Resolved: SASL search-based username mapping succeeds, but auth fails!?
- To: openldap-technical@openldap.org
- Subject: Resolved: SASL search-based username mapping succeeds, but auth fails!?
- From: "William B. Clay" <william.b.clay@acm.org>
- Date: Thu, 5 May 2016 14:07:09 +0200
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.0
I document the resolution here in the hope it may save others from
similar embarrassment.
Short form:
The ldapsearch error termination message:
user not found: unable to canonify user and get auxprops
meant, at least in this case, that the SASL password database
(/etc/ldap/sasl2/sasldb2) did not contain the userid specified by option
"-U".
This message is distinct from the message issued on a password error for
a userid that is present in the database:
authentication failure: client response doesn't match what
we generated (tried bogus)
TLDR:
My perplexity was caused by two reasonable (to me at least)
misconceptions that falsely reinforced each other:
1. "unable to canonify user" meant a problem more complex than simply
"user not found" in the SASL database itself.
2. Execution of a SASL AuthzRegexp LDAP lookup proved that the SASL user
password had been successfully checked (i.e., that a -U userid SASL
password is checked PRIOR to AuthzRegexp processing).
The root cause blunder: omitting the saslpasswd2 option
"-f /etc/ldap/sasl2/sasldb2" when creating the SASL userid. This created
the ID in /etc/sasldb2 instead. Verifying existence of the ID with
sasldblistusers2 (also forgetting option "-f", of course) confirmed that
the ID in question was present ... in the wrong place.
I apologize to the list for the mistaken post.
Bill Clay
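An added check script (not from the post or the OpenLDAP project) that encodes the resolution above: it classifies the two failure messages quoted in the post and reports whether a userid was created in the sasldb slapd actually reads or in the default /etc/sasldb2. It assumes sasldblistusers2 prints one "user@realm: userPassword" line per entry; the sample listings in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Encodes the lesson of the
# thread: "unable to canonify user" means the userid is absent from the sasldb
# that slapd reads, which is easy to cause by omitting "-f" with saslpasswd2.
# Assumed: sasldblistusers2 prints one "user@realm: userPassword" line per entry.

CONFIGURED_DB=/etc/ldap/sasl2/sasldb2   # path that must be passed via -f
DEFAULT_DB=/etc/sasldb2                  # where saslpasswd2 writes without -f

# Classify a slapd/ldapsearch failure line using the two messages from the post.
classify_sasl_error() {
    case "$1" in
        *"unable to canonify user and get auxprops"*) echo user-not-in-sasldb ;;
        *"client response doesn't match what we generated"*) echo wrong-password ;;
        *) echo unknown ;;
    esac
}

# $1 = sasldblistusers2 output, $2 = userid, either bare or as user@realm.
listing_has_user() {
    printf '%s\n' "$1" | awk -v u="$2" -F': ' '
        { split($1, p, "@"); if ($1 == u || p[1] == u) found = 1 }
        END { exit !found }'
}

# $1 = userid, $2 = listing of the configured db, $3 = listing of the default db.
# Prints ok, misplaced (only in the default db: created without -f), or missing.
diagnose_sasl_user() {
    if listing_has_user "$2" "$1"; then
        echo ok
    elif listing_has_user "$3" "$1"; then
        echo misplaced
    else
        echo missing
    fi
}

# Live wrapper: needs the sasldb tools and read access to both files.
diagnose_live() {
    diagnose_sasl_user "$1" \
        "$(sasldblistusers2 -f "$CONFIGURED_DB" 2>/dev/null)" \
        "$(sasldblistusers2 -f "$DEFAULT_DB" 2>/dev/null)"
}
```

Run `diagnose_live <userid>` on the slapd host; a result of "misplaced" is exactly the situation the post describes.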