Re: Pb with sasl2 digest - md5 and openldap

[bea chataigne <bchataigne@gmail.com>]

Hello Michael,

Yes sasl-md5 work with clear password, that is why to me the password of syncuser is defined in the base sasl2db.

In my ldap configuration, I have only the following line:

OlcAuthzRegexp: {0} " uid=syncuser, cn=DIGEST-MD5, cn=auth " " cn=syncuser, dc=xxx, dc=fr "

In my ldap base I thus have no entry "cn=syncuser,dc=xxx,dc=fr' defined.

My ldapsearch command :

# ldapsearch -Y DIGEST-MD5-U syncuser -h localhost

Reads that rule 

Hello Michael,

Yes sasl-md5 work with clear password, that is why to me the password of syncuser is defined in the base sasl2db.

In my ldap configuration, I have only the following line:

OlcAuthzRegexp: {0} " uid=syncuser, cn=DIGEST-MD5, cn=auth " " cn=syncuser, dc=xxx, dc=fr "

In my ldap base I thus have no entry "cn=syncuser,dc=xxx,dc=fr' defined.

In my ldapsearch command :

# ldapsearch -Y DIGEST-MD5-U syncuser -h localhost

Reads that rule OlcAuthzRegexp: {0} "  for the user  "uid=syncuser, cn=DIGEST-MD5, cn=auth " translates into ldap entry "cn=syncuser,cn=xxx,cn=fr".

Then he compares the password at first in the base sasl2db, then in the ldap base.

In my case the password being in the base sasldb, he should find one correspondence no??

It is correct to there???

Best regards

chataigne

2011/10/29 Michael Ströder <michael@stroeder.com>

bea chataigne wrote:
> # ldapsearch -Y DIGEST-MD5-U syncuser
> ldap_sasl_interactive_bind_s: Invalid credentials ( 49 )      additional
> information: SASL ( 13 ): use(wear out) not found: no secret in database

Does attribute userPassword of entry cn=syncuser,dc=xxx,dc=fr has a clear-text
value? SASL DIGEST-MD5 does not work with hashed passwords.

Ciao, Michael.