ldapdb: error: invalid parameter supplied

Patrick Ben Koetter p at state-of-mind.de
Sat Apr 22 17:24:21 EDT 2006


Igor,

* Igor Brezac <igor at ipass.net>:
> On Fri, 21 Apr 2006, Patrick Ben Koetter wrote:
> 
> >>>Authentication fails with the following errors:
> >>>
> >>>Apr 20 19:50:12 laptop slapd[28454]: auxpropfunc error invalid parameter supplied
> >>>Apr 20 19:50:12 laptop slapd[28454]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
> >>>
> >>>Now I am trying to find out who "supplied" the "invalid parameter" in
> >>>order to fix it.
> 
> I missed this one earlier.
> 
> This error does not come from the sample utility.  It comes from the
> openldap server and is probably OK as long as you did not explicitly
> configure ldapdb as the slapd auxprop plugin (if you do not have
> /usr/lib/sasl2/slapd.conf you should be ok).

Yep, you're right. As far as I understand it, this 'error' happens when
libsasl in slapd tries to initialize all plugins it can find, when it
initializes itself. It runs over the ldapdb plugin, the plugin replies "I need
ldapdb_uri", and libsasl returns "invalid parameter" although ldapdb is never
being used for slapd.conf.

I do have slapd.conf though to limit the mechanisms as I don't have Kerberos
and want to use shared-secret mechs instead.

> >>>The OpenLDAP slaptest utility didn't report any errors on slapd.conf. 
> >>>Also the log_level I've set in /usr/lib/sasl2/sample.conf didn't give me
> >>>any verbose output either when I used Cyrus SASL's server and client to
> >>>test authentication.
> >>>
> >>>Any hints or ideas?
> >>
> >>What are the contents of sample.conf?  You probably did not specify
> >>ldapdb_uri.
> >
> >Here's the content of sample.conf:
> >
> >log_level: 7
> >pwcheck_method: auxprop
> >auxprop_plugin: ldapdb
> >mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
> >ldapdb_uri: ldap://localhost
> >ldapdb_id: proxyuser
> >ldapdb_pw: proxy_secret
> >ldapdb_mech: DIGEST-MD5
> >
> >As you can see I did specify ldapdb_uri. I don't see anything being wrong
> >with the config. Do you?
> >
> 
> This looks ok.  What does debug of the ldap server show?  Did you set up
> proxy correctly on the ldap server, ldapwhoami -Y DIGEST-MD5 -U proxyuser
> -X u:user?

I am a little bit further, but not done all the way (which is why it took me
some time before I started to reply to your mail).

It turns out my mapping for the proxyuser in slapd.conf had been incorrect and
the whole process of authorization and authentication didn't work from the
very beginning.

Additionally I had the authzTo attribute placed wrong...

Anyway, basic functionality is there now. There's still something that doesn't
work. I can authenticate users from ou=purchasing,ou=people,dc=example,dc=com,
but not from ou=it,ou=people,dc=example,dc=com, which really drives me crazy
at the moment, because I don't understand it, but this is a problem I will
probably take to the OpenLDAP mailing list.

Thanks for the assistance so far!

p at rick


-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
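
Added example, not part of the original message or of Cyrus SASL: a small check that reads per-application SASL config text and tells the harmless case discussed above (ldapdb found at start-up but never selected) from the case where the config selects ldapdb without giving it ldapdb_uri. The option names are the ones in the quoted sample.conf; the slapd.conf text is a constructed sample, the function names are hypothetical, and the rule that a missing ldapdb_uri produces the log line follows the explanation given in the message.

```python
# Added example. SAMPLE_CONF repeats the sample.conf quoted in the thread;
# SLAPD_CONF is constructed; all function names are hypothetical.

SAMPLE_CONF = """\
log_level: 7
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
ldapdb_uri: ldap://localhost
ldapdb_id: proxyuser
ldapdb_pw: proxy_secret
ldapdb_mech: DIGEST-MD5
"""

# Constructed: a slapd.conf that only limits the offered mechanisms.
SLAPD_CONF = """\
mech_list: DIGEST-MD5 CRAM-MD5
"""


def parse_sasl_conf(text):
    """Parse 'key: value' option lines, skipping blanks and # comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def classify_ldapdb(opts):
    """Return 'configured', 'benign' or 'broken' for the ldapdb plugin."""
    if opts.get("ldapdb_uri"):
        return "configured"  # plugin has the URI it asks for
    if "ldapdb" in opts.get("auxprop_plugin", "").split():
        return "broken"      # ldapdb selected but it cannot initialize
    return "benign"          # error is logged, plugin is not used


def report(configs):
    """Map each config name to its ldapdb verdict."""
    return {n: classify_ldapdb(parse_sasl_conf(t)) for n, t in configs.items()}


if __name__ == "__main__":
    for name, verdict in report({"sample.conf": SAMPLE_CONF,
                                 "slapd.conf": SLAPD_CONF}).items():
        print(f"{name}: ldapdb {verdict}")
```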

