ldapdb: error: invalid parameter supplied

Dan Nicholson dbn.lists at gmail.com
Sat Apr 22 15:33:23 EDT 2006 

On 4/21/06, Igor Brezac <igor at ipass.net> wrote:
>
> This looks ok.  What does debug of the ldap server show?  Did you setup
> proxy correctly on the ldap server, ldapwhoami -Y DIGEST-MD5 -U proxyuser
> -X u:user?

Hi,

Patrick, I'm going to assume that I have the same setup as you since I
took mine entirely from the Book of Postfix.  I was having the same
problems with openldap-2.3.x, but I think I've solved the problem. 
The big thing was getting the regexp in /etc/openldap/slapd.conf to
work correctly.  Now, ldapwhoami checks out as well as ldapdb
authorization through the cyrus-sasl client/server utilities.

One thing to note is that the authorization settings have changed for
openldap-2.3.  With 2.2, I was using saslAuthzTo, sasl-authz-policy
and sasl-regexp.  Those have all now been changed to authzTo,
authz-policy and authz-regexp (man slapd.conf).  Here is what I set in
/etc/openldap/slapd.conf:

$ tail /etc/openldap/slapd.conf
index   objectClass             eq
index   cn                      eq
index   mail,maildrop           pres
index   mailbox,quota,uidNumber,gidNumber       eq

## BINDING
authz-policy                    to
authz-regexp
        uid=(.*),cn=.*,cn=auth
        ldap:///dc=foo,dc=com??sub?(&(objectclass=inetOrgPerson)(uid=$1))

The important piece differing from the Book of Postfix is that the
replacement could not be mail=$1 since the match was on uid.  Without
this, ./server would give me

starting SASL negotiation: user not foundclosing connection

Also, I get the "invalid parameter" error even with successful
authorization.  I also checked with my old openldap-2.2 system, and it
happens there, too.  Here's the tail from a successful ./server,
./client login:

Apr 22 12:22:14 silky slapd[2265]: auxpropfunc error invalid parameter supplied
Apr 22 12:22:14 silky slapd[2265]: _sasl_plugin_load failed on
sasl_auxprop_plug_init for plugin: ldapdb
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 2
Apr 22 12:22:26 silky lt-server: DIGEST-MD5 client step 3

For completeness, this is what I changed my auth user to, notice the authzTo:

dn: uid=proxy,ou=auth,dc=foo,dc=com
uid: proxy
objectClass: inetOrgPerson
givenName: proxy
sn: proxy
cn: proxy
userPassword: XXXXXXXXX
mail: proxy
authzTo: ldap:///ou=people,dc=foo,dc=com??sub?(objectclass=inetOrgPerson)

Hope that helps.

--
Dan

More information about the Cyrus-sasl mailing list