ldapdb: error: invalid parameter supplied
Dan Nicholson
dbn.lists at gmail.com
Sat Apr 22 15:33:23 EDT 2006
On 4/21/06, Igor Brezac <igor at ipass.net> wrote:
>
> This looks ok. What does debug of the ldap server show? Did you setup
> proxy correctly on the ldap server, ldapwhoami -Y DIGEST-MD5 -U proxyuser
> -X u:user?
Hi,
Patrick, I'm going to assume that I have the same setup as you since I
took mine entirely from the Book of Postfix. I was having the same
problems with openldap-2.3.x, but I think I've solved the problem.
The big thing was getting the regexp in /etc/openldap/slapd.conf to
work correctly. Now, ldapwhoami checks out as well as ldapdb
authorization through the cyrus-sasl client/server utilities.
One thing to note is that the authorization settings have changed for
openldap-2.3. With 2.2, I was using saslAuthzTo, sasl-authz-policy
and sasl-regexp. Those have all now been changed to authzTo,
authz-policy and authz-regexp (man slapd.conf). Here is what I set in
/etc/openldap/slapd.conf:
$ tail /etc/openldap/slapd.conf
index objectClass eq
index cn eq
index mail,maildrop pres
index mailbox,quota,uidNumber,gidNumber eq
## BINDING
authz-policy to
authz-regexp
    uid=(.*),cn=.*,cn=auth
    ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))
The important piece differing from the Book of Postfix is that the
replacement could not be mail=$1 since the match was on uid. Without
this, ./server would give me
starting SASL negotiation: user not foundclosing connection
Also, I get the "invalid parameter" error even with successful
authorization. I also checked with my old openldap-2.2 system, and it
happens there, too. Here's the tail from a successful ./server,
./client login:
Apr 22 12:22:14 silky slapd[2265]: auxpropfunc error invalid parameter supplied
Apr 22 12:22:14 silky slapd[2265]: _sasl_plugin_load failed on
sasl_auxprop_plug_init for plugin: ldapdb
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 3
For completeness, this is what I changed my auth user to; notice the authzTo:
dn: uid=proxy,ou=auth,dc=foo,dc=com
uid: proxy
objectClass: inetOrgPerson
givenName: proxy
sn: proxy
cn: proxy
userPassword: XXXXXXXXX
mail: proxy
authzTo: ldap:///ou=people,dc=foo,dc=com??sub?(objectclass=inetOrgPerson)
Hope that helps.
--
Dan
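The two slapd settings the message turns on, authz-regexp (mapping the SASL identity uid=...,cn=DIGEST-MD5,cn=auth to an entry via an LDAP URL search) and authz-policy to with an authzTo URL on the proxy entry, can be modelled offline. The following is an added example written for this page, not code from the post, from OpenLDAP or from Cyrus SASL: a small Python re-implementation of those two checks over a constructed three-entry directory (the uid=dan and uid=alice entries, their attribute values, and the mail value dan@foo.com are invented). It deliberately reproduces the failure the post describes: with a mail=$1 replacement the proxy entry (whose mail is literally "proxy") still maps, but the real user does not, which is the "user not found" outcome; with uid=$1 both map, and the authzTo URL then allows proxying only for entries under ou=people. DN handling, scope rules and filter syntax are simplified (equality and presence filters, &, |, ! only; no escaped commas), and Python's re.match stands in for slapd's regexec, so treat it as an approximation of slapd's behaviour.

```python
"""Offline model of slapd's authz-regexp and authz-policy to / authzTo.
Added example, simplified; not OpenLDAP or Cyrus SASL code."""
import re

# Constructed sample directory (entries, passwords-free, invented for this example).
DIRECTORY = {
    "uid=proxy,ou=auth,dc=foo,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["proxy"], "mail": ["proxy"],
        "authzto": ["ldap:///ou=people,dc=foo,dc=com??sub?(objectclass=inetOrgPerson)"],
    },
    "uid=dan,ou=people,dc=foo,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["dan"], "mail": ["dan@foo.com"],
    },
    "uid=alice,ou=admins,dc=foo,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["alice"], "mail": ["alice@foo.com"],
    },
}


def norm_dn(dn):
    """Simplified DN comparison form: lower-case, no spaces around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_ldap_url(url):
    """ldap:///base?attrs?scope?filter -> (base, scope, filter) with RFC defaults."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are modelled")
    parts = url[len("ldap:///"):].split("?", 3) + ["", "", ""]
    base, _attrs, scope, filt = parts[:4]
    return norm_dn(base), (scope or "base").lower(), filt or "(objectclass=*)"


def in_scope(dn, base, scope):
    """base: the entry itself; one: direct children; sub: entry and all descendants."""
    dn = norm_dn(dn)
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    if scope == "one":
        return "," not in dn[: -len(base) - 1]   # exactly one RDN above the base
    return scope == "sub"


def parse_filter(s, i):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=value)."""
    i += 1                                        # skip "("
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def eval_filter(node, entry):
    """Case-insensitive equality; "*" means presence."""
    if node[0] == "&":
        return all(eval_filter(k, entry) for k in node[1])
    if node[0] == "|":
        return any(eval_filter(k, entry) for k in node[1])
    if node[0] == "!":
        return not eval_filter(node[1][0], entry)
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if val == "*" else val.lower() in values


def search(url, directory=DIRECTORY):
    """DNs in scope of the URL's base whose entry matches the URL's filter."""
    base, scope, filt = parse_ldap_url(url)
    node, _ = parse_filter(filt, 0)
    return [dn for dn, e in directory.items() if in_scope(dn, base, scope) and eval_filter(node, e)]


def map_authcid(authcid, regexp, replacement, directory=DIRECTORY):
    """authz-regexp: rewrite the SASL identity; an LDAP URL result must hit
    exactly one entry, otherwise the mapping fails (the post's "user not found")."""
    m = re.match(regexp, authcid, re.IGNORECASE)
    if not m:
        return None
    target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    if not target.startswith("ldap:///"):
        return norm_dn(target)
    hits = search(target, directory)
    return hits[0] if len(hits) == 1 else None


def authz_allowed(authc_dn, authz_dn, directory=DIRECTORY):
    """authz-policy to: the authenticated entry's authzTo values (LDAP URL or
    "dn:<DN>") decide whether it may act as authz_dn."""
    for rule in directory.get(authc_dn, {}).get("authzto", []):
        if rule.startswith("ldap:///") and norm_dn(authz_dn) in map(norm_dn, search(rule, directory)):
            return True
        if rule.lower().startswith("dn:") and norm_dn(rule[3:]) == norm_dn(authz_dn):
            return True
    return False


def demo():
    """Replay the post's scenario: mail=$1 vs uid=$1, then the proxy check."""
    regexp = r"uid=(.*),cn=.*,cn=auth"
    wrong = "ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(mail=$1))"
    right = "ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))"
    proxy = map_authcid("uid=proxy,cn=DIGEST-MD5,cn=auth", regexp, right)
    dan = map_authcid("uid=dan,cn=DIGEST-MD5,cn=auth", regexp, right)
    return {
        "proxy_via_mail": map_authcid("uid=proxy,cn=DIGEST-MD5,cn=auth", regexp, wrong),
        "dan_via_mail": map_authcid("uid=dan,cn=DIGEST-MD5,cn=auth", regexp, wrong),  # None
        "dan_via_uid": dan,
        "proxy_for_dan": authz_allowed(proxy, dan),                                  # True
        "proxy_for_alice": authz_allowed(proxy, "uid=alice,ou=admins,dc=foo,dc=com"),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The asymmetry in the first two results is what makes the misconfiguration easy to miss: the proxy entry in the post carries mail: proxy, so it resolves under either replacement and ldapwhoami for the proxy alone looks healthy; only the mapping of an ordinary user exposes the wrong attribute. The last two results show why authz-policy to plus a scoped authzTo URL is preferable to a blanket rule: the proxy can act for entries under ou=people and nothing else.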