[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Simple Bind pass-through to SASL/PLAIN

To: Dan White <dwhite@olp.net>
Subject: Re: Simple Bind pass-through to SASL/PLAIN
From: Zach Schimke <zschimke@mars.asu.edu>
Date: Thu, 10 Mar 2011 16:32:16 -0700
Cc: openldap-technical@openldap.org
In-reply-to: <20110310230355.GI4723@dan.olp.net>
Organization: Mars Space Flight Facility
References: <4D702D2D.80206@mars.asu.edu> <20110304145453.GC4667@dan.olp.net> <4D7149FE.3060205@mars.asu.edu> <20110304204842.GA4704@dan.olp.net> <4D7152C0.9090004@mars.asu.edu> <20110304210921.GC4704@dan.olp.net> <4D7953C4.9080107@mars.asu.edu> <20110310230355.GI4723@dan.olp.net>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 ThunderBrowse/3.3.5

Okay, here's the log from a SASL/PLAIN bind working.

Mar 10 16:28:51 kdc1 slapd[2367]: daemon: read active on 21
Mar 10 16:28:51 kdc1 slapd[2367]: connection_get(21)
Mar 10 16:28:51 kdc1 slapd[2367]: connection_get(21): got connid=41

Mar 10 16:28:51 kdc1 slapd[2367]: connection_read(21): checking forinput on id=41

Mar 10 16:28:51 kdc1 slapd[2367]: do_bind

Mar 10 16:28:51 kdc1 slapd[2367]: >>> dnPrettyNormal:<uid=zschtest,cn=MARS.ASU.EDU,cn=auth>Mar 10 16:28:51 kdc1 slapd[2367]: <<< dnPrettyNormal:<uid=zschtest,cn=MARS.ASU.EDU,cn=auth><uid=zschtest,cn=mars.asu.edu,cn=auth>Mar 10 16:28:51 kdc1 slapd[2367]: do_sasl_bind: dn(uid=zschtest,cn=MARS.ASU.EDU,cn=auth) mech PLAINMar 10 16:28:51 kdc1 slapd[2367]: ==> sasl_bind:dn="uid=zschtest,cn=MARS.ASU.EDU,cn=auth" mech=PLAIN datalen=20Mar 10 16:28:51 kdc1 slapd[2367]: SASL Canonicalize [conn=41]:authcid="zschtest"Mar 10 16:28:51 kdc1 slapd[2367]: slap_sasl_getdn: conn 41 id=zschtest[len=8]Mar 10 16:28:51 kdc1 slapd[2367]: slap_sasl_getdn: u:id converted touid=zschtest,cn=MARS.ASU.EDU,cn=PLAIN,cn=authMar 10 16:28:51 kdc1 slapd[2367]: >>> dnNormalize:<uid=zschtest,cn=MARS.ASU.EDU,cn=PLAIN,cn=auth>Mar 10 16:28:51 kdc1 slapd[2367]: <<< dnNormalize:<uid=zschtest,cn=mars.asu.edu,cn=plain,cn=auth>Mar 10 16:28:51 kdc1 slapd[2367]: ==>slap_sasl2dn: converting SASL nameuid=zschtest,cn=mars.asu.edu,cn=plain,cn=auth to a DNMar 10 16:28:51 kdc1 slapd[2367]: slap_authz_regexp: converting SASLname uid=zschtest,cn=mars.asu.edu,cn=plain,cn=authMar 10 16:28:51 kdc1 slapd[2367]: slap_authz_regexp: converted SASL nameto ldap:///ou=people,o=mars??sub?(&(uid=zschtest)(objectClass=marsPerson))Mar 10 16:28:51 kdc1 slapd[2367]: slap_parseURI: parsingldap:///ou=people,o=mars??sub?(&(uid=zschtest)(objectClass=marsPerson))Mar 10 16:28:51 kdc1 slapd[2367]: str2filter"(&(uid=zschtest)(objectClass=marsPerson))"

Mar 10 16:28:51 kdc1 slapd[2367]: begin get_filter
Mar 10 16:28:51 kdc1 slapd[2367]: AND
Mar 10 16:28:51 kdc1 slapd[2367]: begin get_filter_list
Mar 10 16:28:51 kdc1 slapd[2367]: begin get_filter
Mar 10 16:28:51 kdc1 slapd[2367]: EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: end get_filter 0
Mar 10 16:28:51 kdc1 slapd[2367]: begin get_filter
Mar 10 16:28:51 kdc1 slapd[2367]: EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: end get_filter 0
Mar 10 16:28:51 kdc1 slapd[2367]: end get_filter_list
Mar 10 16:28:51 kdc1 slapd[2367]: end get_filter 0
Mar 10 16:28:51 kdc1 slapd[2367]: >>> dnNormalize: <ou=people,o=mars>
Mar 10 16:28:51 kdc1 slapd[2367]: <<< dnNormalize: <ou=people,o=mars>

Mar 10 16:28:51 kdc1 slapd[2367]: slap_sasl2dn: performing internalsearch (base=ou=people,o=mars, scope=2)

Mar 10 16:28:51 kdc1 slapd[2367]: => hdb_search
Mar 10 16:28:51 kdc1 slapd[2367]: bdb_dn2entry("ou=people,o=mars")

Mar 10 16:28:51 kdc1 slapd[2367]: search_candidates:base="ou=people,o=mars" (0x00000002) scope=2

Mar 10 16:28:51 kdc1 slapd[2367]: => hdb_dn2idl("ou=people,o=mars")
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       AND
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_list_candidates 0xa0
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       OR
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_list_candidates 0xa1
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_equality_candidates (objectClass)
Mar 10 16:28:51 kdc1 slapd[2367]: => key_read
Mar 10 16:28:51 kdc1 slapd[2367]: bdb_idl_fetch_key: [b49d1940]
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_index_read: failed (-30989)

Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_equality_candidates: id=0,first=0, last=0Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=0 first=0last=0

Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       AND
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_list_candidates 0xa0
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_equality_candidates (uid)
Mar 10 16:28:51 kdc1 slapd[2367]: => key_read
Mar 10 16:28:51 kdc1 slapd[2367]: bdb_idl_fetch_key: [7598d43a]
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_index_read 1 candidates

Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_equality_candidates: id=1,first=5721, last=5721Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=1first=5721 last=5721

Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_filter_candidates
Mar 10 16:28:51 kdc1 slapd[2367]:       EQUALITY
Mar 10 16:28:51 kdc1 slapd[2367]: => bdb_equality_candidates (objectClass)
Mar 10 16:28:51 kdc1 slapd[2367]: => key_read
Mar 10 16:28:51 kdc1 slapd[2367]: bdb_idl_fetch_key: [13f0c171]
Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_index_read 2932 candidates

Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_equality_candidates: id=2932,first=3, last=5776Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=2932first=3 last=5776Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_list_candidates: id=1first=5721 last=5721Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=1first=5721 last=5721Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_list_candidates: id=1first=5721 last=5721Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=1first=5721 last=5721Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_list_candidates: id=1first=5721 last=5721Mar 10 16:28:51 kdc1 slapd[2367]: <= bdb_filter_candidates: id=1first=5721 last=5721Mar 10 16:28:51 kdc1 slapd[2367]: bdb_search_candidates: id=1 first=5721last=5721

Mar 10 16:28:51 kdc1 slapd[2367]: => test_filter
Mar 10 16:28:51 kdc1 slapd[2367]:     AND
Mar 10 16:28:51 kdc1 slapd[2367]: => test_filter_and
Mar 10 16:28:51 kdc1 slapd[2367]: => test_filter
Mar 10 16:28:51 kdc1 slapd[2367]:     EQUALITY

Mar 10 16:28:51 kdc1 slapd[2367]: => access_allowed: auth access to"cn=Zach Schimke - TEST,ou=people,o=mars" "uid" requested

Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [1] o=new
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [2] ou=rooms,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [3] ou=acl,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [4] ou=groups,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [5] ou=people,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_get: [5] matched
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_get: [5] attr uid

Mar 10 16:28:51 kdc1 slapd[2367]: => acl_mask: access to entry "cn=ZachSchimke - TEST,ou=people,o=mars", attr "uid" requested

Mar 10 16:28:51 kdc1 slapd[2367]: => acl_mask: to value by "", (=0)

Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat:ou=admins,ou=people,o=marsMar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: cn=marsadmin,ou=role,ou=people,o=mars

Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: *

Mar 10 16:28:51 kdc1 slapd[2367]: <= acl_mask: [3] applying read(=rscxd)(stop)

Mar 10 16:28:51 kdc1 slapd[2367]: <= acl_mask: [3] mask: read(=rscxd)

Mar 10 16:28:51 kdc1 slapd[2367]: => access_allowed: auth access grantedby read(=rscxd)

Mar 10 16:28:51 kdc1 slapd[2367]: <= test_filter 6
Mar 10 16:28:51 kdc1 slapd[2367]: => test_filter
Mar 10 16:28:51 kdc1 slapd[2367]:     EQUALITY

Mar 10 16:28:51 kdc1 slapd[2367]: => access_allowed: auth access to"cn=Zach Schimke - TEST,ou=people,o=mars" "objectClass" requested

Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [1] o=new
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [2] ou=rooms,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [3] ou=acl,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [4] ou=groups,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => dn: [5] ou=people,o=mars
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_get: [5] matched
Mar 10 16:28:51 kdc1 slapd[2367]: => acl_get: [5] attr objectClass

Mar 10 16:28:51 kdc1 slapd[2367]: => acl_mask: access to entry "cn=ZachSchimke - TEST,ou=people,o=mars", attr "objectClass" requested

Mar 10 16:28:51 kdc1 slapd[2367]: => acl_mask: to value by "", (=0)

Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat:ou=admins,ou=people,o=marsMar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: cn=marsadmin,ou=role,ou=people,o=mars

Mar 10 16:28:51 kdc1 slapd[2367]: <= check a_dn_pat: *

Mar 10 16:28:51 kdc1 slapd[2367]: <= acl_mask: [3] applying read(=rscxd)(stop)

Mar 10 16:28:51 kdc1 slapd[2367]: <= acl_mask: [3] mask: read(=rscxd)

Mar 10 16:28:51 kdc1 slapd[2367]: => access_allowed: auth access grantedby read(=rscxd)

Mar 10 16:28:51 kdc1 slapd[2367]: <= test_filter 6
Mar 10 16:28:51 kdc1 slapd[2367]: <= test_filter_and 6
Mar 10 16:28:51 kdc1 slapd[2367]: <= test_filter 6
Mar 10 16:28:51 kdc1 slapd[2367]: send_ldap_result: conn=41 op=0 p=3

Mar 10 16:28:51 kdc1 slapd[2367]: send_ldap_result: err=0 matched=""text=""Mar 10 16:28:51 kdc1 slapd[2367]: <==slap_sasl2dn: Converted SASL nameto cn=zach schimke - test,ou=people,o=marsMar 10 16:28:51 kdc1 slapd[2367]: slap_sasl_getdn: dn:id converted tocn=zach schimke - test,ou=people,o=marsMar 10 16:28:51 kdc1 slapd[2367]: SASL Canonicalize [conn=41]:slapAuthcDN="cn=zach schimke - test,ou=people,o=mars"Mar 10 16:28:51 kdc1 slapd[2367]: SASL [conn=41] Error: unable to openBerkeley db /etc/sasldb2: No such file or directoryMar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=7active_threads=0 tvp=NULLMar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=8active_threads=0 tvp=NULLMar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=9active_threads=0 tvp=NULLMar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=10active_threads=0 tvp=NULL

Mar 10 16:28:51 kdc1 slapd[2367]: daemon: activity on 1 descriptor
Mar 10 16:28:51 kdc1 slapd[2367]: daemon: activity on:
Mar 10 16:28:51 kdc1 slapd[2367]:

Mar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=7active_threads=0 tvp=NULLMar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=8active_threads=0 tvp=NULLMar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=9active_threads=0 tvp=NULLMar 10 16:28:51 kdc1 slapd[2367]: daemon: epoll: listen=10active_threads=0 tvp=NULLMar 10 16:28:51 kdc1 slapd[2367]: SASL Canonicalize [conn=41]:authzid="zschtest"Mar 10 16:28:51 kdc1 slapd[2367]: SASL proxy authorize [conn=41]:authcid="zschtest@MARS.ASU.EDU" authzid="zschtest@MARS.ASU.EDU"Mar 10 16:28:51 kdc1 slapd[2367]: SASL Authorize [conn=41]: proxyauthorization allowed authzDN=""

Mar 10 16:28:51 kdc1 slapd[2367]: send_ldap_sasl: err=0 len=-1

Mar 10 16:28:51 kdc1 slapd[2367]: do_bind: SASL/PLAIN bind: dn="cn=zachschimke - test,ou=people,o=mars" ssf=0

Mar 10 16:28:51 kdc1 slapd[2367]: send_ldap_response: msgid=1 tag=97 err=0
Mar 10 16:28:51 kdc1 slapd[2367]: <== slap_sasl_bind: rc=0
Mar 10 16:28:51 kdc1 slapd[2367]: daemon: activity on 1 descriptor
Mar 10 16:28:51 kdc1 slapd[2367]: daemon: activity on:
Mar 10 16:28:51 kdc1 slapd[2367]:  21r




Zach Schimke
Mars Space Flight Facility


On 3/10/2011 4:03 PM, Dan White wrote:

Without seeing any output from your SASL/PLAIN bind, I suspect that
saslauthd may not be working with your slapd installation.
If that's the case, double check the permissions on your saslauthdmux, and
specify a saslauthd_path parameter within your sasl slapd.conf config if
necessary.

On 10/03/11 15:42 -0700, Zach Schimke wrote:
Okay, I get nothing from saslauthd. The relevent logging slapd gives me:
   daemon: epoll: listen=7 active_threads=0 tvp=NULL
   daemon: epoll: listen=8 active_threads=0 tvp=NULL
   daemon: epoll: listen=9 active_threads=0 tvp=NULL
   daemon: epoll: listen=10 active_threads=0 tvp=NULL
   do_bind
dnPrettyNormal: <cn=zach schimke - test,ou=people,o=mars>
<<< dnPrettyNormal: <cn=zach schimke - test,ou=people,o=mars>,<cn=zach schimke - test,ou=people,o=mars>do_bind: version=3 dn="cn=zach schimke - test,ou=people,o=mars"method=128
    ==> hdb_bind: dn: cn=zach schimke - test,ou=people,o=mars
   bdb_dn2entry("cn=zach schimke - test,ou=people,o=mars")
=> access_allowed: auth access to "cn=Zach Schimke -TEST,ou=people,o=mars" "userPassword" requested
    => dn: [1] o=new
    => dn: [2] ou=rooms,o=mars
    => dn: [3] ou=acl,o=mars
    => dn: [4] ou=groups,o=mars
    => dn: [5] ou=people,o=mars
    => acl_get: [5] matched
    => acl_get: [5] attr userPassword
   access_allowed: no res from state (userPassword)
=> acl_mask: access to entry "cn=Zach Schimke -TEST,ou=people,o=mars", attr "userPassword" requested
    => acl_mask: to value by "", (=0)
<= check a_dn_pat: ou=admins,ou=people,o=mars
<= check a_dn_pat: cn=mars admin,ou=role,ou=people,o=mars
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscxd) (stop)
<= acl_mask: [3] mask: read(=rscxd)
    => access_allowed: auth access granted by read(=rscxd)
   send_ldap_result: conn=4 op=0 p=3
   send_ldap_result: err=49 matched="" text=""
   send_ldap_response: msgid=1 tag=97 err=49
   daemon: activity on 1 descriptor
   daemon: activity on:
    15r
So, I do not see anything looking at SASL. Is there something specialI need to put in slapd.access to make the pass-through bit work? Itseems to be an ACL problem at this point (but regular password bindswork properly with other users).
Zach Schimke
Mars Space Flight Facility


On 3/4/2011 2:09 PM, Dan White wrote:
On 04/03/11 13:59 -0700, Zach Schimke wrote:
I'm using openldap-2.3.32, loglevel = -1 (log grows at 2MB/minute),and neither of those tests work. I've even tried with and withoutthe @REALM.
Can you run your slapd in debug mode (-d -1), and your saslauthd indebug
mode (-d)?
Try performing your SASL PLAIN bind, and then your non-saslpass-through
bind, and let us have a look at any relevant output you're seeing from
either daemon. It might help to have a look at both to compare.

Follow-Ups:
- Re: Simple Bind pass-through to SASL/PLAIN
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

References:
- Simple Bind pass-through to SASL/PLAIN
  - From: Zach Schimke <zschimke@mars.asu.edu>
- Re: Simple Bind pass-through to SASL/PLAIN
  - From: Dan White <dwhite@olp.net>
- Re: Simple Bind pass-through to SASL/PLAIN
  - From: Zach Schimke <zschimke@mars.asu.edu>
- Re: Simple Bind pass-through to SASL/PLAIN
  - From: Dan White <dwhite@olp.net>
- Re: Simple Bind pass-through to SASL/PLAIN
  - From: Zach Schimke <zschimke@mars.asu.edu>
- Re: Simple Bind pass-through to SASL/PLAIN
  - From: Dan White <dwhite@olp.net>
- Re: Simple Bind pass-through to SASL/PLAIN
  - From: Zach Schimke <zschimke@mars.asu.edu>
- Re: Simple Bind pass-through to SASL/PLAIN
  - From: Dan White <dwhite@olp.net>

Prev by Date: Re: Simple Bind pass-through to SASL/PLAIN
Next by Date: Re: php ldap binding problems
Index(es):
- Chronological
- Thread