SOLVED: Re: POSSIBLE BUG: Cyrus SASL 2.1.22: ldapdb

Patrick Ben Koetter p at state-of-mind.de
Mon Aug 20 11:34:32 EDT 2007 

As you've expected it was an error on my side.
However I've done a few changes and for history I can't say what brought the
change. Thanks for the attention to my problem.

p at rick


* Patrick Ben Koetter <p at state-of-mind.de>:
> * Howard Chu <hyc at highlandsun.com>:
> > Patrick Ben Koetter wrote:
> > >This mail expands on a mail I had sent to cyrus-sasl at lists.andrew.cmu.edu a
> > >few days ago. I spent the last days testing this and I believe I have 
> > >found a
> > >bug.
> > 
> > The likelihood that a bug is in the ldapdb code is about zero.
> 
> Agreed. That's why I wrote "possible".
> 
> 
> > >Version:    Cyrus SASL 2.1.22
> > >OS:         CentOS (also tested and verified on Ubuntu and OpenSuse)
> > >Descrition: Entries that successfully can be authenticated using the
> > >            ldapwhoami command can only partially be authenticated using 
> > >            the
> > >            Cyrus SASL ldapdb-plugin.
> > 
> > >Steps to reproduce:
> > >(All files are available for download at
> > ><http://www.state-of-mind.de/bugreport_cyrus-sasl-2.1.22.tgz>)
> > 
> > Since you've gone to the trouble of packaging this up, you should also have 
> > included an extract from the slapd debug log taken from running the sample- 
> > authentication.
> 
> 
> Right. My fault. I've created a completely new package and put it at
> http://www.state-of-mind.de/bugreport_2_cyrus-sasl-2.1.22.tgz.
> 
> It contains log from "loglevel ACL traces".
> 
> 
> > >1. Install configuration as provided by bugreport_cyrus-sasl-2.1.22.tgz.
> > >2. Use ldapwhoami to verify authentication:
> > >
> > >    [root at netinstall ldap]# ldapwhoami -U a -w a
> > >    SASL/DIGEST-MD5 authentication started
> > >    SASL username: a
> > >    SASL SSF: 128
> > >    SASL installing layers
> > >    dn:uid=a,ou=people,dc=example,dc=com
> > >    Result: Success (0)
> > >
> > >    [root at netinstall ldap]# ldapwhoami -U b -w b
> > >    SASL/DIGEST-MD5 authentication started
> > >    SASL username: b
> > >    SASL SSF: 128
> > >    SASL installing layers
> > >    dn:uid=b,ou=people,dc=example,dc=com
> > >    Result: Success (0)
> > 
> > Neither of these commands reflects what the ldapdb plugin does. To test 
> > that you first need to test e.g.
> > 	ldapwhoami -U proxyuser -X a
> 
> [root at netinstall ~]# ldapwhoami -U proxyuser -X a
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: unable authorization ID
> 
> 
> So it seems that the proxyuser has "Insufficient access". I've followed the
> traces of authentication in the log and see that it fails, but I can't tell
> why.
> 
> If I do interpret the log correctly the authz-regexp mapping works and maps
> proxyuser to the correct dn. Permission is given to read the uid and
> userPassword, but then it fails. This is where I am lost.
> 
> (On a sidenote I wonder: If proxyuser fails, how come the ldapdb plugin would
> work for one entry and not the other?)
> 
> p at rick
> 
> P.S: Seems this is more an OpenLDAP topic than a Cyrus SASL topic. If you want
> me to I can open a new thread on openldap.
> 
> -- 
> The Book of Postfix
> <http://www.postfix-book.com>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

More information about the Cyrus-sasl mailing list