sasl/plain with hashed password not working
- To: openldap-technical@openldap.org
- Subject: sasl/plain with hashed password not working
- From: btb <btb@bitrate.net>
- Date: Wed, 02 Oct 2013 09:08:20 -0400
- User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
I've enabled the plain SASL mech, and testing with ldapwhoami works, but
only if the userPassword is left as plaintext. If hashing [SSHA] is
used, it fails. A simple bind succeeds. What am I doing wrong?
>ldapwhoami -H 'ldap://dsa4.example.com/' -Y 'plain' -U 'flash' -w 'xxxxxxxx'
SASL/PLAIN authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: Password verification failed
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 slap_listener_activate(7):
524b7989 daemon: epoll: listen=7 busy
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 >>> slap_listener(ldap:///)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 daemon: listen=7, new connection on 16
524b7989 daemon: added 16r (active) listener=(nil)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 conn=1014 fd=16 ACCEPT from IP=192.168.1.81:35171 (IP=0.0.0.0:389)
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989 16r524b7989
524b7989 daemon: read active on 16
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 connection_get(16)
524b7989 connection_get(16): got connid=1014
524b7989 connection_read(16): checking for input on id=1014
ber_get_next
ldap_read: want=8, got=8
0000: 30 22 02 01 01 60 1d 02 0"...`..
ldap_read: want=28, got=28
0000: 01 03 04 00 a3 16 04 05 50 4c 41 49 4e 04 0d 00
........PLAIN...
0010: 66 6c 61 73 68 00 74 69 67 67 65 72
flash.xxxxxxx
ber_get_next: tag 0x30 len 34 contents:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103750 end=0x7f1580103772 len=34
0000: 02 01 01 60 1d 02 01 03 04 00 a3 16 04 05 50 4c
...`..........PL
0010: 41 49 4e 04 0d 00 66 6c 61 73 68 00 74 69 67 67
AIN...flash.xxxx
0020: 65 72 xxxxxx
524b7989 op tag 0x60, time 1380678025
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
524b7989 conn=1014 op=0 do_bind
524b7989 daemon: activity on 1 descriptor
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103753 end=0x7f1580103772 len=31
0000: 60 1d 02 01 03 04 00 a3 16 04 05 50 4c 41 49 4e
`..........PLAIN
0010: 04 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72
...flash.xxxxxxxx
ber_scanf fmt ({m) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f158010375a end=0x7f1580103772 len=24
0000: 00 16 04 05 50 4c 41 49 4e 04 0d 00 66 6c 61 73
....PLAIN...flas
0010: 68 00 74 69 67 67 65 72 h.xxxxxxxxx
ber_scanf fmt (m) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103763 end=0x7f1580103772 len=15
0000: 00 0d 00 66 6c 61 73 68 00 74 69 67 67 65 72
...flash.xxxxxxx
ber_scanf fmt (}}) ber:
ber_dump: buf=0x7f1580103750 ptr=0x7f1580103772 end=0x7f1580103772 len=0
524b7989 >>> dnPrettyNormal: <>
524b7989 <<< dnPrettyNormal: <>, <>
524b7989 conn=1014 op=0 BIND dn="" method=163
524b7989 do_bind: dn () SASL mech PLAIN
524b7989 ==> sasl_bind: dn="" mech=PLAIN datalen=13
524b7989 SASL Canonicalize [conn=1014]: authcid="flash"
524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0
524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth
524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0
524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth>
524b7989 ==>slap_sasl2dn: converting SASL name
uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1]
string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1]
res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" ->
"uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing
uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 slap_sasl_getdn: dn:id converted to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 SASL Canonicalize [conn=1014]:
slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 SASL Canonicalize [conn=1014]: authcid="flash"
524b7989 slap_sasl_getdn: conn 1014 id=flash [len=5]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=flash,cn=PLAIN,cn=auth)=0
524b7989 slap_sasl_getdn: u:id converted to uid=flash,cn=PLAIN,cn=auth
524b7989 >>> dnNormalize: <uid=flash,cn=PLAIN,cn=auth>
=> ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth,0)
<= ldap_bv2dn(uid=flash,cn=PLAIN,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,cn=plain,cn=auth)=0
524b7989 <<< dnNormalize: <uid=flash,cn=plain,cn=auth>
524b7989 ==>slap_sasl2dn: converting SASL name
uid=flash,cn=plain,cn=auth to a DN
524b7989 ==> rewrite_context_apply [depth=1]
string='uid=flash,cn=plain,cn=auth'
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=digest-md5,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_rule_apply rule='uid=([^,]*),cn=plain,cn=auth'
string='uid=flash,cn=plain,cn=auth' [1 pass(es)]
524b7989 ==> rewrite_context_apply [depth=1]
res={0,'uid=flash,ou=people,ou=accounts,dc=example,dc=com'}
524b7989 [rw] authid: "uid=flash,cn=plain,cn=auth" ->
"uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 slap_parseURI: parsing
uid=flash,ou=people,ou=accounts,dc=example,dc=com
ldap_url_parse_ext(uid=flash,ou=people,ou=accounts,dc=example,dc=com)
524b7989 >>> dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
=> ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com,0)
<= ldap_bv2dn(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=flash,ou=people,ou=accounts,dc=example,dc=com)=0
524b7989 <<< dnNormalize:
<uid=flash,ou=people,ou=accounts,dc=example,dc=com>
524b7989 <==slap_sasl2dn: Converted SASL name to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 slap_sasl_getdn: dn:id converted to
uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 SASL Canonicalize [conn=1014]:
slapAuthcDN="uid=flash,ou=people,ou=accounts,dc=example,dc=com"
524b7989 => mdb_search
524b7989 mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=com")
524b7989 => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=com")
524b7989 <= mdb_dn2id: got id=0x2c
524b7989 => mdb_entry_decode:
524b7989 <= mdb_entry_decode
524b7989 => access_allowed: auth access to
"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "entry" requested
524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 => acl_get: [2] matched
524b7989 => acl_get: [2] attr entry
524b7989 => acl_mask: access to entry
"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "entry" requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: self
524b7989 <= check a_dn_pat: users
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [3] applying auth(=xd) (stop)
524b7989 <= acl_mask: [3] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 base_candidates: base:
"uid=flash,ou=people,ou=accounts,dc=example,dc=com" (0x0000002c)
524b7989 => test_filter
524b7989 daemon: activity on:524b7989 PRESENT
524b7989 => access_allowed: auth access to
"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "objectClass" requested
524b7989 => dn: [2] uid=flash,ou=people,ou=accounts,dc=example,dc=com
524b7989 => acl_get: [2] matched
524b7989 => acl_get: [2] attr objectClass
524b7989 => acl_mask: access to entry
"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "objectClass"
requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: self
524b7989 <= check a_dn_pat: users
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [3] applying auth(=xd) (stop)
524b7989 <= acl_mask: [3] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 <= test_filter 6
524b7989 => access_allowed: auth access to
"uid=flash,ou=people,ou=accounts,dc=example,dc=com" "userPassword" requested
524b7989 => acl_get: [1] attr userPassword
524b7989 => acl_mask: access to entry
"uid=flash,ou=people,ou=accounts,dc=example,dc=com", attr "userPassword"
requested
524b7989 => acl_mask: to all values by "", (=0)
524b7989 <= check a_dn_pat: anonymous
524b7989 <= acl_mask: [1] applying auth(=xd) (stop)
524b7989 <= acl_mask: [1] mask: auth(=xd)
524b7989 => slap_access_allowed: auth access granted by auth(=xd)
524b7989 => access_allowed: auth access granted by auth(=xd)
524b7989 slap_ap_lookup: str2ad(cmusaslsecretPLAIN): attribute type
undefined
524b7989 send_ldap_result: conn=1014 op=0 p=3
524b7989 send_ldap_result: err=0 matched="" text=""
524b7989 SASL [conn=1014] Failure: Password verification failed
524b7989 send_ldap_result: conn=1014 op=0 p=3
524b7989 send_ldap_result: err=49 matched="" text="SASL(-13): user not
found: Password verification failed"
524b7989 send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 69 bytes to sd 16
0000: 30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 41
0C...a>..1...7SA
0010: 53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f SL(-13):
user no
0020: 74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72 t found:
Passwor
0030: 64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66 d
verification f
0040: 61 69 6c 65 64 ailed
ldap_write: want=69, written=69
0000: 30 43 02 01 01 61 3e 0a 01 31 04 00 04 37 53 41
0C...a>..1...7SA
0010: 53 4c 28 2d 31 33 29 3a 20 75 73 65 72 20 6e 6f SL(-13):
user no
0020: 74 20 66 6f 75 6e 64 3a 20 50 61 73 73 77 6f 72 t found:
Passwor
0030: 64 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 66 d
verification f
0040: 61 69 6c 65 64 ailed
524b7989 conn=1014 op=0 RESULT tag=97 err=49 text=SASL(-13): user not
found: Password verification failed
524b7989 <== slap_sasl_bind: rc=49
524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989 16r524b7989
524b7989 daemon: read active on 16
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 connection_get(16)
524b7989 connection_get(16): got connid=1014
524b7989 connection_read(16): checking for input on id=1014
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 02 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f1584117620 ptr=0x7f1584117620 end=0x7f1584117625 len=5
0000: 02 01 02 42 00 ...B.
524b7989 op tag 0x42, time 1380678025
ber_get_next
ldap_read: want=8, got=0
524b7989 ber_get_next on fd 16 failed errno=0 (Success)
524b7989 connection_read(16): input error=-2 id=1014, closing.
524b7989 connection_closing: readying conn=1014 sd=16 for close
524b7989 daemon: activity on 1 descriptor
524b7989 daemon: activity on:524b7989
524b7989 daemon: epoll: listen=7 active_threads=0 tvp=NULL
524b7989 connection_close: deferring conn=1014 sd=16
524b7989 daemon: epoll: listen=8 active_threads=0 tvp=NULL
524b7989 conn=1014 op=1 do_unbind
524b7989 conn=1014 op=1 UNBIND
524b7989 connection_resched: attempting closing conn=1014 sd=16
524b7989 connection_close: conn=1014 sd=16
524b7989 daemon: removing 16
524b7989 conn=1014 fd=16 closed
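As an added illustration (not part of the post, and not OpenLDAP or Cyrus SASL code), the Python model below contrasts the two verification paths the post compares: slapd's own simple-bind check, which understands the {SSHA} scheme prefix, and a SASL/PLAIN auxprop-style check, modelled here as a literal comparison of the stored userPassword value with the presented password. The function names, the constructed sample password and the assumed {SSHA} layout (base64 of sha1(password + salt) followed by the salt) are my assumptions.

```python
import base64
import hashlib
import hmac


def ssha_hash(password: str, salt: bytes) -> str:
    """Build an {SSHA} userPassword value: base64(sha1(password + salt) + salt).
    Assumed layout of slappasswd -h {SSHA} output; the caller supplies the salt."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def simple_bind_check(stored: str, presented: str) -> bool:
    """Simple bind path (model): slapd recognises the {scheme} prefix and
    verifies the presented password against the salted hash."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        expected = hashlib.sha1(presented.encode() + salt).digest()
        return hmac.compare_digest(digest, expected)
    # No scheme prefix: the stored value is cleartext.
    return hmac.compare_digest(stored.encode(), presented.encode())


def sasl_plain_auxprop_check(stored: str, presented: str) -> bool:
    """SASL/PLAIN via an auxprop lookup (model): the SASL library receives the
    userPassword value as an opaque secret and compares it literally, so a
    {SSHA} string only matches if the user typed the hash itself."""
    return hmac.compare_digest(stored.encode(), presented.encode())


def demo(password: str = "xxxxxxxx") -> dict:
    """Reproduce the outcomes in the post: cleartext works on both paths,
    {SSHA} works only for the simple bind (constructed sample password)."""
    cleartext = password
    hashed = ssha_hash(password, salt=b"\x01\x02\x03\x04")  # fixed salt, reproducible
    return {
        "cleartext/simple": simple_bind_check(cleartext, password),
        "cleartext/plain": sasl_plain_auxprop_check(cleartext, password),
        "ssha/simple": simple_bind_check(hashed, password),
        "ssha/plain": sasl_plain_auxprop_check(hashed, password),
    }


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path:17} -> {'success' if ok else 'Invalid credentials (49)'}")
```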