Re: Got error while enabling SASL

[Dan White <dwhite@olp.net>]

On 02/08/12 21:51 +0530, Gaurav Gugnani wrote:
> Hello Dan,
>
> Thks for replying. But there is 1 Q's:
> Q's:> *While doing ldapsearch - why the dn is showing uid\3Dsasluser21*

Because you were passing '-U uid=sasluser21' to ldapsearch. '\3D' is the
hex escape value for '='.

> I executed ldapwhoami and here are the findings:
>
> ldapwhoami -Y digest-md5 -U sasluser21
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>        additional info: SASL(-13): user not found: no secret in database
>
> *Logs:*
> ldap-test0 slapd[25625]: do_bind: dn () SASL mech DIGEST-MD5
> ldap-test0 slapd[25625]: SASL [conn=7496] Debug: DIGEST-MD5 server step 2
> ldap-test0 slapd[25625]: slap_sasl_getdn: u:id converted to
> uid=sasluser21,cn=DIGEST-MD5,cn=auth
> ldap-test0 slapd[25625]: >>> dnNormalize:
> <uid=sasluser21,cn=DIGEST-MD5,cn=auth>
> ldap-test0 slapd[25625]: <<< dnNormalize:
> <uid=sasluser21,cn=digest-md5,cn=auth>
> ldap-test0 slapd[25625]: ==>slap_sasl2dn: converting SASL name
> uid=sasluser21,cn=digest-md5,cn=auth to a DN
> ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1]
> string='uid=sasluser21,cn=digest-md5,cn=auth'
> ldap-test0 slapd[25625]: ==> rewrite_rule_apply
> rule='uid=(.*),cn=DIGEST-MD5,cn=auth'
> string='uid=sasluser21,cn=digest-md5,cn=auth' [1 pass
>
> ldap-test0 slapd[25625]: ==> rewrite_context_apply [depth=1]
> res={0,'uid=sasluser21,ou=System,o=xyz'}
> ldap-test0 slapd[25625]: slap_parseURI: parsing
> uid=sasluser21,ou=System,o=xyz
> ldap-test0 slapd[25625]: >>> dnNormalize: <uid=sasluser21,ou=System,o=xyz>
> ldap-test0 slapd[25625]: <<< dnNormalize: <uid=sasluser21,ou=system,o=xyz>
> ldap-test0 slapd[25625]: <==slap_sasl2dn: Converted SASL name to
> uid=sasluser21,ou=system,o=xyz
> ldap-test0 slapd[25625]: slap_sasl_getdn: dn:id converted to
> uid=sasluser21,ou=system,o=xyz
> ldap-test0 slapd[25625]: => bdb_search
> ldap-test0 slapd[25625]: bdb_dn2entry("uid=sasluser21,ou=system,o=xyz")
> ldap-test0 slapd[25625]: => bdb_dn2id("uid=sasluser21,ou=system,o=xyz")
> ldap-test0 slapd[25625]: <= bdb_dn2id: got id=0x68a
> ldap-test0 slapd[25625]: entry_decode: "uid=sasluser21,ou=System,o=xyz"
> ldap-test0 slapd[25625]: <= entry_decode(uid=sasluser21,ou=System,o=xyz)
> ldap-test0 slapd[25625]: => access_allowed: auth access to
> "uid=sasluser21,ou=System,o=xyz" "entry" requested
> ldap-test0 slapd[25625]: => dn: [2] o=xyz
> ldap-test0 slapd[25625]: => dn: [3] ou=subscribers,o=xyz
> ldap-test0 slapd[25625]: => acl_get: [4] attr entry
> ldap-test0 slapd[25625]: => acl_mask: access to entry
> "uid=sasluser21,ou=System,o=xyz", attr "entry" requested
> ldap-test0 slapd[25625]: => acl_mask: to all values by "", (=0)
> ldap-test0 slapd[25625]: <= check a_dn_pat: self
> ldap-test0 slapd[25625]: <= check a_dn_pat: uid=replicator,ou=system,o=xyz
> ldap-test0 slapd[25625]: <= check a_dn_pat: uid=sasluser21,ou=system,o=xyz
> ldap-test0 slapd[25625]: <= acl_mask: no more <who> clauses, returning =0
> (stop)
> ldap-test0 slapd[25625]: => slap_access_allowed: auth access denied by =0
> ldap-test0 slapd[25625]: => access_allowed: no more rules

Notice "auth access denied".

> On Wed, Feb 8, 2012 at 9:32 PM, Dan White <dwhite@olp.net> wrote:
> > You might need a more permissive (by anonymous auth) ACL here, for
> > dn.base="ou=System,o=xyz" and "attrs=entry".
> >
> > See slapd.access(5).

Read through the manpage for slapd.access, and fix your ACL config as
described above.

--
Dan White