2...0SA
0010: 53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69 SL(-14): authori
0020: 7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 zation failure:
0030: 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 not authorized
ldap_write: want=62, written=62
0000: 30 3c 02 01 02 61 37 0a 01 32 04 00 04 30 53 41 0<...a7..2...0SA
0010: 53 4c 28 2d 31 34 29 3a 20 61 75 74 68 6f 72 69 SL(-14): authori
0020: 7a 61 74 69 6f 6e 20 66 61 69 6c 75 72 65 3a 20 zation failure:
0030: 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 not authorized
conn=1000 op=1 RESULT tag=97 err=50 text=SASL(-14): authorization
failure: not authorized
<== slap_sasl_bind: rc=50
daemon: activity on 1 descriptor
daemon: activity on: 12r
daemon: read active on 12
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
connection_get(12)
connection_get(12): got connid=1000
connection_read(12): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 12 failed errno=0 (Success)
connection_read(12): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=12 for close
connection_close: conn=1000 sd=12
daemon: removing 12
conn=1000 fd=12 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
2011/2/15 Dan White <dwhite@olp.net>:
> On 14/02/11 23:47 +0900, Hiroyuki Sato wrote:
>>
>> Does anybody succeed to setup SASL(digest-md5) authentication with
>> mysql database and latest openldap-server??
>>
>> I'm not sure, why this configuration does not work correctly.
>> and It seems that LDAP server compare dn and input password in ldap
>> authentication. (see log below)
>>
>> My Environment
>> OS: Ubuntu 10.10
>> OpenLDAP : 2.4.24 (build myself)
>>
>> 1, slapd.conf
>>
>> sasl-realm mydomain.com
>> sasl-auxprops sql
>>
>> sasl-regexp
>> uid=(.*),cn=mydomain.com,cn=digest-md5,cn=auth
>> uid=$1,ou=users,ou=mydomain.com,dc=test,dc=mydomain,dc=com
>
> This isn't matching what's showing up in your logs. slapd is internally
> canonicalizing the realm as 'cn=mydomain,dc=com' and not 'cn=mydomain.com'.
>
>> 2, /usr/lib/sasl2/slapd.conf
>>
>> pwcheck_method: auxprop
>> mech_list: DIGEST-MD5
>> log_level: 7
>> auxprop_plugin: sql
>> sql_verbose: yes
>> sql_engine: mysql
>> sql_hostnames: database.server.add.ress
>> sql_user: username
>> sql_passwd: password
>> sql_database: db_name
>> sql_select: select password from sasl_test where username = '%u@%r'
>>
>> ldapsearch -R mydomain.com -h server_add.ress -Y digest-md5 -U
>> ldapuser -b 'ou=users,ou=mydomain.com,dc=test,dc=test,dc=mydomain,dc=com'
>> -LLL '(objectclass=*)' Password:
>> ldap_sasl_interactive_bind_s: Insufficient access (50)
>>
>> 5, log
>>
>> <= ldap_dn2bv(uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth)=0
>> slap_sasl_getdn: u:id converted to
>> uid=ldap_user,cn=mydomain,dc=com,cn=DIGEST-MD5,cn=auth
>
>
>> slap_sasl_getdn: dn:id converted to
>> uid=ldap_user,ou=users,ou=mydomain,dc=com,dc=test,dc=mydomain,dc=com
>
> You want the 'uid' part of your rule to be a bit more restrictive, such as
> uid=([^,]+) so that it doesn't end up matching a longer string
> accidentally.
I changed slap
>
> --
> Dan White
>
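To make the realm-dependent behaviour in the four cases above easier to reason about, here is an added Python simulation of the two mappings the logs show. It is not OpenLDAP or Cyrus SASL code and not from either poster: it assumes slapd's sasl-regexp matching behaves like an unanchored POSIX regex search with $N group substitution (the rewrite engine's own semantics may differ in corner cases), and that the sql auxprop plugin expands %u and %r by plain textual substitution. The identities, rule and sql_select are the ones from this thread.

```python
import re

# Added simulation (not OpenLDAP or Cyrus SASL code) of the two mappings
# discussed in the thread:
#   1. slapd turns the SASL authcid into a SASL DN and runs sasl-regexp on it
#   2. the Cyrus SASL sql auxprop plugin expands %u / %r in sql_select
# Identities below (ldap_user, mydomain.com) are the ones from the thread.


def sasl_auth_dn(authcid, mech, realm=None):
    """Build the DN slapd's slap_sasl_getdn produces for a SASL identity.

    The log lines in the thread show the two shapes:
      realm known:  uid=ldap_user,cn=mydomain.com,cn=digest-md5,cn=auth
      realm absent: uid=ldap_user,cn=digest-md5,cn=auth
    dnNormalize lowercases the mechanism name (DIGEST-MD5 -> digest-md5),
    so sasl-regexp patterns have to be written in lower case.
    """
    rdns = [f"uid={authcid}"]
    if realm:
        rdns.append(f"cn={realm}")
    rdns += [f"cn={mech}", "cn=auth"]
    return ",".join(rdns).lower()


def apply_sasl_regexp(rules, sasl_dn):
    """Apply the first sasl-regexp rule whose pattern matches.

    `rules` is a list of (pattern, replacement) pairs as written in
    slapd.conf; $1, $2, ... in the replacement refer to capture groups.
    When nothing matches, the SASL DN is returned unchanged, which is
    what case4 in the thread shows ('[rw] authid: X -> X'): the bind
    identity then never reaches the real user entry under ou=users.
    """
    for pattern, replacement in rules:
        match = re.search(pattern, sasl_dn)  # assumed: unanchored unless written with ^...$
        if match:
            return re.sub(r"\$(\d+)",
                          lambda g: match.group(int(g.group(1))),
                          replacement)
    return sasl_dn


def render_sql_select(template, user, realm):
    """Expand %u and %r in a sql_select template (simplified: quoting of
    special characters in the values is not modelled).  With no realm the
    lookup key degenerates to 'ldap_user@', which cannot match the
    'ldap_user@mydomain.com' row shown in the thread's table."""
    return template.replace("%u", user).replace("%r", realm or "")


# Rule and query from the thread's final slapd.conf / sasl2 slapd.conf.
# Note that '.' in mydomain.com is a regex metacharacter; writing it as
# mydomain\.com would keep the rule from also matching e.g. mydomainXcom.
THREAD_RULES = [(r"uid=([^,]+),cn=mydomain.com,cn=digest-md5,cn=auth",
                 "uid=$1,ou=users,dc=mydomain,dc=com")]
SQL_SELECT = "select password from sasl_test where username = '%u@%r'"


def trace(authcid, realm):
    """Run one bind identity through both mappings and return the results."""
    sasl_dn = sasl_auth_dn(authcid, "DIGEST-MD5", realm)
    mapped = apply_sasl_regexp(THREAD_RULES, sasl_dn)
    return {
        "sasl_dn": sasl_dn,
        "mapped_dn": mapped,
        "mapped": mapped != sasl_dn,
        "sql": render_sql_select(SQL_SELECT, authcid, realm),
    }


if __name__ == "__main__":
    # case3 in the thread: realm set, rule matches -> real user DN
    print(trace("ldap_user", "mydomain.com"))
    # case4 in the thread: realm not set -> rule cannot match, DN stays under cn=auth
    print(trace("ldap_user", None))
```

Running it reproduces case3 (the SASL DN carries cn=mydomain.com, the rule fires and yields uid=ldap_user,ou=users,dc=mydomain,dc=com, and the SQL key is ldap_user@mydomain.com) and case4 (no realm, so the DN has no cn=mydomain.com component, the rule cannot match, and the SQL key becomes ldap_user@ which selects no row). Checking a candidate sasl-regexp this way before restarting slapd is cheaper than reading the loglevel -1 output.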