[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Simple Bind pass-through to SASL/PLAIN



Okay, here's the log from a SASL/PLAIN bind working.

Mar 10 16:28:51 kdc1 slapd[2367]: daemon: read active on 21
Mar 10 16:28:51 kdc1 slapd[2367]: connection_get(21)
Mar 10 16:28:51 kdc1 slapd[2367]: connection_get(21): got connid=41
Mar 10 16:28:51 kdc1 slapd[2367]: connection_read(21): checking for input on id=41
Mar 10 16:28:51 kdc1 slapd[2367]: do_bind
Mar 10 16:28:51 kdc1 slapd[2367]: >>> dnPrettyNormal: <uid=zschtest,cn=MARS.ASU.EDU,cn=auth> Mar 10 16:28:51 kdc1 slapd[2367]: <<< dnPrettyNormal: <uid=zschtest,cn=MARS.ASU.EDU,cn=auth> <uid=zschtest,cn=mars.asu.edu,cn=auth> Mar 10 16:28:51 kdc1 slapd[2367]: do_sasl_bind: dn (uid=zschtest,cn=MARS.ASU.EDU,cn=auth) mech PLAIN Mar 10 16:28:51 kdc1 slapd[2367]: ==> sasl_bind: dn="uid=zschtest,cn=MARS.ASU.EDU,cn=auth" mech=PLAIN datalen=20 Mar 10 16:28:51 kdc1 slapd[2367]: SASL Canonicalize [conn=41]: authcid="zschtest" Mar 10 16:28:51 kdc1 slapd[2367]: slap_sasl_getdn: conn 41 id=zschtest [len=8] Mar 10 16:28:51 kdc1 slapd[2367]: slap_sasl_getdn: u:id converted to uid=zschtest,cn=MARS.ASU.EDU,cn=PLAIN,cn=auth Mar 10 16:28:51 kdc1 slapd[2367]: >>> dnNormalize: <uid=zschtest,cn=MARS.ASU.EDU,cn=PLAIN,cn=auth> Mar 10 16:28:51 kdc1 slapd[2367]: <<< dnNormalize: <uid=zschtest,cn=mars.asu.edu,cn=plain,cn=auth> Mar 10 16:28:51 kdc1 slapd[2367]: ==>slap_sasl2dn: converting SASL name uid=zschtest,cn=mars.asu.edu,cn=plain,cn=auth to a DN Mar 10 16:28:51 kdc1 slapd[2367]: slap_authz_regexp: converting SASL name uid=zschtest,cn=mars.asu.edu,cn=plain,cn=auth Mar 10 16:28:51 kdc1 slapd[2367]: slap_authz_regexp: converted SASL name to ldap:///ou=people,o=mars??sub?(&(uid=zschtest)(objectClass=marsPerson)) Mar 10 16:28:51 kdc1 slapd[2367]: slap_parseURI: parsing ldap:///ou=people,o=mars??sub?(&(uid=zschtest)(objectClass=marsPerson)) Mar 10 16:28:51 kdc1 slapd[2367]: str2filter "(&(uid=zschtest)(objectClass=marsPerson))"
Mar 10 16:28:51 kdc1 slapd[2367]: begin get_filter
Mar 10 16:28:51 kdc1 slapd[2367]: AND
Mar 10 16:28:51 kdc1 slapd[2367]: begin get_filter_list
Mar 10 16:28:51 kdc1 slapd[2367]: begin get_filter
Mar 10 16:28:51 kdc1 slapd[2367]: EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: end get_filter 0
Mar 10 16:28:51 kdc1 slapd[2367]: begin get_filter
Mar 10 16:28:51 kdc1 slapd[2367]: EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: end get_filter 0
Mar 10 16:28:51 kdc1 slapd[2367]: end get_filter_list
Mar 10 16:28:51 kdc1 slapd[2367]: end get_filter 0
Mar 10 16:28:51 kdc1 slapd[2367]: >>> dnNormalize: <ou=people,o=mars>
Mar 10 16:28:51 kdc1 slapd[2367]: <<< dnNormalize: <ou=people,o=mars>
Mar 10 16:28:51 kdc1 slapd[2367]: slap_sasl2dn: performing internal search (base=ou=people,o=mars, scope=2)
Mar 10 16:28:51 kdc1 slapd[2367]: => hdb_search
Mar 10 16:28:51 kdc1 slapd[2367]: bdb_dn2entry("ou=people,o=mars")
Mar 10 16:28:51 kdc1 slapd[2367]: search_candidates: base="ou=people,o=mars" (0x00000002) scope=2
Mar 10 16:28:51 kdc1 slapd[2367]: => hdb_dn2idl("ou=people,o=mars")
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       AND
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_list_candidates 0xa0
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       OR
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_list_candidates 0xa1
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_equality_candidates (objectClass)
Mar 10 16:28:51 kdc1 slapd[2367]: => key_read
Mar 10 16:28:51 kdc1 slapd[2367]: bdb_idl_fetch_key: [b49d1940]
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_index_read: failed (-30989)
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_equality_candidates: id=0, first=0, last=0 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=0 first=0 last=0
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       AND
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_list_candidates 0xa0
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_equality_candidates (uid)
Mar 10 16:28:51 kdc1 slapd[2367]: => key_read
Mar 10 16:28:51 kdc1 slapd[2367]: bdb_idl_fetch_key: [7598d43a]
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_index_read 1 candidates
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_equality_candidates: id=1, first=5721, last=5721 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=1 first=5721 last=5721
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_equality_candidates (objectClass)
Mar 10 16:28:51 kdc1 slapd[2367]: => key_read
Mar 10 16:28:51 kdc1 slapd[2367]: bdb_idl_fetch_key: [13f0c171]
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_index_read 2932 candidates
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_equality_candidates: id=2932, first=3, last=5776 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=2932 first=3 last=5776 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_list_candidates: id=1 first=5721 last=5721 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=1 first=5721 last=5721 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_list_candidates: id=1 first=5721 last=5721 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=1 first=5721 last=5721 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_list_candidates: id=1 first=5721 last=5721 Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=1 first=5721 last=5721 Mar 10 16:28:51 kdc1 slapd[2367]: bdb_search_candidates: id=1 first=5721 last=5721
Mar 10 16:28:51 kdc1 slapd[2367]: => test_filter
Mar 10 16:28:51 kdc1 slapd[2367]:     AND
Mar 10 16:28:51 kdc1 slapd[2367]: => test_filter_and
Mar 10 16:28:51 kdc1 slapd[2367]: => test_filter
Mar 10 16:28:51 kdc1 slapd[2367]:     EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: => access_allowed: auth access to "cn=Zach Schimke - TEST,ou=people,o=mars" "uid" requested
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [1] o=new
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [2] ou=rooms,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [3] ou=acl,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [4] ou=groups,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [5] ou=people,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_get: [5] matched
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_get: [5] attr uid
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_mask: access to entry "cn=Zach Schimke - TEST,ou=people,o=mars", attr "uid" requested
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_mask: to value by "", (=0)
Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: ou=admins,ou=people,o=mars Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: cn=mars admin,ou=role,ou=people,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: *
Mar 10 16:28:51 kdc1 slapd[2367]: <= acl_mask: [3] applying read(=rscxd) (stop)
Mar 10 16:28:51 kdc1 slapd[2367]: <= acl_mask: [3] mask: read(=rscxd)
Mar 10 16:28:51 kdc1 slapd[2367]: => access_allowed: auth access granted by read(=rscxd)
Mar 10 16:28:51 kdc1 slapd[2367]: <= test_filter 6
Mar 10 16:28:51 kdc1 slapd[2367]: => test_filter
Mar 10 16:28:51 kdc1 slapd[2367]:     EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: => access_allowed: auth access to "cn=Zach Schimke - TEST,ou=people,o=mars" "objectClass" requested
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [1] o=new
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [2] ou=rooms,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [3] ou=acl,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [4] ou=groups,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [5] ou=people,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_get: [5] matched
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_get: [5] attr objectClass
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_mask: access to entry "cn=Zach Schimke - TEST,ou=people,o=mars", attr "objectClass" requested
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_mask: to value by "", (=0)
Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: ou=admins,ou=people,o=mars Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: cn=mars admin,ou=role,ou=people,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: *
Mar 10 16:28:51 kdc1 slapd[2367]: <= acl_mask: [3] applying read(=rscxd) (stop)
Mar 10 16:28:51 kdc1 slapd[2367]: <= acl_mask: [3] mask: read(=rscxd)
Mar 10 16:28:51 kdc1 slapd[2367]: => access_allowed: auth access granted by read(=rscxd)
Mar 10 16:28:51 kdc1 slapd[2367]: <= test_filter 6
Mar 10 16:28:51 kdc1 slapd[2367]: <= test_filter_and 6
Mar 10 16:28:51 kdc1 slapd[2367]: <= test_filter 6
Mar 10 16:28:51 kdc1 slapd[2367]: send_ldap_result: conn=41 op=0 p=3
Mar 10 16:28:51 kdc1 slapd[2367]: send_ldap_result: err=0 matched="" text="" Mar 10 16:28:51 kdc1 slapd[2367]: <==slap_sasl2dn: Converted SASL name to cn=zach schimke - test,ou=people,o=mars Mar 10 16:28:51 kdc1 slapd[2367]: slap_sasl_getdn: dn:id converted to cn=zach schimke - test,ou=people,o=mars Mar 10 16:28:51 kdc1 slapd[2367]: SASL Canonicalize [conn=41]: slapAuthcDN="cn=zach schimke - test,ou=people,o=mars" Mar 10 16:28:51 kdc1 slapd[2367]: SASL [conn=41] Error: unable to open Berkeley db /etc/sasldb2: No such file or directory Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=9 active_threads=0 tvp=NULL Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=10 active_threads=0 tvp=NULL
Mar 10 16:28:51 kdc1 slapd[2367]: daemon: activity on 1 descriptor
Mar 10 16:28:51 kdc1 slapd[2367]: daemon: activity on:
Mar 10 16:28:51 kdc1 slapd[2367]:
Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=7 active_threads=0 tvp=NULL Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=8 active_threads=0 tvp=NULL Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=9 active_threads=0 tvp=NULL Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=10 active_threads=0 tvp=NULL Mar 10 16:28:51 kdc1 slapd[2367]: SASL Canonicalize [conn=41]: authzid="zschtest" Mar 10 16:28:51 kdc1 slapd[2367]: SASL proxy authorize [conn=41]: authcid="zschtest@MARS.ASU.EDU" authzid="zschtest@MARS.ASU.EDU" Mar 10 16:28:51 kdc1 slapd[2367]: SASL Authorize [conn=41]: proxy authorization allowed authzDN=""
Mar 10 16:28:51 kdc1 slapd[2367]: send_ldap_sasl: err=0 len=-1
Mar 10 16:28:51 kdc1 slapd[2367]: do_bind: SASL/PLAIN bind: dn="cn=zach schimke - test,ou=people,o=mars" ssf=0
Mar 10 16:28:51 kdc1 slapd[2367]: send_ldap_response: msgid=1 tag=97 err=0
Mar 10 16:28:51 kdc1 slapd[2367]: <== slap_sasl_bind: rc=0
Mar 10 16:28:51 kdc1 slapd[2367]: daemon: activity on 1 descriptor
Mar 10 16:28:51 kdc1 slapd[2367]: daemon: activity on:
Mar 10 16:28:51 kdc1 slapd[2367]:  21r




Zach Schimke
Mars Space Flight Facility


On 3/10/2011 4:03 PM, Dan White wrote:
Without seeing any output from your SASL/PLAIN bind, I suspect that
saslauthd may not be working with your slapd installation.

If that's the case, double check the permissions on your saslauthd mux, and
specify a saslauthd_path parameter within your sasl slapd.conf config if
necessary.

On 10/03/11 15:42 -0700, Zach Schimke wrote:
Okay, I get nothing from saslauthd. The relevent logging slapd gives me:
   daemon: epoll: listen=7 active_threads=0 tvp=NULL
   daemon: epoll: listen=8 active_threads=0 tvp=NULL
   daemon: epoll: listen=9 active_threads=0 tvp=NULL
   daemon: epoll: listen=10 active_threads=0 tvp=NULL
   do_bind
dnPrettyNormal: <cn=zach schimke - test,ou=people,o=mars>
<<< dnPrettyNormal: <cn=zach schimke - test,ou=people,o=mars>, <cn=zach schimke - test,ou=people,o=mars> do_bind: version=3 dn="cn=zach schimke - test,ou=people,o=mars" method=128
    ==> hdb_bind: dn: cn=zach schimke - test,ou=people,o=mars
   bdb_dn2entry("cn=zach schimke - test,ou=people,o=mars")
=> access_allowed: auth access to "cn=Zach Schimke - TEST,ou=people,o=mars" "userPassword" requested
    => dn: [1] o=new
    => dn: [2] ou=rooms,o=mars
    => dn: [3] ou=acl,o=mars
    => dn: [4] ou=groups,o=mars
    => dn: [5] ou=people,o=mars
    => acl_get: [5] matched
    => acl_get: [5] attr userPassword
   access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "cn=Zach Schimke - TEST,ou=people,o=mars", attr "userPassword" requested
    => acl_mask: to value by "", (=0)
<= check a_dn_pat: ou=admins,ou=people,o=mars
<= check a_dn_pat: cn=mars admin,ou=role,ou=people,o=mars
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscxd) (stop)
<= acl_mask: [3] mask: read(=rscxd)
    => access_allowed: auth access granted by read(=rscxd)
   send_ldap_result: conn=4 op=0 p=3
   send_ldap_result: err=49 matched="" text=""
   send_ldap_response: msgid=1 tag=97 err=49
   daemon: activity on 1 descriptor
   daemon: activity on:
    15r


So, I do not see anything looking at SASL. Is there something special I need to put in slapd.access to make the pass-through bit work? It seems to be an ACL problem at this point (but regular password binds work properly with other users).

Zach Schimke
Mars Space Flight Facility


On 3/4/2011 2:09 PM, Dan White wrote:
On 04/03/11 13:59 -0700, Zach Schimke wrote:
I'm using openldap-2.3.32, loglevel = -1 (log grows at 2MB/minute), and neither of those tests work. I've even tried with and without the @REALM.

Can you run your slapd in debug mode (-d -1), and your saslauthd in debug
mode (-d)?

Try performing your SASL PLAIN bind, and then your non-sasl pass-through
bind, and let us have a look at any relevant output you're seeing from
either daemon. It might help to have a look at both to compare.